From 525b67647da7ff8b020e15047db2512ad8b91c86 Mon Sep 17 00:00:00 2001
From: zuoxuesong-worker
Date: Tue, 28 Oct 2025 17:31:35 +0800
Subject: [PATCH] feat: change containerd config (#2829)
feat: change containerd default config
feat: change containerd default config
feat: change containerd default config
feat: change containerd default config
feat: change containerd default config
feat: change containerd default config
feat: change containerd default config
feat: change containerd default config
Signed-off-by: xuesongzuo@yunify.com
---
 builtin/core/playbooks/add_nodes.yaml | 6 +-
 builtin/core/playbooks/artifact_export.yaml | 5 +-
 builtin/core/playbooks/artifact_images.yaml | 5 +-
 builtin/core/playbooks/certs_renew.yaml | 5 +-
 builtin/core/playbooks/create_cluster.yaml | 7 +-
 builtin/core/playbooks/delete_cluster.yaml | 5 +-
 builtin/core/playbooks/delete_nodes.yaml | 5 +-
 builtin/core/playbooks/delete_registry.yaml | 6 +-
 builtin/core/playbooks/init_os.yaml | 5 +-
 builtin/core/playbooks/init_registry.yaml | 6 +-
 builtin/core/playbooks/precheck.yaml | 5 +-
 .../core/roles/certs/check/tasks/main.yaml | 57 +++++++
 .../core/roles/certs/check/templates/check.sh | 150 ++++++++++++++++++
 .../cri/containerd/templates/config.toml | 10 +-
 .../image-registry/harbor/tasks/main.yaml | 2 +-
 15 files changed, 266 insertions(+), 13 deletions(-)
 create mode 100644 builtin/core/roles/certs/check/tasks/main.yaml
 create mode 100644 builtin/core/roles/certs/check/templates/check.sh
diff --git a/builtin/core/playbooks/add_nodes.yaml b/builtin/core/playbooks/add_nodes.yaml
index 0b9b8990..8056f585 100644
--- a/builtin/core/playbooks/add_nodes.yaml
+++ b/builtin/core/playbooks/add_nodes.yaml
@@ -1,4 +1,8 @@
 ---
+- hosts:
+ - all
+ roles:
+ - native/root
 - import_playbook: hook/pre_install.yaml
 # Load default variables and perform prechecks on all hosts
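Review bot: The new `- hosts: [all]` / `roles: [native/root]` play is pasted verbatim at the top of all eleven playbooks touched here (add_nodes, artifact_export, artifact_images, certs_renew, create_cluster, delete_cluster, delete_nodes, delete_registry, init_os, init_registry, precheck), so any future change to how root is acquired has to be repeated eleven times. These files already compose with `- import_playbook: hook/pre_install.yaml`, so putting the play in one playbook file and importing it would keep them in sync; at minimum a comment above the play such as `# Acquire root on every host before any other play runs` would explain why it must now precede the pre_install hook in add_nodes and create_cluster. The play it was moved out of carries `gather_facts: true` in several of these files while the new play does not; whether native/root depends on facts is not visible from the hunks. The create_cluster and delete_registry copies also add a blank line after the play that the other nine do not, a small consistency nit.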
@@ -8,7 +12,6 @@
 roles:
 - defaults
 - precheck
- - native/root
 # Download all required software and generate certificates on the localhost
 - hosts:
@@ -17,6 +20,7 @@
 roles:
 - certs/init
 - download
+ - certs/check
 # Initialize all nodes and install necessary software packages
 - hosts:
diff --git a/builtin/core/playbooks/artifact_export.yaml b/builtin/core/playbooks/artifact_export.yaml
index 849defff..034f586d 100644
--- a/builtin/core/playbooks/artifact_export.yaml
+++ b/builtin/core/playbooks/artifact_export.yaml
@@ -1,11 +1,14 @@
 ---
+- hosts:
+ - all
+ roles:
+ - native/root
 # Load default variables and perform prechecks on all hosts
 - hosts:
 - all
 gather_facts: true
 roles:
 - defaults
- - native/root
 # Download all required software and generate certificates on the localhost
 - hosts:
diff --git a/builtin/core/playbooks/artifact_images.yaml b/builtin/core/playbooks/artifact_images.yaml
index de59659b..8163da27 100644
--- a/builtin/core/playbooks/artifact_images.yaml
+++ b/builtin/core/playbooks/artifact_images.yaml
@@ -1,11 +1,14 @@
 ---
+- hosts:
+ - all
+ roles:
+ - native/root
 # Load default variables and perform prechecks on all hosts
 - hosts:
 - localhost
 tags: ["always"]
 roles:
 - defaults
- - native/root
 - hosts:
 - localhost
diff --git a/builtin/core/playbooks/certs_renew.yaml b/builtin/core/playbooks/certs_renew.yaml
index 8068e98d..05dd72ef 100644
--- a/builtin/core/playbooks/certs_renew.yaml
+++ b/builtin/core/playbooks/certs_renew.yaml
@@ -1,11 +1,14 @@
 ---
+- hosts:
+ - all
+ roles:
+ - native/root
 # Load default variables and perform prechecks on all hosts
 - hosts:
 - all
 gather_facts: true
 roles:
 - defaults
- - native/root
 - hosts:
 - localhost
diff --git a/builtin/core/playbooks/create_cluster.yaml b/builtin/core/playbooks/create_cluster.yaml
index d2aadf5c..7242b5bb 100644
--- a/builtin/core/playbooks/create_cluster.yaml
+++ b/builtin/core/playbooks/create_cluster.yaml
@@ -1,4 +1,9 @@
 ---
+- hosts:
+ - all
+ roles:
+ - native/root
+
 - import_playbook: hook/pre_install.yaml
 # Load default variables and perform prechecks on all hosts
@@ -8,7 +13,6 @@
 roles:
 - defaults
 - precheck
- - native/root
 # Download all required software and generate certificates on the localhost
 - hosts:
@@ -16,6 +20,7 @@
 roles:
 - certs/init
 - download
+ - certs/check
 # Initialize all nodes and install necessary software packages
 - hosts:
diff --git a/builtin/core/playbooks/delete_cluster.yaml b/builtin/core/playbooks/delete_cluster.yaml
index b012d593..395b2c54 100644
--- a/builtin/core/playbooks/delete_cluster.yaml
+++ b/builtin/core/playbooks/delete_cluster.yaml
@@ -1,11 +1,14 @@
 ---
+- hosts:
+ - all
+ roles:
+ - native/root
 # Load default variables and perform prechecks on all hosts
 - hosts:
 - all
 gather_facts: true
 roles:
 - defaults
- - native/root
 - hosts:
 - k8s_cluster
diff --git a/builtin/core/playbooks/delete_nodes.yaml b/builtin/core/playbooks/delete_nodes.yaml
index 4d73921f..b42d4854 100644
--- a/builtin/core/playbooks/delete_nodes.yaml
+++ b/builtin/core/playbooks/delete_nodes.yaml
@@ -1,4 +1,8 @@
 ---
+- hosts:
+ - all
+ roles:
+ - native/root
 # Load default variables and perform prechecks on all hosts
 - hosts:
 - all
@@ -6,7 +10,6 @@
 roles:
 - defaults
 - precheck
- - native/root
 - hosts:
 - kube_control_plane
diff --git a/builtin/core/playbooks/delete_registry.yaml b/builtin/core/playbooks/delete_registry.yaml
index c54a7a49..ff4b2b57 100644
--- a/builtin/core/playbooks/delete_registry.yaml
+++ b/builtin/core/playbooks/delete_registry.yaml
@@ -1,11 +1,15 @@
 ---
+- hosts:
+ - all
+ roles:
+ - native/root
+
 # Load default variables and perform prechecks on all hosts
 - hosts:
 - all
 gather_facts: true
 roles:
 - defaults
- - native/root
 - hosts:
 - image_registry
diff --git a/builtin/core/playbooks/init_os.yaml b/builtin/core/playbooks/init_os.yaml
index 3f95feaf..17a4fa23 100644
--- a/builtin/core/playbooks/init_os.yaml
+++ b/builtin/core/playbooks/init_os.yaml
@@ -1,11 +1,14 @@
 ---
+- hosts:
+ - all
+ roles:
+ - native/root
 # Load default variables and perform prechecks on all hosts
 - hosts:
 - all
 gather_facts: true
 roles:
 - defaults
- - native/root
 # Download all required software and generate certificates on the localhost
 - hosts:
diff --git a/builtin/core/playbooks/init_registry.yaml b/builtin/core/playbooks/init_registry.yaml
index ada86a0f..4e990d9f 100644
--- a/builtin/core/playbooks/init_registry.yaml
+++ b/builtin/core/playbooks/init_registry.yaml
@@ -1,4 +1,8 @@
 ---
+- hosts:
+ - all
+ roles:
+ - native/root
 # Load default variables and perform prechecks on all hosts
 - hosts:
 - all
@@ -6,7 +10,6 @@
 gather_facts: true
 roles:
 - defaults
- - native/root
 # Download all required software and generate certificates on the localhost
@@ -16,6 +19,7 @@
 roles:
 - role: certs/init
 - role: download
+ - role: certs/check
 # Initialize all nodes and install necessary software packages
 - hosts:
diff --git a/builtin/core/playbooks/precheck.yaml b/builtin/core/playbooks/precheck.yaml
index 4e7e5f28..600a50b8 100644
--- a/builtin/core/playbooks/precheck.yaml
+++ b/builtin/core/playbooks/precheck.yaml
@@ -1,4 +1,8 @@
 ---
+- hosts:
+ - all
+ roles:
+ - native/root
 # Load default variables and perform prechecks on all hosts
 - hosts:
 - all
@@ -6,4 +10,3 @@
 roles:
 - defaults
 - precheck
- - native/root
diff --git a/builtin/core/roles/certs/check/tasks/main.yaml b/builtin/core/roles/certs/check/tasks/main.yaml
new file mode 100644
index 00000000..8b07610b
--- /dev/null
+++ b/builtin/core/roles/certs/check/tasks/main.yaml
@@ -0,0 +1,57 @@
+
+- name: Cert | Copy check shell
+ template:
+ src: check.sh
+ dest: /etc/kubekey/scripts/check.sh
+ mode: 0755
+
+- name: Cert | Set cert check command
+ set_fact:
+ cri:
+ cert:
+ check:
+ cmd: >-
+ /etc/kubekey/scripts/check.sh {{ .image_registry.auth.registry }}
+ {{- if .image_registry.auth.insecure -}}
+ {{ printf " --insecure " }}
+ {{- end -}}
+ {{- if .image_registry.auth.ca_file | empty | not -}}
+ {{ printf " --ca-file %s " .image_registry.auth.ca_file }}
+ {{- end -}}
+ {{- if .image_registry.auth.cert_file | empty | not -}}
+ {{ printf " --cert-file %s .image_registry.auth.cert_file " }}
+ {{- end -}}
+ {{- if .image_registry.auth.key_file | empty | not -}}
+ {{ printf " --key-file %s " .image_registry.auth.key_file }}
+ {{- end -}}
+
+- name: Cert | Exec check shell with input certs
+ register: cert_check_input_cert_result
+ command: |
+ if {{ .cri.cert.check.cmd }} ; then
+ echo "true"
+ else
+ echo "false"
+ fi
+
+- name: Cert | Exec check shell with local certs
+ when: .cert_check_input_cert_result.stdout | eq "false"
+ register: cert_check_self_cert_result
+ command: |
+ if /etc/kubekey/scripts/check.sh {{ .image_registry.auth.registry }} --ca-file {{ .binary_dir }}/pki/root.crt --cert-file {{ .binary_dir }}/pki/image_registry.crt --key-file {{ .binary_dir }}/pki/image_registry.key ; then
+ echo "true"
+ else
+ echo "false"
+ fi
+
+- name: Cert | Set auth ca
+ ignore_error: true
+ when: .cert_check_self_cert_result.stdout | eq "true"
+ add_hostvars:
+ hosts: all
+ vars:
+ image_registry:
+ auth:
+ ca_file: "{{ .binary_dir }}/pki/root.crt"
+ cert_file: "{{ .binary_dir }}/pki/image_registry.crt"
+ key_file: "{{ .binary_dir }}/pki/image_registry.key"
\ No newline at end of file
diff --git a/builtin/core/roles/certs/check/templates/check.sh b/builtin/core/roles/certs/check/templates/check.sh
new file mode 100644
index 00000000..15e14a27
--- /dev/null
+++ b/builtin/core/roles/certs/check/templates/check.sh
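Review bot: The `--cert-file` branch of the `cmd` template passes no argument to `printf`: in `{{ printf " --cert-file %s .image_registry.auth.cert_file " }}` the variable sits inside the format string, so Go's fmt renders a `%!s(MISSING)` placeholder instead of the path and the "input certs" check fails whenever a cert_file is configured. It should read `{{ printf " --cert-file %s " .image_registry.auth.cert_file }}`, matching the `--ca-file` and `--key-file` branches. `mode: 0755` is an unquoted leading-zero integer that YAML 1.1 and 1.2 loaders read differently (octal 493 versus decimal 755); `mode: "0755"` is safe under both. The last task then publishes the KubeKey-generated `root.crt`/`image_registry.crt`/`image_registry.key` paths into `image_registry.auth` for all hosts, so a comment on `Cert | Set auth ca` such as `# User-supplied registry certs failed the check; switch every host to the self-signed PKI generated in binary_dir` would make that fallback visible to the next reader. The file also lacks a trailing newline.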
@@ -0,0 +1,150 @@
+#!/bin/bash
+
+# example
+# ./check_registry.sh registry.example.com [options]
+# return: 0 (success) or 1 (fail)
+
+REGISTRY_HOST=""
+REGISTRY_PORT=443
+CA_FILE=""
+CERT_FILE=""
+KEY_FILE=""
+INSECURE=false
+
+parse_arguments() {
+ REGISTRY_HOST=$1
+ shift
+ while [[ $# -gt 0 ]]; do
+ case $1 in
+ -p|--port)
+ REGISTRY_PORT="$2"
+ shift 2
+ ;;
+ --ca-file)
+ CA_FILE="$2"
+ shift 2
+ ;;
+ --cert-file)
+ CERT_FILE="$2"
+ shift 2
+ ;;
+ --key-file)
+ KEY_FILE="$2"
+ shift 2
+ ;;
+ -k|--insecure)
+ INSECURE=true
+ shift
+ ;;
+ -h|--help)
+ exit 0
+ ;;
+ *)
+ exit 1
+ ;;
+ esac
+ done
+ if [ -z "$REGISTRY_HOST" ]; then
+ exit 1
+ fi
+}
+
+# verify input ca cert key
+validate_cert_files() {
+ if [ -n "$CA_FILE" ] && [ ! -f "$CA_FILE" ]; then
+ return 1
+ fi
+ if [ -n "$CERT_FILE" ] && [ ! -f "$CERT_FILE" ]; then
+ return 1
+ fi
+ if [ -n "$KEY_FILE" ] && [ ! -f "$KEY_FILE" ]; then
+ return 1
+ fi
+ return 0
+}
+
+# verify port accessible
+check_port_connectivity() {
+ local host=$1
+ local port=$2
+
+ if command -v nc >/dev/null 2>&1; then
+ if nc -z -w 5 "$host" "$port" >/dev/null 2>&1; then
+ return 0
+ else
+ return 1
+ fi
+ elif command -v timeout >/dev/null 2>&1; then
+ if timeout 5 bash -c "echo >/dev/tcp/$host/$port" 2>/dev/null; then
+ return 0
+ else
+ return 1
+ fi
+ else
+ return 0
+ fi
+}
+
+# check Registry API usable
+check_registry_api() {
+ local host=$1
+ local port=$2
+ local ca_file=$3
+ local cert_file=$4
+ local key_file=$5
+ local insecure=$6
+
+ if ! 
command -v curl >/dev/null 2>&1; then
+ return 1
+ fi
+
+ local curl_cmd="curl -s --max-time 10"
+
+ if [ -n "$ca_file" ]; then
+ curl_cmd="$curl_cmd --cacert $ca_file"
+ elif [ "$insecure" = true ]; then
+ curl_cmd="$curl_cmd --insecure"
+ fi
+
+ if [ -n "$cert_file" ] && [ -n "$key_file" ]; then
+ curl_cmd="$curl_cmd --cert $cert_file --key $key_file"
+ fi
+
+ local protocol="https"
+ if [ "$port" = "80" ] || [ "$insecure" = true ]; then
+ protocol="http"
+ fi
+
+ if eval "$curl_cmd $protocol://$host:$port/v2/" >/dev/null 2>&1; then
+ return 0
+ fi
+
+ if [ "$protocol" = "https" ] && [ "$insecure" = true ]; then
+ if eval "$curl_cmd http://$host:$port/v2/" >/dev/null 2>&1; then
+ return 0
+ fi
+ fi
+
+ local response
+ response=$(eval "$curl_cmd -I $protocol://$host:$port/ 2>/dev/null | head -n 1 | cut -d' ' -f2")
+
+ if [ -n "$response" ]; then
+ return 0
+ fi
+
+ return 1
+}
+
+main() {
+ parse_arguments "$@" || exit 1
+
+ validate_cert_files || exit 1
+
+ check_port_connectivity "$REGISTRY_HOST" "$REGISTRY_PORT" || exit 1
+
+ check_registry_api "$REGISTRY_HOST" "$REGISTRY_PORT" "$CA_FILE" "$CERT_FILE" "$KEY_FILE" "$INSECURE" || exit 1
+
+ exit 0
+}
+
+main "$@" 2>/dev/null
\ No newline at end of file
diff --git a/builtin/core/roles/cri/containerd/templates/config.toml b/builtin/core/roles/cri/containerd/templates/config.toml
index acbeb607..3d3afe98 100644
--- a/builtin/core/roles/cri/containerd/templates/config.toml
+++ b/builtin/core/roles/cri/containerd/templates/config.toml
@@ -47,7 +47,6 @@ state = "/run/containerd"
 max_conf_num = 1
 conf_template = ""
 [plugins."io.containerd.grpc.v1.cri".registry]
- config_path = "/etc/containerd/certs.d"
 [plugins."io.containerd.grpc.v1.cri".registry.mirrors]
 {{- if .cri.registry.mirrors | empty | not }}
 [plugins."io.containerd.grpc.v1.cri".registry.mirrors."docker.io"]
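Review bot: `check_registry_api` assembles `curl_cmd` as a single string from `$ca_file`, `$cert_file`, `$key_file`, `$host` and `$port` and then runs it through `eval`, so a path containing a space or a value containing shell metacharacters is re-parsed by the shell instead of reaching curl as one argument; these values come straight from `image_registry.auth.*` in the calling task. Building an argv array and invoking curl directly removes that second round of shell parsing (rewrite below). Separately, forcing `protocol="http"` whenever `$insecure` is true makes the later `[ "$protocol" = "https" ] && [ "$insecure" = true ]` retry unreachable and means the insecure path never exercises TLS at all; if the intent is https-then-http, leave `protocol` at `https` and let that retry do the downgrade. The closing `-I` fallback also treats any non-empty status line, including 4xx/5xx, as success, which reduces the check to reachability and deserves a comment if intended.
```shell
    local -a curl_args=(-s --max-time 10)
    if [ -n "$ca_file" ]; then
        curl_args+=(--cacert "$ca_file")
    elif [ "$insecure" = true ]; then
        curl_args+=(--insecure)
    fi
    if [ -n "$cert_file" ] && [ -n "$key_file" ]; then
        curl_args+=(--cert "$cert_file" --key "$key_file")
    fi
    # … unchanged: protocol selection …
    if curl "${curl_args[@]}" "$protocol://$host:$port/v2/" >/dev/null 2>&1; then
        return 0
    fi
    # … unchanged: http retry, using the same array invocation …
    local response
    response=$(curl "${curl_args[@]}" -I "$protocol://$host:$port/" 2>/dev/null | head -n 1 | cut -d' ' -f2)
```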
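Review bot: Dropping `config_path = "/etc/containerd/certs.d"` while the next hunk writes the CA and client files under `/etc/containerd/certs.d/<registry>/` leaves those files in the directory layout containerd's hosts.toml mechanism reads, with nothing pointing containerd at it; the TLS settings are now carried only by the `registry.configs.<registry>.tls` table. If the removal is to avoid containerd refusing `config_path` alongside `registry.mirrors`/`registry.configs`, that is reasonable, but a comment next to `[plugins."io.containerd.grpc.v1.cri".registry]` such as `# config_path is intentionally unset: mirrors/configs below are used instead` would stop it being re-added. As far as I recall upstream containerd marks `registry.mirrors` and `registry.configs.*.tls` as deprecated in favour of `config_path`, so this is worth checking against the containerd versions KubeKey installs.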
@@ -64,6 +63,15 @@ state = "/run/containerd"
 username = "{{ .image_registry.auth.username }}"
 password = "{{ .image_registry.auth.password }}"
 [plugins."io.containerd.grpc.v1.cri".registry.configs."{{ .image_registry.auth.registry }}".tls]
+{{- if .image_registry.auth.ca_file | empty | not }}
+ ca_file = "/etc/containerd/certs.d/{{ .image_registry.auth.registry }}/ca.crt"
+{{- end }}
+{{- if .image_registry.auth.cert_file | empty | not }}
+ cert_file = "/etc/containerd/certs.d/{{ .image_registry.auth.registry }}/server.crt"
+{{- end }}
+{{- if .image_registry.auth.key_file | empty | not }}
+ key_file = "/etc/containerd/certs.d/{{ .image_registry.auth.registry }}/server.key"
+{{- end }}
 insecure_skip_verify = {{ .image_registry.auth.insecure | default true }}
 {{- if .cri.registry.auths | empty | not }}
 {{- range .cri.registry.auths }}
diff --git a/builtin/core/roles/image-registry/harbor/tasks/main.yaml b/builtin/core/roles/image-registry/harbor/tasks/main.yaml
index 4ed47b2e..2d5e8153 100644
--- a/builtin/core/roles/image-registry/harbor/tasks/main.yaml
+++ b/builtin/core/roles/image-registry/harbor/tasks/main.yaml
@@ -27,7 +27,7 @@
 - name: Harbor | Synchronize self signed ca cert to remote host
 copy:
 src: >-
- {{ .binary_dir }}/pki/ca.crt
+ {{ .binary_dir }}/pki/root.crt
 dest: >-
 /opt/harbor/{{ .image_registry.harbor_version }}/ssl/ca.crt
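Review bot: The new `ca_file`/`cert_file`/`key_file` entries sit directly above the unchanged `insecure_skip_verify = {{ .image_registry.auth.insecure | default true }}`, so unless the user sets `insecure: false` explicitly the CA that was just pinned is never used to verify the registry. Given the rest of this patch goes to the trouble of validating the certificates and falling back to a KubeKey-generated CA, leaving verification off by default seems to undercut that; consider rendering `insecure_skip_verify` as `{{ .image_registry.auth.insecure | default false }}` when a ca_file is present, or at least a comment stating that the default stays permissive on purpose. The names `server.crt`/`server.key` for `cert_file`/`key_file` are misleading, since in this table they are the client certificate and key that containerd presents to the registry. The paths also assume another role has already copied the files into `/etc/containerd/certs.d/<registry>/`, which this diff does not show.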