Add CRI-O registry mirror config for zot pull-through cache

Configures minikube's CRI-O to use zot on indri as a pull-through cache for docker.io, ghcr.io, and quay.io. Uses host.containers.internal:5050 which is stable across restarts. This reduces external bandwidth, speeds up pulls, and provides resilience if upstream registries are unreachable. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-01-19 09:49:53 -08:00 · 2026-01-19 08:37:01 -08:00 · 2026-01-19 08:37:01 -08:00
commit 1c172702ec
3 changed files with 71 additions and 0 deletions
--- a/ansible/roles/minikube/files/zot-mirror.conf
+++ b/ansible/roles/minikube/files/zot-mirror.conf
@ -0,0 +1,27 @@
+# Zot pull-through cache on indri
+# Uses host.containers.internal which is stable across restarts
+# Applied by ansible minikube role
+
+[[registry]]
+prefix = "docker.io"
+location = "docker.io"
+
+[[registry.mirror]]
+location = "host.containers.internal:5050/docker.io"
+insecure = true
+
+[[registry]]
+prefix = "ghcr.io"
+location = "ghcr.io"
+
+[[registry.mirror]]
+location = "host.containers.internal:5050/ghcr.io"
+insecure = true
+
+[[registry]]
+prefix = "quay.io"
+location = "quay.io"
+
+[[registry.mirror]]
+location = "host.containers.internal:5050/quay.io"
+insecure = true
--- a/ansible/roles/minikube/handlers/main.yml
+++ b/ansible/roles/minikube/handlers/main.yml
@ -7,3 +7,8 @@
    minikube stop 2>/dev/null || true
    minikube start
  changed_when: true
+
+- name: Restart CRI-O in minikube
+  ansible.builtin.command:
+    cmd: minikube ssh "sudo systemctl restart crio"
+  changed_when: true
--- a/ansible/roles/minikube/tasks/main.yml
+++ b/ansible/roles/minikube/tasks/main.yml
@ -56,3 +56,42 @@
  ansible.builtin.debug:
    msg: "WARNING: minikube may not have started properly. Run 'minikube start' manually on indri if needed. Status: {{ minikube_final_status.stdout | default('unknown') }}"
  when: minikube_final_status.rc != 0 or 'Running' not in minikube_final_status.stdout
+
+# Configure CRI-O to use zot as pull-through cache
+- name: Copy zot mirror config to temp location
+  ansible.builtin.copy:
+    src: zot-mirror.conf
+    dest: /tmp/zot-mirror.conf
+    mode: "0644"
+  when: minikube_final_status.rc == 0 and 'Running' in minikube_final_status.stdout
+
+- name: Check if zot mirror config exists in minikube
+  ansible.builtin.command:
+    cmd: minikube ssh "cat /etc/containers/registries.conf.d/zot-mirror.conf 2>/dev/null || echo ''"
+  register: minikube_existing_zot_config
+  changed_when: false
+  when: minikube_final_status.rc == 0 and 'Running' in minikube_final_status.stdout
+
+- name: Read local zot mirror config
+  ansible.builtin.slurp:
+    src: /tmp/zot-mirror.conf
+  register: minikube_local_zot_config
+  when: minikube_final_status.rc == 0 and 'Running' in minikube_final_status.stdout
+
+- name: Apply zot mirror config to minikube
+  ansible.builtin.shell:
+    cmd: |
+      set -o pipefail
+      cat /tmp/zot-mirror.conf | minikube ssh "sudo tee /etc/containers/registries.conf.d/zot-mirror.conf > /dev/null"
+    executable: /bin/bash
+  changed_when: true
+  when:
+    - minikube_final_status.rc == 0
+    - "'Running' in minikube_final_status.stdout"
+    - minikube_existing_zot_config.stdout != (minikube_local_zot_config.content | b64decode)
+  notify: Restart CRI-O in minikube
+
+- name: Clean up temp config file
+  ansible.builtin.file:
+    path: /tmp/zot-mirror.conf
+    state: absent