From 59f62473c9c3349a146543fc6e53939cce2dee25 Mon Sep 17 00:00:00 2001
From: Bart Sloeserwij <34059609+bsloeserwij@users.noreply.github.com>
Date: Wed, 5 Jan 2022 16:36:40 +0100
Subject: [PATCH] Update configuration of registries in cri-o (#7852)

* Update configuration of registries in cri-o

* Update docs to match new registry configuration
---
 docs/cri-o.md                                 |  2 +-
 .../container-engine/cri-o/defaults/main.yml  | 23 +++++++------------
 roles/container-engine/cri-o/tasks/main.yaml  | 14 +++++++----
 .../cri-o/templates/crio.conf.j2              | 21 -----------------
 .../cri-o/templates/registry-mirror.conf.j2   | 11 ---------
 .../cri-o/templates/registry.conf.j2          | 13 +++++++++++
 .../cri-o/templates/unqualified.conf.j2       | 10 ++++++++
 7 files changed, 42 insertions(+), 52 deletions(-)
 delete mode 100644 roles/container-engine/cri-o/templates/registry-mirror.conf.j2
 create mode 100644 roles/container-engine/cri-o/templates/registry.conf.j2
 create mode 100644 roles/container-engine/cri-o/templates/unqualified.conf.j2

diff --git a/docs/cri-o.md b/docs/cri-o.md
index 5644d2e03..c4831529e 100644
--- a/docs/cri-o.md
+++ b/docs/cri-o.md
@@ -33,7 +33,7 @@ etcd_deployment_type: host # optionally and mutually exclusive with etcd_kubeadm
 Enable docker hub registry mirrors
 
 ```yaml
-crio_registries_mirrors:
+crio_registries:
   - prefix: docker.io
     insecure: false
     blocked: false
diff --git a/roles/container-engine/cri-o/defaults/main.yml b/roles/container-engine/cri-o/defaults/main.yml
index 9dd07074b..912428ff0 100644
--- a/roles/container-engine/cri-o/defaults/main.yml
+++ b/roles/container-engine/cri-o/defaults/main.yml
@@ -7,32 +7,25 @@ crio_log_level: "info"
 crio_metrics_port: "9090"
 crio_pause_image: "{{ pod_infra_image_repo }}:{{ pod_infra_version }}"
 
-# Trusted registries to pull unqualified images (e.g. alpine:latest) from
+# Registries defined within cri-o.
 # By default unqualified images are not allowed for security reasons
 crio_registries: []
-
-# Configure insecure registries.
-crio_insecure_registries: []
-
-# Configure registry auth (if applicable to secure/insecure registries)
-crio_registry_auth: []
-#  - registry: 10.0.0.2:5000
-#    username: user
-#    password: pass
-
-# Define registiries mirror
-
-crio_registries_mirrors: []
 #  - prefix: docker.io
 #    insecure: false
 #    blocked: false
-#    location: registry-1.docker.io
+#    location: registry-1.docker.io ## REQUIRED
+#    unqualified: false
 #    mirrors:
 #      - location: 172.20.100.52:5000
 #        insecure: true
 #      - location: mirror.gcr.io
 #        insecure: false
 
+crio_registry_auth: []
+#  - registry: 10.0.0.2:5000
+#    username: user
+#    password: pass
+
 crio_seccomp_profile: ""
 crio_selinux: "{{ (preinstall_selinux_state == 'enforcing')|lower }}"
 crio_signature_policy: "{% if ansible_os_family == 'ClearLinux' %}/usr/share/defaults/crio/policy.json{% endif %}"
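Review bot: The meaning of `crio_registries` changes here from a list of registry names to a list of mappings with a required `location`, and `crio_insecure_registries` / `crio_registries_mirrors` disappear without any deprecation note, so an inventory still carrying the old shape would presumably fail at template time instead of being mapped across. A short migration comment above the example would cover that, for instance `# NOTE: crio_registries used to be a plain list of names; former crio_insecure_registries / crio_registries_mirrors entries now belong here as items with insecure: true / mirrors:`. The `unqualified` key in the example is also undocumented, and `#    unqualified: false  # set true to add this registry to unqualified-search-registries` says what it does. The `## REQUIRED` marker on the `location` line would read more consistently as a regular trailing `# required` comment.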
diff --git a/roles/container-engine/cri-o/tasks/main.yaml b/roles/container-engine/cri-o/tasks/main.yaml
index 9283a772a..d8ae4ad44 100644
--- a/roles/container-engine/cri-o/tasks/main.yaml
+++ b/roles/container-engine/cri-o/tasks/main.yaml
@@ -166,12 +166,18 @@
     owner: root
     mode: 0755
 
-- name: Write registries mirror configs
+- name: Write registries configs
   template:
-    src: registry-mirror.conf.j2
-    dest: "/etc/containers/registries.conf.d/{{ item.prefix }}.conf"
+    src: registry.conf.j2
+    dest: "/etc/containers/registries.conf.d/10-{{ item.prefix | default(item.location) | regex_replace(':', '_') }}.conf"
     mode: 0644
-  loop: "{{ crio_registries_mirrors }}"
+  loop: "{{ crio_registries }}"
+  notify: restart crio
+
+- name: Configure unqualified registry settings
+  template:
+    src: unqualified.conf.j2
+    dest: "/etc/containers/registries.conf.d/01-unqualified.conf"
   notify: restart crio
 
 - name: Write cri-o proxy drop-in
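Review bot: The `dest` on the rewritten task only rewrites `:`, but a registry prefix in containers-registries.conf(5) may carry a namespace path such as `example.com/team`, and the `/` would then turn the destination into a sub-directory of registries.conf.d that does not exist. Widening the replacement covers both cases: `dest: "/etc/containers/registries.conf.d/10-{{ item.prefix | default(item.location) | regex_replace('[:/]', '_') }}.conf"`. Files written under the previous naming scheme (`{{ item.prefix }}.conf`, without the `10-` prefix) are not removed by anything in this hunk, so on an upgraded node the old mirror definitions would presumably stay active next to the new ones; a cleanup task or a documented manual step seems warranted. The new "Configure unqualified registry settings" task also omits the `mode: 0644` its sibling sets.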
diff --git a/roles/container-engine/cri-o/templates/crio.conf.j2 b/roles/container-engine/cri-o/templates/crio.conf.j2
index 8fbd23a1d..780044c71 100644
--- a/roles/container-engine/cri-o/templates/crio.conf.j2
+++ b/roles/container-engine/cri-o/templates/crio.conf.j2
@@ -338,31 +338,10 @@ pause_command = "/pause"
 # refer to containers-policy.json(5) for more details.
 signature_policy = "{{ crio_signature_policy }}"
 
-# List of registries to skip TLS verification for pulling images. Please
-# consider configuring the registries via /etc/containers/registries.conf before
-# changing them here.
-insecure_registries = [
-  {% for insecure_registry in crio_insecure_registries %}
-  "{{ insecure_registry }}",
-  {% endfor %}
-]
-
 # Controls how image volumes are handled. The valid values are mkdir, bind and
 # ignore; the latter will ignore volumes entirely.
 image_volumes = "mkdir"
 
-# List of registries to be used when pulling an unqualified image (e.g.,
-# "alpine:latest"). By default, registries is set to "docker.io" for
-# compatibility reasons. Depending on your workload and usecase you may add more
-# registries (e.g., "quay.io", "registry.fedoraproject.org",
-# "registry.opensuse.org", etc.).
-registries = [
-  {% for registry in crio_registries %}
-  "{{ registry }}",
-  {% endfor %}
-]
-
-
 # The crio.network table containers settings pertaining to the management of
 # CNI plugins.
 [crio.network]
diff --git a/roles/container-engine/cri-o/templates/registry-mirror.conf.j2 b/roles/container-engine/cri-o/templates/registry-mirror.conf.j2
deleted file mode 100644
index 3c55026ea..000000000
--- a/roles/container-engine/cri-o/templates/registry-mirror.conf.j2
+++ /dev/null
@@ -1,11 +0,0 @@
-[[registry]]
-prefix = "{{ item.prefix }}"
-insecure = {{ item.insecure | d('false') | string | lower }}
-blocked = {{ item.blocked | d('false') | string | lower }}
-location = "{{ item.location | d(item.prefix) }}"
-{% for mirror in item.mirrors %}
-
-[[registry.mirror]]
-location = "{{ mirror.location }}"
-insecure = {{ mirror.insecure | d ('false') | string | lower }}
-{% endfor %}
diff --git a/roles/container-engine/cri-o/templates/registry.conf.j2 b/roles/container-engine/cri-o/templates/registry.conf.j2
new file mode 100644
index 000000000..38368f989
--- /dev/null
+++ b/roles/container-engine/cri-o/templates/registry.conf.j2
@@ -0,0 +1,13 @@
+[[registry]]
+prefix = "{{ item.prefix | default(item.location) }}"
+insecure = {{ item.insecure | default('false') | string | lower }}
+blocked = {{ item.blocked | default('false') | string | lower }}
+location = "{{ item.location }}"
+{% if item.mirrors is defined %}
+{% for mirror in item.mirrors %}
+
+[[registry.mirror]]
+location = "{{ mirror.location }}"
+insecure = {{ mirror.insecure | default('false') | string | lower }}
+{% endfor %}
+{% endif %}
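Review bot: `insecure` and `blocked` are emitted as bare TOML booleans from `| string | lower`, so a value given in inventory as the string `"yes"` or `"on"` renders `insecure = yes`, which is not valid TOML and would make cri-o reject the drop-in. Casting first pins the output to `true`/`false`: `insecure = {{ item.insecure | default(false) | bool | string | lower }}`, and likewise for the `blocked` line and the mirror `insecure` line. A header comment stating that `location` is mandatory while `prefix` falls back to it would also help, since that contract currently lives only in defaults/main.yml.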
diff --git a/roles/container-engine/cri-o/templates/unqualified.conf.j2 b/roles/container-engine/cri-o/templates/unqualified.conf.j2
new file mode 100644
index 000000000..8d690dc24
--- /dev/null
+++ b/roles/container-engine/cri-o/templates/unqualified.conf.j2
@@ -0,0 +1,10 @@
+{%- set _unqualified_registries = [] -%}
+{% for _registry in crio_registries if _registry.unqualified -%}
+{% if _registry.prefix is defined -%}
+{{ _unqualified_registries.append(_registry.prefix) }}
+{% else %}
+{{ _unqualified_registries.append(_registry.location) }}
+{%- endif %}
+{%- endfor %}
+
+unqualified-search-registries = {{ _unqualified_registries | to_yaml }}
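Review bot: The last line serialises the list with `to_yaml`, which for a non-empty list of scalars emits YAML flow style with unquoted items (`[docker.io]`) rather than the quoted array TOML requires, so cri-o would presumably fail to parse the file as soon as one registry is marked `unqualified`; `unqualified-search-registries = {{ _unqualified_registries | to_json }}` yields `["docker.io"]`, which is valid TOML. The loop filter `if _registry.unqualified` evaluates a missing key on every registry that does not set it, and under Ansible's strict undefined handling that is likely to raise rather than read as false, so `{% for _registry in crio_registries if _registry.unqualified | default(false) -%}` is safer and matches the `default()` style used in registry.conf.j2. Depending on the Ansible version, `{{ _unqualified_registries.append(...) }}` can also print the literal `None` into the output; the `{% set _ = _unqualified_registries.append(...) %}` form avoids that regardless.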
-- 
GitLab