kubelet: Configure cri-o container registries

The _containers-image_ role configures _containers-registries.conf(5)_ and
_containers-cert.d(5)_, which are used by CRI-O (and `podman`).
Specifically, we'll use these to redirect requests for images on Docker
Hub (docker.io) to the internal caching proxy.

group_vars/kubelet.yml

@@ -12,3 +12,12 @@ collectd_df_ignore_mountpoint:
 - /etc/cni/net.d
 - /opt/cni
 - /usr/libexec/kubernetes/kubelet-plugins
+
+container_registries:
+- location: docker-hub.proxy.pyrocufflink.blue
+  prefix: docker.io
+
+container_registry_certs:
+  docker-hub.proxy.pyrocufflink.blue:443:
+    ca: >-
+      {{ lookup('file', 'dch-root-ca-r2.crt') }}

roles/containers-image/defaults/main.yml

@@ -0,0 +1,2 @@
+container_registries: []
+container_registry_certs: {}

roles/containers-image/tasks/main.yml

@@ -0,0 +1,64 @@
+- name: ensure container registries are configured
+  template:
+    src: registries.conf.j2
+    dest: /etc/containers/registries.d/40-registries.conf
+    owner: root
+    group: root
+    mode: u=rw,go=r
+  tags:
+  - config
+  - containers-registries
+
+- name: ensure container registry certs directories exist
+  file:
+    path: /etc/containers/certs.d/{{ item }}
+    owner: root
+    group: root
+    mode: u=rwx,go=rx
+    state: directory
+  loop: '{{ container_registry_certs.keys() }}'
+  tags:
+  - config
+  - containers-certs
+- name: ensure container registry ca certs are configured
+  copy:
+    content: |+
+      {{ container_registry_certs[item].ca }}
+    dest: /etc/containers/certs.d/{{ item }}/ca.crt
+    owner: root
+    group: root
+    mode: u=rw,go=r
+  loop: '{{ container_registry_certs.keys() }}'
+  tags:
+  - config
+  - containers-certs
+  - ca-cert
+- name: ensure container registry client certs are configured
+  copy:
+    content: |+
+      {{ container_registry_certs[item].client_cert }}
+    dest: /etc/containers/certs.d/{{ item }}/client.cert
+    owner: root
+    group: root
+    mode: u=rw,go=r
+  when: item.client_cert|d
+  loop: '{{ container_registry_certs.keys() }}'
+  tags:
+  - config
+  - containers-certs
+  - client-cert
+- name: ensure container registry client keys are configured
+  copy:
+    content: |+
+      {{ container_registry_certs[item].client_key }}
+    dest: /etc/containers/certs.d/{{ item }}/client.key
+    owner: root
+    group: root
+    mode: u=rw,go=r
+  diff: false
+  when: item.client_key|d
+  loop: '{{ container_registry_certs.keys() }}'
+  tags:
+  - config
+  - containers-certs
+  - client-key

roles/containers-image/templates/registries.conf.j2

@@ -0,0 +1,6 @@
+{% for registry in container_registries|d([]) %}
+[[registry]]
+{% for key, value in registry|dictsort %}
+{{ key }} = {{ value | to_json }}
+{% endfor %}
+{% endfor %}

roles/kubelet/meta/main.yml

@@ -3,3 +3,4 @@ dependencies:
 - role: cri-o
   tags:
   - cri-o
+- containers-image