Add containerd registry override folder (docker mirror)

babs · babs · commit ead946e82572 · 2023-10-30T20:53:56.000+01:00
diff --git a/k8s/v1/containerd.sls b/k8s/v1/containerd.sls
@@ -43,12 +43,28 @@ containerd:
   cmd.run:
     - name: |
           containerd config default > /etc/containerd/default.toml.tmp \
-          && python3 -c 'import toml; v = toml.load("/etc/containerd/default.toml.tmp"); v["plugins"]["io.containerd.grpc.v1.cri"]["containerd"]["runtimes"]["runc"]["options"]["SystemdCgroup"] = True; v["root"] = "/srv/containerd/"; s = toml.dumps(v); print(s);' > /etc/containerd/config.toml && rm /etc/containerd/default.toml.tmp
+          && python3 -c 'import toml; v = toml.load("/etc/containerd/default.toml.tmp"); v["plugins"]["io.containerd.grpc.v1.cri"]["containerd"]["runtimes"]["runc"]["options"]["SystemdCgroup"] = True; v["root"] = "/srv/containerd/"; v["plugins"]["io.containerd.grpc.v1.cri"]["registry"]["config_path"] = "/etc/containerd/certs.d/";s = toml.dumps(v); print(s);' > /etc/containerd/config.toml && rm /etc/containerd/default.toml.tmp
     - unless:
-      - python3 -c 'import toml, sys; v = toml.load("/etc/containerd/config.toml"); sys.exit(v["plugins"]["io.containerd.grpc.v1.cri"]["containerd"]["runtimes"]["runc"]["options"]["SystemdCgroup"] != True or v["root"] != "/srv/containerd/");'
+      - python3 -c 'import toml, sys; v = toml.load("/etc/containerd/config.toml"); sys.exit(v["plugins"]["io.containerd.grpc.v1.cri"]["containerd"]["runtimes"]["runc"]["options"]["SystemdCgroup"] != True or v["root"] != "/srv/containerd/" or v["plugins"]["io.containerd.grpc.v1.cri"]["registry"]["config_path"] != "/etc/containerd/certs.d/");'
     - watch_in:
       - service: containerd
 
+/etc/containerd/certs.d/:
+  file.directory:
+    - require:
+      - service: containerd
+
+{%- for mirror in salt['pillar.get']("containerd:oci mirrors", {}) %}
+
+/etc/containerd/certs.d/{{ mirror }}/hosts.toml:
+  file.managed:
+    - contents_pillar: containerd:oci mirrors:{{ mirror }}:content
+    - makedirs: true
+    - watch_in:
+      - service: containerd
+
+{%- endfor %}
+
 /etc/crictl.yaml:
   file.managed:
     - contents: |
diff --git a/pillar.example.yaml b/pillar.example.yaml
@@ -62,7 +62,7 @@ k8s:
         chart: metallb/metallb
         namespace: metallb-system
         flags:
-         - create-namespace
+          - create-namespace
 
     cert-manager:
       repo:
@@ -112,3 +112,13 @@ k8s:
           - securityContext.runAsGroup=0
           - securityContext.runAsNonRoot=false
           - securityContext.runAsUser=0
+
+containerd:
+  oci mirrors:
+    docker.io:
+      content: |
+          server = "https://docker.io"
+
+          [host."http://my.local.registry.for.docker.io:5000"]
+            capabilities = ["pull", "resolve"]
+            skip_verify = true
