feat: change containerd config (#2829)

feat: change containerd default config



feat: change containerd default config



feat: change containerd default config



feat: change containerd default config



feat: change containerd default config



feat: change containerd default config



feat: change containerd default config



feat: change containerd default config

Signed-off-by: xuesongzuo@yunify.com <xuesongzuo@yunify.com>

builtin/core/playbooks/add_nodes.yaml

@@ -1,4 +1,8 @@
 ---
+- hosts:
+    - all
+  roles:
+    - native/root
 - import_playbook: hook/pre_install.yaml
 
 # Load default variables and perform prechecks on all hosts
@@ -8,7 +12,6 @@
   roles:
     - defaults
     - precheck
-    - native/root
 
 # Download all required software and generate certificates on the localhost
 - hosts:
@@ -17,6 +20,7 @@
   roles:
     - certs/init
     - download
+    - certs/check
 
 # Initialize all nodes and install necessary software packages
 - hosts:

builtin/core/playbooks/artifact_export.yaml

@@ -1,11 +1,14 @@
 ---
+- hosts:
+    - all
+  roles:
+    - native/root
 # Load default variables and perform prechecks on all hosts
 - hosts:
     - all
   gather_facts: true
   roles:
     - defaults
-    - native/root
 
 # Download all required software and generate certificates on the localhost
 - hosts:

builtin/core/playbooks/artifact_images.yaml

@@ -1,11 +1,14 @@
 ---
+- hosts:
+    - all
+  roles:
+    - native/root
 # Load default variables and perform prechecks on all hosts
 - hosts:
     - localhost
   tags: ["always"]
   roles:
     - defaults
-    - native/root
 
 - hosts:
     - localhost

builtin/core/playbooks/certs_renew.yaml

@@ -1,11 +1,14 @@
 ---
+- hosts:
+    - all
+  roles:
+    - native/root
 # Load default variables and perform prechecks on all hosts
 - hosts:
     - all
   gather_facts: true
   roles:
     - defaults
-    - native/root
 
 - hosts:
     - localhost

builtin/core/playbooks/create_cluster.yaml

@@ -1,4 +1,9 @@
 ---
+- hosts:
+    - all
+  roles:
+    - native/root
+
 - import_playbook: hook/pre_install.yaml
 
 # Load default variables and perform prechecks on all hosts
@@ -8,7 +13,6 @@
   roles:
     - defaults
     - precheck
-    - native/root
 
 # Download all required software and generate certificates on the localhost
 - hosts:
@@ -16,6 +20,7 @@
   roles:
     - certs/init
     - download
+    - certs/check
 
 # Initialize all nodes and install necessary software packages
 - hosts:

builtin/core/playbooks/delete_cluster.yaml

@@ -1,11 +1,14 @@
 ---
+- hosts:
+    - all
+  roles:
+    - native/root
 # Load default variables and perform prechecks on all hosts
 - hosts:
     - all
   gather_facts: true
   roles:
     - defaults
-    - native/root
 
 - hosts: 
     - k8s_cluster

builtin/core/playbooks/delete_nodes.yaml

@@ -1,4 +1,8 @@
 ---
+- hosts:
+    - all
+  roles:
+    - native/root
 # Load default variables and perform prechecks on all hosts
 - hosts:
     - all
@@ -6,7 +10,6 @@
   roles:
     - defaults
     - precheck
-    - native/root
 
 - hosts:
     - kube_control_plane

builtin/core/playbooks/delete_registry.yaml

@@ -1,11 +1,15 @@
 ---
+- hosts:
+    - all
+  roles:
+    - native/root
+
 # Load default variables and perform prechecks on all hosts
 - hosts:
     - all
   gather_facts: true
   roles:
     - defaults
-    - native/root
 
 - hosts:
    - image_registry

builtin/core/playbooks/init_os.yaml

@@ -1,11 +1,14 @@
 ---
+- hosts:
+    - all
+  roles:
+    - native/root
 # Load default variables and perform prechecks on all hosts
 - hosts:
     - all
   gather_facts: true
   roles:
     - defaults
-    - native/root
 
 # Download all required software and generate certificates on the localhost
 - hosts:

builtin/core/playbooks/init_registry.yaml

@@ -1,4 +1,8 @@
 ---
+- hosts:
+    - all
+  roles:
+    - native/root
 # Load default variables and perform prechecks on all hosts
 - hosts:
     - all
@@ -6,7 +10,6 @@
   gather_facts: true
   roles:
     - defaults
-    - native/root
 
 
 # Download all required software and generate certificates on the localhost
@@ -16,6 +19,7 @@
   roles:
     - role: certs/init
     - role: download
+    - role: certs/check
 
 # Initialize all nodes and install necessary software packages
 - hosts:

builtin/core/playbooks/precheck.yaml

@@ -1,4 +1,8 @@
 ---
+- hosts:
+    - all
+  roles:
+    - native/root
 # Load default variables and perform prechecks on all hosts
 - hosts:
     - all
@@ -6,4 +10,3 @@
   roles:
     - defaults
     - precheck
-    - native/root

builtin/core/roles/certs/check/tasks/main.yaml

@@ -0,0 +1,57 @@
+
+- name: Cert | Copy check shell
+  template:
+    src: check.sh
+    dest: /etc/kubekey/scripts/check.sh
+    mode: 0755
+
+- name: Cert | Set cert check command
+  set_fact:
+    cri:
+      cert:
+        check:
+          cmd: >-
+            /etc/kubekey/scripts/check.sh {{ .image_registry.auth.registry }} 
+                {{- if .image_registry.auth.insecure -}}
+                {{ printf " --insecure  " }} 
+                {{- end -}}
+                {{- if .image_registry.auth.ca_file | empty | not -}}
+                {{ printf " --ca-file %s " .image_registry.auth.ca_file }}
+                {{- end -}}
+                {{- if .image_registry.auth.cert_file | empty | not -}}
+                {{ printf " --cert-file %s .image_registry.auth.cert_file " }}
+                {{- end -}}
+                {{- if .image_registry.auth.key_file | empty | not -}}
+                {{ printf " --key-file %s " .image_registry.auth.key_file }}
+                {{- end -}}
+
+- name: Cert | Exec check shell with input certs
+  register: cert_check_input_cert_result
+  command: |
+    if {{ .cri.cert.check.cmd }} ; then
+        echo "true"
+    else
+        echo "false"
+    fi
+
+- name: Cert | Exec check shell with local certs
+  when: .cert_check_input_cert_result.stdout | eq "false"
+  register: cert_check_self_cert_result
+  command: |
+    if /etc/kubekey/scripts/check.sh {{ .image_registry.auth.registry }} --ca-file {{ .binary_dir }}/pki/root.crt --cert-file {{ .binary_dir }}/pki/image_registry.crt --key-file {{ .binary_dir }}/pki/image_registry.key ; then
+        echo "true"
+    else
+        echo "false"
+    fi
+
+- name: Cert | Set auth ca
+  ignore_error: true
+  when: .cert_check_self_cert_result.stdout | eq "true"
+  add_hostvars:
+    hosts: all
+    vars:
+      image_registry:
+        auth:
+          ca_file: "{{ .binary_dir }}/pki/root.crt"
+          cert_file: "{{ .binary_dir }}/pki/image_registry.crt"
+          key_file: "{{ .binary_dir }}/pki/image_registry.key"

builtin/core/roles/certs/check/templates/check.sh

@@ -0,0 +1,150 @@
+#!/bin/bash
+
+# example
+# ./check_registry.sh registry.example.com [options]
+# return: 0 (success) or 1 (fail)
+
+REGISTRY_HOST=""
+REGISTRY_PORT=443
+CA_FILE=""
+CERT_FILE=""
+KEY_FILE=""
+INSECURE=false
+
+parse_arguments() {
+    REGISTRY_HOST=$1
+    shift
+    while [[ $# -gt 0 ]]; do
+        case $1 in
+            -p|--port)
+                REGISTRY_PORT="$2"
+                shift 2
+                ;;
+            --ca-file)
+                CA_FILE="$2"
+                shift 2
+                ;;
+            --cert-file)
+                CERT_FILE="$2"
+                shift 2
+                ;;
+            --key-file)
+                KEY_FILE="$2"
+                shift 2
+                ;;
+            -k|--insecure)
+                INSECURE=true
+                shift
+                ;;
+            -h|--help)
+                exit 0
+                ;;
+            *)
+                exit 1
+                ;;
+        esac
+    done
+    if [ -z "$REGISTRY_HOST" ]; then
+        exit 1
+    fi
+}
+
+# verify input ca cert key
+validate_cert_files() {
+    if [ -n "$CA_FILE" ] && [ ! -f "$CA_FILE" ]; then
+        return 1
+    fi
+    if [ -n "$CERT_FILE" ] && [ ! -f "$CERT_FILE" ]; then
+        return 1
+    fi
+    if [ -n "$KEY_FILE" ] && [ ! -f "$KEY_FILE" ]; then
+        return 1
+    fi
+    return 0
+}
+
+# verify port accessible
+check_port_connectivity() {
+    local host=$1
+    local port=$2
+
+    if command -v nc >/dev/null 2>&1; then
+        if nc -z -w 5 "$host" "$port" >/dev/null 2>&1; then
+            return 0
+        else
+            return 1
+        fi
+    elif command -v timeout >/dev/null 2>&1; then
+        if timeout 5 bash -c "echo >/dev/tcp/$host/$port" 2>/dev/null; then
+            return 0
+        else
+            return 1
+        fi
+    else
+        return 0
+    fi
+}
+
+# check Registry API usable
+check_registry_api() {
+    local host=$1
+    local port=$2
+    local ca_file=$3
+    local cert_file=$4
+    local key_file=$5
+    local insecure=$6
+
+    if ! command -v curl >/dev/null 2>&1; then
+        return 1
+    fi
+
+    local curl_cmd="curl -s --max-time 10"
+
+    if [ -n "$ca_file" ]; then
+        curl_cmd="$curl_cmd --cacert $ca_file"
+    elif [ "$insecure" = true ]; then
+        curl_cmd="$curl_cmd --insecure"
+    fi
+
+    if [ -n "$cert_file" ] && [ -n "$key_file" ]; then
+        curl_cmd="$curl_cmd --cert $cert_file --key $key_file"
+    fi
+
+    local protocol="https"
+    if [ "$port" = "80" ] || [ "$insecure" = true ]; then
+        protocol="http"
+    fi
+
+    if eval "$curl_cmd $protocol://$host:$port/v2/" >/dev/null 2>&1; then
+        return 0
+    fi
+
+    if [ "$protocol" = "https" ] && [ "$insecure" = true ]; then
+        if eval "$curl_cmd http://$host:$port/v2/" >/dev/null 2>&1; then
+            return 0
+        fi
+    fi
+
+    local response
+    response=$(eval "$curl_cmd -I $protocol://$host:$port/ 2>/dev/null | head -n 1 | cut -d' ' -f2")
+
+    if [ -n "$response" ]; then
+        return 0
+    fi
+
+    return 1
+}
+
+main() {
+    parse_arguments "$@" || exit 1
+
+    validate_cert_files || exit 1
+
+    check_port_connectivity "$REGISTRY_HOST" "$REGISTRY_PORT" || exit 1
+
+    check_registry_api "$REGISTRY_HOST" "$REGISTRY_PORT" "$CA_FILE" "$CERT_FILE" "$KEY_FILE" "$INSECURE" || exit 1
+
+    exit 0
+}
+
+main "$@" 2>/dev/null

builtin/core/roles/cri/containerd/templates/config.toml

@@ -47,7 +47,6 @@ state = "/run/containerd"
       max_conf_num = 1
       conf_template = ""
     [plugins."io.containerd.grpc.v1.cri".registry]
-      config_path = "/etc/containerd/certs.d"
       [plugins."io.containerd.grpc.v1.cri".registry.mirrors]
 {{- if .cri.registry.mirrors | empty | not }}
         [plugins."io.containerd.grpc.v1.cri".registry.mirrors."docker.io"]
@@ -64,6 +63,15 @@ state = "/run/containerd"
             username = "{{ .image_registry.auth.username }}"
             password = "{{ .image_registry.auth.password }}"
           [plugins."io.containerd.grpc.v1.cri".registry.configs."{{ .image_registry.auth.registry }}".tls]
+{{- if .image_registry.auth.ca_file | empty | not }}
+            ca_file = "/etc/containerd/certs.d/{{ .image_registry.auth.registry }}/ca.crt"
+{{- end }}
+{{- if .image_registry.auth.cert_file | empty | not }}
+            cert_file = "/etc/containerd/certs.d/{{ .image_registry.auth.registry }}/server.crt"
+{{- end }}
+{{- if .image_registry.auth.key_file | empty | not }}
+            key_file = "/etc/containerd/certs.d/{{ .image_registry.auth.registry }}/server.key"
+{{- end }}
             insecure_skip_verify = {{ .image_registry.auth.insecure | default true }}
 {{- if .cri.registry.auths | empty | not }}
   {{- range .cri.registry.auths }}

builtin/core/roles/image-registry/harbor/tasks/main.yaml

@@ -27,7 +27,7 @@
 - name: Harbor | Synchronize self signed ca cert to remote host
   copy:
     src: >-
-      {{ .binary_dir }}/pki/ca.crt
+      {{ .binary_dir }}/pki/root.crt
     dest: >-
       /opt/harbor/{{ .image_registry.harbor_version }}/ssl/ca.crt