From 4e3a92acec59a9198791ea6fa845ed11e0a6945a Mon Sep 17 00:00:00 2001 From: zuoxuesong-worker Date: Fri, 21 Nov 2025 17:23:50 +0800 Subject: [PATCH 1/4] feat: update some default config values (#2866) feat: update some default config values Signed-off-by: xuesongzuo@yunify.com --- .../core/roles/defaults/defaults/main/01-cluster_require.yaml | 2 ++ builtin/core/roles/defaults/defaults/main/03-kubernetes.yaml | 4 ++-- builtin/core/roles/defaults/vars/10-download.yaml | 4 ++++ builtin/core/roles/precheck/etcd/tasks/main.yaml | 2 +- 4 files changed, 9 insertions(+), 3 deletions(-) diff --git a/builtin/core/roles/defaults/defaults/main/01-cluster_require.yaml b/builtin/core/roles/defaults/defaults/main/01-cluster_require.yaml index 6e27c0c2..12ff29a0 100644 --- a/builtin/core/roles/defaults/defaults/main/01-cluster_require.yaml +++ b/builtin/core/roles/defaults/defaults/main/01-cluster_require.yaml @@ -10,6 +10,8 @@ cluster_require: - '"ubuntu"' - centos - '"centos"' + - kylin + - '"kylin"' # Required network plugins require_network_plugin: ['calico', 'flannel', 'cilium', 'hybridnet', 'kube-ovn'] # Minimum supported Kubernetes version diff --git a/builtin/core/roles/defaults/defaults/main/03-kubernetes.yaml b/builtin/core/roles/defaults/defaults/main/03-kubernetes.yaml index e23f8797..f650e1d5 100644 --- a/builtin/core/roles/defaults/defaults/main/03-kubernetes.yaml +++ b/builtin/core/roles/defaults/defaults/main/03-kubernetes.yaml @@ -82,7 +82,7 @@ kubernetes: mode: ARP image: registry: >- - {{ .dockerio_registry }} + {{ .image_registry.dockerio_registry }} repository: plndr/kube-vip tag: v0.7.2 haproxy: @@ -91,7 +91,7 @@ kubernetes: health_port: 8081 image: registry: >- - {{ .dockerio_registry }} + {{ .image_registry.dockerio_registry }} repository: library/haproxy tag: 2.9.6-alpine diff --git a/builtin/core/roles/defaults/vars/10-download.yaml b/builtin/core/roles/defaults/vars/10-download.yaml index ebf716b4..ef95c7b2 100644 
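Review bot: Any `{{ .dockerio_registry }}` reference that survives elsewhere in this file would now render as an empty registry while only the kube-vip and haproxy entries are corrected here, so the file deserves a grep for the old path before merge; I can only see these two hunks, and both sit inside the `kubernetes:` map whose start and end lie outside them. If the old path did render empty, these two images were presumably being pulled from the default registry instead of the configured mirror, which matters for offline installs and is worth saying in the commit message rather than "update some default config values". A short comment on each `registry:` key would spare the next reader the lookup: `# mirror for docker.io images, taken from image_registry.dockerio_registry in the defaults role`.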
--- a/builtin/core/roles/defaults/vars/10-download.yaml +++ b/builtin/core/roles/defaults/vars/10-download.yaml @@ -235,6 +235,10 @@ download: - "{{ .download.iso_url.base_path }}/kubesphere/kubekey/releases/download/iso-latest/debian-11-debs-arm64.iso" - "{{ .download.iso_url.base_path }}/kubesphere/kubekey/releases/download/iso-latest/kylin-v10SP3-rpms-amd64.iso" - "{{ .download.iso_url.base_path }}/kubesphere/kubekey/releases/download/iso-latest/kylin-v10SP3-rpms-arm64.iso" + - "{{ .download.iso_url.base_path }}/kubesphere/kubekey/releases/download/iso-latest/kylin-v10SP2-rpms-amd64.iso" + - "{{ .download.iso_url.base_path }}/kubesphere/kubekey/releases/download/iso-latest/kylin-v10SP2-rpms-arm64.iso" + - "{{ .download.iso_url.base_path }}/kubesphere/kubekey/releases/download/iso-latest/kylin-v10SP1-rpms-amd64.iso" + - "{{ .download.iso_url.base_path }}/kubesphere/kubekey/releases/download/iso-latest/kylin-v10SP1-rpms-arm64.iso" - "{{ .download.iso_url.base_path }}/kubesphere/kubekey/releases/download/iso-latest/ubuntu-18.04-debs-amd64.iso" - "{{ .download.iso_url.base_path }}/kubesphere/kubekey/releases/download/iso-latest/ubuntu-18.04-debs-arm64.iso" - "{{ .download.iso_url.base_path }}/kubesphere/kubekey/releases/download/iso-latest/ubuntu-20.04-debs-amd64.iso" diff --git a/builtin/core/roles/precheck/etcd/tasks/main.yaml b/builtin/core/roles/precheck/etcd/tasks/main.yaml index 99d890cc..72bac5bd 100644 --- a/builtin/core/roles/precheck/etcd/tasks/main.yaml +++ b/builtin/core/roles/precheck/etcd/tasks/main.yaml 
@@ -26,7 +26,7 @@ register_type: json - name: ETCD | Assert disk fsync latency meets requirements assert: - that: (index (.fio_result.stdout.jobs | first) "sync" "lat_ns" "percentile" "90.000000") | le .cluster_require.etcd_disk_wal_fysnc_duration_seconds + that: (index (.fio_result.stdout.jobs | first) "sync" "lat_ns" "percentile" "90.000000") | ge .cluster_require.etcd_disk_wal_fysnc_duration_seconds fail_msg: >- The 90th percentile fsync latency is {{ index (.fio_result.stdout.jobs | first) "sync" "lat_ns" "percentile" "90.000000" }}ns, which exceeds the maximum allowed: {{ .cluster_require.etcd_disk_wal_fysnc_duration_seconds }}ns. always: From 976a80771170616695541e180ba9cd369b2a6841 Mon Sep 17 00:00:00 2001 From: zuoxuesong-worker Date: Tue, 25 Nov 2025 16:01:42 +0800 Subject: [PATCH 2/4] bugfix: fix artifact image tag set func (#2870) Signed-off-by: xuesongzuo@yunify.com --- cmd/kk/app/options/builtin/artifact.go | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/cmd/kk/app/options/builtin/artifact.go b/cmd/kk/app/options/builtin/artifact.go index b1b8e856..09d7f5c6 100644 --- a/cmd/kk/app/options/builtin/artifact.go +++ b/cmd/kk/app/options/builtin/artifact.go @@ -143,13 +143,16 @@ func (o *ArtifactImagesOptions) Complete(cmd *cobra.Command, args []string) (*kk } o.Playbook = args[0] - var tags = []string{"image_registry"} + var tags = make([]string, 0) if o.Push { tags = append(tags, "push") } if o.Pull { tags = append(tags, "pull") } + if !o.Pull && !o.Push { + tags = append(tags, "image_registry") + } playbook.Spec = kkcorev1.PlaybookSpec{ Playbook: o.Playbook, From fc12d7b30217a3b1da0ec5b63c31d257bf54b90e Mon Sep 17 00:00:00 2001 From: zuoxuesong-worker Date: Tue, 25 Nov 2025 16:02:42 +0800 Subject: [PATCH 3/4] feat: k8s add haproxy image default value (#2869) 
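Review bot: The threshold `cluster_require.etcd_disk_wal_fysnc_duration_seconds` is compared against a nanosecond value (`sync.lat_ns`) and printed with an `ns` suffix in `fail_msg`, so either the variable name or the unit is misleading; the value set in the defaults role (not visible here) should be confirmed to be in nanoseconds, or converted before the comparison, otherwise the precheck passes or fails by a factor of 1e9. The flipped operator itself is right: in a Go template pipeline `x | ge y` evaluates as `ge y x`, i.e. threshold >= latency, which is the intended "p90 latency does not exceed the maximum" assertion, but it reads backwards at a glance. A comment above `that:` would stop the next person from flipping it back: `# pipeline form: ge <threshold> <p90 latency>, i.e. p90 latency <= threshold (both in ns)`. The `always:` block that follows continues outside the hunk.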
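Review bot: `image_registry` is now dropped from the tag list whenever `--pull` or `--push` is given, which is a silent behaviour change for any playbook where the image_registry-tagged tasks prepare registry variables that the pull/push tasks consume; if that dependency exists (the playbook is not visible here) those runs will now skip it, so the intent deserves a comment on the new `if`, e.g. `// without --pull/--push only the registry-setup tasks run; with either flag the registry tasks are skipped on purpose`. As a point of style, `var tags = make([]string, 0)` can be `var tags []string` since `append` handles a nil slice, unless `PlaybookSpec` serialises the tags and a consumer distinguishes `null` from `[]`. The enclosing `Complete` method starts before and ends after the hunk.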
Signed-off-by: xuesongzuo@yunify.com --- builtin/core/defaults/config/v1.23.yaml | 1 + builtin/core/defaults/config/v1.24.yaml | 1 + builtin/core/defaults/config/v1.25.yaml | 1 + builtin/core/defaults/config/v1.26.yaml | 1 + builtin/core/defaults/config/v1.27.yaml | 1 + builtin/core/defaults/config/v1.28.yaml | 1 + builtin/core/defaults/config/v1.29.yaml | 1 + builtin/core/defaults/config/v1.30.yaml | 1 + builtin/core/defaults/config/v1.31.yaml | 1 + builtin/core/defaults/config/v1.32.yaml | 1 + builtin/core/defaults/config/v1.33.yaml | 1 + builtin/core/roles/defaults/vars/v1.23.yaml | 1 + builtin/core/roles/defaults/vars/v1.24.yaml | 1 + builtin/core/roles/defaults/vars/v1.25.yaml | 1 + builtin/core/roles/defaults/vars/v1.26.yaml | 1 + builtin/core/roles/defaults/vars/v1.27.yaml | 1 + builtin/core/roles/defaults/vars/v1.28.yaml | 1 + builtin/core/roles/defaults/vars/v1.29.yaml | 1 + builtin/core/roles/defaults/vars/v1.30.yaml | 1 + builtin/core/roles/defaults/vars/v1.31.yaml | 1 + builtin/core/roles/defaults/vars/v1.32.yaml | 1 + builtin/core/roles/defaults/vars/v1.33.yaml | 1 + 22 files changed, 22 insertions(+) diff --git a/builtin/core/defaults/config/v1.23.yaml b/builtin/core/defaults/config/v1.23.yaml index b3fa171b..f50ea896 100644 --- a/builtin/core/defaults/config/v1.23.yaml +++ b/builtin/core/defaults/config/v1.23.yaml @@ -95,3 +95,4 @@ spec: - docker.io/openebs/linux-utils:3.3.0 - docker.io/openebs/provisioner-localpv:3.3.0 - quay.io/tigera/operator:v1.28.5 + - docker.io/library/haproxy:2.9.6-alpine diff --git a/builtin/core/defaults/config/v1.24.yaml b/builtin/core/defaults/config/v1.24.yaml index 210fb4be..fe6f931d 100644 --- a/builtin/core/defaults/config/v1.24.yaml +++ b/builtin/core/defaults/config/v1.24.yaml @@ -96,3 +96,4 @@ spec: - docker.io/openebs/linux-utils:3.4.0 - docker.io/openebs/provisioner-localpv:3.4.0 - quay.io/tigera/operator:v1.29.3 + - docker.io/library/haproxy:2.9.6-alpine 
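Review bot: `docker.io/library/haproxy:2.9.6-alpine` is pinned by a mutable tag, so what an artifact export captures depends on what the tag points to on the day of export; for a list whose purpose is an offline, reproducible bundle a digest (`haproxy@sha256:…`) would make the exported content verifiable, and the same applies to the neighbouring entries. The tag also has to stay in step with `kubernetes.haproxy.image.tag` in `03-kubernetes.yaml` (same value in this patch series), and with the line repeated in 22 files a comment such as `# must match kubernetes.haproxy.image.tag` next to the entry would make the coupling visible. The `spec:` list this line belongs to starts outside the hunk.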
diff --git a/builtin/core/defaults/config/v1.25.yaml b/builtin/core/defaults/config/v1.25.yaml index f5341602..2cb795b5 100644 --- a/builtin/core/defaults/config/v1.25.yaml +++ b/builtin/core/defaults/config/v1.25.yaml @@ -96,3 +96,4 @@ spec: - docker.io/openebs/linux-utils:3.4.0 - docker.io/openebs/provisioner-localpv:3.4.0 - quay.io/tigera/operator:v1.29.3 + - docker.io/library/haproxy:2.9.6-alpine diff --git a/builtin/core/defaults/config/v1.26.yaml b/builtin/core/defaults/config/v1.26.yaml index 115f530a..0de00c0a 100644 --- a/builtin/core/defaults/config/v1.26.yaml +++ b/builtin/core/defaults/config/v1.26.yaml @@ -96,3 +96,4 @@ spec: - docker.io/openebs/linux-utils:3.4.0 - docker.io/openebs/provisioner-localpv:3.4.0 - quay.io/tigera/operator:v1.30.4 + - docker.io/library/haproxy:2.9.6-alpine diff --git a/builtin/core/defaults/config/v1.27.yaml b/builtin/core/defaults/config/v1.27.yaml index 373aa771..d6f3dc59 100644 --- a/builtin/core/defaults/config/v1.27.yaml +++ b/builtin/core/defaults/config/v1.27.yaml @@ -96,3 +96,4 @@ spec: - docker.io/openebs/linux-utils:3.4.0 - docker.io/openebs/provisioner-localpv:3.4.0 - quay.io/tigera/operator:v1.30.4 + - docker.io/library/haproxy:2.9.6-alpine diff --git a/builtin/core/defaults/config/v1.28.yaml b/builtin/core/defaults/config/v1.28.yaml index 6b2b953c..daff4155 100644 --- a/builtin/core/defaults/config/v1.28.yaml +++ b/builtin/core/defaults/config/v1.28.yaml @@ -96,3 +96,4 @@ spec: - docker.io/openebs/linux-utils:3.4.0 - docker.io/openebs/provisioner-localpv:3.4.0 - quay.io/tigera/operator:v1.34.5 + - docker.io/library/haproxy:2.9.6-alpine diff --git a/builtin/core/defaults/config/v1.29.yaml b/builtin/core/defaults/config/v1.29.yaml index 1b3a416d..0530e0d1 100644 --- a/builtin/core/defaults/config/v1.29.yaml +++ b/builtin/core/defaults/config/v1.29.yaml 
@@ -96,3 +96,4 @@ spec: - docker.io/openebs/linux-utils:3.5.0 - docker.io/openebs/provisioner-localpv:3.5.0 - quay.io/tigera/operator:v1.34.5 + - docker.io/library/haproxy:2.9.6-alpine diff --git a/builtin/core/defaults/config/v1.30.yaml b/builtin/core/defaults/config/v1.30.yaml index bb5e56a1..d40340ad 100644 --- a/builtin/core/defaults/config/v1.30.yaml +++ b/builtin/core/defaults/config/v1.30.yaml @@ -96,3 +96,4 @@ spec: - docker.io/openebs/linux-utils:4.0.0 - docker.io/openebs/provisioner-localpv:4.0.0 - quay.io/tigera/operator:v1.34.5 + - docker.io/library/haproxy:2.9.6-alpine diff --git a/builtin/core/defaults/config/v1.31.yaml b/builtin/core/defaults/config/v1.31.yaml index ef7e0746..ef70d86e 100644 --- a/builtin/core/defaults/config/v1.31.yaml +++ b/builtin/core/defaults/config/v1.31.yaml @@ -96,3 +96,4 @@ spec: - docker.io/openebs/linux-utils:4.1.0 - docker.io/openebs/provisioner-localpv:4.1.0 - quay.io/tigera/operator:v1.34.5 + - docker.io/library/haproxy:2.9.6-alpine diff --git a/builtin/core/defaults/config/v1.32.yaml b/builtin/core/defaults/config/v1.32.yaml index 596481ee..918bf7a1 100644 --- a/builtin/core/defaults/config/v1.32.yaml +++ b/builtin/core/defaults/config/v1.32.yaml @@ -96,3 +96,4 @@ spec: - docker.io/openebs/linux-utils:4.2.0 - docker.io/openebs/provisioner-localpv:4.2.0 - quay.io/tigera/operator:v1.34.5 + - docker.io/library/haproxy:2.9.6-alpine diff --git a/builtin/core/defaults/config/v1.33.yaml b/builtin/core/defaults/config/v1.33.yaml index 4bad40bc..b19617d0 100644 --- a/builtin/core/defaults/config/v1.33.yaml +++ b/builtin/core/defaults/config/v1.33.yaml @@ -97,3 +97,4 @@ spec: - docker.io/openebs/linux-utils:4.2.0 - docker.io/openebs/provisioner-localpv:4.2.0 - quay.io/tigera/operator:v1.34.5 + - docker.io/library/haproxy:2.9.6-alpine diff --git a/builtin/core/roles/defaults/vars/v1.23.yaml b/builtin/core/roles/defaults/vars/v1.23.yaml index cfa4e77e..9716a245 100644 --- a/builtin/core/roles/defaults/vars/v1.23.yaml 
+++ b/builtin/core/roles/defaults/vars/v1.23.yaml @@ -88,3 +88,4 @@ image_manifests: - docker.io/openebs/linux-utils:3.3.0 - docker.io/openebs/provisioner-localpv:3.3.0 - quay.io/tigera/operator:v1.28.5 + - docker.io/library/haproxy:2.9.6-alpine diff --git a/builtin/core/roles/defaults/vars/v1.24.yaml b/builtin/core/roles/defaults/vars/v1.24.yaml index fbd05bcb..20a60de0 100644 --- a/builtin/core/roles/defaults/vars/v1.24.yaml +++ b/builtin/core/roles/defaults/vars/v1.24.yaml @@ -91,3 +91,4 @@ image_manifests: - docker.io/openebs/linux-utils:3.4.0 - docker.io/openebs/provisioner-localpv:3.4.0 - quay.io/tigera/operator:v1.29.3 + - docker.io/library/haproxy:2.9.6-alpine diff --git a/builtin/core/roles/defaults/vars/v1.25.yaml b/builtin/core/roles/defaults/vars/v1.25.yaml index 884c76a8..a4d2c651 100644 --- a/builtin/core/roles/defaults/vars/v1.25.yaml +++ b/builtin/core/roles/defaults/vars/v1.25.yaml @@ -91,3 +91,4 @@ image_manifests: - docker.io/openebs/linux-utils:3.4.0 - docker.io/openebs/provisioner-localpv:3.4.0 - quay.io/tigera/operator:v1.29.3 + - docker.io/library/haproxy:2.9.6-alpine diff --git a/builtin/core/roles/defaults/vars/v1.26.yaml b/builtin/core/roles/defaults/vars/v1.26.yaml index b5e8d339..ce8ff0d1 100644 --- a/builtin/core/roles/defaults/vars/v1.26.yaml +++ b/builtin/core/roles/defaults/vars/v1.26.yaml @@ -91,3 +91,4 @@ image_manifests: - docker.io/openebs/linux-utils:3.4.0 - docker.io/openebs/provisioner-localpv:3.4.0 - quay.io/tigera/operator:v1.30.4 + - docker.io/library/haproxy:2.9.6-alpine diff --git a/builtin/core/roles/defaults/vars/v1.27.yaml b/builtin/core/roles/defaults/vars/v1.27.yaml index 2b26370f..8cfc5e28 100644 --- a/builtin/core/roles/defaults/vars/v1.27.yaml +++ b/builtin/core/roles/defaults/vars/v1.27.yaml @@ -88,3 +88,4 @@ image_manifests: - docker.io/openebs/linux-utils:3.4.0 - docker.io/openebs/provisioner-localpv:3.4.0 - quay.io/tigera/operator:v1.30.4 + - docker.io/library/haproxy:2.9.6-alpine 
diff --git a/builtin/core/roles/defaults/vars/v1.28.yaml b/builtin/core/roles/defaults/vars/v1.28.yaml index 94f7fdca..b80fba9a 100644 --- a/builtin/core/roles/defaults/vars/v1.28.yaml +++ b/builtin/core/roles/defaults/vars/v1.28.yaml @@ -89,3 +89,4 @@ image_manifests: - docker.io/openebs/linux-utils:3.4.0 - docker.io/openebs/provisioner-localpv:3.4.0 - quay.io/tigera/operator:v1.34.5 + - docker.io/library/haproxy:2.9.6-alpine diff --git a/builtin/core/roles/defaults/vars/v1.29.yaml b/builtin/core/roles/defaults/vars/v1.29.yaml index 27b2bf03..5a42367a 100644 --- a/builtin/core/roles/defaults/vars/v1.29.yaml +++ b/builtin/core/roles/defaults/vars/v1.29.yaml @@ -89,3 +89,4 @@ image_manifests: - docker.io/openebs/linux-utils:3.5.0 - docker.io/openebs/provisioner-localpv:3.5.0 - quay.io/tigera/operator:v1.34.5 + - docker.io/library/haproxy:2.9.6-alpine diff --git a/builtin/core/roles/defaults/vars/v1.30.yaml b/builtin/core/roles/defaults/vars/v1.30.yaml index 6fc15754..6af128dd 100644 --- a/builtin/core/roles/defaults/vars/v1.30.yaml +++ b/builtin/core/roles/defaults/vars/v1.30.yaml @@ -89,3 +89,4 @@ image_manifests: - docker.io/openebs/linux-utils:4.0.0 - docker.io/openebs/provisioner-localpv:4.0.0 - quay.io/tigera/operator:v1.34.5 + - docker.io/library/haproxy:2.9.6-alpine diff --git a/builtin/core/roles/defaults/vars/v1.31.yaml b/builtin/core/roles/defaults/vars/v1.31.yaml index 711c8002..036b5315 100644 --- a/builtin/core/roles/defaults/vars/v1.31.yaml +++ b/builtin/core/roles/defaults/vars/v1.31.yaml @@ -89,4 +89,5 @@ image_manifests: - docker.io/openebs/linux-utils:4.1.0 - docker.io/openebs/provisioner-localpv:4.1.0 - quay.io/tigera/operator:v1.34.5 + - docker.io/library/haproxy:2.9.6-alpine diff --git a/builtin/core/roles/defaults/vars/v1.32.yaml b/builtin/core/roles/defaults/vars/v1.32.yaml index 8ba89876..9fbfb3a9 100644 --- a/builtin/core/roles/defaults/vars/v1.32.yaml +++ b/builtin/core/roles/defaults/vars/v1.32.yaml 
@@ -91,3 +91,4 @@ image_manifests: - docker.io/openebs/linux-utils:4.2.0 - docker.io/openebs/provisioner-localpv:4.2.0 - quay.io/tigera/operator:v1.34.5 + - docker.io/library/haproxy:2.9.6-alpine diff --git a/builtin/core/roles/defaults/vars/v1.33.yaml b/builtin/core/roles/defaults/vars/v1.33.yaml index c7022f05..9c7875fa 100644 --- a/builtin/core/roles/defaults/vars/v1.33.yaml +++ b/builtin/core/roles/defaults/vars/v1.33.yaml @@ -91,3 +91,4 @@ image_manifests: - docker.io/openebs/linux-utils:4.2.0 - docker.io/openebs/provisioner-localpv:4.2.0 - quay.io/tigera/operator:v1.34.5 + - docker.io/library/haproxy:2.9.6-alpine From 4985395a4d7e06e81c6e253e54b7b80a8a796eb2 Mon Sep 17 00:00:00 2001 From: LiYang <771232186@qq.com> Date: Thu, 27 Nov 2025 12:45:23 +0800 Subject: [PATCH 4/4] =?UTF-8?q?feat:=20kk=204.0=20=E5=88=B6=E5=93=81?= =?UTF-8?q?=E5=AF=BC=E5=87=BA=20=E6=94=AF=E6=8C=81skip=5Ftls=5Fverify=20?= =?UTF-8?q?=E7=A7=81=E4=BB=93=E9=95=9C=E5=83=8F=20#2854=20(#2855)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * feat: kk 4.0 制品导出 支持skip_tls_verify 私仓镜像 #2854 * feat: update image skip tls verify func Signed-off-by: xuesongzuo@yunify.com * feat: update image skip tls verify func Signed-off-by: xuesongzuo@yunify.com * feat: update image skip tls verify func Signed-off-by: xuesongzuo@yunify.com --------- 
Signed-off-by: xuesongzuo@yunify.com Co-authored-by: xuesongzuo@yunify.com --- builtin/core/playbooks/artifact_images.yaml | 1 + builtin/core/roles/defaults/vars/v1.23.yaml | 2 + builtin/core/roles/defaults/vars/v1.24.yaml | 2 + builtin/core/roles/defaults/vars/v1.25.yaml | 2 + builtin/core/roles/defaults/vars/v1.26.yaml | 2 + builtin/core/roles/defaults/vars/v1.27.yaml | 2 + builtin/core/roles/defaults/vars/v1.28.yaml | 2 + builtin/core/roles/defaults/vars/v1.29.yaml | 2 + builtin/core/roles/defaults/vars/v1.30.yaml | 2 + builtin/core/roles/defaults/vars/v1.31.yaml | 2 + builtin/core/roles/defaults/vars/v1.32.yaml | 2 + builtin/core/roles/defaults/vars/v1.33.yaml | 2 + docs/zh/modules/image.md | 12 ++-- pkg/modules/image.go | 78 ++++++++++++++------- 14 files changed, 84 insertions(+), 29 deletions(-) diff --git a/builtin/core/playbooks/artifact_images.yaml b/builtin/core/playbooks/artifact_images.yaml index 8163da27..2f9b9040 100644 --- a/builtin/core/playbooks/artifact_images.yaml +++ b/builtin/core/playbooks/artifact_images.yaml @@ -21,6 +21,7 @@ images_dir: >- {{ .binary_dir }}/images/ manifests: "{{ .image_manifests | toJson }}" + skip_tls_verify: "{{ .cri.skip_tls_verify | default false }}" when: - .image_manifests | default list | empty | not - .download.download_image diff --git a/builtin/core/roles/defaults/vars/v1.23.yaml b/builtin/core/roles/defaults/vars/v1.23.yaml index 9716a245..7736fc3e 100644 --- a/builtin/core/roles/defaults/vars/v1.23.yaml +++ b/builtin/core/roles/defaults/vars/v1.23.yaml @@ -33,6 +33,8 @@ cri: containerd_version: v1.6.8 # runc binary runc_version: v1.1.4 + # skip tls verify when pulling images + skip_tls_verify: false cni: multus: image: diff --git a/builtin/core/roles/defaults/vars/v1.24.yaml b/builtin/core/roles/defaults/vars/v1.24.yaml index 20a60de0..e0af7d7b 100644 --- a/builtin/core/roles/defaults/vars/v1.24.yaml +++ b/builtin/core/roles/defaults/vars/v1.24.yaml 
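Review bot: Wiring `cri.skip_tls_verify` straight into the export's `skip_tls_verify` makes one knob disable certificate verification for every registry the export pulls from, including the docker.io and quay.io entries in `image_manifests`, not only the private registry the setting was presumably introduced for; during an export an on-path attacker could then substitute any of those images. The image module in this same patch gains a per-registry `insecure` flag on `auths`, so the safer shape is to leave the global default false and set `insecure: true` only on the private registry's `auths` entry, or at least document the blast radius on the new line: `# applies to ALL registries in image_manifests; prefer pull.auths[].insecure for a single private registry`. The task's name and module lines start before the hunk.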
@@ -36,6 +36,8 @@ cri: containerd_version: v1.6.16 # runc binary runc_version: v1.1.4 + # skip tls verify when pulling images + skip_tls_verify: false cni: multus: image: diff --git a/builtin/core/roles/defaults/vars/v1.25.yaml b/builtin/core/roles/defaults/vars/v1.25.yaml index a4d2c651..24c62a30 100644 --- a/builtin/core/roles/defaults/vars/v1.25.yaml +++ b/builtin/core/roles/defaults/vars/v1.25.yaml @@ -34,6 +34,8 @@ cri: containerd_version: v1.6.19 # runc binary runc_version: v1.1.4 + # skip tls verify when pulling images + skip_tls_verify: false cni: type: calico ipv6_support: false diff --git a/builtin/core/roles/defaults/vars/v1.26.yaml b/builtin/core/roles/defaults/vars/v1.26.yaml index ce8ff0d1..6e604f1a 100644 --- a/builtin/core/roles/defaults/vars/v1.26.yaml +++ b/builtin/core/roles/defaults/vars/v1.26.yaml @@ -34,6 +34,8 @@ cri: containerd_version: v1.6.21 # runc binary runc_version: v1.1.5 + # skip tls verify when pulling images + skip_tls_verify: false cni: type: calico ipv6_support: false diff --git a/builtin/core/roles/defaults/vars/v1.27.yaml b/builtin/core/roles/defaults/vars/v1.27.yaml index 8cfc5e28..9ca7578d 100644 --- a/builtin/core/roles/defaults/vars/v1.27.yaml +++ b/builtin/core/roles/defaults/vars/v1.27.yaml @@ -34,6 +34,8 @@ cri: containerd_version: v1.7.2 # runc binary runc_version: v1.1.7 + # skip tls verify when pulling images + skip_tls_verify: false cni: multus: image: diff --git a/builtin/core/roles/defaults/vars/v1.28.yaml b/builtin/core/roles/defaults/vars/v1.28.yaml index b80fba9a..f868db4b 100644 --- a/builtin/core/roles/defaults/vars/v1.28.yaml +++ b/builtin/core/roles/defaults/vars/v1.28.yaml @@ -34,6 +34,8 @@ cri: containerd_version: v1.7.3 # runc binary runc_version: v1.1.7 + # skip tls verify when pulling images + skip_tls_verify: false cni: multus: image: diff --git a/builtin/core/roles/defaults/vars/v1.29.yaml b/builtin/core/roles/defaults/vars/v1.29.yaml index 5a42367a..f7889620 100644 
--- a/builtin/core/roles/defaults/vars/v1.29.yaml +++ b/builtin/core/roles/defaults/vars/v1.29.yaml @@ -34,6 +34,8 @@ cri: containerd_version: v1.7.6 # runc binary runc_version: v1.1.7 + # skip tls verify when pulling images + skip_tls_verify: false cni: multus: image: diff --git a/builtin/core/roles/defaults/vars/v1.30.yaml b/builtin/core/roles/defaults/vars/v1.30.yaml index 6af128dd..fd9ca170 100644 --- a/builtin/core/roles/defaults/vars/v1.30.yaml +++ b/builtin/core/roles/defaults/vars/v1.30.yaml @@ -34,6 +34,8 @@ cri: containerd_version: v1.7.6 # runc binary runc_version: v1.1.7 + # skip tls verify when pulling images + skip_tls_verify: false cni: multus: image: diff --git a/builtin/core/roles/defaults/vars/v1.31.yaml b/builtin/core/roles/defaults/vars/v1.31.yaml index 036b5315..58d6860d 100644 --- a/builtin/core/roles/defaults/vars/v1.31.yaml +++ b/builtin/core/roles/defaults/vars/v1.31.yaml @@ -34,6 +34,8 @@ cri: containerd_version: v1.7.6 # runc binary runc_version: v1.1.7 + # skip tls verify when pulling images + skip_tls_verify: false cni: multus: image: diff --git a/builtin/core/roles/defaults/vars/v1.32.yaml b/builtin/core/roles/defaults/vars/v1.32.yaml index 9fbfb3a9..67f19002 100644 --- a/builtin/core/roles/defaults/vars/v1.32.yaml +++ b/builtin/core/roles/defaults/vars/v1.32.yaml @@ -34,6 +34,8 @@ cri: containerd_version: v1.7.6 # runc binary runc_version: v1.1.7 + # skip tls verify when pulling images + skip_tls_verify: false cni: type: calico ipv6_support: false diff --git a/builtin/core/roles/defaults/vars/v1.33.yaml b/builtin/core/roles/defaults/vars/v1.33.yaml index 9c7875fa..58c46c6b 100644 --- a/builtin/core/roles/defaults/vars/v1.33.yaml +++ b/builtin/core/roles/defaults/vars/v1.33.yaml @@ -34,6 +34,8 @@ cri: containerd_version: v1.7.6 # runc binary runc_version: v1.1.7 + # skip tls verify when pulling images + skip_tls_verify: false cni: type: calico ipv6_support: false 
diff --git a/docs/zh/modules/image.md b/docs/zh/modules/image.md index 55a6aa55..cbef274c 100644 --- a/docs/zh/modules/image.md +++ b/docs/zh/modules/image.md @@ -13,13 +13,17 @@ image模块允许用户下载镜像到本地目录或上传镜像到远程目录 | pull.auths.repo | 用于认证远程仓库的地址 | 字符串 | 否 | - | | pull.auths.username | 用于认证远程仓库的用户名 | 字符串 | 否 | - | | pull.auths.password | 用于认证远程仓库的密码 | 字符串 | 否 | - | +| pull.auths.insecure | 是否跳过当前远程仓库的tls认证 | bool | 否 | - | | pull.platform | 镜像的架构信息 | 字符串 | 否 | - | -| pull.skip_tls_verify | 是否跳过远程仓库的tls认证 | bool | 否 | - | +| pull.skip_tls_verify | 默认的是否跳过远程仓库的tls认证 | bool | 否 | - | | push | 从本地目录中推送镜像到远程仓库 | map | 否 | - | | push.images_dir | 镜像存放的本地目录 | 字符串 | 否 | - | -| push.username | 用于认证远程仓库的用户 | 字符串 | 否 | - | -| push.password | 用于认证远程仓库的密码 | 字符串 | 否 | - | -| push.skip_tls_verify | 是否跳过远程仓库的tls认证 | bool | 否 | - | +| push.auths | 远程仓库的认证信息 | Object数组 | 否 | - | +| push.auths.repo | 用于认证远程仓库的地址 | 字符串 | 否 | - | +| push.auths.username | 用于认证远程仓库的用户名 | 字符串 | 否 | - | +| push.auths.password | 用于认证远程仓库的密码 | 字符串 | 否 | - | +| push.auths.insecure | 是否跳过当前远程仓库的tls认证 | bool | 否 | - | +| push.skip_tls_verify | 默认的是否跳过远程仓库的tls认证 | bool | 否 | - | | push.src_pattern | 正则表达式,过滤本地目录中存放的镜像 | map | 否 | - | | push.dest | 模版语法,从本地目录镜像推送到的远程仓库镜像 | map | 否 | - | diff --git a/pkg/modules/image.go b/pkg/modules/image.go index 4173349b..ab9a3895 100644 --- a/pkg/modules/image.go +++ b/pkg/modules/image.go 
@@ -59,16 +59,20 @@ image: pull: # optional: pull configuration manifests: []string # required: list of image manifests to pull images_dir: string # required: directory to store pulled images - skipTLSVerify: bool # optional: skip TLS verification + skipTLSVerify: bool # optional: default skip TLS verification autus: # optional: target image repo access information, slice type - repo: string # optional: target image repo username: string # optional: target image repo access username password: string # optional: target image repo access password + insecure: bool # optional: skip TLS verification for current repo push: # optional: push configuration - username: string # optional: registry username - password: string # optional: registry password + autus: # optional: target image repo access information, slice type + - repo: string # optional: target image repo + username: string # optional: target image repo access username + password: string # optional: target image repo access password + insecure: bool # optional: skip TLS verification for current repo images_dir: string # required: directory containing images to push - skipTLSVerify: bool # optional: skip TLS verification + skipTLSVerify: bool # optional: default skip TLS verification src_pattern: string # optional: source image pattern to push (regex supported). If not specified, all images in images_dir will be pushed dest: string # required: destination registry and image name. Supports template syntax for dynamic values @@ -97,8 +101,13 @@ Usage Examples in Playbook Tasks: - name: Push images to private registry image: push: - username: admin - password: secret + auths: + - repo: docker.io + username: MyDockerAccount + password: my_password + - repo: registry.example.com + username: admin + password: secret namespace_override: custom-ns images_dir: /path/to/images dest: registry.example.com/{{ . }} 
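Review bot: The new `push:` section copies the `autus:` typo from the pull section, but the parser reads the key `auths` (`variable.AnyVar(vars, push, &pullAuths, "auths")` later in this patch), so a user who follows this comment writes a key that is silently ignored and pushes unauthenticated; change both occurrences to `auths:`. The same block documents the default as `skipTLSVerify`, whereas the playbook and the zh docs in this patch use `skip_tls_verify`; the name shown here should be the one the parser accepts, which is not visible in this hunk. The doc comment continues past the hunk.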
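Review bot: The example hard-codes `password: my_password` and `password: secret` directly in the task, and since the parser runs `tmpl.ParseFunc` over `Username` and `Password`, the example should instead show the value coming from a variable, e.g. `password: "{{ .registry_password }}"`, so that playbooks copied from this comment do not end up with registry credentials committed in plain text. One line above the example would make the point explicit: `# credentials accept template syntax; keep secrets in vars, not in the playbook`. The example block continues outside the hunk.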
@@ -124,19 +133,21 @@ type imagePullArgs struct { manifests []string skipTLSVerify *bool platform string - auths []imagePullAuth + auths []imageAuth } -type imagePullAuth struct { +type imageAuth struct { Repo string `json:"repo"` Username string `json:"username"` Password string `json:"password"` + Insecure *bool `json:"insecure"` } // pull retrieves images from a remote registry and stores them locally func (i imagePullArgs) pull(ctx context.Context, platform string) error { for _, img := range i.manifests { - src, err := remote.NewRepository(normalizeImageNameSimple(img)) + img = normalizeImageNameSimple(img) + src, err := remote.NewRepository(img) if err != nil { return errors.Wrapf(err, "failed to get remote image %s", img) } @@ -144,12 +155,12 @@ func (i imagePullArgs) pull(ctx context.Context, platform string) error { Client: &http.Client{ Transport: &http.Transport{ TLSClientConfig: &tls.Config{ - InsecureSkipVerify: *i.skipTLSVerify, + InsecureSkipVerify: skipTlsVerifyFunc(img, i.auths, *i.skipTLSVerify), }, }, }, Cache: auth.NewCache(), - Credential: i.pullAuthFunc(), + Credential: authFunc(i.auths), } dst, err := newLocalRepository(filepath.Join(src.Reference.Registry, src.Reference.Repository)+":"+src.Reference.Reference, i.imagesDir) @@ -175,9 +186,9 @@ func (i imagePullArgs) pull(ctx context.Context, platform string) error { return nil } -func (i imagePullArgs) pullAuthFunc() func(ctx context.Context, hostport string) (auth.Credential, error) { +func authFunc(auths []imageAuth) func(ctx context.Context, hostport string) (auth.Credential, error) { var creds = make(map[string]auth.Credential) - for _, inputAuth := range i.auths { + for _, inputAuth := range auths { var rp = inputAuth.Repo if rp == "docker.io" || rp == "" { rp = "registry-1.docker.io" 
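Review bot: The registry host for the TLS decision is recomputed by splitting the image string inside `skipTlsVerifyFunc`, even though the parsed reference is already at hand — `src.Reference.Registry` is used on the very next line — so passing that value (`skipTlsVerifyFunc(src.Reference.Registry, i.auths, *i.skipTLSVerify)` with the helper taking a host rather than an image) keeps the match consistent with how oras resolved the name. Disabling certificate verification is a security-relevant, per-image decision, so a warning through the package's logger when the resolved value is true would make a stray `insecure: true` visible in the run output. The dereference of `*i.skipTLSVerify` is pre-existing but still panics when the key is absent; a default on the parser side would close that. The body of `pull()` continues past the hunk.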
@@ -196,6 +207,20 @@ func (i imagePullArgs) pullAuthFunc() func(ctx context.Context, hostport string) } } +func skipTlsVerifyFunc(img string, auths []imageAuth, defaults bool) bool { + imgHost := strings.Split(img, "/")[0] + for _, a := range auths { + if imgHost == a.Repo { + if a.Insecure != nil { + return *a.Insecure + } else { + return defaults + } + } + } + return defaults +} + // parse platform string to ocispec.Platform func parsePlatform(platformStr string) (imagev1.Platform, error) { parts := strings.Split(platformStr, "/") @@ -222,8 +247,7 @@ type imagePushArgs struct { skipTLSVerify *bool srcPattern *regexp.Regexp destTmpl string - username string - password string + auths []imageAuth } // push uploads local images to a remote registry @@ -263,15 +287,12 @@ func (i imagePushArgs) push(ctx context.Context, hostVars map[string]any) error Client: &http.Client{ Transport: &http.Transport{ TLSClientConfig: &tls.Config{ - InsecureSkipVerify: *i.skipTLSVerify, + InsecureSkipVerify: skipTlsVerifyFunc(dest, i.auths, *i.skipTLSVerify), }, }, }, - Cache: auth.NewCache(), - Credential: auth.StaticCredential(dst.Reference.Registry, auth.Credential{ - Username: i.username, - Password: i.password, - }), + Cache: auth.NewCache(), + Credential: authFunc(i.auths), } if _, err = oras.Copy(ctx, src, src.Reference.Reference, dst, dst.Reference.Reference, oras.DefaultCopyOptions); err != nil { @@ -296,8 +317,8 @@ func newImageArgs(_ context.Context, raw runtime.RawExtension, vars map[string]a } ipl := &imagePullArgs{} ipl.manifests, _ = variable.StringSliceVar(vars, pull, "manifests") - ipl.auths = make([]imagePullAuth, 0) - pullAuths := make([]imagePullAuth, 0) + ipl.auths = make([]imageAuth, 0) + pullAuths := make([]imageAuth, 0) _ = variable.AnyVar(vars, pull, &pullAuths, "auths") for _, a := range pullAuths { a.Repo, _ = tmpl.ParseFunc(vars, a.Repo, func(b []byte) string { return string(b) }) 
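Review bot: `skipTlsVerifyFunc` compares `a.Repo` verbatim against the first path segment of the image, but `authFunc` canonicalises `docker.io` and `""` to `registry-1.docker.io` for the same `auths` entries, so an entry written as `repo: ""` (accepted for credentials) never matches here and its `insecure` flag is silently ignored; both helpers should normalise the host the same way. The name should be `skipTLSVerify…` per Go initialism convention, the `else` after a `return` is unnecessary, and since only a set `Insecure` can override the default the loop can simply skip entries that leave it nil. A rewrite with a shared normaliser (callers in `pull()` and `push()` renamed accordingly):

```go
// skipTLSVerifyFor reports whether TLS verification should be skipped for the
// registry that serves img: a matching auths entry with insecure set wins,
// otherwise defaults (the module-level skipTLSVerify) applies.
func skipTLSVerifyFor(img string, auths []imageAuth, defaults bool) bool {
	host := canonicalRegistry(strings.Split(img, "/")[0])
	for _, a := range auths {
		if a.Insecure != nil && canonicalRegistry(a.Repo) == host {
			return *a.Insecure
		}
	}
	return defaults
}

// canonicalRegistry maps the docker.io aliases to the host oras actually talks
// to, mirroring the normalisation authFunc applies to credential lookups.
func canonicalRegistry(host string) string {
	if host == "docker.io" || host == "" {
		return "registry-1.docker.io"
	}
	return host
}
```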
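Review bot: `dest` is presumably the rendered destination image string, while the parsed `dst.Reference.Registry` (which the removed `StaticCredential` line used) is the host oras actually connects to; passing the parsed registry to `skipTlsVerifyFunc` avoids a mismatch when `dest` carries a port or the docker.io alias. Switching to `authFunc(i.auths)` also changes behaviour for existing playbooks: the old `push.username`/`push.password` applied to whatever registry `dest` resolved to, whereas now an entry's `repo` must equal the destination host or the push goes out unauthenticated; the docs table in this patch drops the old keys, so a warning when `push.username` is still present, or at least a release note, would help users migrate. The `push()` loop body continues outside the hunk.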
@@ -332,8 +353,15 @@ func newImageArgs(_ context.Context, raw runtime.RawExtension, vars map[string]a } ips := &imagePushArgs{} - ips.username, _ = variable.StringVar(vars, push, "username") - ips.password, _ = variable.StringVar(vars, push, "password") + ips.auths = make([]imageAuth, 0) + pullAuths := make([]imageAuth, 0) + _ = variable.AnyVar(vars, push, &pullAuths, "auths") + for _, a := range pullAuths { + a.Repo, _ = tmpl.ParseFunc(vars, a.Repo, func(b []byte) string { return string(b) }) + a.Username, _ = tmpl.ParseFunc(vars, a.Username, func(b []byte) string { return string(b) }) + a.Password, _ = tmpl.ParseFunc(vars, a.Password, func(b []byte) string { return string(b) }) + ips.auths = append(ips.auths, a) + } ips.imagesDir, _ = variable.StringVar(vars, push, "images_dir") srcPattern, _ := variable.StringVar(vars, push, "src_pattern") destTmpl, _ := variable.PrintVar(push, "dest")