containerd insecure registry support (kubernetes-sigs#8298)

sw-cho · Apr 26, 2023 · f070da9 · f070da9
1 parent 31ed63c
commit f070da9
Show file tree

Hide file tree

Showing 3 changed files with 29 additions and 0 deletions.
diff --git a/inventory/sample/group_vars/all/containerd.yml b/inventory/sample/group_vars/all/containerd.yml
@@ -28,6 +28,14 @@
 
 # containerd_metrics_grpc_histogram: false
 
+## An obvious use case is allowing insecure-registry access to self hosted registries.
+## Can be ipaddress and domain_name.
+## example define mirror.registry.io or 172.19.16.11:5000
+## Port number is also needed if the default HTTPS port is not used.
+# containerd_insecure_registries:
+#   - mirror.registry.io
+#   - 172.19.16.11:5000
+
 # containerd_registries:
 #   "docker.io": "https://registry-1.docker.io"
 

diff --git a/roles/container-engine/containerd/templates/config.toml.j2 b/roles/container-engine/containerd/templates/config.toml.j2
@@ -49,6 +49,12 @@ oom_score = {{ containerd_oom_score }}
         [plugins."io.containerd.grpc.v1.cri".registry.mirrors."{{ registry }}"]
           endpoint = ["{{ ([ addr ] | flatten ) | join('","') }}"]
 {% endfor %}
+{% for addr in containerd_insecure_registries %}
+        [plugins."io.containerd.grpc.v1.cri".registry.mirrors."{{ addr }}"]
+          endpoint = ["{{ ([ addr ] | flatten ) | join('","') }}"]
+        [plugins."io.containerd.grpc.v1.cri".registry.configs."{{ addr }}".tls]
+          insecure_skip_verify = true
+{% endfor %}
 {% for registry in containerd_registry_auth if registry['registry'] is defined %}
 {% if (registry['username'] is defined and registry['password'] is defined) or registry['auth'] is defined %}
       [plugins."io.containerd.grpc.v1.cri".registry.configs."{{ registry['registry'] }}".auth]

diff --git a/roles/kubespray-defaults/defaults/main.yaml b/roles/kubespray-defaults/defaults/main.yaml
@@ -325,6 +325,21 @@ etcd_kubeadm_enabled: false
 containerd_version: 1.4.9
 containerd_use_systemd_cgroup: true
 
+<<<<<<< HEAD
+=======
+# Docker options - this is relevant when container_manager == 'docker'
+docker_containerd_version: 1.4.12
+
+## An obvious use case is allowing insecure-registry access to self hosted registries.
+## Can be ipaddress and domain_name.
+## example define mirror.registry.io or 172.19.16.11:5000
+## Port number is also needed if the default HTTPS port is not used.
+# containerd_insecure_registries:
+#   - mirror.registry.io
+#   - 172.19.16.11:5000
+containerd_insecure_registries: []
+
+>>>>>>> 4f27c763a (containerd insecure registry support (#8298))
 # Settings for containerized control plane (etcd/kubelet/secrets)
 # deployment type for legacy etcd mode
 etcd_deployment_type: docker