From dce1e71da280560d1718737afcfcd9210d012606 Mon Sep 17 00:00:00 2001
From: liujian <joyceliu@yunify.com>
Date: Fri, 16 May 2025 10:45:13 +0800
Subject: [PATCH] fix: configurable sandbox image (#2571)

Signed-off-by: joyceliu <joyceliu@yunify.com>
---
 builtin/capkk/roles/install/cri/defaults/main.yaml            | 3 +--
 builtin/capkk/roles/install/cri/templates/containerd.config   | 2 +-
 .../roles/install/cri/{files => templates}/cri_docker.service | 2 +-
 builtin/core/defaults/config/v1.23.15.yaml                    | 4 +++-
 builtin/core/roles/install/cri/templates/containerd.config    | 2 +-
 .../roles/install/cri/{files => templates}/cri_docker.service | 2 +-
 .../init-kubernetes/templates/kubeadm/kubeadm-init.v1beta2    | 1 +
 .../init-kubernetes/templates/kubeadm/kubeadm-init.v1beta3    | 1 +
 .../join-kubernetes/templates/kubeadm/kubeadm-join.v1beta2    | 1 +
 .../join-kubernetes/templates/kubeadm/kubeadm-join.v1beta3    | 1 +
 10 files changed, 12 insertions(+), 7 deletions(-)
 rename builtin/capkk/roles/install/cri/{files => templates}/cri_docker.service (95%)
 rename builtin/core/roles/install/cri/{files => templates}/cri_docker.service (95%)

diff --git a/builtin/capkk/roles/install/cri/defaults/main.yaml b/builtin/capkk/roles/install/cri/defaults/main.yaml
index 6d778c2b..6c93c48b 100644
--- a/builtin/capkk/roles/install/cri/defaults/main.yaml
+++ b/builtin/capkk/roles/install/cri/defaults/main.yaml
@@ -1,8 +1,7 @@
 cri:
   # support: systemd, cgroupfs
   cgroup_driver: systemd
-  sandbox_image: |
-    {{ .k8s_registry }}/pause:3.5
+  sandbox_image_tag: 3.5
   # support: containerd,docker,crio
   # the endpoint of containerd
   cri_socket: |
diff --git a/builtin/capkk/roles/install/cri/templates/containerd.config b/builtin/capkk/roles/install/cri/templates/containerd.config
index 40e8bec6..98aef552 100644
--- a/builtin/capkk/roles/install/cri/templates/containerd.config
+++ b/builtin/capkk/roles/install/cri/templates/containerd.config
@@ -36,7 +36,7 @@ state = "/run/containerd"
 
 [plugins]
   [plugins."io.containerd.grpc.v1.cri"]
-    sandbox_image = "{{ .cri.sandbox_image }}"
+    sandbox_image = "{{ .k8s_registry }}/pause:{{ .cri.sandbox_image_tag }}"
     [plugins."io.containerd.grpc.v1.cri".containerd.runtimes.runc]
       runtime_type = "io.containerd.runc.v2"
       [plugins."io.containerd.grpc.v1.cri".containerd.runtimes.runc.options]
diff --git a/builtin/capkk/roles/install/cri/files/cri_docker.service b/builtin/capkk/roles/install/cri/templates/cri_docker.service
similarity index 95%
rename from builtin/capkk/roles/install/cri/files/cri_docker.service
rename to builtin/capkk/roles/install/cri/templates/cri_docker.service
index 8de02ba1..0a131b7d 100644
--- a/builtin/capkk/roles/install/cri/files/cri_docker.service
+++ b/builtin/capkk/roles/install/cri/templates/cri_docker.service
@@ -4,7 +4,7 @@ Documentation=https://docs.mirantis.com
 
 [Service]
 Type=notify
-ExecStart=/usr/local/bin/cri-dockerd --pod-infra-container-image {{ .SandBoxImage }}
+ExecStart=/usr/local/bin/cri-dockerd --pod-infra-container-image "{{ .k8s_registry }}/pause:{{ .cri.sandbox_image_tag }}"
 ExecReload=/bin/kill -s HUP $MAINPID
 TimeoutSec=0
 RestartSec=2
diff --git a/builtin/core/defaults/config/v1.23.15.yaml b/builtin/core/defaults/config/v1.23.15.yaml
index 1ccc7635..ff27af9d 100644
--- a/builtin/core/defaults/config/v1.23.15.yaml
+++ b/builtin/core/defaults/config/v1.23.15.yaml
@@ -45,4 +45,6 @@ spec:
   kubernetes: 
     controller_manager:
       extra_args:
-        cluster-signing-duration: 87600h
\ No newline at end of file
+        cluster-signing-duration: 87600h
+  cri:
+    sandbox_image_tag: 3.5
\ No newline at end of file
diff --git a/builtin/core/roles/install/cri/templates/containerd.config b/builtin/core/roles/install/cri/templates/containerd.config
index 32a6333d..435d0795 100644
--- a/builtin/core/roles/install/cri/templates/containerd.config
+++ b/builtin/core/roles/install/cri/templates/containerd.config
@@ -36,7 +36,7 @@ state = "/run/containerd"
 
 [plugins]
   [plugins."io.containerd.grpc.v1.cri"]
-    sandbox_image = "{{ .cri.sandbox_image }}"
+    sandbox_image = "{{ .k8s_registry }}/pause:{{ .cri.sandbox_image_tag }}"
     [plugins."io.containerd.grpc.v1.cri".containerd.runtimes.runc]
       runtime_type = "io.containerd.runc.v2"
       [plugins."io.containerd.grpc.v1.cri".containerd.runtimes.runc.options]
diff --git a/builtin/core/roles/install/cri/files/cri_docker.service b/builtin/core/roles/install/cri/templates/cri_docker.service
similarity index 95%
rename from builtin/core/roles/install/cri/files/cri_docker.service
rename to builtin/core/roles/install/cri/templates/cri_docker.service
index 8de02ba1..0a131b7d 100644
--- a/builtin/core/roles/install/cri/files/cri_docker.service
+++ b/builtin/core/roles/install/cri/templates/cri_docker.service
@@ -4,7 +4,7 @@ Documentation=https://docs.mirantis.com
 
 [Service]
 Type=notify
-ExecStart=/usr/local/bin/cri-dockerd --pod-infra-container-image {{ .SandBoxImage }}
+ExecStart=/usr/local/bin/cri-dockerd --pod-infra-container-image "{{ .k8s_registry }}/pause:{{ .cri.sandbox_image_tag }}"
 ExecReload=/bin/kill -s HUP $MAINPID
 TimeoutSec=0
 RestartSec=2
diff --git a/builtin/core/roles/kubernetes/init-kubernetes/templates/kubeadm/kubeadm-init.v1beta2 b/builtin/core/roles/kubernetes/init-kubernetes/templates/kubeadm/kubeadm-init.v1beta2
index eb6f36d0..f796c58f 100644
--- a/builtin/core/roles/kubernetes/init-kubernetes/templates/kubeadm/kubeadm-init.v1beta2
+++ b/builtin/core/roles/kubernetes/init-kubernetes/templates/kubeadm/kubeadm-init.v1beta2
@@ -160,6 +160,7 @@ nodeRegistration:
   criSocket: {{ .cri.cri_socket }}
   kubeletExtraArgs:
     cgroup-driver: {{ .cri.cgroup_driver }}
+    pod-infra-container-image: "{{ .k8s_registry }}/pause:{{ .cri.sandbox_image_tag }}"
 
 ---
 apiVersion: kubeproxy.config.k8s.io/v1alpha1
diff --git a/builtin/core/roles/kubernetes/init-kubernetes/templates/kubeadm/kubeadm-init.v1beta3 b/builtin/core/roles/kubernetes/init-kubernetes/templates/kubeadm/kubeadm-init.v1beta3
index 48093f52..096eca11 100644
--- a/builtin/core/roles/kubernetes/init-kubernetes/templates/kubeadm/kubeadm-init.v1beta3
+++ b/builtin/core/roles/kubernetes/init-kubernetes/templates/kubeadm/kubeadm-init.v1beta3
@@ -159,6 +159,7 @@ nodeRegistration:
   criSocket: {{ .cri.cri_socket }}
   kubeletExtraArgs:
     cgroup-driver: {{ .cri.cgroup_driver }}
+    pod-infra-container-image: "{{ .k8s_registry }}/pause:{{ .cri.sandbox_image_tag }}"
 
 ---
 apiVersion: kubeproxy.config.k8s.io/v1alpha1
diff --git a/builtin/core/roles/kubernetes/join-kubernetes/templates/kubeadm/kubeadm-join.v1beta2 b/builtin/core/roles/kubernetes/join-kubernetes/templates/kubeadm/kubeadm-join.v1beta2
index 9ec1c05b..36ff4d7e 100644
--- a/builtin/core/roles/kubernetes/join-kubernetes/templates/kubeadm/kubeadm-join.v1beta2
+++ b/builtin/core/roles/kubernetes/join-kubernetes/templates/kubeadm/kubeadm-join.v1beta2
@@ -23,3 +23,4 @@ nodeRegistration:
   criSocket: {{ .cri.cri_socket }}
   kubeletExtraArgs:
     cgroup-driver: {{ .cri.cgroup_driver }}
+    pod-infra-container-image: "{{ .k8s_registry }}/pause:{{ .cri.sandbox_image_tag }}"
diff --git a/builtin/core/roles/kubernetes/join-kubernetes/templates/kubeadm/kubeadm-join.v1beta3 b/builtin/core/roles/kubernetes/join-kubernetes/templates/kubeadm/kubeadm-join.v1beta3
index 98c9e5e6..444dbb1c 100644
--- a/builtin/core/roles/kubernetes/join-kubernetes/templates/kubeadm/kubeadm-join.v1beta3
+++ b/builtin/core/roles/kubernetes/join-kubernetes/templates/kubeadm/kubeadm-join.v1beta3
@@ -23,3 +23,4 @@ nodeRegistration:
   criSocket: {{ .cri.cri_socket }}
   kubeletExtraArgs:
     cgroup-driver: {{ .cri.cgroup_driver }}
+    pod-infra-container-image: "{{ .k8s_registry }}/pause:{{ .cri.sandbox_image_tag }}"