Merge "[k8s-fcos] Fix insecure registry"

2021-02-01 22:22:43 +00:00 · 2021-02-01 22:22:43 +00:00 · 14aa6830da
parent 7608579f19 7bfd7519af
commit 14aa6830da
6 changed files with 52 additions and 9 deletions
--- a/magnum/drivers/common/templates/kubernetes/fragments/configure-kubernetes-master.sh
+++ b/magnum/drivers/common/templates/kubernetes/fragments/configure-kubernetes-master.sh
@ -450,11 +450,11 @@ if [ -f /etc/sysconfig/docker ] ; then
    sed -i 's/\-\-log\-driver\=journald//g' /etc/sysconfig/docker
    # json-file is required for conformance.
    # https://docs.docker.com/config/containers/logging/json-file/
-    sed -i -E 's/^OPTIONS=("|'"'"')/OPTIONS=\1--log-driver=json-file --log-opt max-size=10m --log-opt max-file=5 /' /etc/sysconfig/docker
-
+    DOCKER_OPTIONS="--log-driver=json-file --log-opt max-size=10m --log-opt max-file=5"
    if [ -n "${INSECURE_REGISTRY_URL}" ]; then
-        echo "INSECURE_REGISTRY='--insecure-registry ${INSECURE_REGISTRY_URL}'" >> /etc/sysconfig/docker
+        DOCKER_OPTIONS="${DOCKER_OPTIONS} --insecure-registry ${INSECURE_REGISTRY_URL}"
    fi
+    sed -i -E 's/^OPTIONS=("|'"'"')/OPTIONS=\1'"${DOCKER_OPTIONS}"' /' /etc/sysconfig/docker
 fi

 KUBELET_ARGS="${KUBELET_ARGS} --network-plugin=cni --cni-conf-dir=/etc/cni/net.d --cni-bin-dir=/opt/cni/bin"
--- a/magnum/drivers/common/templates/kubernetes/fragments/configure-kubernetes-minion.sh
+++ b/magnum/drivers/common/templates/kubernetes/fragments/configure-kubernetes-minion.sh
@ -263,11 +263,11 @@ if [ -f /etc/sysconfig/docker ] ; then
    sed -i 's/\-\-log\-driver\=journald//g' /etc/sysconfig/docker
    # json-file is required for conformance.
    # https://docs.docker.com/config/containers/logging/json-file/
-    sed -i -E 's/^OPTIONS=("|'"'"')/OPTIONS=\1--log-driver=json-file --log-opt max-size=10m --log-opt max-file=5 /' /etc/sysconfig/docker
-
+    DOCKER_OPTIONS="--log-driver=json-file --log-opt max-size=10m --log-opt max-file=5"
    if [ -n "${INSECURE_REGISTRY_URL}" ]; then
-        echo "INSECURE_REGISTRY='--insecure-registry ${INSECURE_REGISTRY_URL}'" >> /etc/sysconfig/docker
+        DOCKER_OPTIONS="${DOCKER_OPTIONS} --insecure-registry ${INSECURE_REGISTRY_URL}"
    fi
+    sed -i -E 's/^OPTIONS=("|'"'"')/OPTIONS=\1'"${DOCKER_OPTIONS}"' /' /etc/sysconfig/docker
 fi

 KUBELET_ARGS="${KUBELET_ARGS} --pod-infra-container-image=${CONTAINER_INFRA_PREFIX:-gcr.io/google_containers/}pause:3.1"
--- a/magnum/drivers/k8s_fedora_coreos_v1/templates/fcct-config.yaml
+++ b/magnum/drivers/k8s_fedora_coreos_v1/templates/fcct-config.yaml
@ -5,9 +5,9 @@
 #
 # You can use podman or docker to generate the ignition formatted json:
 # podman run --rm \
-# -v ./fcct-config.yaml:/config.fcc:z \
-# quay.io/coreos/fcct:release \
-# --pretty --strict --input /config.fcc > ./user_data.json
+#   -v $(pwd)/fcct-config.yaml:/config.fcc \
+#   quay.io/coreos/fcct:release \
+#   --pretty --strict /config.fcc > ./user_data.json
 #
 # [0] https://github.com/coreos/fcct
 # [1] https://github.com/coreos/fedora-coreos-docs/blob/master/modules/ROOT/pages/producing-ign.adoc
@ -69,6 +69,18 @@ storage:
          # -1 is unlimited
          # 50m
          max_log_size = 52428800
+    - path: /etc/containers/__REGISTRIES_CONF__
+      # 420 (decimal) == 644 (octal)
+      mode: 420
+      user:
+        name: root
+      group:
+        name: root
+      append:
+        - inline: |
+            [[registry]]
+            location = "__INSECURE_REGISTRY_URL__"
+            insecure = true
    - path: /etc/hostname
      # 420 (decimal) == 644 (octal)
      mode: 420
--- a/magnum/drivers/k8s_fedora_coreos_v1/templates/kubemaster.yaml
+++ b/magnum/drivers/k8s_fedora_coreos_v1/templates/kubemaster.yaml
@ -708,6 +708,14 @@ resources:
                  __HTTPS_PROXY__: {get_param: https_proxy}
                  __NO_PROXY__: {get_param: no_proxy}
                  __SELINUX_MODE__: {get_param: selinux_mode}
+                  __INSECURE_REGISTRY_URL__: {get_param: insecure_registry_url}
+                  __REGISTRIES_CONF__:
+                    if:
+                      - equals:
+                        - get_param: insecure_registry_url
+                        - ""
+                      - ".registries.conf"
+                      - "registries.conf"

  master_config:
    type: OS::Heat::SoftwareConfig
--- a/magnum/drivers/k8s_fedora_coreos_v1/templates/kubeminion.yaml
+++ b/magnum/drivers/k8s_fedora_coreos_v1/templates/kubeminion.yaml
@ -402,6 +402,14 @@ resources:
                  __HTTPS_PROXY__: {get_param: https_proxy}
                  __NO_PROXY__: {get_param: no_proxy}
                  __SELINUX_MODE__: {get_param: selinux_mode}
+                  __INSECURE_REGISTRY_URL__: {get_param: insecure_registry_url}
+                  __REGISTRIES_CONF__:
+                    if:
+                      - equals:
+                        - get_param: insecure_registry_url
+                        - ""
+                      - ".registries.conf"
+                      - "registries.conf"

  ######################################################################
  #
--- a/magnum/drivers/k8s_fedora_coreos_v1/templates/user_data.json
+++ b/magnum/drivers/k8s_fedora_coreos_v1/templates/user_data.json
@ -63,6 +63,21 @@
        },
        "mode": 420
      },
+      {
+        "group": {
+          "name": "root"
+        },
+        "path": "/etc/containers/__REGISTRIES_CONF__",
+        "user": {
+          "name": "root"
+        },
+        "append": [
+          {
+            "source": "data:,%5B%5Bregistry%5D%5D%0Alocation%20%3D%20%22__INSECURE_REGISTRY_URL__%22%0Ainsecure%20%3D%20true%0A"
+          }
+        ],
+        "mode": 420
+      },
      {
        "group": {
          "name": "root"