From 81bf4f93047f3d05c592a10bb0e95543f8099fac Mon Sep 17 00:00:00 2001
From: kranthi guttikonda <kranthi.guttikonda9@hotmail.com>
Date: Wed, 1 Sep 2021 13:20:59 -0400
Subject: [PATCH] cri-o registry auth support (#7837)

* cri-o registry auth support

* yaml lint for comments

* crio_registry_auth from registry_auth

* crio_registry_auth as defaults
---
 inventory/sample/group_vars/all/cri-o.yml       |  6 ++++++
 roles/container-engine/cri-o/defaults/main.yml  |  6 ++++++
 roles/container-engine/cri-o/tasks/main.yaml    |  7 +++++++
 .../cri-o/templates/config.json.j2              | 17 +++++++++++++++++
 .../cri-o/templates/crio.conf.j2                |  2 +-
 5 files changed, 37 insertions(+), 1 deletion(-)
 create mode 100644 inventory/sample/group_vars/all/cri-o.yml
 create mode 100644 roles/container-engine/cri-o/templates/config.json.j2

diff --git a/inventory/sample/group_vars/all/cri-o.yml b/inventory/sample/group_vars/all/cri-o.yml
new file mode 100644
index 000000000..3e6e4eebb
--- /dev/null
+++ b/inventory/sample/group_vars/all/cri-o.yml
@@ -0,0 +1,6 @@
+# crio_insecure_registries:
+#   - 10.0.0.2:5000
+# crio_registry_auth:
+#   - registry: 10.0.0.2:5000
+#     username: user
+#     password: pass
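Review bot: The example on the added lines shows a literal `password: pass` under `group_vars/all`, a location that is normally committed to version control, and nothing tells the reader to keep the real value elsewhere. I would add a comment line above `# crio_registry_auth:` such as `# Store real credentials in an Ansible Vault encrypted vars file, not in plain-text inventory.` The same example is repeated in the `roles/container-engine/cri-o/defaults/main.yml` hunk and would benefit from the same line.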
diff --git a/roles/container-engine/cri-o/defaults/main.yml b/roles/container-engine/cri-o/defaults/main.yml
index bc9092fd7..5f53aa6f9 100644
--- a/roles/container-engine/cri-o/defaults/main.yml
+++ b/roles/container-engine/cri-o/defaults/main.yml
@@ -14,6 +14,12 @@ crio_registries: []
 # Configure insecure registries.
 crio_insecure_registries: []
 
+# Configure registry auth (if applicable to secure/insecure registries)
+crio_registry_auth: []
+#  - registry: 10.0.0.2:5000
+#    username: user
+#    password: pass
+
 # Define registiries mirror
 
 crio_registries_mirrors: []
diff --git a/roles/container-engine/cri-o/tasks/main.yaml b/roles/container-engine/cri-o/tasks/main.yaml
index d22d1dc32..55db2690f 100644
--- a/roles/container-engine/cri-o/tasks/main.yaml
+++ b/roles/container-engine/cri-o/tasks/main.yaml
@@ -80,6 +80,12 @@
     mode: 0644
   register: config_install
 
+- name: Install config.json
+  template:
+    src: config.json.j2
+    dest: /etc/crio/config.json
+  register: reg_auth_install
+
 - name: Add skopeo pkg to install
   set_fact:
     crio_packages: "{{ crio_packages + skopeo_packages }}"
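Review bot: The added `Install config.json` task sets no `owner` or `mode`, so `/etc/crio/config.json` gets whatever permissions the umask gives, while the template it renders holds registry credentials that are only base64-encoded, not encrypted. Add `owner: root` and `mode: "0600"` under `template:` (assuming cri-o reads the file as root), and `no_log: true` on the task so a `--diff` run does not print the rendered credentials. Quoting the mode also avoids the bare octal form seen in the `mode: 0644` context line above.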
@@ -198,6 +204,7 @@
     state: restarted
   when:
     - config_install.changed
+    - reg_auth_install.changed
     - not package_install.changed
     - not service_start.changed
 
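Review bot: Entries in a `when:` list are AND-ed, so adding `- reg_auth_install.changed` as its own item means the restart fires only when both crio.conf and config.json changed in the same run. A change to either file alone no longer restarts cri-o, which also regresses the previous behaviour for crio.conf edits. Combine the two into one item, `- config_install.changed or reg_auth_install.changed`, and leave the two `not …` items as they are. The task's name and module lines are above the hunk, so this is based only on the visible `state: restarted` and `when:` lines.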
diff --git a/roles/container-engine/cri-o/templates/config.json.j2 b/roles/container-engine/cri-o/templates/config.json.j2
new file mode 100644
index 000000000..522ade7a4
--- /dev/null
+++ b/roles/container-engine/cri-o/templates/config.json.j2
@@ -0,0 +1,17 @@
+{% if crio_registry_auth is defined and crio_registry_auth|length %}
+{ 
+{% for reg in crio_registry_auth %}
+  "auths": {
+    "{{ reg.registry }}": {
+      "auth": "{{ (reg.username + ':' + reg.password) | string | b64encode }}"
+    }
+{% if not loop.last %}
+  },
+{% else %}
+  }
+{% endif %}
+{% endfor %}
+}
+{% else %}
+{}
+{% endif %}
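Review bot: The `"auths": {` line sits inside the `for` loop, so two or more entries in `crio_registry_auth` render a JSON object with repeated `"auths"` keys, and a consumer that keeps the last duplicate would see only the last registry's credentials. The values are also interpolated without JSON escaping, and `reg.username + ':' + reg.password` applies `| string` only after the concatenation, so a password that YAML parsed as a number fails before the filter runs. Emitting `"auths"` once, joining with `~`, and passing the key and value through `to_json` addresses all three. The surrounding `if`/`else` that renders `{}` for an empty list can stay as it is.

```jinja
{# … unchanged: outer if/else that renders {} when crio_registry_auth is empty … #}
{
  "auths": {
{% for reg in crio_registry_auth %}
    {{ reg.registry | to_json }}: {
      "auth": {{ (reg.username ~ ':' ~ reg.password) | b64encode | to_json }}
    }{{ "," if not loop.last else "" }}
{% endfor %}
  }
}
```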
diff --git a/roles/container-engine/cri-o/templates/crio.conf.j2 b/roles/container-engine/cri-o/templates/crio.conf.j2
index cdc7363ac..b6f5357dd 100644
--- a/roles/container-engine/cri-o/templates/crio.conf.j2
+++ b/roles/container-engine/cri-o/templates/crio.conf.j2
@@ -313,7 +313,7 @@ default_transport = "docker://"
 
 # The path to a file containing credentials necessary for pulling images from
 # secure registries. The file is similar to that of /var/lib/kubelet/config.json
-global_auth_file = ""
+global_auth_file = "/etc/crio/config.json"
 
 # The image used to instantiate infra containers.
 # This option supports live configuration reload.
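Review bot: The path `/etc/crio/config.json` is now hard-coded here and again as `dest:` in the `Install config.json` task in tasks/main.yaml, so changing one without the other leaves cri-o pointing at a file the role does not manage. A single role default referenced from both places (for example a new variable such as `crio_global_auth_file`; the name is only a suggestion) would keep them in sync. It would also let operators who already maintain an auth file elsewhere keep using it.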
-- 
GitLab