Configure registry mirrors on workload-cluster nodes;Test ansible collection paths #2

.drone.yml

@@ -41,7 +41,7 @@ steps:
   - |
     ansible-galaxy collection install \
       -r ansible/requirements.yml \
-      -p ./ansible
+      -p ./ansible/collections
   volumes:
   - name: scratch
     path: /scratch

ansible/roles/firstboot/files/ansible_payload/bootstrap/roles/workloadcluster/tasks/clusterapi.yml

@@ -82,6 +82,10 @@
       rootca: "{{ stepca_cm_certs.resources[0].data['root_ca.crt'] }}"
       runcmds:
         - update-ca-certificates
+      registries:
+        # This should obviously be a dynamic list, but testing first!
+        - docker.io
+        - gcr.io
 
 - name: Store custom cluster-template
   ansible.builtin.copy:

ansible/roles/firstboot/files/ansible_payload/bootstrap/templates/kustomization.cluster-template.j2

@@ -47,6 +47,21 @@ patchesStrategicMerge:
       template:
         spec:
           files:
+          - content: |
+                [plugins."io.containerd.grpc.v1.cri".registry]
+                  config_path = "/etc/containerd/certs.d"
+            append: true
+            path: /etc/containerd/config.toml
+{% for registry in _template.registries %}
+          - content: |
+              server = "https://{{ registry }}"
+
+              [host."https://registry.{{ _template.network.fqdn }}/v2/library/{{ registry }}"]
+                capabilities = ["pull", "resolve"]
+                override_path = true
+            owner: root:root
+            path: /etc/containerd/certs.d/{{ registry }}/hosts.toml
+{% endfor %}
           - content: |
               network: {config: disabled}
             owner: root:root
@@ -103,6 +118,27 @@ patchesJson6902:
       kind: KubeadmControlPlane
       name: .*
     patch: |-
+      - op: add
+        path: /spec/kubeadmConfigSpec/files/-
+        value:
+          content: |
+              [plugins."io.containerd.grpc.v1.cri".registry]
+                config_path = "/etc/containerd/certs.d"
+          append: true
+          path: /etc/containerd/config.toml
+{% for registry in _template.registries %}
+      - op: add
+        path: /spec/kubeadmConfigSpec/files/-
+        value:
+          content: |
+            server = "https://{{ registry }}"
+
+            [host."https://registry.{{ _template.network.fqdn }}/v2/library/{{ registry }}"]
+              capabilities = ["pull", "resolve"]
+              override_path = true
+          owner: root:root
+          path: /etc/containerd/certs.d/{{ registry }}/hosts.toml
+{% endfor %}
       - op: add
         path: /spec/kubeadmConfigSpec/files/-
         value:

packer/build.pkr.hcl

@@ -34,6 +34,7 @@ build {
       "PYTHONUNBUFFERED=1"
     ]
     use_proxy        = "false"
+    collections_path = "ansible/collections"
 
     extra_arguments  = [
       "--extra-vars", "appliancetype=${source.name}",