salt,build: Mark the pause image as pod infra container image

We mark the `pause` image used by containerD as `pod infra container
image` for kubelet, so that kubelet does not remove this image.

We also put `pause` image in the embedded registry, so that we are sure
that node does not fetch this image from the internet.

NOTE: Since we fetch the pause image from the embedded registry we no
longer need to import it manually with salt on every node but only for
the registry node

Fixes: #3601

CHANGELOG.md

@@ -69,6 +69,13 @@
   highly-available when we have multiple Prometheus instances
   (PR[#3573](https://github.com/scality/metalk8s/pull/3573))
 
+## Bug fixes
+
+- [#3601](https://github.com/scality/metalk8s/issues/3601) - Mark
+  the `pause` image used by ContainerD as `pod infra container image`
+  so that kubelet does not remove it
+  (PR[#3624](https://github.com/scality/metalk8s/pull/3624))
+
 ## Release 2.10.6 (in development)
 ## Enhancements
 

buildchain/buildchain/image.py

@@ -195,6 +195,7 @@ def _operator_image(name: str, **kwargs: Any) -> targets.OperatorImage:
         "kube-proxy",
         "kube-scheduler",
         "nginx-ingress-defaultbackend-amd64",
+        "pause",
     ],
     constants.GRAFANA_REPOSITORY: [
         "grafana",
@@ -235,7 +236,7 @@ def _operator_image(name: str, **kwargs: Any) -> targets.OperatorImage:
 }
 
 SAVE_AS: Dict[str, List[targets.ImageSaveFormat]] = {
-    "pause": [targets.SaveAsTar()],
+    "pause": [targets.SaveAsTar(), targets.SaveAsLayers()],
     "nginx": [targets.SaveAsTar(), targets.SaveAsLayers()],
 }
 

buildchain/buildchain/salt_tree.py

@@ -16,15 +16,13 @@
 └──────────┘ ╲───>│  copy files     │
                   └─────────────────┘
 
-                   ┌─────────────────┐
-              ╱───>│render templates │
-             ╱     └─────────────────┘
-┌──────────┐╱      ┌─────────────────┐
-│  deploy  │──────>│  copy files     │
-│  salt/*  │╲      └─────────────────┘
-└──────────┘ ╲     ┌─────────────────┐
-              ╲───>│pull pause.tar   │
-                   └─────────────────┘
+                  ┌─────────────────┐
+             ╱───>│render templates │
+┌──────────┐╱     └─────────────────┘
+│  deploy  │
+│  salt/*  │╲     ┌─────────────────┐
+└──────────┘ ╲───>│  copy files     │
+                  └─────────────────┘
 """
 
 
@@ -467,7 +465,6 @@ def task(self) -> types.TaskDict:
     Path("salt/metalk8s/backup/deployed/secret-tls.sls"),
     Path("salt/metalk8s/backup/deployed/service.sls"),
     Path("salt/metalk8s/beacon/certificates.sls"),
-    Path("salt/metalk8s/container-engine/containerd/configured.sls"),
     Path("salt/metalk8s/container-engine/containerd/files/50-metalk8s.conf.j2"),
     Path("salt/metalk8s/container-engine/containerd/init.sls"),
     Path("salt/metalk8s/container-engine/containerd/installed.sls"),
@@ -709,17 +706,6 @@ def task(self) -> types.TaskDict:
     Path("salt/_utils/metalk8s_utils.py"),
     Path("salt/_utils/pillar_utils.py"),
     Path("salt/_utils/volume_utils.py"),
-    # This image is defined here and not in the `image` module since it is
-    # saved into the `salt/` tree.
-    targets.RemoteImage(
-        name="pause",
-        version=versions.CONTAINER_IMAGES_MAP["pause"].version,
-        digest=versions.CONTAINER_IMAGES_MAP["pause"].digest,
-        repository=constants.GOOGLE_REPOSITORY,
-        save_as=[targets.SaveAsTar()],
-        destination=constants.ISO_ROOT
-        / "salt/metalk8s/container-engine/containerd/files",
-    ),
     CommonStaticContainerRegistry(
         destination=Path(
             constants.ISO_ROOT,

salt/metalk8s/container-engine/containerd/init.sls

@@ -1,2 +1,2 @@
 include:
-  - .configured
+  - .installed

salt/metalk8s/container-engine/containerd/installed.sls

@@ -4,6 +4,7 @@
 {%- from "metalk8s/map.jinja" import repo with context %}
 {%- from "metalk8s/map.jinja" import networks with context %}
 {%- from "metalk8s/map.jinja" import proxies with context %}
+{%- from "metalk8s/repo/macro.sls" import build_image_name with context %}
 
 {%- set registry_eps = [] %}
 {%- set pillar_endpoints = metalk8s.endpoints.repositories %}
@@ -107,6 +108,9 @@ Configure registry IP in containerd conf:
     - contents: |
         version = 2
 
+        [plugins."io.containerd.grpc.v1.cri"]
+        sandbox_image = "{{ build_image_name("pause") }}"
+
         [plugins."io.containerd.grpc.v1.cri".registry.mirrors."{{ repo.registry_endpoint }}"]
         endpoint = [{{ registry_eps | join(",") }}]
 

salt/metalk8s/kubernetes/kubelet/standalone.sls

@@ -1,5 +1,6 @@
 {%- from "metalk8s/map.jinja" import kubelet with context %}
 {%- from "metalk8s/map.jinja" import metalk8s with context %}
+{%- from "metalk8s/repo/macro.sls" import build_image_name with context %}
 
 {%- set cluster_dns_ip = salt.metalk8s_network.get_cluster_dns_ip() %}
 
@@ -25,6 +26,7 @@ Create kubelet service environment file:
           node-ip: {{ grains['metalk8s']['control_plane_ip'] }}
           hostname-override: {{ grains['id'] }}
           cgroup-driver: systemd
+          pod-infra-container-image: {{ build_image_name("pause") }}
           v: {{ 2 if metalk8s.debug else 0 }}
     - require:
       - metalk8s_package_manager: Install kubelet

salt/metalk8s/repo/installed.sls

@@ -11,7 +11,7 @@
 
 {%- set image_version = repo.images.get(image_name, {}).get('version') %}
 {%- if not image_version %}
-  {{ raise('Missing version information for "nginx"') }}
+  {{ raise('Missing version information for "' ~ image_name ~ '"') }}
 {%- endif %}
 
 {%- set image_fullname = build_image_name(image_name) %}
@@ -20,6 +20,15 @@ include:
   - .configured
   - metalk8s.container-engine.running
 
+# We really need to inject those images only for the first registry as for others nodes
+# those images are available from remote MetalK8s registry
+Inject pause image:
+  containerd.image_managed:
+    - name: {{ build_image_name("pause") }}
+    - archive_path: {{ archives[saltenv].path }}/images/pause-{{ repo.images.pause.version }}.tar
+    - require:
+      - sls: metalk8s.container-engine.running
+
 Inject nginx image:
   containerd.image_managed:
     - name: {{ image_fullname }}