Make INSECURE_REGISTRY_URL works for CoreOS
The parent commit allows a custom secure HYPERKUBE_IMAGE_REPO (which can also be a local registry). Here we implement INSECURE_REGISTRY_URL, which allows setting a custom insecure registry for Kubernetes infra components. It also enables the insecure registry for the Docker daemon. Partially-Implements: blueprint coreos-best-pratice Partially-Implements: blueprint support-insecure-registry Change-Id: If00afa2e8a9100546301f9a1f161daed6e3ffc4f
parent
2351d78be2
commit
7117ff28ca
|
@ -0,0 +1,36 @@
|
|||
#cloud-config
|
||||
write_files:
|
||||
- path: /etc/systemd/system/configure-docker.service
|
||||
owner: "root:root"
|
||||
permissions: "0644"
|
||||
content: |
|
||||
[Unit]
|
||||
Description=Configure Docker
|
||||
|
||||
[Service]
|
||||
Type=oneshot
|
||||
EnvironmentFile=/etc/sysconfig/heat-params
|
||||
ExecStart=/etc/sysconfig/configure-docker.sh
|
||||
|
||||
[Install]
|
||||
WantedBy=multi-user.target
|
||||
|
||||
- path: /etc/sysconfig/configure-docker.sh
|
||||
owner: "root:root"
|
||||
permissions: "0755"
|
||||
content: |
|
||||
#!/bin/sh
|
||||
|
||||
if [ -n "${INSECURE_REGISTRY_URL}" ]; then
|
||||
DOCKER_OPTS="--insecure-registry ${INSECURE_REGISTRY_URL}"
|
||||
fi
|
||||
|
||||
TEMPLATE=/etc/systemd/system/docker.service.d/docker-opts.conf
|
||||
mkdir -p $(dirname ${TEMPLATE})
|
||||
cat << EOF > $TEMPLATE
|
||||
[Service]
|
||||
Environment=DOCKER_OPTS=$DOCKER_OPTS
|
||||
EOF
|
||||
|
||||
systemctl daemon-reload
|
||||
systemctl --no-block restart docker.service
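Review bot: The generated drop-in writes `Environment=DOCKER_OPTS=$DOCKER_OPTS` unquoted, while the value built above contains a space (`--insecure-registry <url>`). systemd splits unquoted `Environment=` values on whitespace, so DOCKER_OPTS would be set to `--insecure-registry` alone and the URL discarded as a malformed assignment. Quote the assignment in the here-document, `Environment="DOCKER_OPTS=$DOCKER_OPTS"`, or build the option as `--insecure-registry=${INSECURE_REGISTRY_URL}`. Initialising `DOCKER_OPTS=""` before the `if` and quoting `"$(dirname "${TEMPLATE}")"` and `"$TEMPLATE"` would also make the script robust against unexpected values coming from heat-params.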
|
|
@ -25,6 +25,12 @@ write_files:
|
|||
KUBE_NODE_IP=$(curl -s http://169.254.169.254/latest/meta-data/local-ipv4)
|
||||
fi
|
||||
|
||||
if [ -n "${INSECURE_REGISTRY_URL}" ]; then
|
||||
INSECURE_REGISTRY_ARGS="--pod-infra-container-image=${INSECURE_REGISTRY_URL}/google_containers/pause\:3.0"
|
||||
else
|
||||
INSECURE_REGISTRY_ARGS=""
|
||||
fi
|
||||
|
||||
CONF_FILE=/etc/systemd/system/kubelet.service
|
||||
cat > $CONF_FILE <<EOF
|
||||
[Service]
|
||||
|
@ -39,7 +45,8 @@ write_files:
|
|||
--config=/etc/kubernetes/manifests \
|
||||
--hostname-override=${KUBE_NODE_IP} \
|
||||
--logtostderr=true \
|
||||
--v=0
|
||||
--v=0 \
|
||||
${INSECURE_REGISTRY_ARGS}
|
||||
Restart=always
|
||||
RestartSec=10
|
||||
[Install]
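Review bot: `INSECURE_REGISTRY_ARGS` joins registry and image with a literal `/` (`${INSECURE_REGISTRY_URL}/google_containers/pause\:3.0`), but the cluster template on this page constrains `insecure_registry_url` with `allowed_pattern: "^$|.*/"` and concatenates it directly with the image name, which suggests the value is expected to end in `/`. If so, the kubelet receives `registry//google_containers/pause`. Pick one convention, for example drop the extra slash here: `INSECURE_REGISTRY_ARGS="--pod-infra-container-image=${INSECURE_REGISTRY_URL}google_containers/pause\:3.0"`. The backslash before `:3.0` stays literal inside double quotes in sh and is written into the unit as-is, so it is worth confirming that is intended. The same lines appear in the second kubelet fragment further down the page.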
|
||||
|
|
|
@ -25,6 +25,12 @@ write_files:
|
|||
KUBE_NODE_IP=$(curl -s http://169.254.169.254/latest/meta-data/local-ipv4)
|
||||
fi
|
||||
|
||||
if [ -n "${INSECURE_REGISTRY_URL}" ]; then
|
||||
INSECURE_REGISTRY_ARGS="--pod-infra-container-image=${INSECURE_REGISTRY_URL}/google_containers/pause\:3.0"
|
||||
else
|
||||
INSECURE_REGISTRY_ARGS=""
|
||||
fi
|
||||
|
||||
TLS_CERT_FILE=${KUBE_CERTS_PATH}/worker.pem
|
||||
TLS_PRIVATE_KEY_FILE=${KUBE_CERTS_PATH}/worker-key.pem
|
||||
KUBE_PROTOCOL="https"
|
||||
|
@ -54,7 +60,8 @@ write_files:
|
|||
--cadvisor-port=4194 \
|
||||
--kubeconfig=${KUBE_CONFIG} \
|
||||
--tls-cert-file=${TLS_CERT_FILE} \
|
||||
--tls-private-key-file=${TLS_PRIVATE_KEY_FILE}
|
||||
--tls-private-key-file=${TLS_PRIVATE_KEY_FILE} \
|
||||
${INSECURE_REGISTRY_ARGS}
|
||||
Restart=always
|
||||
RestartSec=10
|
||||
[Install]
|
||||
|
|
|
@ -110,7 +110,6 @@ parameters:
|
|||
Not used by this driver
|
||||
default: ""
|
||||
|
||||
|
||||
kube_allow_priv:
|
||||
type: string
|
||||
description: >
|
||||
|
@ -213,7 +212,7 @@ parameters:
|
|||
description: version of kubernetes used for kubernetes cluster
|
||||
default: v1.5.2_coreos.1
|
||||
|
||||
hyperkube_image_repo:
|
||||
hyperkube_image:
|
||||
type: string
|
||||
description: >
|
||||
Docker registry used for hyperkube image
|
||||
|
@ -236,6 +235,13 @@ parameters:
|
|||
timeout for the Wait Conditions
|
||||
default: 6000
|
||||
|
||||
insecure_registry_url:
|
||||
type: string
|
||||
description: insecure registry url
|
||||
constraints:
|
||||
- allowed_pattern: "^$|.*/"
|
||||
default: ""
|
||||
|
||||
resources:
|
||||
|
||||
######################################################################
|
||||
|
@ -390,7 +396,8 @@ resources:
|
|||
trustee_password: {get_param: trustee_password}
|
||||
trust_id: {get_param: trust_id}
|
||||
auth_url: {get_param: auth_url}
|
||||
hyperkube_image_repo: {get_param: hyperkube_image_repo}
|
||||
hyperkube_image: {get_param: hyperkube_image}
|
||||
insecure_registry_url: {get_param: insecure_registry_url}
|
||||
|
||||
######################################################################
|
||||
#
|
||||
|
@ -434,7 +441,8 @@ resources:
|
|||
trustee_password: {get_param: trustee_password}
|
||||
trust_id: {get_param: trust_id}
|
||||
auth_url: {get_param: auth_url}
|
||||
hyperkube_image_repo: {get_param: hyperkube_image_repo}
|
||||
hyperkube_image: {get_param: hyperkube_image}
|
||||
insecure_registry_url: {get_param: insecure_registry_url}
|
||||
|
||||
outputs:
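Review bot: The `allowed_pattern: "^$|.*/"` on `insecure_registry_url` only checks for a trailing slash, so whitespace, quotes and other metacharacters are accepted. The node scripts on this page write the value into systemd unit text (`DOCKER_OPTS`, the kubelet arguments), where an embedded space or newline would add options the operator did not intend. A stricter pattern along the lines of `"^$|^[A-Za-z0-9.-]+(:[0-9]+)?/$"` would limit it to `host[:port]/`. The description `insecure registry url` should also state the required trailing slash and that Docker pulls from this registry without certificate verification. The trailing slash presumably also ends up in the `--insecure-registry` value, which is worth checking against what the Docker daemon accepts.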
|
||||
|
||||
|
|
|
@ -169,6 +169,10 @@ parameters:
|
|||
type: string
|
||||
description: url for keystone
|
||||
|
||||
insecure_registry_url:
|
||||
type: string
|
||||
description: insecure registry url
|
||||
|
||||
resources:
|
||||
|
||||
master_wait_handle:
|
||||
|
@ -239,7 +243,13 @@ resources:
|
|||
"$AUTH_URL": {get_param: auth_url}
|
||||
"$KUBE_CERTS_PATH": "/etc/kubernetes/ssl"
|
||||
"$HOST_CERTS_PATH": "/usr/share/ca-certificates"
|
||||
"$HYPERKUBE_IMAGE_REPO": {get_param: hyperkube_image_repo}
|
||||
"$HYPERKUBE_IMAGE_REPO":
|
||||
str_replace:
|
||||
template: insecure_registry_urlhyperkube_image
|
||||
params:
|
||||
insecure_registry_url: { get_param: insecure_registry_url }
|
||||
hyperkube_image: { get_param: hyperkube_image }
|
||||
"$INSECURE_REGISTRY_URL": {get_param: insecure_registry_url}
|
||||
|
||||
configure_etcd:
|
||||
type: OS::Heat::SoftwareConfig
|
||||
|
@ -313,6 +323,12 @@ resources:
|
|||
group: ungrouped
|
||||
config: {get_file: fragments/add-proxy.yaml}
|
||||
|
||||
configure_docker:
|
||||
type: OS::Heat::SoftwareConfig
|
||||
properties:
|
||||
group: ungrouped
|
||||
config: {get_file: fragments/configure-docker.yaml}
|
||||
|
||||
kube_master_init:
|
||||
type: OS::Heat::SoftwareConfig
|
||||
properties:
|
||||
|
@ -322,6 +338,7 @@ resources:
|
|||
template: |
|
||||
$write_heat_params
|
||||
$make_cert
|
||||
$configure_docker
|
||||
$add_proxy
|
||||
$configure_etcd
|
||||
$write_network_config
|
||||
|
@ -337,6 +354,8 @@ resources:
|
|||
units:
|
||||
- name: "make-cert.service"
|
||||
command: "start"
|
||||
- name: "configure-docker.service"
|
||||
command: "start"
|
||||
- name: "add-proxy.service"
|
||||
command: "start"
|
||||
- name: "configure-etcd.service"
|
||||
|
@ -362,6 +381,7 @@ resources:
|
|||
params:
|
||||
"$write_heat_params": {get_attr: [write_heat_params, config]}
|
||||
"$make_cert": {get_attr: [make_cert, config]}
|
||||
"$configure_docker": {get_attr: [configure_docker, config]}
|
||||
"$add_proxy": {get_attr: [add_proxy, config]}
|
||||
"$configure_etcd": {get_attr: [configure_etcd, config]}
|
||||
"$write_network_config": {get_attr: [write_network_config, config]}
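Review bot: The new `str_replace` reads `{get_param: hyperkube_image}`, but no hunk in this section renames the parameter declaration from `hyperkube_image_repo`, whereas the node template's section further down does show that rename. Confirm this template actually declares `hyperkube_image`, otherwise stack validation would be expected to fail. Separately, `template: insecure_registry_urlhyperkube_image` uses the bare parameter names as placeholders, which is hard to read and could misfire if one value contained the other placeholder's name; `list_join: ['', [{get_param: insecure_registry_url}, {get_param: hyperkube_image}]]` expresses the concatenation directly, if the template's HOT version supports it. `insecure_registry_url` is declared here without `default` or constraint, so the trailing-slash rule is enforced only by the parent template. The `str_replace` and missing-constraint points apply to the node template as well.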
|
||||
|
|
|
@ -57,7 +57,7 @@ parameters:
|
|||
type: string
|
||||
description: version of kubernetes used for kubernetes cluster
|
||||
|
||||
hyperkube_image_repo:
|
||||
hyperkube_image:
|
||||
type: string
|
||||
description: >
|
||||
Docker registry used for hyperkube image
|
||||
|
@ -124,6 +124,10 @@ parameters:
|
|||
type: string
|
||||
description: url for keystone
|
||||
|
||||
insecure_registry_url:
|
||||
type: string
|
||||
description: insecure registry url
|
||||
|
||||
resources:
|
||||
|
||||
minion_wait_handle:
|
||||
|
@ -171,7 +175,13 @@ resources:
|
|||
"$AUTH_URL": {get_param: auth_url}
|
||||
"$KUBE_CERTS_PATH": "/etc/kubernetes/ssl"
|
||||
"$HOST_CERTS_PATH": "/usr/share/ca-certificates"
|
||||
"$HYPERKUBE_IMAGE_REPO": {get_param: hyperkube_image_repo}
|
||||
"$HYPERKUBE_IMAGE_REPO":
|
||||
str_replace:
|
||||
template: insecure_registry_urlhyperkube_image
|
||||
params:
|
||||
insecure_registry_url: { get_param: insecure_registry_url }
|
||||
hyperkube_image: { get_param: hyperkube_image }
|
||||
"$INSECURE_REGISTRY_URL": {get_param: insecure_registry_url}
|
||||
|
||||
write_kubeconfig:
|
||||
type: OS::Heat::SoftwareConfig
|
||||
|
@ -215,6 +225,12 @@ resources:
|
|||
group: ungrouped
|
||||
config: {get_file: fragments/add-proxy.yaml}
|
||||
|
||||
configure_docker:
|
||||
type: OS::Heat::SoftwareConfig
|
||||
properties:
|
||||
group: ungrouped
|
||||
config: {get_file: fragments/configure-docker.yaml}
|
||||
|
||||
kube_minion_init:
|
||||
type: OS::Heat::SoftwareConfig
|
||||
properties:
|
||||
|
@ -225,6 +241,7 @@ resources:
|
|||
$write_heat_params
|
||||
$write_kubeconfig
|
||||
$make_cert
|
||||
$configure_docker
|
||||
$add_proxy
|
||||
$enable_network_service
|
||||
$enable_kubelet
|
||||
|
@ -234,6 +251,8 @@ resources:
|
|||
units:
|
||||
- name: "make-cert.service"
|
||||
command: "start"
|
||||
- name: "configure-docker.service"
|
||||
command: "start"
|
||||
- name: "add-proxy.service"
|
||||
command: "start"
|
||||
- name: "enable-network-service.service"
|
||||
|
@ -248,6 +267,7 @@ resources:
|
|||
"$write_heat_params": {get_attr: [write_heat_params, config]}
|
||||
"$write_kubeconfig": {get_attr: [write_kubeconfig, config]}
|
||||
"$make_cert": {get_attr: [make_cert, config]}
|
||||
"$configure_docker": {get_attr: [configure_docker, config]}
|
||||
"$add_proxy": {get_attr: [add_proxy, config]}
|
||||
"$enable_network_service": {get_attr: [enable_network_service, config]}
|
||||
"$enable_kubelet": {get_attr: [enable_kubelet, config]}
|
||||
|
|