Update containerd registry.local configuration

As part of bootstrap, k8s.gcr.io/pause:3.2 is pulled via crictl from registry.local with explicitly provided credentials. If this image is manually removed or removed due to garbage collection, containerd is unable to pull it from registry.local. Lookup the registry credentials so that they can be applied to the registry.local auth configuration in containerd's config.toml. This will allow containerd pull access when needed. Change-Id: I5095abbe44c4e9bab36726a336654284482e44b4 Depends-On: https://review.opendev.org/#/c/733941/ Closes-Bug: #1881353 Signed-off-by: Robert Church <robert.church@windriver.com>
2020-06-01 21:36:38 -04:00 · 2020-06-01 21:36:38 -04:00 · d9f0a9896f
parent 28a4cc50ab
commit d9f0a9896f
2 changed files with 40 additions and 14 deletions
--- a/playbookconfig/src/playbooks/roles/bootstrap/bringup-essential-services/tasks/bringup_local_registry.yml
+++ b/playbookconfig/src/playbooks/roles/bootstrap/bringup-essential-services/tasks/bringup_local_registry.yml
@ -88,6 +88,29 @@
  environment:
    CNI_BIN_DIR: "{{ kubelet_cni_bin_dir }}"

+- name: Get local registry credentials
+  vars:
+    script_content: |
+      import keyring
+      password = keyring.get_password("CGCS", "admin")
+      if not password:
+          raise Exception("Local registry password not found.")
+      print dict(username='admin', password=str(password))
+  shell: "{{ script_content }}"
+  args:
+    executable: /usr/bin/python
+  register: local_registry_credentials_output
+
+- set_fact:
+    local_registry_credentials: "{{ local_registry_credentials_output.stdout }}"
+
+- name: Update config.toml with registry auth
+  command: "sed -i -e 's|<%= @registry_auth %>|$REG_AUTH|g' /etc/containerd/config.toml"
+  args:
+    warn: false
+  environment:
+    REG_AUTH: "{{ (local_registry_credentials['username'] + ':' + local_registry_credentials['password']) | b64encode }}"
+
 - name: Determine the stream_server_address for containerd
  set_fact:
    stream_server_address: "{{ '127.0.0.1' if ipv6_addressing == False else '::1' }}"
--- a/playbookconfig/src/playbooks/roles/common/push-docker-images/tasks/main.yml
+++ b/playbookconfig/src/playbooks/roles/common/push-docker-images/tasks/main.yml
@ -134,21 +134,24 @@
  when: item.username is defined
  no_log: true

- name: Get local registry credentials
-  vars:
-    script_content: |
-      import keyring
-      password = keyring.get_password("CGCS", "admin")
-      if not password:
-          raise Exception("Local registry password not found.")
-      print dict(username='admin', password=str(password))
-  shell: "{{ script_content }}"
-  args:
-    executable: /usr/bin/python
-  register: local_registry_credentials_output
+# Retrieve local registry credentials unless it has been already
+- block:
+  - name: Get local registry credentials
+    vars:
+      script_content: |
+        import keyring
+        password = keyring.get_password("CGCS", "admin")
+        if not password:
+            raise Exception("Local registry password not found.")
+        print dict(username='admin', password=str(password))
+    shell: "{{ script_content }}"
+    args:
+      executable: /usr/bin/python
+    register: local_registry_credentials_output

- set_fact:
-    local_registry_credentials: "{{ local_registry_credentials_output.stdout }}"
+  - set_fact:
+      local_registry_credentials: "{{ local_registry_credentials_output.stdout }}"
+  when: local_registry_credentials is not defined

 - name: Download images and push to local registry
  script: download_images.py {{ download_images }}