Switch to podman_image module

By default the podman_image module has validate_certs enabled which forces the --tls-verify flag. This prevents *any* insecure registry from working. This is different from the default mechanism where SSL registries are required unless explicitly defined in the insecure registries list in /etc/containers/registries.conf. The undercloud is an insecure registry so we don't want to force --tls-verify. Change-Id: I47221977ceeddcfa8e2d3da719692ffe87379ac4
2020-04-02 16:37:47 -06:00 · 2020-04-02 16:37:47 -06:00 · bbee30c907
parent 24fb2e3f5e
commit bbee30c907
1 changed files with 10 additions and 2 deletions
--- a/deployment/podman/podman-baremetal-ansible.yaml
+++ b/deployment/podman/podman-baremetal-ansible.yaml
@ -137,10 +137,18 @@ outputs:
        - when:
            - (step|int) == 1
          block:
-            # TODO(mwhahaha): figure out the bug in podman_image
+            # NOTE(mwhahaha): validate_certs is a misnomer because what it
+            # actually does is enable the --tls-verify flag which forces
+            # registries to only be over HTTPS. By default, podman will only
+            # use HTTPS registries but has a way to configure specific insecure
+            # and non-HTTPS registries. The --tls-verify flag prevents this
+            # fallback from functioning. We rely on this fallback for the
+            # undercloud registry.
            - name: Pre-fetch all the containers
              become: true
-              shell: podman pull "{{ container_image }}"
+              podman_image:
+                  name: "{{ container_image }}"
+                  validate_certs: false
              loop_control:
                  loop_var: container_image
              loop: "{{ lookup('file', tripleo_role_name + '/docker_config.yaml', errors='ignore') | default('{}', True) | from_yaml | recursive_get_key_from_dict(key='image') | unique }}"