From 666706682630d36c5a5954eac783f5707409a6ef Mon Sep 17 00:00:00 2001
From: "Dustin C. Hatch"
Date: Tue, 8 Jul 2025 11:28:42 -0500
Subject: [PATCH] kubelet: Configure cri-o container registries

The _containers-image_ role configures _containers-registries.conf(5)_ and _containers-cert.d(5)_, which are used by CRI-O (and `podman`). Specifically, we'll use these to redirect requests for images on Docker Hub (docker.io) to the internal caching proxy.
---
 group_vars/kubelet.yml | 9 +++
 roles/containers-image/defaults/main.yml | 2 +
 roles/containers-image/tasks/main.yml | 64 +++++++++++++++++++
 .../templates/registries.conf.j2 | 6 ++
 roles/kubelet/meta/main.yml | 1 +
 5 files changed, 82 insertions(+)
 create mode 100644 roles/containers-image/defaults/main.yml
 create mode 100644 roles/containers-image/tasks/main.yml
 create mode 100644 roles/containers-image/templates/registries.conf.j2
diff --git a/group_vars/kubelet.yml b/group_vars/kubelet.yml
index 4773cea..d3a3ef3 100644
--- a/group_vars/kubelet.yml
+++ b/group_vars/kubelet.yml
@@ -12,3 +12,12 @@ collectd_df_ignore_mountpoint:
 - /etc/cni/net.d
 - /opt/cni
 - /usr/libexec/kubernetes/kubelet-plugins
+
+container_registries:
+- location: docker-hub.proxy.pyrocufflink.blue
+ prefix: docker.io
+
+container_registry_certs:
+ docker-hub.proxy.pyrocufflink.blue:443:
+ ca: >-
+ {{ lookup('file', 'dch-root-ca-r2.crt') }}
diff --git a/roles/containers-image/defaults/main.yml b/roles/containers-image/defaults/main.yml
new file mode 100644
index 0000000..85a0cc0
--- /dev/null
+++ b/roles/containers-image/defaults/main.yml
@@ -0,0 +1,2 @@
+container_registries: []
+container_registry_certs: {}
diff --git a/roles/containers-image/tasks/main.yml b/roles/containers-image/tasks/main.yml
new file mode 100644
index 0000000..4ca1f95
--- /dev/null
+++ b/roles/containers-image/tasks/main.yml
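Review bot: The certs.d entry is keyed `docker-hub.proxy.pyrocufflink.blue:443` while the matching `location` names the host without a port; as far as I can tell containers/image derives the certs.d directory name from the domain of the rewritten reference exactly as written, so the CA would be looked up under the bare hostname and the `:443` directory never consulted, leaving pulls through the proxy failing TLS verification. Worth confirming with a test pull before relying on it; if the bare name is used, the key should be `docker-hub.proxy.pyrocufflink.blue:` or `location` should carry `:443` explicitly so the two agree. The folded `ca: >-` block holds only the lookup expression, so the PEM text is substituted after YAML parsing and its line structure survives.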
@@ -0,0 +1,64 @@
+- name: ensure container registries are configured
+ template:
+ src: registries.conf.j2
+ dest: /etc/containers/registries.d/40-registries.conf
+ owner: root
+ group: root
+ mode: u=rw,go=r
+ tags:
+ - config
+ - containers-registries
+
+- name: ensure container registry certs directories exist
+ file:
+ path: /etc/containers/certs.d/{{ item }}
+ owner: root
+ group: root
+ mode: u=rwx,go=rx
+ state: directory
+ loop: '{{ container_registry_certs.keys() }}'
+ tags:
+ - config
+ - containers-certs
+- name: ensure container registry ca certs are configured
+ copy:
+ content: |+
+ {{ container_registry_certs[item].ca }}
+ dest: /etc/containers/certs.d/{{ item }}/ca.crt
+ owner: root
+ group: root
+ mode: u=rw,go=r
+ loop: '{{ container_registry_certs.keys() }}'
+ tags:
+ - config
+ - containers-certs
+ - ca-cert
+- name: ensure container registry client certs are configured
+ copy:
+ content: |+
+ {{ container_registry_certs[item].client_cert }}
+ dest: /etc/containers/certs.d/{{ item }}/client.cert
+ owner: root
+ group: root
+ mode: u=rw,go=r
+ when: item.client_cert|d
+ loop: '{{ container_registry_certs.keys() }}'
+ tags:
+ - config
+ - containers-certs
+ - client-cert
+- name: ensure container registry client keys are configured
+ copy:
+ content: |+
+ {{ container_registry_certs[item].client_key }}
+ dest: /etc/containers/certs.d/{{ item }}/client.key
+ owner: root
+ group: root
+ mode: u=rw,go=r
+ diff: false
+ when: item.client_key|d
+ loop: '{{ container_registry_certs.keys() }}'
+ tags:
+ - config
+ - containers-certs
+ - client-key
diff --git a/roles/containers-image/templates/registries.conf.j2 b/roles/containers-image/templates/registries.conf.j2
new file mode 100644
index 0000000..3d3c062
--- /dev/null
+++ b/roles/containers-image/templates/registries.conf.j2
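Review bot: The `when:` guards on the client cert and client key tasks test `item.client_cert|d` and `item.client_key|d`, but `item` comes from `container_registry_certs.keys()` and is a plain string, so both expressions are always undefined, default to empty and the two tasks are skipped for every registry; they should read `when: container_registry_certs[item].client_cert|d` and `when: container_registry_certs[item].client_key|d`. The first task writes its drop-in to `/etc/containers/registries.d/`, which as I read the man pages is the signature-storage configuration directory (containers-registries.d(5)); registries.conf drop-ins are read from `/etc/containers/registries.conf.d/`, so `dest: /etc/containers/registries.conf.d/40-registries.conf` looks like what was intended — worth verifying on a host that the rewrite actually takes effect. The client key is installed with `mode: u=rw,go=r`, which leaves private key material world-readable; `mode: u=rw,go=` is the right permission for `client.key`, and `no_log: true` next to the existing `diff: false` keeps the key out of play output as well as out of diffs. The ca task assumes every entry has a `ca` value and fails on one that only carries client credentials; guarding it with `when: container_registry_certs[item].ca|d` keeps the role usable for that case.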
@@ -0,0 +1,6 @@
+{% for registry in container_registries|d([]) %}
+[[registry]]
+{% for key, value in registry|dictsort %}
+{{ key }} = {{ value | to_json }}
+{% endfor %}
+{% endfor %}
diff --git a/roles/kubelet/meta/main.yml b/roles/kubelet/meta/main.yml
index 4595a0b..a3d4f5e 100644
--- a/roles/kubelet/meta/main.yml
+++ b/roles/kubelet/meta/main.yml
@@ -3,3 +3,4 @@ dependencies:
 - role: cri-o
 tags:
 - cri-o
+- containers-image
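Review bot: `{{ value | to_json }}` produces valid TOML only for string, number, boolean and flat-array values; a `mirror` entry, which containers-registries.conf(5) expresses as a list of `[[registry.mirror]]` tables, would render as a JSON array of objects that the TOML parser rejects, so the restriction should either be documented or mirrors rendered separately. I would open the template with `{# each entry in container_registries must be a flat mapping of scalars or lists of scalars; to_json output is only valid TOML for those #}` and a `# {{ ansible_managed }}` line so the generated drop-in is recognisable as managed. The `|d([])` on the outer loop duplicates the role default `container_registries: []`; harmless, but it hides the fact that the default is already guaranteed.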