From aeae26711f26e84254aee65fd16991b04e329b23 Mon Sep 17 00:00:00 2001
From: Ben Vincent
Date: Mon, 29 Jun 2026 22:30:48 +1000
Subject: [PATCH] Convert RKE2 registries to template, disable default endpoints (#474)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
## Summary
- Replace static `registries.yaml` with EPP template driven by `rke2::registries` hash
- Add `disable-default-registry-endpoint: true` to all mirrors — RKE2 will only use artifactapi and never fall back to upstream registries
- Registry configuration now fully managed via hiera data (`roles/infra/k8s.yaml`)
Reviewed-on: https://git.unkin.net/unkin/puppet-prod/pulls/474
Co-authored-by: Ben Vincent
Co-committed-by: Ben Vincent
---
hieradata/roles/infra/k8s.yaml | 55 ++++++++++++++++++++++
modules/rke2/files/registries.yaml | 38 ---------------
modules/rke2/manifests/config.pp | 3 +-
modules/rke2/manifests/init.pp | 1 +
modules/rke2/manifests/params.pp | 1 +
modules/rke2/templates/registries.yaml.epp | 20 ++++++++
6 files changed, 79 insertions(+), 39 deletions(-)
delete mode 100644 modules/rke2/files/registries.yaml
create mode 100644 modules/rke2/templates/registries.yaml.epp
diff --git a/hieradata/roles/infra/k8s.yaml b/hieradata/roles/infra/k8s.yaml
index 0f70d46..d8c9bcb 100644
--- a/hieradata/roles/infra/k8s.yaml
+++ b/hieradata/roles/infra/k8s.yaml
@@ -12,6 +12,61 @@ hiera_include:
 rke2::bootstrap_node: prodnxsr0001.main.unkin.net
 rke2::join_url: https://join-k8s.service.consul:9345
 rke2::manage_registries: true
+rke2::registries:
+ docker.io:
+ endpoint:
+ - "https://artifactapi.k8s.syd1.au.unkin.net"
+ rewrite:
+ "^(.*)$": "dockerhub/$1"
+ disable-default-registry-endpoint: true
+ ghcr.io:
+ endpoint:
+ - "https://artifactapi.k8s.syd1.au.unkin.net"
+ rewrite:
+ "^(.*)$": "ghcr/$1"
+ disable-default-registry-endpoint: true
+ quay.io:
+ endpoint:
+ - "https://artifactapi.k8s.syd1.au.unkin.net"
+ rewrite:
+ "^(.*)$": "quay/$1"
+ disable-default-registry-endpoint: true
+ registry.k8s.io:
+ endpoint:
+ - "https://artifactapi.k8s.syd1.au.unkin.net"
+ rewrite:
+ "^(.*)$": "k8s-registry/$1"
+ disable-default-registry-endpoint: true
+ registry.gitlab.com:
+ endpoint:
+ - "https://artifactapi.k8s.syd1.au.unkin.net"
+ rewrite:
+ "^(.*)$": "gitlab/$1"
+ disable-default-registry-endpoint: true
+ docker.elastic.co:
+ endpoint:
+ - "https://artifactapi.k8s.syd1.au.unkin.net"
+ rewrite:
+ "^(.*)$": "elastic/$1"
+ disable-default-registry-endpoint: true
+ gcr.io:
+ endpoint:
+ - "https://artifactapi.k8s.syd1.au.unkin.net"
+ rewrite:
+ "^(.*)$": "gcr/$1"
+ disable-default-registry-endpoint: true
+ docker.litellm.ai:
+ endpoint:
+ - "https://artifactapi.k8s.syd1.au.unkin.net"
+ rewrite:
+ "^(.*)$": "litellm/$1"
+ disable-default-registry-endpoint: true
+ public.ecr.aws:
+ endpoint:
+ - "https://artifactapi.k8s.syd1.au.unkin.net"
+ rewrite:
+ "^(.*)$": "ecr-public/$1"
+ disable-default-registry-endpoint: true
 rke2::config_hash:
 bind-address: "%{hiera('networking_loopback0_ip')}"
 node-ip: "%{hiera('networking_loopback0_ip')}"
diff --git a/modules/rke2/files/registries.yaml b/modules/rke2/files/registries.yaml
deleted file mode 100644
index d05d914..0000000
--- a/modules/rke2/files/registries.yaml
+++ /dev/null
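Review bot: Two mirrors in this hunk, `docker.litellm.ai` and `public.ecr.aws`, have no counterpart in the deleted `modules/rke2/files/registries.yaml` and are not mentioned in the summary, so the commit widens the set of upstreams routed through artifactapi as well as changing the mechanism; a line in the description, or a comment above those two entries, would make that deliberate. Note also that `disable-default-registry-endpoint: true` only pins the nine hosts listed here: a pull from a registry absent from this map still goes straight upstream unless egress is blocked elsewhere, so the list itself, not the flag, is the control to re-check whenever a new image source is introduced. The endpoint URL is repeated nine times; a single key interpolated the way `bind-address` already does below (for example a constructed `rke2::registry_endpoint` key referenced as `"%{lookup('rke2::registry_endpoint')}"`) would make a future mirror move a one-line change.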
@@ -1,38 +0,0 @@
----
-# DO NOT MODIFY - MANAGED BY PUPPET
-mirrors:
- docker.io:
- endpoint:
- - "https://artifactapi.k8s.syd1.au.unkin.net"
- rewrite:
- "^(.*)$": "dockerhub/$1"
- ghcr.io:
- endpoint:
- - "https://artifactapi.k8s.syd1.au.unkin.net"
- rewrite:
- "^(.*)$": "ghcr/$1"
- quay.io:
- endpoint:
- - "https://artifactapi.k8s.syd1.au.unkin.net"
- rewrite:
- "^(.*)$": "quay/$1"
- registry.k8s.io:
- endpoint:
- - "https://artifactapi.k8s.syd1.au.unkin.net"
- rewrite:
- "^(.*)$": "k8s-registry/$1"
- registry.gitlab.com:
- endpoint:
- - "https://artifactapi.k8s.syd1.au.unkin.net"
- rewrite:
- "^(.*)$": "gitlab/$1"
- docker.elastic.co:
- endpoint:
- - "https://artifactapi.k8s.syd1.au.unkin.net"
- rewrite:
- "^(.*)$": "elastic/$1"
- gcr.io:
- endpoint:
- - "https://artifactapi.k8s.syd1.au.unkin.net"
- rewrite:
- "^(.*)$": "gcr/$1"
diff --git a/modules/rke2/manifests/config.pp b/modules/rke2/manifests/config.pp
index 427d3d9..6157f22 100644
--- a/modules/rke2/manifests/config.pp
+++ b/modules/rke2/manifests/config.pp
@@ -8,6 +8,7 @@ class rke2::config (
 String $node_token = $rke2::node_token,
 Array[String[1]] $extra_config_files = $rke2::extra_config_files,
 Boolean $manage_registries = $rke2::manage_registries,
+ Hash $registries = $rke2::registries,
 ){
 # if its not the bootstrap node, add join path to config
@@ -35,7 +36,7 @@ class rke2::config (
 owner => 'root',
 group => 'root',
 mode => '0644',
- source => 'puppet:///modules/rke2/registries.yaml',
+ content => epp('rke2/registries.yaml.epp', { registries => $registries }),
 require => Package["rke2-${node_type}"],
 notify => Service["rke2-${node_type}"],
 }
diff --git a/modules/rke2/manifests/init.pp b/modules/rke2/manifests/init.pp
index 434733f..8aae079 100644
--- a/modules/rke2/manifests/init.pp
+++ b/modules/rke2/manifests/init.pp
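Review bot: `Hash $registries = $rke2::registries,` in the class parameter list is looser than the neighbouring parameters (`Array[String[1]]`, `Boolean`), and the template it feeds indexes `$config['endpoint']` unconditionally, so a hiera entry that omits `endpoint` fails inside the EPP with an opaque evaluation error instead of at the parameter boundary. A structured type on this parameter, and on the matching ones added to init.pp and params.pp, would reject malformed data with a clear message: `Hash[String[1], Struct[{ endpoint => Array[Stdlib::HTTPUrl], Optional[rewrite] => Hash[String[1], String[1]], Optional['disable-default-registry-endpoint'] => Boolean }]] $registries = $rke2::registries,`. The `file` resource changed in the second hunk begins outside the hunk; it is presumably guarded by `$manage_registries`, which is worth confirming since the `{}` default renders a `mirrors:` key with no children.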
@@ -13,6 +13,7 @@ class rke2 (
 Array[String[1]] $extra_config_files = $rke2::params::extra_config_files,
 Stdlib::HTTPUrl $container_archive_source = $rke2::params::container_archive_source,
 Boolean $manage_registries = $rke2::params::manage_registries,
+ Hash $registries = $rke2::params::registries,
 ) inherits rke2::params {
 include rke2::install
diff --git a/modules/rke2/manifests/params.pp b/modules/rke2/manifests/params.pp
index a8e08b6..4c110dc 100644
--- a/modules/rke2/manifests/params.pp
+++ b/modules/rke2/manifests/params.pp
@@ -13,4 +13,5 @@ class rke2::params (
 Array[String[1]] $extra_config_files = [],
 Stdlib::HTTPUrl $container_archive_source = 'https://github.com/rancher/rke2/releases/download',
 Boolean $manage_registries = false,
+ Hash $registries = {},
 ) {}
diff --git a/modules/rke2/templates/registries.yaml.epp b/modules/rke2/templates/registries.yaml.epp
new file mode 100644
index 0000000..2f30d22
--- /dev/null
+++ b/modules/rke2/templates/registries.yaml.epp
@@ -0,0 +1,20 @@
+<%- | Hash $registries | -%>
+---
+# DO NOT MODIFY - MANAGED BY PUPPET
+mirrors:
+<%- $registries.each |$registry, $config| { -%>
+ <%= $registry %>:
+ endpoint:
+<%- $config['endpoint'].each |$ep| { -%>
+ - "<%= $ep %>"
+<%- } -%>
+<%- if $config['rewrite'] { -%>
+ rewrite:
+<%- $config['rewrite'].each |$pattern, $replacement| { -%>
+ "<%= $pattern %>": "<%= $replacement %>"
+<%- } -%>
+<%- } -%>
+<%- if $config['disable-default-registry-endpoint'] { -%>
+ disable-default-registry-endpoint: true
+<%- } -%>
+<%- } -%>
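Review bot: `- "<%= $ep %>"` and `"<%= $pattern %>": "<%= $replacement %>"` place hiera values into YAML double-quoted scalars without any escaping, so a rewrite pattern containing a backslash (`\.` is a natural thing to write in a regex, but not a valid escape inside a YAML double-quoted string) or a double quote yields a registries.yaml that does not parse, and that is probably first noticed when the notified rke2 service restarts. The values are operator-controlled hiera data rather than untrusted input, but serialising the hash avoids the quoting problem entirely and also stops the loop from silently dropping any key other than the three it knows about (RKE2's registries.yaml also accepts a `configs:` section for per-registry auth and TLS, which this template cannot express). With stdlib already a dependency of the module (`Stdlib::HTTPUrl`), everything after the parameter line can be replaced by `# DO NOT MODIFY - MANAGED BY PUPPET` followed by `<%= { 'mirrors' => $registries }.to_yaml %>` (namespaced as `stdlib::to_yaml` in newer stdlib releases). If the hand-written loop is kept instead, a comment at the top naming the three supported keys and the no-backslash/no-quote constraint on values would help whoever next edits `rke2::registries`.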