From 4f27c763af4aecc1c0d56f9bba1bb570c7d03b1c Mon Sep 17 00:00:00 2001
From: Marat Talipov <Morion-Self@users.noreply.github.com>
Date: Mon, 13 Dec 2021 13:41:58 +0500
Subject: [PATCH] containerd insecure registry support (#8298)

---
 inventory/sample/group_vars/all/containerd.yml           | 8 ++++++++
 .../container-engine/containerd/templates/config.toml.j2 | 6 ++++++
 roles/kubespray-defaults/defaults/main.yaml              | 9 +++++++++
 3 files changed, 23 insertions(+)

diff --git a/inventory/sample/group_vars/all/containerd.yml b/inventory/sample/group_vars/all/containerd.yml
index 3f617f206..4aee14bcd 100644
--- a/inventory/sample/group_vars/all/containerd.yml
+++ b/inventory/sample/group_vars/all/containerd.yml
@@ -28,6 +28,14 @@
 
 # containerd_metrics_grpc_histogram: false
 
+## An obvious use case is allowing insecure-registry access to self hosted registries.
+## Can be ipaddress and domain_name.
+## example define mirror.registry.io or 172.19.16.11:5000
+## Port number is also needed if the default HTTPS port is not used.
+# containerd_insecure_registries:
+#   - mirror.registry.io
+#   - 172.19.16.11:5000
+
 # containerd_registries:
 #   "docker.io": "https://registry-1.docker.io"
 
diff --git a/roles/container-engine/containerd/templates/config.toml.j2 b/roles/container-engine/containerd/templates/config.toml.j2
index 48f3628e0..0bc249846 100644
--- a/roles/container-engine/containerd/templates/config.toml.j2
+++ b/roles/container-engine/containerd/templates/config.toml.j2
@@ -54,6 +54,12 @@ oom_score = {{ containerd_oom_score }}
         [plugins."io.containerd.grpc.v1.cri".registry.mirrors."{{ registry }}"]
           endpoint = ["{{ ([ addr ] | flatten ) | join('","') }}"]
 {% endfor %}
+{% for addr in containerd_insecure_registries %}
+        [plugins."io.containerd.grpc.v1.cri".registry.mirrors."{{ addr }}"]
+          endpoint = ["{{ ([ addr ] | flatten ) | join('","') }}"]
+        [plugins."io.containerd.grpc.v1.cri".registry.configs."{{ addr }}".tls]
+          insecure_skip_verify = true
+{% endfor %}
 {% for registry in containerd_registry_auth if registry['registry'] is defined %}
 {% if (registry['username'] is defined and registry['password'] is defined) or registry['auth'] is defined %}
       [plugins."io.containerd.grpc.v1.cri".registry.configs."{{ registry['registry'] }}".auth]
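Review bot: The new loop (lines 40–41) emits a `registry.mirrors."{{ addr }}"` table for every insecure registry, while the preceding loop already emits a mirrors table for every key of `containerd_registries`; if a host appears in both lists the rendered TOML redefines the same table, which TOML parsers reject, so containerd would fail to load its config. Guard the loop, `{% for addr in containerd_insecure_registries if addr not in containerd_registries %}`, or state in the variable's comment that the two lists must be disjoint. Separately, the endpoint on line 41 is written without a scheme, and `insecure_skip_verify` on line 43 only relaxes certificate checking; whether a scheme-less entry such as `172.19.16.11:5000` is usable for a plain-HTTP registry depends on containerd's default scheme, which this hunk does not establish, so the comment should say whether entries are expected to carry `http://`/`https://`. The enclosing template starts and ends outside the hunk.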
diff --git a/roles/kubespray-defaults/defaults/main.yaml b/roles/kubespray-defaults/defaults/main.yaml
index 12a28b9af..ef9d4d21c 100644
--- a/roles/kubespray-defaults/defaults/main.yaml
+++ b/roles/kubespray-defaults/defaults/main.yaml
@@ -346,6 +346,15 @@ containerd_use_systemd_cgroup: true
 # Docker options - this is relevant when container_manager == 'docker'
 docker_containerd_version: 1.4.12
 
+## An obvious use case is allowing insecure-registry access to self hosted registries.
+## Can be ipaddress and domain_name.
+## example define mirror.registry.io or 172.19.16.11:5000
+## Port number is also needed if the default HTTPS port is not used.
+# containerd_insecure_registries:
+#   - mirror.registry.io
+#   - 172.19.16.11:5000
+containerd_insecure_registries: []
+
 # Settings for containerized control plane (etcd/kubelet/secrets)
 # deployment type for legacy etcd mode
 etcd_deployment_type: host
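Review bot: The comment introducing `containerd_insecure_registries` (lines 56–59) never says what the setting does — each listed host gets `insecure_skip_verify = true` in containerd's registry config, so its TLS certificate is no longer verified — and an operator reading only this file cannot judge that consequence. Replace the first two comment lines with `## Registries listed here get insecure_skip_verify = true in containerd's config: their TLS certificates are not verified.` and `## Entries are host names or IP addresses, with :port appended when the registry does not listen on 443.`. The same comment block is duplicated in inventory/sample/group_vars/all/containerd.yml in this patch and should be updated alongside.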
-- 
GitLab