
[k8s-fcos] Fix insecure registry

At present, insecure registry doesn't work as expected when Podman is
used. This patch addresses the issue by fixing the ignition user data so
that Podman is configured correctly. Then it ensures that
--insecure-registry flag is provided to Docker in /etc/sysconfig/docker.

Story: 2008479
Task: 41519

Change-Id: I2e1c86e0c88ab5b59185fd523e9c9696ce0f951e
changes/89/749989/8
Bharat Kunwar 11 months ago
parent
commit
7bfd7519af
  1. 6
      magnum/drivers/common/templates/kubernetes/fragments/configure-kubernetes-master.sh
  2. 6
      magnum/drivers/common/templates/kubernetes/fragments/configure-kubernetes-minion.sh
  3. 18
      magnum/drivers/k8s_fedora_coreos_v1/templates/fcct-config.yaml
  4. 8
      magnum/drivers/k8s_fedora_coreos_v1/templates/kubemaster.yaml
  5. 8
      magnum/drivers/k8s_fedora_coreos_v1/templates/kubeminion.yaml
  6. 15
      magnum/drivers/k8s_fedora_coreos_v1/templates/user_data.json

6
magnum/drivers/common/templates/kubernetes/fragments/configure-kubernetes-master.sh

@ -450,11 +450,11 @@ if [ -f /etc/sysconfig/docker ] ; then
sed -i 's/\-\-log\-driver\=journald//g' /etc/sysconfig/docker
# json-file is required for conformance.
# https://docs.docker.com/config/containers/logging/json-file/
sed -i -E 's/^OPTIONS=("|'"'"')/OPTIONS=\1--log-driver=json-file --log-opt max-size=10m --log-opt max-file=5 /' /etc/sysconfig/docker
DOCKER_OPTIONS="--log-driver=json-file --log-opt max-size=10m --log-opt max-file=5"
if [ -n "${INSECURE_REGISTRY_URL}" ]; then
echo "INSECURE_REGISTRY='--insecure-registry ${INSECURE_REGISTRY_URL}'" >> /etc/sysconfig/docker
DOCKER_OPTIONS="${DOCKER_OPTIONS} --insecure-registry ${INSECURE_REGISTRY_URL}"
fi
sed -i -E 's/^OPTIONS=("|'"'"')/OPTIONS=\1'"${DOCKER_OPTIONS}"' /' /etc/sysconfig/docker
fi
KUBELET_ARGS="${KUBELET_ARGS} --network-plugin=cni --cni-conf-dir=/etc/cni/net.d --cni-bin-dir=/opt/cni/bin"
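Review bot: The final `sed` splices `${DOCKER_OPTIONS}` unescaped into a replacement that uses `/` as its delimiter, so an `INSECURE_REGISTRY_URL` containing `/` or `&` breaks the expression or rewrites OPTIONS differently than intended. Such values are plausible: Docker accepts a CIDR for this flag (constructed example `10.0.0.0/8`), and the parameter name invites a value with a scheme or path. Escape the value first, for example `DOCKER_OPTIONS_ESC=$(printf '%s' "${DOCKER_OPTIONS}" | sed 's/[\/&]/\\&/g')`, and use `${DOCKER_OPTIONS_ESC}` in the replacement. The same lines are added in configure-kubernetes-minion.sh, and the enclosing `if [ -f /etc/sysconfig/docker ]` block starts outside the hunk.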

6
magnum/drivers/common/templates/kubernetes/fragments/configure-kubernetes-minion.sh

@ -263,11 +263,11 @@ if [ -f /etc/sysconfig/docker ] ; then
sed -i 's/\-\-log\-driver\=journald//g' /etc/sysconfig/docker
# json-file is required for conformance.
# https://docs.docker.com/config/containers/logging/json-file/
sed -i -E 's/^OPTIONS=("|'"'"')/OPTIONS=\1--log-driver=json-file --log-opt max-size=10m --log-opt max-file=5 /' /etc/sysconfig/docker
DOCKER_OPTIONS="--log-driver=json-file --log-opt max-size=10m --log-opt max-file=5"
if [ -n "${INSECURE_REGISTRY_URL}" ]; then
echo "INSECURE_REGISTRY='--insecure-registry ${INSECURE_REGISTRY_URL}'" >> /etc/sysconfig/docker
DOCKER_OPTIONS="${DOCKER_OPTIONS} --insecure-registry ${INSECURE_REGISTRY_URL}"
fi
sed -i -E 's/^OPTIONS=("|'"'"')/OPTIONS=\1'"${DOCKER_OPTIONS}"' /' /etc/sysconfig/docker
fi
KUBELET_ARGS="${KUBELET_ARGS} --pod-infra-container-image=${CONTAINER_INFRA_PREFIX:-gcr.io/google_containers/}pause:3.1"

18
magnum/drivers/k8s_fedora_coreos_v1/templates/fcct-config.yaml

@ -5,9 +5,9 @@
#
# You can use podman or docker to generate the ignition formatted json:
# podman run --rm \
# -v ./fcct-config.yaml:/config.fcc:z \
# quay.io/coreos/fcct:release \
# --pretty --strict --input /config.fcc > ./user_data.json
# -v $(pwd)/fcct-config.yaml:/config.fcc \
# quay.io/coreos/fcct:release \
# --pretty --strict /config.fcc > ./user_data.json
#
# [0] https://github.com/coreos/fcct
# [1] https://github.com/coreos/fedora-coreos-docs/blob/master/modules/ROOT/pages/producing-ign.adoc
@ -69,6 +69,18 @@ storage:
# -1 is unlimited
# 50m
max_log_size = 52428800
- path: /etc/containers/__REGISTRIES_CONF__
# 420 (decimal) == 644 (octal)
mode: 420
user:
name: root
group:
name: root
append:
- inline: |
[[registry]]
location = "__INSECURE_REGISTRY_URL__"
insecure = true
- path: /etc/hostname
# 420 (decimal) == 644 (octal)
mode: 420
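Review bot: The new `/etc/containers/__REGISTRIES_CONF__` entry has no comment explaining why the file name is a placeholder or what `insecure = true` permits. Judging from the Heat templates in this commit, the name becomes `.registries.conf` when no insecure registry is set, presumably so the appended stanza lands in a file Podman does not read. I would add above `- path:` something like `# __REGISTRIES_CONF__ is "registries.conf" only when insecure_registry_url is set; otherwise ".registries.conf", which is not read.` and next to `insecure = true` a line such as `# allows plain HTTP and unverified TLS for this location only`. The list item that follows continues outside the hunk.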

8
magnum/drivers/k8s_fedora_coreos_v1/templates/kubemaster.yaml

@ -708,6 +708,14 @@ resources:
__HTTPS_PROXY__: {get_param: https_proxy}
__NO_PROXY__: {get_param: no_proxy}
__SELINUX_MODE__: {get_param: selinux_mode}
__INSECURE_REGISTRY_URL__: {get_param: insecure_registry_url}
__REGISTRIES_CONF__:
if:
- equals:
- get_param: insecure_registry_url
- ""
- ".registries.conf"
- "registries.conf"
master_config:
type: OS::Heat::SoftwareConfig
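Review bot: `__INSECURE_REGISTRY_URL__` is filled from `insecure_registry_url` with no visible constraint, and the value ends up inside a quoted TOML string in fcct-config.yaml and inside a percent-encoded `data:` URL in user_data.json. A value containing `"`, `%` or a newline would therefore change the generated registries.conf rather than just name a registry. The parameter definition is outside this hunk, but adding a constraint there would close this, for example `constraints: [{allowed_pattern: "^[A-Za-z0-9._:/\\[\\]-]*$"}]`. The same mapping is added in kubeminion.yaml.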

8
magnum/drivers/k8s_fedora_coreos_v1/templates/kubeminion.yaml

@ -402,6 +402,14 @@ resources:
__HTTPS_PROXY__: {get_param: https_proxy}
__NO_PROXY__: {get_param: no_proxy}
__SELINUX_MODE__: {get_param: selinux_mode}
__INSECURE_REGISTRY_URL__: {get_param: insecure_registry_url}
__REGISTRIES_CONF__:
if:
- equals:
- get_param: insecure_registry_url
- ""
- ".registries.conf"
- "registries.conf"
######################################################################
#

15
magnum/drivers/k8s_fedora_coreos_v1/templates/user_data.json

@ -63,6 +63,21 @@
},
"mode": 420
},
{
"group": {
"name": "root"
},
"path": "/etc/containers/__REGISTRIES_CONF__",
"user": {
"name": "root"
},
"append": [
{
"source": "data:,%5B%5Bregistry%5D%5D%0Alocation%20%3D%20%22__INSECURE_REGISTRY_URL__%22%0Ainsecure%20%3D%20true%0A"
}
],
"mode": 420
},
{
"group": {
"name": "root"
