Make INSECURE_REGISTRY_URL works for CoreOS

Parent commit allow custom secure HYPERKUBE_IMAGE_REPO (which can also
be a local registry). Here we implement INSECURE_REGISTRY_URL which
allow settings custom insecure registry for Kubernetes infra components.

It also enable the insecure registry for Docker daemon.

Partially-Implements: blueprint coreos-best-pratice
Partially-Implements: blueprint support-insecure-registry
Change-Id: If00afa2e8a9100546301f9a1f161daed6e3ffc4f

magnum/drivers/k8s_coreos_v1/templates/fragments/configure-docker.yaml

@@ -0,0 +1,36 @@
+#cloud-config
+write_files:
+  - path: /etc/systemd/system/configure-docker.service
+    owner: "root:root"
+    permissions: "0644"
+    content: |
+      [Unit]
+      Description=Configure Docker
+
+      [Service]
+      Type=oneshot
+      EnvironmentFile=/etc/sysconfig/heat-params
+      ExecStart=/etc/sysconfig/configure-docker.sh
+
+      [Install]
+      WantedBy=multi-user.target
+
+  - path: /etc/sysconfig/configure-docker.sh
+    owner: "root:root"
+    permissions: "0755"
+    content: |
+      #!/bin/sh
+
+      if [ -n "${INSECURE_REGISTRY_URL}" ]; then
+        DOCKER_OPTS="--insecure-registry ${INSECURE_REGISTRY_URL}"
+      fi
+
+      TEMPLATE=/etc/systemd/system/docker.service.d/docker-opts.conf
+      mkdir -p $(dirname ${TEMPLATE})
+      cat << EOF > $TEMPLATE
+      [Service]
+      Environment=DOCKER_OPTS=$DOCKER_OPTS
+      EOF
+
+      systemctl daemon-reload
+      systemctl --no-block restart docker.service

magnum/drivers/k8s_coreos_v1/templates/fragments/enable-kubelet-master.yaml

@@ -25,6 +25,12 @@ write_files:
         KUBE_NODE_IP=$(curl -s http://169.254.169.254/latest/meta-data/local-ipv4)
       fi
 
+      if [ -n "${INSECURE_REGISTRY_URL}" ]; then
+          INSECURE_REGISTRY_ARGS="--pod-infra-container-image=${INSECURE_REGISTRY_URL}/google_containers/pause\:3.0"
+      else
+          INSECURE_REGISTRY_ARGS=""
+      fi
+
       CONF_FILE=/etc/systemd/system/kubelet.service
       cat > $CONF_FILE <<EOF
       [Service]
@@ -39,7 +45,8 @@ write_files:
         --config=/etc/kubernetes/manifests \
         --hostname-override=${KUBE_NODE_IP} \
         --logtostderr=true \
-        --v=0
+        --v=0 \
+        ${INSECURE_REGISTRY_ARGS}
       Restart=always
       RestartSec=10
       [Install]

magnum/drivers/k8s_coreos_v1/templates/fragments/enable-kubelet-minion.yaml

@@ -25,6 +25,12 @@ write_files:
         KUBE_NODE_IP=$(curl -s http://169.254.169.254/latest/meta-data/local-ipv4)
       fi
 
+      if [ -n "${INSECURE_REGISTRY_URL}" ]; then
+          INSECURE_REGISTRY_ARGS="--pod-infra-container-image=${INSECURE_REGISTRY_URL}/google_containers/pause\:3.0"
+      else
+          INSECURE_REGISTRY_ARGS=""
+      fi
+
       TLS_CERT_FILE=${KUBE_CERTS_PATH}/worker.pem
       TLS_PRIVATE_KEY_FILE=${KUBE_CERTS_PATH}/worker-key.pem
       KUBE_PROTOCOL="https"
@@ -54,7 +60,8 @@ write_files:
         --cadvisor-port=4194 \
         --kubeconfig=${KUBE_CONFIG} \
         --tls-cert-file=${TLS_CERT_FILE} \
-        --tls-private-key-file=${TLS_PRIVATE_KEY_FILE}
+        --tls-private-key-file=${TLS_PRIVATE_KEY_FILE} \
+        ${INSECURE_REGISTRY_ARGS}
       Restart=always
       RestartSec=10
       [Install]

magnum/drivers/k8s_coreos_v1/templates/kubecluster.yaml

@@ -110,7 +110,6 @@ parameters:
       Not used by this driver
     default: ""
 
-
   kube_allow_priv:
     type: string
     description: >
@@ -213,7 +212,7 @@ parameters:
     description: version of kubernetes used for kubernetes cluster
     default: v1.5.2_coreos.1
 
-  hyperkube_image_repo:
+  hyperkube_image:
     type: string
     description: >
       Docker registry used for hyperkube image
@@ -236,6 +235,13 @@ parameters:
       timeout for the Wait Conditions
     default: 6000
 
+  insecure_registry_url:
+    type: string
+    description: insecure registry url
+    constraints:
+      - allowed_pattern: "^$|.*/"
+    default: ""
+
 resources:
 
   ######################################################################
@@ -390,7 +396,8 @@ resources:
           trustee_password: {get_param: trustee_password}
           trust_id: {get_param: trust_id}
           auth_url: {get_param: auth_url}
-          hyperkube_image_repo: {get_param: hyperkube_image_repo}
+          hyperkube_image: {get_param: hyperkube_image}
+          insecure_registry_url: {get_param: insecure_registry_url}
 
   ######################################################################
   #
@@ -434,7 +441,8 @@ resources:
           trustee_password: {get_param: trustee_password}
           trust_id: {get_param: trust_id}
           auth_url: {get_param: auth_url}
-          hyperkube_image_repo: {get_param: hyperkube_image_repo}
+          hyperkube_image: {get_param: hyperkube_image}
+          insecure_registry_url: {get_param: insecure_registry_url}
 
 outputs:
 

magnum/drivers/k8s_coreos_v1/templates/kubemaster.yaml

@@ -169,6 +169,10 @@ parameters:
     type: string
     description: url for keystone
 
+  insecure_registry_url:
+    type: string
+    description: insecure registry url
+
 resources:
 
   master_wait_handle:
@@ -239,7 +243,13 @@ resources:
             "$AUTH_URL": {get_param: auth_url}
             "$KUBE_CERTS_PATH": "/etc/kubernetes/ssl"
             "$HOST_CERTS_PATH": "/usr/share/ca-certificates"
-            "$HYPERKUBE_IMAGE_REPO": {get_param: hyperkube_image_repo}
+            "$HYPERKUBE_IMAGE_REPO":
+              str_replace:
+                template: insecure_registry_urlhyperkube_image
+                params:
+                  insecure_registry_url: { get_param: insecure_registry_url }
+                  hyperkube_image: { get_param: hyperkube_image }
+            "$INSECURE_REGISTRY_URL": {get_param: insecure_registry_url}
 
   configure_etcd:
     type: OS::Heat::SoftwareConfig
@@ -313,6 +323,12 @@ resources:
       group: ungrouped
       config: {get_file: fragments/add-proxy.yaml}
 
+  configure_docker:
+    type: OS::Heat::SoftwareConfig
+    properties:
+      group: ungrouped
+      config: {get_file: fragments/configure-docker.yaml}
+
   kube_master_init:
     type: OS::Heat::SoftwareConfig
     properties:
@@ -322,6 +338,7 @@ resources:
           template: |
             $write_heat_params
             $make_cert
+            $configure_docker
             $add_proxy
             $configure_etcd
             $write_network_config
@@ -337,6 +354,8 @@ resources:
               units:
                 - name: "make-cert.service"
                   command: "start"
+                - name: "configure-docker.service"
+                  command: "start"
                 - name: "add-proxy.service"
                   command: "start"
                 - name: "configure-etcd.service"
@@ -362,6 +381,7 @@ resources:
           params:
             "$write_heat_params": {get_attr: [write_heat_params, config]}
             "$make_cert": {get_attr: [make_cert, config]}
+            "$configure_docker": {get_attr: [configure_docker, config]}
             "$add_proxy": {get_attr: [add_proxy, config]}
             "$configure_etcd": {get_attr: [configure_etcd, config]}
             "$write_network_config": {get_attr: [write_network_config, config]}

magnum/drivers/k8s_coreos_v1/templates/kubeminion.yaml

@@ -57,7 +57,7 @@ parameters:
     type: string
     description: version of kubernetes used for kubernetes cluster
 
-  hyperkube_image_repo:
+  hyperkube_image:
     type: string
     description: >
       Docker registry used for hyperkube image
@@ -124,6 +124,10 @@ parameters:
     type: string
     description: url for keystone
 
+  insecure_registry_url:
+    type: string
+    description: insecure registry url
+
 resources:
 
   minion_wait_handle:
@@ -171,7 +175,13 @@ resources:
             "$AUTH_URL": {get_param: auth_url}
             "$KUBE_CERTS_PATH": "/etc/kubernetes/ssl"
             "$HOST_CERTS_PATH": "/usr/share/ca-certificates"
-            "$HYPERKUBE_IMAGE_REPO": {get_param: hyperkube_image_repo}
+            "$HYPERKUBE_IMAGE_REPO":
+              str_replace:
+                template: insecure_registry_urlhyperkube_image
+                params:
+                  insecure_registry_url: { get_param: insecure_registry_url }
+                  hyperkube_image: { get_param: hyperkube_image }
+            "$INSECURE_REGISTRY_URL": {get_param: insecure_registry_url}
 
   write_kubeconfig:
     type: OS::Heat::SoftwareConfig
@@ -215,6 +225,12 @@ resources:
       group: ungrouped
       config: {get_file: fragments/add-proxy.yaml}
 
+  configure_docker:
+    type: OS::Heat::SoftwareConfig
+    properties:
+      group: ungrouped
+      config: {get_file: fragments/configure-docker.yaml}
+
   kube_minion_init:
     type: OS::Heat::SoftwareConfig
     properties:
@@ -225,6 +241,7 @@ resources:
             $write_heat_params
             $write_kubeconfig
             $make_cert
+            $configure_docker
             $add_proxy
             $enable_network_service
             $enable_kubelet
@@ -234,6 +251,8 @@ resources:
               units:
                 - name: "make-cert.service"
                   command: "start"
+                - name: "configure-docker.service"
+                  command: "start"
                 - name: "add-proxy.service"
                   command: "start"
                 - name: "enable-network-service.service"
@@ -248,6 +267,7 @@ resources:
             "$write_heat_params": {get_attr: [write_heat_params, config]}
             "$write_kubeconfig": {get_attr: [write_kubeconfig, config]}
             "$make_cert": {get_attr: [make_cert, config]}
+            "$configure_docker": {get_attr: [configure_docker, config]}
             "$add_proxy": {get_attr: [add_proxy, config]}
             "$enable_network_service": {get_attr: [enable_network_service, config]}
             "$enable_kubelet": {get_attr: [enable_kubelet, config]}