Merge pull request #4321 from sskaje/T7092

T7092: Add Container Registry Mirror

Author: dmbaturin

data/templates/container/registries.conf.j2

@@ -28,4 +28,14 @@
 {%         set _ = registry_list.append(r) %}
 {%     endfor %}
 unqualified-search-registries = {{ registry_list }}
+{%     for r, r_options in registry.items() if r_options.disable is not vyos_defined %}
+[[registry]]
+{%         if r_options.mirror is vyos_defined %}
+location = "{{ r_options.mirror.host_name if r_options.mirror.host_name is vyos_defined else r_options.mirror.address }}{{ ":" + r_options.mirror.port if r_options.mirror.port is vyos_defined }}{{ r_options.mirror.path if r_options.mirror.path is vyos_defined }}"
+{%         else %}
+location = "{{ r }}"
+{%         endif %}
+insecure = {{ 'true' if r_options.insecure is vyos_defined else 'false' }}
+prefix = "{{ r }}"
+{%     endfor %}
 {% endif %}

interface-definitions/container.xml.in

@@ -571,6 +571,54 @@
         <children>
           #include <include/interface/authentication.xml.i>
           #include <include/generic-disable-node.xml.i>
+          <leafNode name="insecure">
+            <properties>
+              <help>Allow registry access over unencrypted HTTP or TLS connections with untrusted certificates</help>
+              <valueless/>
+            </properties>
+          </leafNode>
+          <node name="mirror">
+            <properties>
+              <help>Registry mirror, use host-name|address[:port][/path]</help>
+            </properties>
+            <children>
+              <leafNode name="address">
+                <properties>
+                  <help>IP address of container registry mirror</help>
+                  <valueHelp>
+                    <format>ipv4</format>
+                    <description>IPv4 address of container registry mirror</description>
+                  </valueHelp>
+                  <valueHelp>
+                    <format>ipv6</format>
+                    <description>IPv6 address of container registry mirror</description>
+                  </valueHelp>
+                  <constraint>
+                    <validator name="ip-address"/>
+                    <validator name="ipv6-link-local"/>
+                  </constraint>
+                </properties>
+              </leafNode>
+              <leafNode name="host-name">
+                <properties>
+                  <help>Hostname of container registry mirror</help>
+                  <valueHelp>
+                    <format>hostname</format>
+                    <description>FQDN of container registry mirror</description>
+                  </valueHelp>
+                  <constraint>
+                    <validator name="fqdn"/>
+                  </constraint>
+                </properties>
+              </leafNode>
+              #include <include/port-number.xml.i>
+              <leafNode name="path">
+                <properties>
+                  <help>Path of container registry mirror, optional, must be start with '/' if not empty</help>
+                </properties>
+              </leafNode>
+            </children>
+          </node>
         </children>
       </tagNode>
     </children>

src/conf_mode/container.py

@@ -289,6 +289,13 @@ def verify(container):
 
     if 'registry' in container:
         for registry, registry_config in container['registry'].items():
+            if 'mirror' in registry_config:
+                if 'host_name' in registry_config['mirror'] and 'address' in registry_config['mirror']:
+                    raise ConfigError(f'Container registry mirror address/host-name are mutually exclusive!')
+
+                if 'path' in registry_config['mirror'] and not registry_config['mirror']['path'].startswith('/'):
+                    raise ConfigError('Container registry mirror path must start with "/"!')
+
             if 'authentication' not in registry_config:
                 continue
             if not {'username', 'password'} <= set(registry_config['authentication']):