Merge pull request #32 from cyclops-k8s/ec-mirrors

Add mirrors to proxy hosts and configure containerd bug fix

Author: EdwardCooke

.gitignore

@@ -50,3 +50,4 @@ override.tf.json
 terraform.rc
 
 # End of https://www.toptal.com/developers/gitignore/api/ansible,terraform
+!test.tfvars

example-hooks/install-calico/post-cluster-init/install-calico.yaml

@@ -11,12 +11,7 @@
     executable: /usr/bin/bash
 
 - name: Wait for calico to be ready
-  loop:
-  - {namespace: kube-system, app: calico-node}
-  loop_control:
-    label: "{{ k8s_app.app }}"
-    loop_var: k8s_app
   register: calico_ready
   retries: 12
   until: calico_ready.rc == 0
-  ansible.builtin.command: kubectl --kubeconfig /etc/kubernetes/admin.conf wait --for=condition=Ready pod -l k8s-app={{ k8s_app.app }} --timeout=5s --namespace {{ k8s_app.namespace }}
+  ansible.builtin.command: kubectl --kubeconfig /etc/kubernetes/admin.conf wait --for=condition=Ready pod -l k8s-app=calico-node --timeout=5s --namespace kube-system

example-hooks/proxy-on-control-planes/pre_control_planes/proxy-on-control-planes.yaml

@@ -56,7 +56,7 @@
     sysctl_file: /etc/sysctl.d/99-non-local-bind.conf
     value: '1'
     state: present
-    reload: yes
+    reload: true
 
 - name: Post proxy configuration hooks
   ansible.builtin.include_tasks: "{{ item }}"

example-hooks/registry-mirrors/post-proxies/add-containerd-mirrors.yaml

@@ -0,0 +1,56 @@
+# execute the containerd roles
+- name: Setup mirrors
+  when: registry_mirrors | default([]) | length > 0
+  block:
+  - name: Include containerd role
+    vars:
+      containerd_registry_mirrors: "{{ proxy_mirrors | default([]) }}"
+    ansible.builtin.include_role:
+      name: containerd
+
+  # unhold containerd.io package if it was held previously
+  - name: Unhold containerd.io package so it can be updated during normal patching cycles
+    ansible.builtin.dpkg_selections:
+      name: containerd.io
+      selection: install
+
+  - name: Install Docker engine
+    ansible.builtin.package:
+      name:
+      - docker-ce
+      - docker-ce-cli
+      - containerd.io
+      - docker-buildx-plugin
+      - docker-compose-plugin
+      state: present
+
+  - name: Create mirror configuration directory
+    ansible.builtin.file:
+      path: "{{ registry_mirror_config_path }}"
+      state: directory
+      owner: root
+      group: root
+      mode: '0755'
+
+  - name: Create mirror script directory
+    ansible.builtin.file:
+      path: "{{ registry_mirror_service_path | default(registry_mirror_config_path) }}"
+      state: directory
+      owner: root
+      group: root
+      mode: '0755'
+
+  - name: Copy the service.sh file to the mirror scripts directory
+    ansible.builtin.copy:
+      src: "service.sh"
+      dest: "{{ registry_mirror_service_path | default(registry_mirror_config_path) }}/service.sh"
+      owner: root
+      group: root
+      mode: '0755'
+
+  - name: Create mirrors
+    loop_control:
+      label: "{{ mirror.registry }}"
+      loop_var: mirror
+    loop: "{{ registry_mirrors }}"
+    ansible.builtin.include_tasks: create-mirror-container.yaml

example-hooks/registry-mirrors/post-proxies/create-mirror-container.yaml

@@ -0,0 +1,29 @@
+- name: Setting sanitized mirror name fact
+  ansible.builtin.set_fact:
+    sanitized_mirror_name: "{{ mirror.registry | regex_replace('[^a-zA-Z0-9\\.]', '-') }}"
+
+- name: Create mirror configuration file
+  ansible.builtin.template:
+    src: "mirror-config.yaml.j2"
+    dest: "{{ mirror.config_path | default(registry_mirror_config_path + '/' + sanitized_mirror_name + '.yaml') }}"
+    owner: root
+    group: root
+    mode: '0644'
+
+- name: Create systemd unit file for mirror registry
+  ansible.builtin.template:
+    src: "mirror-systemd.unit.j2"
+    dest: "/etc/systemd/system/mirror-{{ sanitized_mirror_name }}.service"
+    owner: root
+    group: root
+    mode: '0644'
+
+- name: Reload systemd to pick up new mirror service
+  ansible.builtin.systemd:
+    daemon_reload: true
+
+- name: Enable and start mirror registry service
+  ansible.builtin.systemd:
+    name: "mirror-{{ sanitized_mirror_name }}.service"
+    enabled: true
+    state: started

example-hooks/registry-mirrors/post-proxies/files/service.sh

@@ -0,0 +1,155 @@
+#!/bin/bash
+
+set -euo pipefail
+
+usage()
+{
+  echo "Usage: $0
+
+  -c | --config     Path to the configuration file.
+  -d | --data-path  Path to the data directory.
+  -g | --gid        GID to run the container as.
+  -i | --image      Docker image to use.
+  -n | --name       Name of the container.
+  -p | --port       Port to expose the container on.
+  -s | --state      State of the container (start|stop).
+  -u | --uid        UID to run the container as.
+"
+  exit 1
+}
+
+# Store the command line arguments as a variable
+PARSED_ARGUMENTS=$(getopt -a -n "$0" -o c:d:g:i:n:p:s:u: --long config:,data-path:,gid:,image:,name:,port:,state:,uid: -- "$@")
+VALID_ARGUMENTS=$?
+
+# Make sure some arguments were passed in
+if [ "$VALID_ARGUMENTS" != "0" ]
+then
+  usage
+fi
+
+eval set -- "$PARSED_ARGUMENTS"
+
+CONFIG="${CONFIG:-}"
+PORT="${PORT:-}"
+IMAGE="${IMAGE:-}"
+MIRROR_UID="${MIRROR_UID:-}"
+MIRROR_GID="${MIRROR_GID:-}"
+DATA_PATH="${DATA_PATH:-}"
+STATE="${STATE:-}"
+NAME="${NAME:-}"
+
+while :
+do
+  case "$1" in
+    -c | --config) CONFIG="$2"; shift 2 ;;
+    -d | --data-path) DATA_PATH="$2"; shift 2 ;;
+    -g | --gid) MIRROR_GID="$2"; shift 2 ;;
+    -i | --image) IMAGE="$2"; shift 2 ;;
+    -n | --name) NAME="$2"; shift 2 ;;
+    -p | --port) PORT="$2"; shift 2 ;;
+    -s | --state) STATE="$2"; shift 2 ;;
+    -u | --uid) MIRROR_UID="$2"; shift 2 ;;
+    -h | --help) usage;;
+    --) shift; break ;;
+    *) usage;;
+  esac
+done
+
+if [ -z "${PORT}" ] || \
+   [ -z "${IMAGE}" ] || \
+   [ -z "${MIRROR_UID}" ] || \
+   [ -z "${MIRROR_GID}" ] || \
+   [ -z "${DATA_PATH}" ] || \
+   [ -z "${CONFIG}" ] || \
+   [ -z "${STATE}" ] || \
+   [ -z "${NAME}" ]
+then
+  usage
+fi
+
+if ! [[ "${MIRROR_UID}" =~ ^[0-9]+$ ]]
+then
+  echo "UID must be a number"
+  exit 1
+fi
+
+if ! [[ "${MIRROR_GID}" =~ ^[0-9]+$ ]]
+then
+  echo "GID must be a number"
+  exit 1
+fi
+
+if ! [[ "${PORT}" =~ ^[0-9]+$ ]]
+then
+  echo "Port must be a number"
+  exit 1
+fi
+
+if [ -f "${CONFIG}" ]
+then
+  echo "The config file specified with --config does not exist: ${CONFIG}"
+  exit 1
+fi
+
+if [ ! -d "${DATA_PATH}" ]
+then
+  echo "Data path ${DATA_PATH} does not exist"
+  mkdir -p "${DATA_PATH}"
+  echo "Created data path ${DATA_PATH}"
+  echo "Setting permissions on data path ${DATA_PATH} to ${MIRROR_UID}:${MIRROR_GID}"
+  chown -R "${MIRROR_UID}:${MIRROR_GID}" "${DATA_PATH}"
+fi
+
+if [ "${STATE}" == "start" ]
+then
+  /usr/bin/docker stop "${NAME}" || true
+  /usr/bin/docker rm "${NAME}" || true
+  echo "******************* Starting mirror container ${NAME} on port ${PORT} *******************"
+
+  docker run -d --name "${NAME}" \
+    -e OTEL_TRACES_EXPORTER=none \
+    -v "${DATA_PATH}:/var/lib/registry" \
+    -v "${CONFIG}:/etc/distribution/config.yml:ro" \
+    -p "127.0.0.1:${PORT}:5000" \
+    --user "${MIRROR_UID}:${MIRROR_GID}" \
+    --read-only \
+    "${IMAGE}"
+
+  echo "******************* Waiting for mirror container ${NAME} on port ${PORT} to start *******************"
+  # wait for the container to be ready
+  until curl "http://127.0.0.1:${PORT}/v2/" -f --silent --max-time 2 >/dev/null 2>&1
+  do
+    sleep 1
+  done
+  echo "******************* Started mirror container ${NAME} on port ${PORT} *******************"
+
+  systemd-notify --ready --status="Mirror ${NAME} is running on port ${PORT}"
+
+  # Start a background process to send watchdog notifications as long as we can curl the container
+  bash -c "
+    while true
+    do
+      if curl \"http://localhost:${PORT}/v2/\" -f --silent --max-time 2 >/dev/null 2>&1
+      then
+        systemd-notify WATCHDOG=1 || echo \"Failed to send watchdog notification for mirror ${NAME}\"
+      else
+        echo \"Mirror ${NAME} on ${PORT} is not responding\"
+      fi
+      sleep 10
+    done
+  " &
+  HEALTHCHECK_PID=$!
+
+  # Trap to clean up background health check on exit
+  trap 'kill ${HEALTHCHECK_PID} 2>/dev/null || true' EXIT TERM INT
+
+  docker logs -f --since 30s "${NAME}" # This should run for the lifetime of the container and send the logs to journald
+elif [ "${STATE}" == "stop" ]
+then
+  docker stop "${NAME}" || true
+  docker rm "${NAME}" || true
+else
+  echo "Invalid state: ${STATE}"
+  exit 1
+fi

example-hooks/registry-mirrors/post-proxies/templates/haproxy.cfg.j2

@@ -0,0 +1,71 @@
+global
+    log /dev/log local0
+    log /dev/log local1 notice
+    stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners
+    user haproxy
+    group haproxy
+    daemon
+    stats timeout 30s
+    nbthread 4
+
+    # Default SSL material locations
+    ca-base /etc/ssl/certs
+    crt-base /etc/ssl/private
+
+    # See: https://ssl-config.mozilla.org/#server=haproxy&server-version=2.0.3&config=intermediate
+    ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
+    ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
+    ssl-default-bind-options ssl-min-ver TLSv1.2 no-tls-tickets
+
+listen stats
+    bind :1936
+    mode http
+    log global
+    stats enable
+    stats refresh 30s
+    stats show-node
+    stats uri /haproxy?stats
+    http-request use-service prometheus-exporter if { path /metrics }
+    timeout connect 5000
+    timeout client  50000
+    timeout server  50000
+
+defaults
+    log     global
+    mode    http
+    option  dontlognull
+
+listen controlplane-in
+    bind {{ kubernetes_proxy_bind_address }}:{{ kubernetes_proxy_port }}
+    mode tcp
+    timeout client  5000
+    timeout connect 5000
+    timeout server  5000
+    option httpchk
+    http-check send meth GET uri /readyz
+{% for host in groups['control_planes'] %}
+    server {{ hostvars[host]['ansible_host'] }} {{ hostvars[host]['kubernetes_api_server_bind_address'] | default(query('community.dns.lookup', hostvars[host]['ansible_host'])[0]) }}:{{ hostvars[host]['kubernetes_api_server_port'] }} check check-ssl inter {{ kubernetes_control_plane_check_interval | default('250ms') }} verify none
+{% endfor %}
+
+listen registry-router
+    bind :{{ registry_mirror_port | default(5000) }}
+    mode http
+
+{% for mirror in registry_mirrors %}
+    acl ns_{{ mirror.registry | regex_replace('[^a-zA-Z0-9]', '-') }} urlp(ns) -m str {{ mirror.registry }}
+{% endfor %}
+
+    # Reject requests without valid ns parameter
+    http-request deny deny_status 400 unless {% for mirror in registry_mirrors %}ns_{{ mirror.registry | regex_replace('[^a-zA-Z0-9]', '-') }}{% if not loop.last %} or {% endif %}{% endfor %}
+
+{% for mirror in registry_mirrors %}
+    server {{ mirror.registry | regex_replace('[^a-zA-Z0-9]', '-') }} 127.0.0.1:{{ mirror.port }} check port {{ mirror.port }}
+{% endfor %}
+
+{% for mirror in registry_mirrors %}
+    use-server {{ mirror.registry | regex_replace('[^a-zA-Z0-9]', '-') }} if ns_{{ mirror.registry | regex_replace('[^a-zA-Z0-9]', '-') }}
+{% endfor %}
+
+    timeout connect 5000
+    timeout client  50000
+    timeout server  50000

example-hooks/registry-mirrors/post-proxies/templates/mirror-config.yaml.j2

@@ -0,0 +1,24 @@
+version: 0.1
+log:
+  fields:
+    service: registry
+
+storage:
+  filesystem:
+    rootdirectory: /var/lib/registry
+
+http:
+  addr: :5000
+  headers:
+    X-Content-Type-Options: [nosniff]
+
+delete:
+  enabled: true
+
+proxy:
+  remoteurl: "{{ mirror.remote_url | default('https://' + mirror.registry) }}"
+{% if mirror.username is defined and mirror.password is defined %}
+  username: {{ mirror.username | to_yaml }}
+  password: {{ mirror.password | to_yaml }}
+{% endif %}
+  ttl: {{ mirror.ttl | default('336h0m0s') }}

example-hooks/registry-mirrors/post-proxies/templates/mirror-systemd.unit.j2

@@ -0,0 +1,23 @@
+[Unit]
+Description=Distribution registry
+After=docker.service
+Requires=docker.service
+
+[Service]
+NotifyAccess=all
+Type=notify
+WatchdogSec=30s
+Environment="CONFIG={{ mirror.config_path | default(registry_mirror_config_path + '/' + sanitized_mirror_name + '.yaml') }}"
+Environment="DATA_PATH={{ mirror.data_path }}"
+Environment="IMAGE={{ mirror.image | default('registry:3') }}"
+Environment="MIRROR_GID={{ mirror.group_id | default(1000) }}"
+Environment="MIRROR_UID={{ mirror.user_id | default(1000) }}"
+Environment="PORT={{ mirror.port }}"
+Environment="NAME=mirror-{{ sanitized_mirror_name }}"
+Environment="OTEL_TRACES_EXPORTER=none"
+Restart=always
+ExecStart={{ registry_mirror_service_path | default(registry_mirror_config_path) }}/service.sh --state "start"
+ExecStop={{ registry_mirror_service_path | default(registry_mirror_config_path) }}/service.sh --state "stop"
+
+[Install]
+WantedBy=multi-user.target