Allow airgapped CRI-O installation (#6927)
basvandenbrink authored Nov 28, 2020
1 parent 97ff67e commit 17fb1ce
Showing 3 changed files with 15 additions and 2 deletions.
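--- a/roles/container-engine/cri-o/defaults/main.yml
+++ b/roles/container-engine/cri-o/defaults/main.yml
@@ -11,6 +11,9 @@ crio_pause_image: "{{ pod_infra_image_repo }}:{{ pod_infra_version }}"
 # By default unqualified images are not allowed for security reasons
 crio_registries: []
 
+# Configure insecure registries.
+crio_insecure_registries: []
+
 crio_seccomp_profile: ""
 crio_selinux: "{{ (preinstall_selinux_state == 'enforcing')|lower }}"
 crio_signature_policy: "{% if ansible_os_family == 'ClearLinux' %}/usr/share/defaults/crio/policy.json{% endif %}"
@@ -50,3 +53,7 @@ kata_runtimes:
 path: /opt/kata/bin/kata-qemu
 type: oci
 root: /run/kata-containers
+
+# When this is true, CRI-O package repositories are added. Set this to false when using an
+# environment with preconfigured CRI-O package repositories.
+crio_add_repos: true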
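Review bot: The comment `# Configure insecure registries.` above `crio_insecure_registries` does not say what an operator gives up by adding an entry. According to the comment in crio.conf.j2 in this same commit, these are registries for which TLS verification is skipped when pulling images, so pulls from them have no transport authentication. I would state that in the default's comment, for example `# Registries for which CRI-O skips TLS verification when pulling images.` followed by `# Leave empty unless an internal registry cannot present a trusted certificate.` The `crio_add_repos` comment could likewise note that with `false` the packages come from whatever repositories the host already trusts.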
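--- a/roles/container-engine/cri-o/tasks/main.yaml
+++ b/roles/container-engine/cri-o/tasks/main.yaml
@@ -39,7 +39,9 @@
 - (ansible_distribution_major_version | int) >= 31
 - ansible_proc_cmdline['systemd.unified_cgroup_hierarchy'] is not defined or ansible_proc_cmdline['systemd.unified_cgroup_hierarchy'] != '0'
 
-- import_tasks: "crio_repo.yml"
+- name: import crio repo
+import_tasks: "crio_repo.yml"
+when: crio_add_repos
 
 - import_tasks: "crictl.yml"
 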
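Review bot: `when: crio_add_repos` tests the bare variable, so a value that arrives as a string (for example `-e crio_add_repos=false` on the command line, or an INI inventory entry) may be treated as truthy depending on the Ansible version. In that case the repository tasks would still run on a host that was meant to rely on its preconfigured repositories only. Casting makes the intent explicit and independent of how the value was supplied: `when: crio_add_repos | bool`. Because this is a static `import_tasks`, the condition is applied to each task in crio_repo.yml, so the single cast covers all of them.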
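--- a/roles/container-engine/cri-o/templates/crio.conf.j2
+++ b/roles/container-engine/cri-o/templates/crio.conf.j2
@@ -339,7 +339,11 @@ signature_policy = "{{ crio_signature_policy }}"
 # List of registries to skip TLS verification for pulling images. Please
 # consider configuring the registries via /etc/containers/registries.conf before
 # changing them here.
-#insecure_registries = "[]"
+insecure_registries = [
+{% for insecure_registry in crio_insecure_registries %}
+"{{ insecure_registry }}",
+{% endfor %}
+]
 
 # Controls how image volumes are handled. The valid values are mkdir, bind and
 # ignore; the latter will ignore volumes entirely.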
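Review bot: Each entry is interpolated as `"{{ insecure_registry }}",` without any escaping, so a value containing a double quote or backslash would produce a malformed or differently-parsed crio.conf. Rendering the list through a serialising filter avoids hand-built quoting and the trailing comma: `insecure_registries = {{ crio_insecure_registries | to_json }}`. For plain host[:port] strings the JSON array should also be a valid TOML array, but that is worth confirming against the CRI-O version in use. Since the option is now always emitted rather than commented out, the comment above it could also say that it is populated from `crio_insecure_registries` and that every entry disables certificate verification for that registry.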
