Add support for v2 registries.conf

https://github.com/containers/image/blob/master/docs/containers-registries.conf.5.md#version-2 This allows for mirrors to be configured for specific hosts however it is incompatibilty with the default v1 configuration so we have to nuke the existing configuration. Additionally it uses TOML which there is currently no ansible module to manage. Change-Id: Ic35155f04bf05913b9e9b8eaa22fe6c02515396c
2020-04-13 09:35:31 -06:00 · 2020-04-13 09:35:31 -06:00 · bf80fe922b
commit bf80fe922b
parent cfd3e13ff7
3 changed files with 60 additions and 8 deletions
--- a/tripleo_ansible/roles/tripleo_podman/defaults/main.yml
+++ b/tripleo_ansible/roles/tripleo_podman/defaults/main.yml
@ -24,3 +24,28 @@ tripleo_podman_packages: "{{ _tripleo_podman_packages | default([]) }}"
 tripleo_podman_purge_packages: "{{ _tripleo_podman_purge_packages | default([]) }}"
 tripleo_podman_tls_verify: true
 tripleo_podman_debug: false
+tripleo_podman_unqualified_search_registries:
+  - registry.redhat.io
+  - registry.access.redhat.com
+  - registry.fedoraproject.org
+  - registry.centos.org
+  - docker.io
+tripleo_podman_insecure_registries: "{{ tripleo_container_registry_insecure_registries }}"
+# tripleo_podman_registries requires a list of dictionaries
+# Example:
+# tripleo_podman_registries:
+#   - prefix: docker.io
+#     insecure: false
+#     location: docker.io
+#     mirrors:
+#       - location: 192.168.0.1:8787
+#         insecure: true
+#   - prefix: registry.redhat.io
+#     insecure: false
+#     location: registry.redhat.io
+#     mirrors:
+#       - location: 192.168.0.2:8787
+#         insecure: false
+#   - prefix: registry.fedoraproject.org
+#     blocked: true
+tripleo_podman_registries: []
--- a/tripleo_ansible/roles/tripleo_podman/tasks/tripleo_podman_install.yml
+++ b/tripleo_ansible/roles/tripleo_podman/tasks/tripleo_podman_install.yml
@ -48,11 +48,11 @@
      when:
        - podman_bridge_config.stat.exists | bool

-    - name: configure insecure registries /etc/containers/registries.conf
-      ini_file:
-        path: /etc/containers/registries.conf
-        section: 'registries.insecure'
-        option: registries
-        value: "{{ tripleo_container_registry_insecure_registries }}"
-      when:
-        - (tripleo_container_registry_insecure_registries | length) > 0
+    - name: Write containers registries.conf
+      template:
+        src: registries.conf.j2
+        dest: /etc/containers/registries.conf
+        owner: root
+        group: root
+        setype: etc_t
+        mode: '0644'
--- a/tripleo_ansible/roles/tripleo_podman/templates/registries.conf.j2
+++ b/tripleo_ansible/roles/tripleo_podman/templates/registries.conf.j2
@ -0,0 +1,27 @@
+# This file is managed via tripleo-ansible
+
+unqualified-search-registries = {{ tripleo_podman_unqualified_search_registries | list }}
+
+# registries configuration
+{% for reg in tripleo_podman_registries %}
+[[registry]]
+prefix = "{{ reg.prefix }}"
+location = "{{ reg.location | default(reg.prefix) }}"
+insecure = {{ reg.insecure | default(False) | bool | ternary('true', 'false') }}
+blocked = {{ reg.blocked | default(False) | bool | ternary('true', 'false') }}
+{% if 'mirrors' in reg %}
+{% for mirror in reg.mirrors %}
+[[registry.mirror]]
+location = "{{ mirror.location }}"
+insecure = {{ mirror.insecure | default(False) | bool | ternary('true', 'false') }}
+{% endfor %}
+{% endif %}
+{% endfor %}
+
+# insecure registry list
+{% for reg in tripleo_podman_insecure_registries %}
+[[registry]]
+prefix = "{{ reg }}"
+insecure = true
+location = "{{ reg }}"
+{% endfor %}