[k8s-fcos] Fix insecure registry

At present, insecure registry doesn't work as expected when Podman is used. This patch addresses the issue by fixing the ignition user data so that Podman is configured correctly. Then it ensures that --insecure-registry flag is provided to Docker in /etc/sysconfig/docker. Story: 2008479 Task: 41519 Change-Id: I2e1c86e0c88ab5b59185fd523e9c9696ce0f951e
2020-09-04 15:36:42 +00:00 · 2020-09-04 15:36:42 +00:00 · 7bfd7519af
parent f2aae8834e
commit 7bfd7519af
6 changed files with 52 additions and 9 deletions
--- a/magnum/drivers/common/templates/kubernetes/fragments/configure-kubernetes-master.sh
+++ b/magnum/drivers/common/templates/kubernetes/fragments/configure-kubernetes-master.sh
@ -450,11 +450,11 @@ if [ -f /etc/sysconfig/docker ] ; then
    sed -i 's/\-\-log\-driver\=journald//g' /etc/sysconfig/docker
    # json-file is required for conformance.
    # https://docs.docker.com/config/containers/logging/json-file/
-    sed -i -E 's/^OPTIONS=("|'"'"')/OPTIONS=\1--log-driver=json-file --log-opt max-size=10m --log-opt max-file=5 /' /etc/sysconfig/docker
-
+    DOCKER_OPTIONS="--log-driver=json-file --log-opt max-size=10m --log-opt max-file=5"
    if [ -n "${INSECURE_REGISTRY_URL}" ]; then
-        echo "INSECURE_REGISTRY='--insecure-registry ${INSECURE_REGISTRY_URL}'" >> /etc/sysconfig/docker
+        DOCKER_OPTIONS="${DOCKER_OPTIONS} --insecure-registry ${INSECURE_REGISTRY_URL}"
    fi
+    sed -i -E 's/^OPTIONS=("|'"'"')/OPTIONS=\1'"${DOCKER_OPTIONS}"' /' /etc/sysconfig/docker
 fi

 KUBELET_ARGS="${KUBELET_ARGS} --network-plugin=cni --cni-conf-dir=/etc/cni/net.d --cni-bin-dir=/opt/cni/bin"
--- a/magnum/drivers/common/templates/kubernetes/fragments/configure-kubernetes-minion.sh
+++ b/magnum/drivers/common/templates/kubernetes/fragments/configure-kubernetes-minion.sh
@ -263,11 +263,11 @@ if [ -f /etc/sysconfig/docker ] ; then
    sed -i 's/\-\-log\-driver\=journald//g' /etc/sysconfig/docker
    # json-file is required for conformance.
    # https://docs.docker.com/config/containers/logging/json-file/
-    sed -i -E 's/^OPTIONS=("|'"'"')/OPTIONS=\1--log-driver=json-file --log-opt max-size=10m --log-opt max-file=5 /' /etc/sysconfig/docker
-
+    DOCKER_OPTIONS="--log-driver=json-file --log-opt max-size=10m --log-opt max-file=5"
    if [ -n "${INSECURE_REGISTRY_URL}" ]; then
-        echo "INSECURE_REGISTRY='--insecure-registry ${INSECURE_REGISTRY_URL}'" >> /etc/sysconfig/docker
+        DOCKER_OPTIONS="${DOCKER_OPTIONS} --insecure-registry ${INSECURE_REGISTRY_URL}"
    fi
+    sed -i -E 's/^OPTIONS=("|'"'"')/OPTIONS=\1'"${DOCKER_OPTIONS}"' /' /etc/sysconfig/docker
 fi

 KUBELET_ARGS="${KUBELET_ARGS} --pod-infra-container-image=${CONTAINER_INFRA_PREFIX:-gcr.io/google_containers/}pause:3.1"
--- a/magnum/drivers/k8s_fedora_coreos_v1/templates/fcct-config.yaml
+++ b/magnum/drivers/k8s_fedora_coreos_v1/templates/fcct-config.yaml
@ -5,9 +5,9 @@
 #
 # You can use podman or docker to generate the ignition formatted json:
 # podman run --rm \
-# -v ./fcct-config.yaml:/config.fcc:z \
+#   -v $(pwd)/fcct-config.yaml:/config.fcc \
 #   quay.io/coreos/fcct:release \
-# --pretty --strict --input /config.fcc > ./user_data.json
+#   --pretty --strict /config.fcc > ./user_data.json
 #
 # [0] https://github.com/coreos/fcct
 # [1] https://github.com/coreos/fedora-coreos-docs/blob/master/modules/ROOT/pages/producing-ign.adoc
@ -69,6 +69,18 @@ storage:
          # -1 is unlimited
          # 50m
          max_log_size = 52428800
+    - path: /etc/containers/__REGISTRIES_CONF__
+      # 420 (decimal) == 644 (octal)
+      mode: 420
+      user:
+        name: root
+      group:
+        name: root
+      append:
+        - inline: |
+            [[registry]]
+            location = "__INSECURE_REGISTRY_URL__"
+            insecure = true
    - path: /etc/hostname
      # 420 (decimal) == 644 (octal)
      mode: 420
--- a/magnum/drivers/k8s_fedora_coreos_v1/templates/kubemaster.yaml
+++ b/magnum/drivers/k8s_fedora_coreos_v1/templates/kubemaster.yaml
@ -708,6 +708,14 @@ resources:
                  __HTTPS_PROXY__: {get_param: https_proxy}
                  __NO_PROXY__: {get_param: no_proxy}
                  __SELINUX_MODE__: {get_param: selinux_mode}
+                  __INSECURE_REGISTRY_URL__: {get_param: insecure_registry_url}
+                  __REGISTRIES_CONF__:
+                    if:
+                      - equals:
+                        - get_param: insecure_registry_url
+                        - ""
+                      - ".registries.conf"
+                      - "registries.conf"

  master_config:
    type: OS::Heat::SoftwareConfig
--- a/magnum/drivers/k8s_fedora_coreos_v1/templates/kubeminion.yaml
+++ b/magnum/drivers/k8s_fedora_coreos_v1/templates/kubeminion.yaml
@ -402,6 +402,14 @@ resources:
                  __HTTPS_PROXY__: {get_param: https_proxy}
                  __NO_PROXY__: {get_param: no_proxy}
                  __SELINUX_MODE__: {get_param: selinux_mode}
+                  __INSECURE_REGISTRY_URL__: {get_param: insecure_registry_url}
+                  __REGISTRIES_CONF__:
+                    if:
+                      - equals:
+                        - get_param: insecure_registry_url
+                        - ""
+                      - ".registries.conf"
+                      - "registries.conf"

  ######################################################################
  #
--- a/magnum/drivers/k8s_fedora_coreos_v1/templates/user_data.json
+++ b/magnum/drivers/k8s_fedora_coreos_v1/templates/user_data.json
@ -63,6 +63,21 @@
        },
        "mode": 420
      },
+      {
+        "group": {
+          "name": "root"
+        },
+        "path": "/etc/containers/__REGISTRIES_CONF__",
+        "user": {
+          "name": "root"
+        },
+        "append": [
+          {
+            "source": "data:,%5B%5Bregistry%5D%5D%0Alocation%20%3D%20%22__INSECURE_REGISTRY_URL__%22%0Ainsecure%20%3D%20true%0A"
+          }
+        ],
+        "mode": 420
+      },
      {
        "group": {
          "name": "root"