RKE2 support for docker registry addon (#1084)

* RKE2 support for docker registry addon
replicatedhq · Feb 1, 2021 · ccd5d79 · ccd5d79
1 parent 0387d61
commit ccd5d79
Show file tree

Hide file tree

Showing 12 changed files with 195 additions and 194 deletions.
diff --git a/addons/containerd/1.3.7/install.sh b/addons/containerd/1.3.7/install.sh
@@ -16,9 +16,9 @@ function containerd_install() {
         containerd_configure_proxy
     fi
 
-    if [ -n "$DOCKER_REGISTRY_IP" ]; then
-        containerd_configure_registry "$DOCKER_REGISTRY_IP"
-        if [ "$CONTAINERD_REGISTRY_CA_ADDED" = "1" ]; then
+    if commandExists registry_containerd_configure && [ -n "$DOCKER_REGISTRY_IP" ]; then
+        registry_containerd_configure "$DOCKER_REGISTRY_IP"
+        if [ "$REGISTRY_CONTAINERD_CA_ADDED" = "1" ]; then
             restart_containerd
         fi
     fi
@@ -39,9 +39,9 @@ EOF
 
     # Always set for joining nodes since it's passed as a flag in the generated join script, but not
     # usually set for the initial install. For initial installs the registry will be configured from
-    # containerd_registry_init.
-    if [ -n "$DOCKER_REGISTRY_IP" ]; then
-        containerd_configure_registry "$DOCKER_REGISTRY_IP"
+    # registry_containerd_init.
+    if commandExists registry_containerd_configure && [ -n "$DOCKER_REGISTRY_IP" ]; then
+        registry_containerd_configure "$DOCKER_REGISTRY_IP"
     fi
     systemctl restart containerd
 }
@@ -56,38 +56,6 @@ function containerd_configure_ctl() {
     cp "$src/crictl.yaml" /etc/crictl.yaml
 }
 
-function containerd_registry_init() {
-    if [ -z "$REGISTRY_VERSION" ]; then
-        return 0
-    fi
-
-    local registryIP=$(kubectl -n kurl get service registry -o=jsonpath='{@.spec.clusterIP}' 2>/dev/null || true)
-    if [ -z "$registryIP" ]; then
-        kubectl -n kurl create service clusterip registry --tcp=443:443
-        registryIP=$(kubectl -n kurl get service registry -o=jsonpath='{@.spec.clusterIP}')
-    fi
-
-    containerd_configure_registry "$registryIP"
-    systemctl restart containerd
-}
-
-CONTAINERD_REGISTRY_CA_ADDED=0
-function containerd_configure_registry() {
-    local registryIP="$1"
-
-    if grep -q "plugins.\"io.containerd.grpc.v1.cri\".registry.configs.\"${registryIP}\".tls" /etc/containerd/config.toml; then
-        echo "Registry ${registryIP} TLS already configured for containerd"
-        return 0
-    fi
-
-    cat >> /etc/containerd/config.toml <<EOF
-[plugins."io.containerd.grpc.v1.cri".registry.configs."${registryIP}".tls]
-  ca_file = "/etc/kubernetes/pki/ca.crt"
-EOF
-
-    CONTAINERD_REGISTRY_CA_ADDED=1
-}
-
 containerd_configure_proxy() {
     local previous_proxy="$(cat /etc/systemd/system/containerd.service.d/http-proxy.conf 2>/dev/null | grep -io 'https*_proxy=[^\" ]*' | awk 'BEGIN { FS="=" }; { print $2 }')"
     local previous_no_proxy="$(cat /etc/systemd/system/containerd.service.d/http-proxy.conf 2>/dev/null | grep -io 'no_proxy=[^\" ]*' | awk 'BEGIN { FS="=" }; { print $2 }')"

diff --git a/addons/containerd/1.3.9/install.sh b/addons/containerd/1.3.9/install.sh
@@ -16,9 +16,9 @@ function containerd_install() {
         containerd_configure_proxy
     fi
 
-    if [ -n "$DOCKER_REGISTRY_IP" ]; then
-        containerd_configure_registry "$DOCKER_REGISTRY_IP"
-        if [ "$CONTAINERD_REGISTRY_CA_ADDED" = "1" ]; then
+    if commandExists registry_containerd_configure && [ -n "$DOCKER_REGISTRY_IP" ]; then
+        registry_containerd_configure "$DOCKER_REGISTRY_IP"
+        if [ "$REGISTRY_CONTAINERD_CA_ADDED" = "1" ]; then
             restart_containerd
         fi
     fi
@@ -39,9 +39,9 @@ EOF
 
     # Always set for joining nodes since it's passed as a flag in the generated join script, but not
     # usually set for the initial install. For initial installs the registry will be configured from
-    # containerd_registry_init.
-    if [ -n "$DOCKER_REGISTRY_IP" ]; then
-        containerd_configure_registry "$DOCKER_REGISTRY_IP"
+    # registry_containerd_init.
+    if commandExists registry_containerd_configure && [ -n "$DOCKER_REGISTRY_IP" ]; then
+        registry_containerd_configure "$DOCKER_REGISTRY_IP"
     fi
     systemctl restart containerd
 }
@@ -56,38 +56,6 @@ function containerd_configure_ctl() {
     cp "$src/crictl.yaml" /etc/crictl.yaml
 }
 
-function containerd_registry_init() {
-    if [ -z "$REGISTRY_VERSION" ]; then
-        return 0
-    fi
-
-    local registryIP=$(kubectl -n kurl get service registry -o=jsonpath='{@.spec.clusterIP}' 2>/dev/null || true)
-    if [ -z "$registryIP" ]; then
-        kubectl -n kurl create service clusterip registry --tcp=443:443
-        registryIP=$(kubectl -n kurl get service registry -o=jsonpath='{@.spec.clusterIP}')
-    fi
-
-    containerd_configure_registry "$registryIP"
-    systemctl restart containerd
-}
-
-CONTAINERD_REGISTRY_CA_ADDED=0
-function containerd_configure_registry() {
-    local registryIP="$1"
-
-    if grep -q "plugins.\"io.containerd.grpc.v1.cri\".registry.configs.\"${registryIP}\".tls" /etc/containerd/config.toml; then
-        echo "Registry ${registryIP} TLS already configured for containerd"
-        return 0
-    fi
-
-    cat >> /etc/containerd/config.toml <<EOF
-[plugins."io.containerd.grpc.v1.cri".registry.configs."${registryIP}".tls]
-  ca_file = "/etc/kubernetes/pki/ca.crt"
-EOF
-
-    CONTAINERD_REGISTRY_CA_ADDED=1
-}
-
 containerd_configure_proxy() {
     local previous_proxy="$(cat /etc/systemd/system/containerd.service.d/http-proxy.conf 2>/dev/null | grep -io 'https*_proxy=[^\" ]*' | awk 'BEGIN { FS="=" }; { print $2 }')"
     local previous_no_proxy="$(cat /etc/systemd/system/containerd.service.d/http-proxy.conf 2>/dev/null | grep -io 'no_proxy=[^\" ]*' | awk 'BEGIN { FS="=" }; { print $2 }')"

diff --git a/addons/containerd/1.4.3/install.sh b/addons/containerd/1.4.3/install.sh
@@ -16,9 +16,9 @@ function containerd_install() {
         containerd_configure_proxy
     fi
 
-    if [ -n "$DOCKER_REGISTRY_IP" ]; then
-        containerd_configure_registry "$DOCKER_REGISTRY_IP"
-        if [ "$CONTAINERD_REGISTRY_CA_ADDED" = "1" ]; then
+    if commandExists registry_containerd_configure && [ -n "$DOCKER_REGISTRY_IP" ]; then
+        registry_containerd_configure "$DOCKER_REGISTRY_IP"
+        if [ "$REGISTRY_CONTAINERD_CA_ADDED" = "1" ]; then
             restart_containerd
         fi
     fi
@@ -39,9 +39,9 @@ EOF
 
     # Always set for joining nodes since it's passed as a flag in the generated join script, but not
     # usually set for the initial install. For initial installs the registry will be configured from
-    # containerd_registry_init.
-    if [ -n "$DOCKER_REGISTRY_IP" ]; then
-        containerd_configure_registry "$DOCKER_REGISTRY_IP"
+    # registry_containerd_init.
+    if commandExists registry_containerd_configure && [ -n "$DOCKER_REGISTRY_IP" ]; then
+        registry_containerd_configure "$DOCKER_REGISTRY_IP"
     fi
     systemctl restart containerd
 }
@@ -56,38 +56,6 @@ function containerd_configure_ctl() {
     cp "$src/crictl.yaml" /etc/crictl.yaml
 }
 
-function containerd_registry_init() {
-    if [ -z "$REGISTRY_VERSION" ]; then
-        return 0
-    fi
-
-    local registryIP=$(kubectl -n kurl get service registry -o=jsonpath='{@.spec.clusterIP}' 2>/dev/null || true)
-    if [ -z "$registryIP" ]; then
-        kubectl -n kurl create service clusterip registry --tcp=443:443
-        registryIP=$(kubectl -n kurl get service registry -o=jsonpath='{@.spec.clusterIP}')
-    fi
-
-    containerd_configure_registry "$registryIP"
-    systemctl restart containerd
-}
-
-CONTAINERD_REGISTRY_CA_ADDED=0
-function containerd_configure_registry() {
-    local registryIP="$1"
-
-    if grep -q "plugins.\"io.containerd.grpc.v1.cri\".registry.configs.\"${registryIP}\".tls" /etc/containerd/config.toml; then
-        echo "Registry ${registryIP} TLS already configured for containerd"
-        return 0
-    fi
-
-    cat >> /etc/containerd/config.toml <<EOF
-[plugins."io.containerd.grpc.v1.cri".registry.configs."${registryIP}".tls]
-  ca_file = "/etc/kubernetes/pki/ca.crt"
-EOF
-
-    CONTAINERD_REGISTRY_CA_ADDED=1
-}
-
 containerd_configure_proxy() {
     local previous_proxy="$(cat /etc/systemd/system/containerd.service.d/http-proxy.conf 2>/dev/null | grep -io 'https*_proxy=[^\" ]*' | awk 'BEGIN { FS="=" }; { print $2 }')"
     local previous_no_proxy="$(cat /etc/systemd/system/containerd.service.d/http-proxy.conf 2>/dev/null | grep -io 'no_proxy=[^\" ]*' | awk 'BEGIN { FS="=" }; { print $2 }')"

diff --git a/addons/containerd/template/base/install.sh b/addons/containerd/template/base/install.sh
@@ -16,9 +16,9 @@ function containerd_install() {
         containerd_configure_proxy
     fi
 
-    if [ -n "$DOCKER_REGISTRY_IP" ]; then
-        containerd_configure_registry "$DOCKER_REGISTRY_IP"
-        if [ "$CONTAINERD_REGISTRY_CA_ADDED" = "1" ]; then
+    if commandExists registry_containerd_configure && [ -n "$DOCKER_REGISTRY_IP" ]; then
+        registry_containerd_configure "$DOCKER_REGISTRY_IP"
+        if [ "$REGISTRY_CONTAINERD_CA_ADDED" = "1" ]; then
             restart_containerd
         fi
     fi
@@ -39,9 +39,9 @@ EOF
 
     # Always set for joining nodes since it's passed as a flag in the generated join script, but not
     # usually set for the initial install. For initial installs the registry will be configured from
-    # containerd_registry_init.
-    if [ -n "$DOCKER_REGISTRY_IP" ]; then
-        containerd_configure_registry "$DOCKER_REGISTRY_IP"
+    # registry_containerd_init.
+    if commandExists registry_containerd_configure && [ -n "$DOCKER_REGISTRY_IP" ]; then
+        registry_containerd_configure "$DOCKER_REGISTRY_IP"
     fi
     systemctl restart containerd
 }
@@ -56,38 +56,6 @@ function containerd_configure_ctl() {
     cp "$src/crictl.yaml" /etc/crictl.yaml
 }
 
-function containerd_registry_init() {
-    if [ -z "$REGISTRY_VERSION" ]; then
-        return 0
-    fi
-
-    local registryIP=$(kubectl -n kurl get service registry -o=jsonpath='{@.spec.clusterIP}' 2>/dev/null || true)
-    if [ -z "$registryIP" ]; then
-        kubectl -n kurl create service clusterip registry --tcp=443:443
-        registryIP=$(kubectl -n kurl get service registry -o=jsonpath='{@.spec.clusterIP}')
-    fi
-
-    containerd_configure_registry "$registryIP"
-    systemctl restart containerd
-}
-
-CONTAINERD_REGISTRY_CA_ADDED=0
-function containerd_configure_registry() {
-    local registryIP="$1"
-
-    if grep -q "plugins.\"io.containerd.grpc.v1.cri\".registry.configs.\"${registryIP}\".tls" /etc/containerd/config.toml; then
-        echo "Registry ${registryIP} TLS already configured for containerd"
-        return 0
-    fi
-
-    cat >> /etc/containerd/config.toml <<EOF
-[plugins."io.containerd.grpc.v1.cri".registry.configs."${registryIP}".tls]
-  ca_file = "/etc/kubernetes/pki/ca.crt"
-EOF
-
-    CONTAINERD_REGISTRY_CA_ADDED=1
-}
-
 containerd_configure_proxy() {
     local previous_proxy="$(cat /etc/systemd/system/containerd.service.d/http-proxy.conf 2>/dev/null | grep -io 'https*_proxy=[^\" ]*' | awk 'BEGIN { FS="=" }; { print $2 }')"
     local previous_no_proxy="$(cat /etc/systemd/system/containerd.service.d/http-proxy.conf 2>/dev/null | grep -io 'no_proxy=[^\" ]*' | awk 'BEGIN { FS="=" }; { print $2 }')"

diff --git a/addons/registry/2.7.1/install.sh b/addons/registry/2.7.1/install.sh
@@ -103,9 +103,28 @@ function registry_docker_ca() {
     fi
 
     if [ -n "$DOCKER_VERSION" ]; then
+        local ca_crt="$(${K8S_DISTRO}_get_server_ca)"
+
         mkdir -p /etc/docker/certs.d/$DOCKER_REGISTRY_IP
-        ln -s --force /etc/kubernetes/pki/ca.crt /etc/docker/certs.d/$DOCKER_REGISTRY_IP/ca.crt
+        ln -s --force "${ca_crt}" /etc/docker/certs.d/$DOCKER_REGISTRY_IP/ca.crt
+    fi
+}
+
+function registry_containerd_init() {
+    local registry_ip=$(kubectl -n kurl get service registry -o=jsonpath='{@.spec.clusterIP}' 2>/dev/null || true)
+    if [ -z "$registry_ip" ]; then
+        kubectl -n kurl create service clusterip registry --tcp=443:443
+        registry_ip=$(kubectl -n kurl get service registry -o=jsonpath='{@.spec.clusterIP}')
     fi
+
+    registry_containerd_configure "$registry_ip"
+    ${K8S_DISTRO}_containerd_restart
+}
+
+REGISTRY_CONTAINERD_CA_ADDED=0
+function registry_containerd_configure() {
+    local registry_ip="$1"
+    ${K8S_DISTRO}_registry_containerd_configure "${registry_ip}"
 }
 
 function registry_pki_secret() {
@@ -156,8 +175,11 @@ EOF
         fi
     fi
 
+    local ca_crt="$(${K8S_DISTRO}_get_server_ca)"
+    local ca_key="$(${K8S_DISTRO}_get_server_ca_key)"
+
     openssl req -newkey rsa:2048 -nodes -keyout registry.key -out registry.csr -config registry.cnf
-    openssl x509 -req -days 365 -in registry.csr -CA /etc/kubernetes/pki/ca.crt -CAkey /etc/kubernetes/pki/ca.key -CAcreateserial -out registry.crt -extensions v3_ext -extfile registry.cnf
+    openssl x509 -req -days 365 -in registry.csr -CA "${ca_crt}" -CAkey "${ca_key}" -CAcreateserial -out registry.crt -extensions v3_ext -extfile registry.cnf
 
     # rotate the cert and restart the pod every time
     kubectl -n kurl delete secret registry-pki &>/dev/null || true

diff --git a/scripts/common/plugins.sh b/scripts/common/plugins.sh
@@ -2,9 +2,9 @@ export KUBECTL_PLUGINS_PATH=/usr/local/bin
 
 function install_plugins() {
     pushd "$DIR/krew"
-    tar xzvf outdated.tar.gz && mv outdated /usr/local/bin/kubectl-outdated
-    tar xzvf preflight.tar.gz && mv preflight /usr/local/bin/kubectl-preflight
-    tar xzvf support-bundle.tar.gz && mv support-bundle /usr/local/bin/kubectl-support_bundle
+    tar xzf outdated.tar.gz && mv outdated /usr/local/bin/kubectl-outdated
+    tar xzf preflight.tar.gz && mv preflight /usr/local/bin/kubectl-preflight
+    tar xzf support-bundle.tar.gz && mv support-bundle /usr/local/bin/kubectl-support_bundle
     popd
 
     # uninstall system-wide krew from old versions of kurl