From 9f2dd09628a11f419f394f70dae800c88b3b6959 Mon Sep 17 00:00:00 2001
From: Etienne Champetier <champetier.etienne@gmail.com>
Date: Wed, 29 Jan 2020 04:24:14 -0500
Subject: [PATCH] Add proxy support to containerd, improves no_proxy (#5583)

* containerd: add proxy support

Signed-off-by: Etienne Champetier <champetier.etienne@gmail.com>

* kubespray-defaults: add kube_service_addresses / kube_pods_subnet to no_proxy

CIDR notation in no_proxy is supported by a lot of programs/languages,
including go: https://github.com/golang/go/issues/16704
Without that containerd cannot talk to the API server (kube_apiserver_ip),
but it should not go through an external proxy for the nodes/pods/services

Signed-off-by: Etienne Champetier <champetier.etienne@gmail.com>
---
 roles/container-engine/containerd/tasks/main.yml     | 12 ++++++++++++
 .../containerd/templates/http-proxy.conf.j2          |  2 ++
 roles/kubespray-defaults/defaults/main.yaml          |  2 +-
 3 files changed, 15 insertions(+), 1 deletion(-)
 create mode 100644 roles/container-engine/containerd/templates/http-proxy.conf.j2

diff --git a/roles/container-engine/containerd/tasks/main.yml b/roles/container-engine/containerd/tasks/main.yml
index 2d4d6d489..093e00210 100644
--- a/roles/container-engine/containerd/tasks/main.yml
+++ b/roles/container-engine/containerd/tasks/main.yml
@@ -26,6 +26,18 @@
 
 - include_tasks: containerd_repo.yml
 
+- name: Create containerd service systemd directory if it doesn't exist
+  file:
+    path: /etc/systemd/system/containerd.service.d
+    state: directory
+
+- name: Write containerd proxy drop-in
+  template:
+    src: http-proxy.conf.j2
+    dest: /etc/systemd/system/containerd.service.d/http-proxy.conf
+  notify: restart containerd
+  when: http_proxy is defined or https_proxy is defined
+
 - name: ensure containerd config directory
   file:
     dest: "{{ containerd_cfg_dir }}"
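Review bot: Neither added task sets `mode` or `owner`, so the permissions of `/etc/systemd/system/containerd.service.d` and `http-proxy.conf` depend on the umask of the Ansible run; add `mode: "0755"` to the `file` task and `owner: root`, `mode: "0644"` to the `template` task so the drop-in can never end up group- or world-writable. If `http_proxy` or `https_proxy` carry embedded credentials, a tighter file mode would not hide them, because systemd exposes a unit's `Environment=` to local users through `systemctl show`; that deserves a comment next to the task. The `restart containerd` handler is outside this hunk, so confirm it performs a systemd daemon reload, otherwise a changed drop-in is not picked up. The drop-in is also left in place when the proxy variables are later unset.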
diff --git a/roles/container-engine/containerd/templates/http-proxy.conf.j2 b/roles/container-engine/containerd/templates/http-proxy.conf.j2
new file mode 100644
index 000000000..212f30f92
--- /dev/null
+++ b/roles/container-engine/containerd/templates/http-proxy.conf.j2
@@ -0,0 +1,2 @@
+[Service]
+Environment={% if http_proxy is defined %}"HTTP_PROXY={{ http_proxy }}"{% endif %} {% if https_proxy is defined %}"HTTPS_PROXY={{ https_proxy }}"{% endif %} {% if no_proxy is defined %}"NO_PROXY={{ no_proxy }}"{% endif %}
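Review bot: The proxy values are placed inside the quoted `Environment=` assignments without any escaping, and systemd expands `%` specifiers in that setting, so a proxy URL with percent-encoded characters (common in encoded credentials) is altered or rejected when the unit is loaded. Double the percent signs, e.g. `"HTTP_PROXY={{ http_proxy | replace('%', '%%') }}"`, and do the same for `https_proxy` and `no_proxy`. A value containing a double quote or a line break would likewise change how the rest of the unit file is parsed, so the three variables are worth validating (for instance with an `assert` task) before templating. When a variable is defined but empty, the line still emits an empty assignment such as `"HTTP_PROXY="`.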
diff --git a/roles/kubespray-defaults/defaults/main.yaml b/roles/kubespray-defaults/defaults/main.yaml
index d5a1cd7f9..48ac3c6ec 100644
--- a/roles/kubespray-defaults/defaults/main.yaml
+++ b/roles/kubespray-defaults/defaults/main.yaml
@@ -416,7 +416,7 @@ no_proxy: >-
   {%- if additional_no_proxy is defined -%}
   {{ additional_no_proxy }},
   {%- endif -%}
-  127.0.0.1,localhost
+  127.0.0.1,localhost,{{kube_service_addresses}},{{kube_pods_subnet}}
   {%- endif %}
 
 proxy_env:
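Review bot: The CIDR entries added to `no_proxy` are only honoured by clients that implement CIDR matching (the commit message cites Go); any other consumer of `proxy_env` would keep sending service and pod traffic, including whatever credentials those requests carry, to the external proxy. That limitation should be documented where the value is defined, for example `# CIDR entries are only matched by CIDR-aware clients (e.g. Go); others still use the proxy for these ranges`, placed above the `no_proxy:` key, which starts outside this hunk; a `#` line inside the folded scalar would become part of the value. The new expressions also lack the spacing used on the neighbouring line, so `{{ kube_service_addresses }},{{ kube_pods_subnet }}` would be consistent with `{{ additional_no_proxy }}`.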
-- 
GitLab