diff --git a/images/base/files/etc/containerd/config.toml b/images/base/files/etc/containerd/config.toml
index 94ee2f5002..767d4dac26 100644
--- a/images/base/files/etc/containerd/config.toml
+++ b/images/base/files/etc/containerd/config.toml
@@ -40,3 +40,6 @@ version = 2
 tolerate_missing_hugepages_controller = true
 # restrict_oom_score_adj needs to be true when running inside UserNS (rootless)
 restrict_oom_score_adj = false
+
+[plugins."io.containerd.grpc.v1.cri".registry]
+ config_path = "/etc/containerd/certs.d"
diff --git a/pkg/cluster/nodeutils/util_test.go b/pkg/cluster/nodeutils/util_test.go
index e16851b3c0..253d8cb5ee 100644
--- a/pkg/cluster/nodeutils/util_test.go
+++ b/pkg/cluster/nodeutils/util_test.go
@@ -150,15 +150,7 @@ func TestParseSnapshotter(t *testing.T) {
 key_model = "node"
 
 [plugins."io.containerd.grpc.v1.cri".registry]
- config_path = ""
-
- [plugins."io.containerd.grpc.v1.cri".registry.auths]
-
- [plugins."io.containerd.grpc.v1.cri".registry.configs]
-
- [plugins."io.containerd.grpc.v1.cri".registry.headers]
-
- [plugins."io.containerd.grpc.v1.cri".registry.mirrors]
+ config_path = "/etc/containerd/certs.d"
 
 [plugins."io.containerd.grpc.v1.cri".x509_key_pair_streaming]
 tls_cert_file = ""
diff --git a/site/content/docs/user/private-registries.md b/site/content/docs/user/private-registries.md
index d0bdeb1464..6fa721a37e 100644
--- a/site/content/docs/user/private-registries.md
+++ b/site/content/docs/user/private-registries.md
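Review bot: The new `config_path = "/etc/containerd/certs.d"` line in the config.toml hunk carries no comment, and it changes how the rest of the registry configuration is interpreted: as far as I recall, once `config_path` is set containerd reads per-registry `hosts.toml` files from that directory and no longer applies the legacy `registry.mirrors` / `registry.configs` tables, so existing user `containerdConfigPatches` that add mirrors or TLS material under those tables (exactly the form the private-registries.md hunk removes) would be silently ignored — worth confirming against the containerd CRI registry docs and calling out for users. Since the contents of that directory now decide which CA and client credentials containerd trusts per registry, a short comment above the table would help operators, e.g. `# Per-registry host config (hosts.toml, including TLS material) is read from this directory;` followed by `# legacy registry.mirrors/configs patches are not applied once config_path is set.` The util_test.go hunk mirrors the same removal of the `registry.auths/configs/headers/mirrors` tables from the expected default config; `TestParseSnapshotter` begins outside that hunk.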
@@ -91,8 +91,8 @@ See Google's [upstream docs][keyFileAuthentication] on key file authentication f
 #### Use a Certificate
 
 If you have a registry authenticated with certificates, and both certificates and keys
-reside on your host folder, it is possible to mount and use them into the `containerd` plugin
-patching the default configuration, like in the example:
+reside on your host folder, it is possible to mount to docker config which is compatible
+with containerd, like in this example:
 
 {{< codeFromInline lang="yaml" >}}
 kind: Cluster
@@ -100,13 +100,13 @@ apiVersion: kind.x-k8s.io/v1alpha4
 nodes:
 - role: control-plane
 # This option mounts the host docker registry folder into
-# the control-plane node, allowing containerd to access them.
+# the control-plane node, allowing containerd to access them.
 extraMounts:
 - containerPath: /etc/docker/certs.d/registry.dev.example.com
- hostPath: /etc/docker/certs.d/registry.dev.example.com
-containerdConfigPatches:
- - |-
- [plugins."io.containerd.grpc.v1.cri".registry.configs."registry.dev.example.com".tls]
- cert_file = "/etc/docker/certs.d/registry.dev.example.com/ba_client.cert"
- key_file = "/etc/docker/certs.d/registry.dev.example.com/ba_client.key"
-{{< /codeFromInline >}}
\ No newline at end of file
+ hostPath: /etc/containerd/certs.d/registry.dev.example.com
+{{< /codeFromInline >}}
+
+Note that if you have a hosts.toml file inside the registry configuration, this file needs
+to explicitly mention the TLS certificates/keys, see the [CRI documentation][criDocumentation]
+
+[criDocumentation]: https://github.com/containerd/containerd/blob/main/docs/hosts.md
diff --git a/site/static/examples/kind-with-registry.sh b/site/static/examples/kind-with-registry.sh
index 9fe55a821a..115310f4d3 100755
--- a/site/static/examples/kind-with-registry.sh
+++ b/site/static/examples/kind-with-registry.sh
@@ -10,24 +10,7 @@ if [ "$(docker inspect -f '{{.State.Running}}' "${reg_name}" 2>/dev/null || true registry:2 fi -# 2. Create kind cluster with containerd registry config dir enabled -# TODO: kind will eventually enable this by default and this patch will -# be unnecessary. -# -# See: -# https://github.com/kubernetes-sigs/kind/issues/2875 -# https://github.com/containerd/containerd/blob/main/docs/cri/config.md#registry-configuration -# See: https://github.com/containerd/containerd/blob/main/docs/hosts.md -cat <