Parameterize gcr, quay, and docker image repo defines

[qingkunl]

This allows to easily override the gcr, quay, and docker repos with the
mirror repos in countries like China, where the default accesses are
blocked or unstable.

What type of PR is this?

Uncomment only one /kind <> line, hit enter to put that in a new line, and remove leading whitespaces from that line:

/kind api-change
/kind bug
/kind cleanup
/kind design
/kind documentation
/kind failing-test

/kind feature

/kind flake

What this PR does / why we need it:

Allows to use ansible variables to define gcr, quay, and docker repos, so that people can easily override them (e.g. with the mirror repos) in the inventory file. This is very useful for Kubespray users in countries like China, where the access to gcr, quay, and docker repos are blocked or unstable.

Which issue(s) this PR fixes:

Fixes #

Special notes for your reviewer:

I've tested this change locally on the machines in China. Without this change, the gcr, quay, and docker images couldn't not be downloaded.

Does this PR introduce a user-facing change?:

NONE

[k8s-ci-robot]

Welcome @qingkunl!

It looks like this is your first PR to kubernetes-sigs/kubespray 🎉. Please refer to our pull request process documentation to help your PR have a smooth ride to approval.

You will be prompted by a bot to use commands during the review process. Do not be afraid to follow the prompts! It is okay to experiment. Here is the bot commands documentation.

You can also check if kubernetes-sigs/kubespray has its own contribution guidelines.

You may want to refer to our testing guide if you run into trouble with your tests not passing.

If you are having difficulty getting your pull request seen, please follow the recommended escalation practices. Also, for tips and tricks in the contribution process you may want to read the Kubernetes contributor cheat sheet. We want to make sure your contribution gets all the attention it needs!

Thank you, and welcome to Kubernetes. 😃

[k8s-ci-robot]

Thanks for your pull request. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA).

📝 Please follow instructions at https://git.k8s.io/community/CLA.md#the-contributor-license-agreement to sign the CLA.

It may take a couple minutes for the CLA signature to be fully registered; after that, please reply here with a new comment and we'll verify. Thanks.

---

• If you've already signed a CLA, it's possible we don't have your GitHub username or you're using a different email address. Check your existing CLA data and verify that your email is set on your git commits.
• If you signed the CLA as a corporation, please sign in with your organization's credentials at https://identity.linuxfoundation.org/projects/cncf to be authorized.
• If you have done the above and are still having issues with the CLA being reported as unsigned, please log a ticket with the Linux Foundation Helpdesk: https://support.linuxfoundation.org/
• Should you encounter any issues with the Linux Foundation Helpdesk, send a message to the backup e-mail support address at: login-issues@jira.linuxfoundation.org

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

[qingkunl]

/assign @woopstar

[qingkunl]

/retest

[k8s-ci-robot]

@qingkunl: Cannot trigger testing until a trusted user reviews the PR and leaves an /ok-to-test message.

In response to this:

/retest

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[mirwan]

Unless I'm wrong images from docker hub could benefit from the same variable with "docker.io" as default.

[qingkunl]

Unless I'm wrong images from docker hub could benefit from the same variable with "docker.io" as default.

It's true that "docker.io" is blocked in China. But we've already got ways to specify the docker mirror by overriding 'docker_registry_mirrors' defined in 'roles/kubespray-defaults/defaults/main.yaml':

## A list of additional registry mirrors, for example China registry mirror. Empty by default.
# docker_registry_mirrors:
#   - https://registry.docker-cn.com
#   - https://mirror.aliyuncs.com
docker_registry_mirrors: []

[mirwan]

docker_registry_mirrors is only used if docker is used as container runtime, with containerd for example, some images for docker.io get pulled

[mirwan]

Have the same variable for docker.io as for gcr.io and qua.ioy would ease the overridings of all *_image_repo variables in offline installations as well

[Timoses]

Why not use something like the following:

roles/download/defaults/main.yml

downloads:
  cilium:
    enabled: "{{ kube_network_plugin == 'cilium' }}"
    container: true
    repo: docker.io/cilium/cilium
    tag: "{{ cilium_version }}"
    sha256: "{{ cilium_digest_checksum|default(None) }}"
    groups:
      - k8s-cluster

User then wants to use another registry:

downloads_overrides:
  cilium:
    repo: mycustomregistry.io/myproject/cilium

Then roles/download/tasks/main.yml would use

downloads | combine(downloads_overrides)

This would get rid of all the *_image_repo and *_image_tag variables while allowing the user to specify which download should be adjusted.

Additionally, it would be possible to use:

downloads:
  cilium:
    repo: "{{ downloads_image_registry | default('docker.io/cilium/cilium') }}"

in case the user wants to use a single registry.

Note: Be aware that the download role has a dynamic part:

kubespray/roles/download/tasks/main.yml

Line 30 in 7f74906

- name: download | Get kubeadm binary and list of required images

[qingkunl]

@mirwan That makes sense. I've updated the PR to add the variable for "docker.io" as well. Thanks.

[qingkunl]

Why not use something like the following:

roles/download/defaults/main.yml

downloads:
  cilium:
    enabled: "{{ kube_network_plugin == 'cilium' }}"
    container: true
    repo: docker.io/cilium/cilium
    tag: "{{ cilium_version }}"
    sha256: "{{ cilium_digest_checksum|default(None) }}"
    groups:
      - k8s-cluster

User then wants to use another registry:

downloads_overrides:
  cilium:
    repo: mycustomregistry.io/myproject/cilium

Then roles/download/tasks/main.yml would use

downloads | combine(downloads_overrides)

This would get rid of all the *_image_repo and *_image_tag variables while allowing the user to specify which download should be adjusted.

Additionally, it would be possible to use:

downloads:
  cilium:
    repo: "{{ downloads_image_registry | default('docker.io/cilium/cilium') }}"

in case the user wants to use a single registry.

Note: Be aware that the download role has a dynamic part:

kubespray/roles/download/tasks/main.yml

Line 30 in 7f74906

- name: download | Get kubeadm binary and list of required images

Thanks for the suggestion. But it doesn't solve the problem I'm trying to solve in this PR. I'd like to be able to just override the repo for all gcr/quay/docker images with a simple repo override (so that I can easily use mirror repos), instead of having to go through and override each image (etcd, cilium, dashboard, nodelocaldns, etc.).

[mirwan]

The images repos with no namespace should have the library namespace added like nginx_image_repo: "{{ docker_image_repo }}/library/nginx"

[qingkunl]

The images repos with no namespace should have the library namespace added like nginx_image_repo: "{{ docker_image_repo }}/library/nginx"

Updated the PR to add library namespace. Thanks

[mirwan]

/lgtm

[qingkunl]

It's been silent for a while. Anything else I should do here?

[riverzhang]

{{ docker_image_repo }}/kubeovn/kube-ovn-controller
I think this needs to be fixed.

[qingkunl]

Good catch!

[qingkunl]

Fixed in the latest commit

[riverzhang]

Have the same variable for docker.io as for gcr.io and qua.ioy would ease the overridings of all *_image_repo variables in offline installations as well

I agree with this approach, otherwise users will have a lot of configuration options.
@qingkunl in case the user wants to use a single registry. This is very useful for Chinese users, or harbor users. I think @Timoses 's suggestion can be considered，What do you think?

[riverzhang]

/hold

[qingkunl]

Have the same variable for docker.io as for gcr.io and qua.ioy would ease the overridings of all *_image_repo variables in offline installations as well

I agree with this approach, otherwise users will have a lot of configuration options.

I think @mirwan meant to also define a variable for docker.io, as I originally only defined variables for gcr.io and quay.io, and I've already done that. Please let me know if I misunderstood.

@qingkunl in case the user wants to use a single registry. This is very useful for Chinese users, or harbor users. I think @Timoses 's suggestion can be considered，What do you think?

It may not help much in my case, as I need to override all images with the mirror repos and don't want to go through and override each of them (etcd, cilium, dashboard, nodelocaldns, etc.). In addition, since it requires a more involved code change and refactor, I suggest consider it in a separate PR. And in case we do want @Timoses 's suggestion, I still suggest keeping this PR to allow the mirror repo override.

[riverzhang]

@qingkunl Thanks,
/lgtm
/approve

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: qingkunl, riverzhang

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [riverzhang]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[riverzhang]

/hold cancel