Patch: Generic Containerd mirror support #203

Closed
dkoshkin opened this issue Oct 2, 2023 · 6 comments · Fixed by #292

@dkoshkin
Contributor

dkoshkin commented Oct 2, 2023

Extend the image registries API to also enable Containerd mirror.

```yaml
spec:
  topology:
    variables:
      - name: clusterConfig
        value:
          imageRegistries:
            credentials:
              - url: https://my-registry.io
                secretRef:
                    name: <optional ref to a Secret that holds the credentials>
                mirror:
                    caSecretRef:
                      name: <optional ref to a Secret that holds a self signed CA>
```

An image registry can either be configured to pass credentials (already implemented), a Containerd mirror or both.

  1. Just a Containerd mirror, see here. Note how the server is removed since we want to still fall back to upstream registry if image not found in the mirror:

     ```
     $ tree /etc/containerd/certs.d
     /etc/containerd/certs.d
     └── _default
         └── hosts.toml

     $ cat /etc/containerd/certs.d/_default/hosts.toml

     [host."https://my-registry.io"]
       capabilities = ["pull", "resolve"]
     ```

  2. Both a Containerd mirror and credentials provider:
     Configure same as above for 1 and after here add

     ```yaml
          mirror:
            endpoint: "my-registry.io"
            credentialsStrategy: MirrorCredentialsOnly
     ```

Pay special attention to the format the URL is expected in, e.g. with port, with path, etc.

supershal self-assigned this Oct 11, 2023
@supershal
Contributor

Assigned to myself.

@supershal
Contributor

@dkoshkin are we adding caSecretRef as part of this issue? If so, what would be the format of the secret ref and the suggested path on the host to store the secret?

@dkoshkin
Contributor Author

Yes @supershal we should add the caSecretRef. Maybe we can just be super generic and read all keys from the Secret and set them as files in /etc/containerd/? Here is what the config looks like https://github.com/containerd/containerd/blob/main/docs/hosts.md#ca-field
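
The mirror `hosts.toml` from the issue description, generated from a registry URL and an optional CA file path, as an added example (not code from this thread or from capi-runtime-extensions). `MirrorHostsTOML`, the CA path shown and the choice to treat a URL path as the API root through containerd's `override_path` field are assumptions; the example goes beyond the issue's single case by covering URLs with a port or a path and rejecting URLs that embed credentials.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// MirrorHostsTOML renders certs.d/_default/hosts.toml for one mirror.
// No top-level "server" key is written, so containerd still falls back to
// the upstream registry. caPath is optional (hypothetical parameter).
func MirrorHostsTOML(rawURL, caPath string) (string, error) {
	u, err := url.Parse(strings.TrimSpace(rawURL))
	if err != nil {
		return "", err
	}
	if u.Scheme != "https" && u.Scheme != "http" {
		return "", errors.New("mirror URL needs an http(s) scheme")
	}
	if u.Hostname() == "" {
		return "", errors.New("mirror URL has no host")
	}
	// hosts.toml is world-readable config: credentials belong in the Secret.
	if u.User != nil || u.RawQuery != "" || u.Fragment != "" {
		return "", errors.New("userinfo, query or fragment not allowed in mirror URL")
	}
	if caPath != "" && u.Scheme != "https" {
		return "", errors.New("a CA file only applies to an https mirror")
	}
	path := strings.TrimRight(u.Path, "/")
	var b strings.Builder
	fmt.Fprintf(&b, "[host.%q]\n", u.Scheme+"://"+u.Host+path)
	b.WriteString("  capabilities = [\"pull\", \"resolve\"]\n")
	if path != "" { // assumption: the path is the registry API root
		b.WriteString("  override_path = true\n")
	}
	if caPath != "" {
		fmt.Fprintf(&b, "  ca = %q\n", caPath)
	}
	return b.String(), nil
}

func main() {
	// Constructed sample input: mirror with port and path, plus a CA file.
	out, err := MirrorHostsTOML("https://my-registry.io:5000/v2/proxy/", "/etc/containerd/mirror-ca.crt")
	fmt.Println(out, err)
}
```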

@supershal
Contributor

Updated description of the issue to reflect current schema for image registry. https://github.com/d2iq-labs/capi-runtime-extensions/blob/main/docs/content/customization/generic/image-registries.md

@jimmidyson
Member

Can we close this now @dkoshkin @supershal?

@dkoshkin
Contributor Author

Yes, closed with #292
