Update containerd registry.local configuration

As part of bootstrap, k8s.gcr.io/pause:3.2 is pulled via crictl from registry.local with explicitly provided credentials. If this image is manually removed or removed due to garbage collection, containerd is unable to pull it from registry.local. Lookup the registry credentials so that they can be applied to the registry.local auth configuration in containerd's config.toml. This will allow containerd pull access when needed. Change-Id: Ie29a797a09879d7dff28356a2335980ab6c49bed Depends-On: https://review.opendev.org/#/c/732724/ Closes-Bug: #1881353 Signed-off-by: Robert Church <robert.church@windriver.com>
2020-06-01 21:36:38 -04:00 · 2020-06-01 21:36:38 -04:00 · f6b33a95d9
parent c4cc3fe049
commit f6b33a95d9
2 changed files with 40 additions and 14 deletions
--- a/playbookconfig/src/playbooks/roles/bootstrap/bringup-essential-services/tasks/bringup_local_registry.yml
+++ b/playbookconfig/src/playbooks/roles/bootstrap/bringup-essential-services/tasks/bringup_local_registry.yml
@ -88,6 +88,29 @@
  environment:
    CNI_BIN_DIR: "{{ kubelet_cni_bin_dir }}"

+- name: Get local registry credentials
+  vars:
+    script_content: |
+      import keyring
+      password = keyring.get_password("CGCS", "admin")
+      if not password:
+          raise Exception("Local registry password not found.")
+      print dict(username='admin', password=str(password))
+  shell: "{{ script_content }}"
+  args:
+    executable: /usr/bin/python
+  register: local_registry_credentials_output
+
+- set_fact:
+    local_registry_credentials: "{{ local_registry_credentials_output.stdout }}"
+
+- name: Update config.toml with registry auth
+  command: "sed -i -e 's|<%= @registry_auth %>|$REG_AUTH|g' /etc/containerd/config.toml"
+  args:
+    warn: false
+  environment:
+    REG_AUTH: "{{ (local_registry_credentials['username'] + ':' + local_registry_credentials['password']) | b64encode }}"
+
 - name: Determine the stream_server_address for containerd
  set_fact:
    stream_server_address: "{{ '127.0.0.1' if ipv6_addressing == False else '::1' }}"
--- a/playbookconfig/src/playbooks/roles/common/push-docker-images/tasks/main.yml
+++ b/playbookconfig/src/playbooks/roles/common/push-docker-images/tasks/main.yml
@ -134,21 +134,24 @@
  when: item.username is defined
  no_log: true

- name: Get local registry credentials
-  vars:
-    script_content: |
-      import keyring
-      password = keyring.get_password("CGCS", "admin")
-      if not password:
-          raise Exception("Local registry password not found.")
-      print dict(username='admin', password=str(password))
-  shell: "{{ script_content }}"
-  args:
-    executable: /usr/bin/python
-  register: local_registry_credentials_output
+# Retrieve local registry credentials unless it has been already
+- block:
+  - name: Get local registry credentials
+    vars:
+      script_content: |
+        import keyring
+        password = keyring.get_password("CGCS", "admin")
+        if not password:
+            raise Exception("Local registry password not found.")
+        print dict(username='admin', password=str(password))
+    shell: "{{ script_content }}"
+    args:
+      executable: /usr/bin/python
+    register: local_registry_credentials_output

- set_fact:
-    local_registry_credentials: "{{ local_registry_credentials_output.stdout }}"
+  - set_fact:
+      local_registry_credentials: "{{ local_registry_credentials_output.stdout }}"
+  when: local_registry_credentials is not defined

 - name: Download images and push to local registry
  script: download_images.py {{ download_images }}