Update crio.conf.j2 template for registries

CRI-O 1.11 and above picks up the default registries from
/etc/containers/registries.conf. Updated the the crio.conf.j2
template to reflect that.
A registries.conf already exists in roles/container-runtimes/templates
that ends up in /etc/containers/registries.conf when the playbook is ran.

Signed-off-by: umohnani8 <umohnani@redhat.com>

roles/container_runtime/tasks/package_crio.yml

@@ -77,6 +77,11 @@
     dest: /etc/sysconfig/crio-network
     src: crio-network.j2
 
+- name: Place registries.conf in /etc/containers/registries.conf
+  template:
+    dest: "{{ containers_registries_conf_path }}"
+    src: registries.conf.j2
+
 - name: Start the CRI-O service
   systemd:
     name: "cri-o"

roles/container_runtime/tasks/package_docker.yml

@@ -71,7 +71,7 @@
 - name: Place additional/blocked/insecure registries in /etc/containers/registries.conf
   template:
     dest: "{{ containers_registries_conf_path }}"
-    src: registries.conf
+    src: registries.conf.j2
   when: openshift_docker_use_etc_containers | bool
   notify:
   - restart container runtime

roles/container_runtime/templates/crio.conf.j2

@@ -141,16 +141,18 @@ signature_policy = ""
 # The valid values are mkdir and ignore.
 image_volumes = "mkdir"
 
+# CRI-O reads its configured registries defaults from the containers/image configuration
+# file, /etc/containers/registries.conf. Modify registries.conf if you want to
+# change default registries for all tools that use containers/image.  If you
+# want to modify just crio, you can change the registies configuration in this
+# file.
+
 # insecure_registries is used to skip TLS verification when pulling images.
-insecure_registries = [
-{{ l_insecure_crio_registries|default("") }}
-]
+# insecure_registries = []
 
 # registries is used to specify a comma separated list of registries to be used
 # when pulling an unqualified image (e.g. fedora:rawhide).
-registries = [
-{{ l_additional_crio_registries|default("") }}
-]
+# registries = []
 
 # The "crio.network" table contains settings pertaining to the
 # management of CNI plugins.

roles/container_runtime/templates/registries.conf

@@ -1,46 +0,0 @@
-# {{ ansible_managed }}
-# This is a system-wide configuration file used to
-# keep track of registries for various container backends.
-# It adheres to YAML format and does not support recursive
-# lists of registries.
-
-# The default location for this configuration file is /etc/containers/registries.conf.
-
-# The only valid categories are: 'registries', 'insecure_registries',
-# and 'block_registries'.
-
-
-#registries:
-#  - registry.redhat.io
-
-{% if l2_docker_additional_registries %}
-registries:
-{% for reg in l2_docker_additional_registries %}
-  - {{ reg }}
-{% endfor %}
-{% endif %}
-
-# If you need to access insecure registries, uncomment the section below
-# and add the registries fully-qualified name. An insecure registry is one
-# that does not have a valid SSL certificate or only does HTTP.
-#insecure_registries:
-#  -
-
-{% if l2_docker_insecure_registries %}
-insecure_registries:
-{% for reg in l2_docker_insecure_registries %}
-  - {{ reg }}
-{% endfor %}
-{% endif %}
-
-# If you need to block pull access from a registry, uncomment the section below
-# and add the registries fully-qualified name.
-#block_registries:
-# -
-
-{% if l2_docker_blocked_registries %}
-block_registries:
-{% for reg in l2_docker_blocked_registries %}
-  - {{ reg }}
-{% endfor %}
-{% endif %}

roles/container_runtime/templates/registries.conf.j2

@@ -0,0 +1,27 @@
+# {{ ansible_managed }}
+# This is a system-wide configuration file used to
+# keep track of registries for various container backends.
+# It adheres to TOML format and does not support recursive
+# lists of registries.
+
+# The default location for this configuration file is /etc/containers/registries.conf.
+
+# The only valid categories are: 'registries.search', 'registries.insecure',
+# and 'registries.block'.
+
+[registries.search]
+registries = [{{ l_additional_crio_registries|default("") }}]
+
+
+# If you need to access insecure registries, add the registry's fully-qualified name.
+# An insecure registry is one that does not have a valid SSL certificate or only does HTTP.
+[registries.insecure]
+registries = [{{ l_insecure_crio_registries|default("") }}]
+
+
+# If you need to block pull access from a registry, uncomment the section below
+# and add the registries fully-qualified name.
+#
+# Docker only
+[registries.block]
+registries = {{ l2_docker_blocked_registries | to_json }}