Merge pull request #500 from andeman/containerd_private_registry_auth

Configure image registry settings for  containerd when installed via package

Author: daianamezdrea

README.md

@@ -318,6 +318,52 @@ The download URL for the containerd archive.
 
 Defaults to `https://github.com/containerd/containerd/releases/download/v${containerd_version}/${containerd_archive}`.
 
+#### `containerd_plugins_registry`
+
+The configuration for the image registries used by containerd.
+
+See https://github.com/containerd/containerd/blob/master/docs/cri/registry.md
+
+Defaults to `{'docker.io' => {'mirrors' => {'endpoint' => 'https://registry-1.docker.io'}}}`.
+
+For example,
+
+```puppet
+'containerd_plugins_registry' => {
+    'docker.io' => {
+        'mirrors' => {
+            'endpoint' => 'https://registry-1.docker.io'
+        },
+    },
+    'docker.private.example.com' => {
+        'mirrors' => {
+            'endpoint' => 'docker.private.example.com'
+        },
+        'tls' => {
+            'ca_file' => 'ca.pem',
+            'cert_file' => 'cert.pem',
+            'key_file' => 'key.pem',
+            'insecure_skip_verify' => true,
+        },
+        'auth' => {
+            'auth' => '1azhzLXVuaXQtdGVzdDpCQ0NwNWZUUXlyd3c1aUxoMXpEQXJnUT==',
+        },
+    },
+    'docker.private.example2.com' => {
+        'mirrors' => {
+            'endpoint' => 'docker.private.example2.com'
+        },
+        'tls' => {
+            'insecure_skip_verify' => true,
+        },
+        'auth' => {
+            'username' => 'user2',
+            'password' => 'secret2',
+        },
+    },
+}
+```
+
 #### `controller_address`
 
 The IP address and port for the controller the worker node joins. For example `172.17.10.101:6443`.

manifests/init.pp

@@ -50,6 +50,11 @@
 #  The URL to download the containerd archive
 #  Defaults to https://github.com/containerd/containerd/releases/download/v${containerd_version}/${containerd_archive}
 #
+# [*containerd_plugins_registry*]
+#  The configuration for the image registries used by containerd when containerd_install_method is package.
+#  See https://github.com/containerd/containerd/blob/master/docs/cri/registry.md
+#  Defaults to `undef`
+#
 # [*dns_domain*]
 #   This is a string that sets the dns domain in kubernetes cluster
 #   Default cluster.local
@@ -594,6 +599,13 @@
   Optional[String] $containerd_archive_checksum                  = undef,
   Optional[String] $containerd_source                            =
     "https://github.com/containerd/containerd/releases/download/v${containerd_version}/${containerd_archive}",
+  Optional[Hash] $containerd_plugins_registry                    = {
+    'docker.io' => {
+      'mirrors' => {
+        'endpoint' => 'https://registry-1.docker.io'
+      },
+    },
+  },
   String $etcd_archive                                           = "etcd-v${etcd_version}-linux-amd64.tar.gz",
   Optional[String] $etcd_archive_checksum                        = undef,
   String $etcd_package_name                                      = 'etcd-server',

manifests/packages.pp

@@ -20,6 +20,7 @@
   Optional[String] $containerd_archive                  = $kubernetes::containerd_archive,
   Optional[String] $containerd_archive_checksum         = $kubernetes::containerd_archive_checksum,
   Optional[String] $containerd_source                   = $kubernetes::containerd_source,
+  Optional[Hash] $containerd_plugins_registry           = $kubernetes::containerd_plugins_registry,
   String $etcd_archive                                  = $kubernetes::etcd_archive,
   Optional[String] $etcd_archive_checksum               = $kubernetes::etcd_archive_checksum,
   String $etcd_version                                  = $kubernetes::etcd_version,

spec/classes/packages_spec.rb

@@ -65,6 +65,13 @@
         'etcd_archive_checksum' => nil,
         'runc_source_checksum' => nil,
         'tmp_directory' => '/var/tmp/puppetlabs-kubernetes',
+        'containerd_plugins_registry' => {
+            'docker.io' => {
+                'mirrors' => {
+                    'endpoint' => 'https://registry-1.docker.io'
+                },
+            },
+          },
         }
     end
     it { should contain_file_line('remove swap in /etc/fstab')}
@@ -154,6 +161,13 @@
         'etcd_archive_checksum' => nil,
         'runc_source_checksum' => nil,
         'tmp_directory' => '/var/tmp/puppetlabs-kubernetes',
+        'containerd_plugins_registry' => {
+            'docker.io' => {
+                'mirrors' => {
+                    'endpoint' => 'https://registry-1.docker.io'
+                },
+            },
+          },
         }
     end
     it { should contain_file_line('remove swap in /etc/fstab')}
@@ -242,6 +256,47 @@
         'etcd_archive_checksum' => nil,
         'runc_source_checksum' => nil,
         'tmp_directory' => '/var/tmp/puppetlabs-kubernetes',
+        'containerd_plugins_registry' => {
+            'docker.io' => {
+                'mirrors' => {
+                    'endpoint' => 'https://registry-1.docker.io'
+                },
+            },
+            'docker.private.example.com' => {
+                'mirrors' => {},
+                'tls' => {
+                    'ca_file' => 'ca1.pem',
+                    'cert_file' => 'cert1.pem',
+                    'key_file' => 'key1.pem',
+                },
+                'auth' => {
+                    'auth' => '1azhzLXVuaXQtdGVzdDpCQ0NwNWZUUXlyd3c1aUxoMXpEQXJnUT==',
+                },
+            },
+            'docker.more-private.example.com' => {
+                'mirrors' => {
+                    'endpoint' => 'https://docker.more-private.example.com'
+                },
+                'tls' => {
+                    'insecure_skip_verify' => true,
+                },
+                'auth' => {
+                    'username' => 'user2',
+                    'password' => 'secret2',
+                },
+            },
+            'docker.even-more-private.example.com' => {
+                'mirrors' => {
+                    'endpoint' => 'https://docker.even-more-private.example.com'
+                },
+                'tls' => {
+                    'ca_file' => 'ca2.pem',
+                },
+                'auth' => {
+                    'identitytoken' => 'azhzLXVuaXQtdGVzdDpCQ0NwNWZUUXlyd3c1aUxoMXpEQXJnUT',
+                },
+            },
+          },
         }
     end
     it { should contain_file_line('remove swap in /etc/fstab')}
@@ -255,7 +310,54 @@
     it { should contain_package('kubectl').with_ensure('1.10.2')}
     it { should contain_package('kubeadm').with_ensure('1.10.2')}
     it { should contain_file('/etc/containerd')}
-    it { should contain_file('/etc/containerd/config.toml')}
+    it { should contain_file('/etc/containerd/config.toml').with_content(
+        /\s*\[plugins."io.containerd.grpc.v1.cri".registry.mirrors."docker.io"\]\s*/
+    )}
+    it { should contain_file('/etc/containerd/config.toml').with_content(
+        /\s*endpoint = \["https:\/\/registry-1.docker.io"\]\s*/
+    )}
+    it { should contain_file('/etc/containerd/config.toml').without_content(
+        /\s*\[plugins."io.containerd.grpc.v1.cri".registry.mirrors."docker.private.example.com"\]\s*/
+    )}
+    it { should contain_file('/etc/containerd/config.toml').with_content(
+        /\s*\[plugins."io.containerd.grpc.v1.cri".registry.mirrors."docker.even-more-private.example.com"\]\s*/
+    )}
+    it { should contain_file('/etc/containerd/config.toml').with_content(
+        /\s*endpoint = \["https:\/\/docker.even-more-private.example.com"\]\s*/
+    )}
+    it { should contain_file('/etc/containerd/config.toml').with_content(
+        /\s*\[plugins."io.containerd.grpc.v1.cri".registry.configs."docker.private.example.com".auth\]\s*/
+    )}
+    it { should contain_file('/etc/containerd/config.toml').with_content(
+        /\s*auth = "1azhzLXVuaXQtdGVzdDpCQ0NwNWZUUXlyd3c1aUxoMXpEQXJnUT=="\s*/
+    )}
+    it { should contain_file('/etc/containerd/config.toml').with_content(
+        /\s*username = "user2"\s*/
+    )}
+    it { should contain_file('/etc/containerd/config.toml').with_content(
+        /\s*password = "secret2"\s*/
+    )}
+    it { should contain_file('/etc/containerd/config.toml').with_content(
+        /\s*identitytoken = "azhzLXVuaXQtdGVzdDpCQ0NwNWZUUXlyd3c1aUxoMXpEQXJnUT"\s*/
+    )}
+    it { should contain_file('/etc/containerd/config.toml').with_content(
+        /\s*\[plugins."io.containerd.grpc.v1.cri".registry.configs."docker.private.example.com".tls\]\s*/
+    )}
+    it { should contain_file('/etc/containerd/config.toml').with_content(
+        /\s*ca_file = "ca1.pem"\s*/
+    )}
+    it { should contain_file('/etc/containerd/config.toml').with_content(
+        /\s*cert_file = "cert1.pem"\s*/
+    )}
+    it { should contain_file('/etc/containerd/config.toml').with_content(
+        /\s*key_file = "key1.pem"\s*/
+    )}
+    it { should contain_file('/etc/containerd/config.toml').with_content(
+        /\s*insecure_skip_verify = true\s*/
+    )}
+    it { should contain_file('/etc/containerd/config.toml').with_content(
+        /\s*ca_file = "ca2.pem"\s*/
+    )}
     it { should_not contain_file('/etc/apt/preferences.d/containerd')}
   end
 
@@ -319,6 +421,13 @@
         'etcd_archive_checksum' => nil,
         'runc_source_checksum' => nil,
         'tmp_directory' => '/var/tmp/puppetlabs-kubernetes',
+        'containerd_plugins_registry' => {
+            'docker.io' => {
+                'mirrors' => {
+                    'endpoint' => 'https://registry-1.docker.io'
+                },
+            },
+          },
         }
     end
     it { should contain_file_line('remove swap in /etc/fstab')}
@@ -407,6 +516,13 @@
         'etcd_archive_checksum' => nil,
         'runc_source_checksum' => nil,
         'tmp_directory' => '/var/tmp/puppetlabs-kubernetes',
+        'containerd_plugins_registry' => {
+            'docker.io' => {
+                'mirrors' => {
+                    'endpoint' => 'https://registry-1.docker.io'
+                },
+            },
+          },
         }
     end
     it { should contain_file_line('remove swap in /etc/fstab')}
@@ -495,6 +611,13 @@
         'etcd_archive_checksum' => nil,
         'runc_source_checksum' => nil,
         'tmp_directory' => '/var/tmp/puppetlabs-kubernetes',
+        'containerd_plugins_registry' => {
+            'docker.io' => {
+                'mirrors' => {
+                    'endpoint' => 'https://registry-1.docker.io'
+                },
+            },
+          },
         }
     end
     it { should contain_file_line('remove swap in /etc/fstab')}
@@ -579,6 +702,13 @@
         'etcd_archive_checksum' => nil,
         'runc_source_checksum' => nil,
         'tmp_directory' => '/var/tmp/puppetlabs-kubernetes',
+        'containerd_plugins_registry' => {
+            'docker.io' => {
+                'mirrors' => {
+                    'endpoint' => 'https://registry-1.docker.io'
+                },
+            },
+          },
         }
     end
     it { should contain_file_line('remove swap in /etc/fstab')}
@@ -593,7 +723,13 @@
     it { should contain_package('containerd.io').with_ensure('1.4.3')}
     it { should contain_file('/etc/containerd')}
     it { should contain_file('/etc/containerd/config.toml')}
-    it { should contain_file('/etc/apt/preferences.d/containerd')}
+    it { should contain_file('/etc/containerd/config.toml').with_content(
+        /\s*\[plugins."io.containerd.grpc.v1.cri".registry.mirrors."docker.io"\]\s*/
+    )}
+    it { should contain_file('/etc/containerd/config.toml').with_content(
+        /\s*endpoint = \["https:\/\/registry-1.docker.io"\]\s*/
+    )}
+    # it { should contain_file('/etc/apt/preferences.d/containerd')}
   end
 
   context 'with disable_swap => true' do
@@ -656,6 +792,13 @@
         'etcd_archive_checksum' => 'bcab421f6bf4111accfceb004e0a0ac2bcfb92ac93081d9429e313248dd78c41',
         'runc_source_checksum' => 'bcab421f6bf4111accfceb004e0a0ac2bcfb92ac93081d9429e313248dd78c41',
         'tmp_directory' => '/var/tmp/puppetlabs-kubernetes',
+        'containerd_plugins_registry' => {
+            'docker.io' => {
+                'mirrors' => {
+                    'endpoint' => 'https://registry-1.docker.io'
+                },
+            },
+          },
         }
     end
     it { should contain_file_line('remove swap in /etc/fstab')}

templates/containerd/config.toml.erb

@@ -90,8 +90,49 @@ oom_score = 0
       conf_template = ""
     [plugins."io.containerd.grpc.v1.cri".registry]
       [plugins."io.containerd.grpc.v1.cri".registry.mirrors]
-        [plugins."io.containerd.grpc.v1.cri".registry.mirrors."docker.io"]
-          endpoint = ["https://registry-1.docker.io"]
+      <%- @containerd_plugins_registry.each do |registry, sections| -%>
+      <%- if sections['mirrors'] and not sections['mirrors'].empty? -%>
+        [plugins."io.containerd.grpc.v1.cri".registry.mirrors."<%= registry %>"]
+        <%- if sections['mirrors']['endpoint'] -%>
+          endpoint = ["<%= sections['mirrors']['endpoint'] %>"]
+        <%- end -%>
+      <%- end -%>
+      <%- end -%>
+      [plugins."io.containerd.grpc.v1.cri".registry.configs]
+      <%- @containerd_plugins_registry.each do |registry, sections| -%>
+      <%- if sections['auth'] and not sections['auth'].empty? -%>
+        [plugins."io.containerd.grpc.v1.cri".registry.configs."<%= registry %>".auth]
+        <%- if sections['auth']['username'] -%>
+          username = "<%= sections['auth']['username'] %>"
+        <%- end -%>
+        <%- if sections['auth']['password'] -%>
+          password = "<%= sections['auth']['password'] %>"
+        <%- end -%>
+        <%- if sections['auth']['auth'] -%>
+          auth = "<%= sections['auth']['auth'] %>"
+        <%- end -%>
+        <%- if sections['auth']['identitytoken'] -%>
+          identitytoken = "<%= sections['auth']['identitytoken'] %>"
+        <%- end -%>
+      <%- end -%>
+      <%- end -%>
+      <%- @containerd_plugins_registry.each do |registry, sections| -%>
+      <%- if sections['tls'] and not sections['tls'].empty? -%>
+        [plugins."io.containerd.grpc.v1.cri".registry.configs."<%= registry %>".tls]
+        <%- if sections['tls']['ca_file'] -%>
+          ca_file = "<%= sections['tls']['ca_file'] %>"
+        <%- end -%>
+        <%- if sections['tls']['cert_file'] -%>
+          cert_file = "<%= sections['tls']['cert_file'] %>"
+        <%- end -%>
+        <%- if sections['tls']['key_file'] -%>
+          key_file = "<%= sections['tls']['key_file'] %>"
+        <%- end -%>
+        <%- if sections['tls']['insecure_skip_verify'] -%>
+          insecure_skip_verify = <%= sections['tls']['insecure_skip_verify'] %>
+        <%- end -%>
+      <%- end -%>
+      <%- end -%>
     [plugins."io.containerd.grpc.v1.cri".x509_key_pair_streaming]
       tls_cert_file = ""
       tls_key_file = ""