Merge "[k8s-fcos] Fix insecure registry"

5 months ago · 14aa6830da
--- a/magnum/drivers/common/templates/kubernetes/fragments/configure-kubernetes-master.sh
+++ b/magnum/drivers/common/templates/kubernetes/fragments/configure-kubernetes-master.sh
@ -450,11 +450,11 @@ if [ -f /etc/sysconfig/docker ] ; then
    sed -i 's/\-\-log\-driver\=journald//g' /etc/sysconfig/docker
    # json-file is required for conformance.
    # https://docs.docker.com/config/containers/logging/json-file/
    sed -i -E 's/^OPTIONS=("|'"'"')/OPTIONS=\1--log-driver=json-file --log-opt max-size=10m --log-opt max-file=5 /' /etc/sysconfig/docker

    DOCKER_OPTIONS="--log-driver=json-file --log-opt max-size=10m --log-opt max-file=5"
    if [ -n "${INSECURE_REGISTRY_URL}" ]; then
        echo "INSECURE_REGISTRY='--insecure-registry ${INSECURE_REGISTRY_URL}'" >> /etc/sysconfig/docker
        DOCKER_OPTIONS="${DOCKER_OPTIONS} --insecure-registry ${INSECURE_REGISTRY_URL}"
    fi
    sed -i -E 's/^OPTIONS=("|'"'"')/OPTIONS=\1'"${DOCKER_OPTIONS}"' /' /etc/sysconfig/docker
 fi

 KUBELET_ARGS="${KUBELET_ARGS} --network-plugin=cni --cni-conf-dir=/etc/cni/net.d --cni-bin-dir=/opt/cni/bin"
--- a/magnum/drivers/common/templates/kubernetes/fragments/configure-kubernetes-minion.sh
+++ b/magnum/drivers/common/templates/kubernetes/fragments/configure-kubernetes-minion.sh
@ -263,11 +263,11 @@ if [ -f /etc/sysconfig/docker ] ; then
    sed -i 's/\-\-log\-driver\=journald//g' /etc/sysconfig/docker
    # json-file is required for conformance.
    # https://docs.docker.com/config/containers/logging/json-file/
    sed -i -E 's/^OPTIONS=("|'"'"')/OPTIONS=\1--log-driver=json-file --log-opt max-size=10m --log-opt max-file=5 /' /etc/sysconfig/docker

    DOCKER_OPTIONS="--log-driver=json-file --log-opt max-size=10m --log-opt max-file=5"
    if [ -n "${INSECURE_REGISTRY_URL}" ]; then
        echo "INSECURE_REGISTRY='--insecure-registry ${INSECURE_REGISTRY_URL}'" >> /etc/sysconfig/docker
        DOCKER_OPTIONS="${DOCKER_OPTIONS} --insecure-registry ${INSECURE_REGISTRY_URL}"
    fi
    sed -i -E 's/^OPTIONS=("|'"'"')/OPTIONS=\1'"${DOCKER_OPTIONS}"' /' /etc/sysconfig/docker
 fi

 KUBELET_ARGS="${KUBELET_ARGS} --pod-infra-container-image=${CONTAINER_INFRA_PREFIX:-gcr.io/google_containers/}pause:3.1"
--- a/magnum/drivers/k8s_fedora_coreos_v1/templates/fcct-config.yaml
+++ b/magnum/drivers/k8s_fedora_coreos_v1/templates/fcct-config.yaml
@ -5,9 +5,9 @@
 #
 # You can use podman or docker to generate the ignition formatted json:
 # podman run --rm \
 # -v ./fcct-config.yaml:/config.fcc:z \
 # quay.io/coreos/fcct:release \
 # --pretty --strict --input /config.fcc > ./user_data.json
 #   -v $(pwd)/fcct-config.yaml:/config.fcc \
 #   quay.io/coreos/fcct:release \
 #   --pretty --strict /config.fcc > ./user_data.json
 #
 # [0] https://github.com/coreos/fcct
 # [1] https://github.com/coreos/fedora-coreos-docs/blob/master/modules/ROOT/pages/producing-ign.adoc
@ -69,6 +69,18 @@ storage:
          # -1 is unlimited
          # 50m
          max_log_size = 52428800
    - path: /etc/containers/__REGISTRIES_CONF__
      # 420 (decimal) == 644 (octal)
      mode: 420
      user:
        name: root
      group:
        name: root
      append:
        - inline: |
            [[registry]]
            location = "__INSECURE_REGISTRY_URL__"
            insecure = true
    - path: /etc/hostname
      # 420 (decimal) == 644 (octal)
      mode: 420
--- a/magnum/drivers/k8s_fedora_coreos_v1/templates/kubemaster.yaml
+++ b/magnum/drivers/k8s_fedora_coreos_v1/templates/kubemaster.yaml
@ -708,6 +708,14 @@ resources:
                  __HTTPS_PROXY__: {get_param: https_proxy}
                  __NO_PROXY__: {get_param: no_proxy}
                  __SELINUX_MODE__: {get_param: selinux_mode}
                  __INSECURE_REGISTRY_URL__: {get_param: insecure_registry_url}
                  __REGISTRIES_CONF__:
                    if:
                      - equals:
                        - get_param: insecure_registry_url
                        - ""
                      - ".registries.conf"
                      - "registries.conf"

  master_config:
    type: OS::Heat::SoftwareConfig
--- a/magnum/drivers/k8s_fedora_coreos_v1/templates/kubeminion.yaml
+++ b/magnum/drivers/k8s_fedora_coreos_v1/templates/kubeminion.yaml
@ -402,6 +402,14 @@ resources:
                  __HTTPS_PROXY__: {get_param: https_proxy}
                  __NO_PROXY__: {get_param: no_proxy}
                  __SELINUX_MODE__: {get_param: selinux_mode}
                  __INSECURE_REGISTRY_URL__: {get_param: insecure_registry_url}
                  __REGISTRIES_CONF__:
                    if:
                      - equals:
                        - get_param: insecure_registry_url
                        - ""
                      - ".registries.conf"
                      - "registries.conf"

  ######################################################################
  #
--- a/magnum/drivers/k8s_fedora_coreos_v1/templates/user_data.json
+++ b/magnum/drivers/k8s_fedora_coreos_v1/templates/user_data.json
@ -63,6 +63,21 @@
        },
        "mode": 420
      },
      {
        "group": {
          "name": "root"
        },
        "path": "/etc/containers/__REGISTRIES_CONF__",
        "user": {
          "name": "root"
        },
        "append": [
          {
            "source": "data:,%5B%5Bregistry%5D%5D%0Alocation%20%3D%20%22__INSECURE_REGISTRY_URL__%22%0Ainsecure%20%3D%20true%0A"
          }
        ],
        "mode": 420
      },
      {
        "group": {
          "name": "root"