fix: Correctly configure non-mirror registry certificates

CA certificates are now written to `/etc/containerd/certs.d/<registryHost>/ca.crt`
as required.

Remove non-mirror registry config from `/etc/containerd/certs.d/_default/hosts.toml`
which was causing all registries to be configured as mirror registry.

Author: jimmidyson

pkg/handlers/generic/mutation/mirrors/containerd_files.go

@@ -26,7 +26,7 @@ var (
 	//go:embed templates/hosts.toml.gotmpl
 	containerdHostsConfiguration []byte
 
-	containerdHostsConfigurationTemplate = template.Must(
+	containerdDefaultHostsConfigurationTemplate = template.Must(
 		template.New("").Parse(string(containerdHostsConfiguration)),
 	)
 
@@ -36,7 +36,7 @@ var (
 		"registry-config.toml",
 	)
 
-	mirrorCACertPathOnRemoteFmt = "/etc/certs/%s.pem"
+	caCertPathOnRemoteFmt = "/etc/containerd/certs.d/%s/ca.crt"
 )
 
 type containerdConfig struct {
@@ -54,14 +54,7 @@ func (c containerdConfig) filePathFromURL() (string, error) {
 		return "", fmt.Errorf("failed parsing registry URL: %w", err)
 	}
 
-	registryHostWithPath := registryURL.Host
-	if registryURL.Path != "" {
-		registryHostWithPath = path.Join(registryURL.Host, registryURL.Path)
-	}
-
-	replaced := strings.ReplaceAll(registryHostWithPath, "/", "-")
-
-	return fmt.Sprintf(mirrorCACertPathOnRemoteFmt, replaced), nil
+	return fmt.Sprintf(caCertPathOnRemoteFmt, registryURL.Host), nil
 }
 
 // Return true if configuration is a mirror or has a CA certificate.
@@ -76,7 +69,7 @@ func (c containerdConfig) needContainerdConfiguration() bool {
 //     https://github.com/containerd/containerd/blob/main/docs/hosts.md#setup-default-mirror-for-all-registries
 //
 //  2. Setting CA certificate for global image registry mirror and image registries.
-func generateContainerdHostsFile(
+func generateContainerdDefaultHostsFile(
 	configs []containerdConfig,
 ) (*cabpkv1.File, error) {
 	if len(configs) == 0 {
@@ -86,13 +79,12 @@ func generateContainerdHostsFile(
 	type templateInput struct {
 		URL        string
 		CACertPath string
-		Mirror     bool
 	}
 
 	inputs := make([]templateInput, 0, len(configs))
 
 	for _, config := range configs {
-		if !config.needContainerdConfiguration() {
+		if !config.Mirror {
 			continue
 		}
 
@@ -102,14 +94,12 @@ func generateContainerdHostsFile(
 		}
 
 		input := templateInput{
-			URL:    formattedURL,
-			Mirror: config.Mirror,
+			URL: formattedURL,
 		}
 		// CA cert is optional for mirror registry.
 		// i.e. registry is using signed certificates. Insecure registry will not be allowed.
 		if config.CACert != "" {
-			var registryCACertPathOnRemote string
-			registryCACertPathOnRemote, err = config.filePathFromURL()
+			registryCACertPathOnRemote, err := config.filePathFromURL()
 			if err != nil {
 				return nil, fmt.Errorf(
 					"failed generating CA certificate file path from URL: %w",
@@ -123,7 +113,7 @@ func generateContainerdHostsFile(
 	}
 
 	var b bytes.Buffer
-	err := containerdHostsConfigurationTemplate.Execute(&b, inputs)
+	err := containerdDefaultHostsConfigurationTemplate.Execute(&b, inputs)
 	if err != nil {
 		return nil, fmt.Errorf("failed executing template for Containerd hosts.toml file: %w", err)
 	}

pkg/handlers/generic/mutation/mirrors/containerd_files_test.go

@@ -11,7 +11,7 @@ import (
 	cabpkv1 "sigs.k8s.io/cluster-api/bootstrap/kubeadm/api/v1beta1"
 )
 
-func Test_generateContainerdHostsFile(t *testing.T) {
+func Test_generateContainerdDefaultHostsFile(t *testing.T) {
 	t.Parallel()
 	tests := []struct {
 		name    string
@@ -85,7 +85,7 @@ func Test_generateContainerdHostsFile(t *testing.T) {
 				Append:      false,
 				Content: `[host."https://mymirror.com/v2"]
   capabilities = ["pull", "resolve"]
-  ca = "/etc/certs/mymirror.com.pem"
+  ca = "/etc/containerd/certs.d/mymirror.com/ca.crt"
   # don't rely on Containerd to add the v2/ suffix
   # there is a bug where it is added incorrectly for mirrors with a path
   override_path = true
@@ -118,14 +118,10 @@ func Test_generateContainerdHostsFile(t *testing.T) {
 				Append:      false,
 				Content: `[host."https://mymirror.com/v2"]
   capabilities = ["pull", "resolve"]
-  ca = "/etc/certs/mymirror.com.pem"
+  ca = "/etc/containerd/certs.d/mymirror.com/ca.crt"
   # don't rely on Containerd to add the v2/ suffix
   # there is a bug where it is added incorrectly for mirrors with a path
   override_path = true
-[host."https://myregistry.com/v2"]
-  ca = "/etc/certs/myregistry.com.pem"
-[host."https://172.100.0.10:5000/v2/myproject"]
-  ca = "/etc/certs/172.100.0.10:5000-myproject.pem"
 `,
 			},
 			wantErr: nil,
@@ -144,8 +140,7 @@ func Test_generateContainerdHostsFile(t *testing.T) {
 				Permissions: "0600",
 				Encoding:    "",
 				Append:      false,
-				Content: `[host."https://myregistry.com/v2"]
-  ca = "/etc/certs/myregistry.com.pem"
+				Content: `
 `,
 			},
 			wantErr: nil,
@@ -155,7 +150,7 @@ func Test_generateContainerdHostsFile(t *testing.T) {
 		tt := tests[idx]
 		t.Run(tt.name, func(t *testing.T) {
 			t.Parallel()
-			file, err := generateContainerdHostsFile(tt.configs)
+			file, err := generateContainerdDefaultHostsFile(tt.configs)
 			require.ErrorIs(t, err, tt.wantErr)
 			assert.Equal(t, tt.want, file)
 		})
@@ -190,7 +185,7 @@ func Test_generateRegistryCACertFiles(t *testing.T) {
 			},
 			want: []cabpkv1.File{
 				{
-					Path:        "/etc/certs/registry.example.com.pem",
+					Path:        "/etc/containerd/certs.d/registry.example.com/ca.crt",
 					Owner:       "",
 					Permissions: "0600",
 					Encoding:    "",

pkg/handlers/generic/mutation/mirrors/inject.go

@@ -239,7 +239,7 @@ func generateFiles(
 ) ([]bootstrapv1.File, error) {
 	var files []bootstrapv1.File
 	// generate default registry mirror file
-	containerdHostsFile, err := generateContainerdHostsFile(registriesWithOptionalCA)
+	containerdHostsFile, err := generateContainerdDefaultHostsFile(registriesWithOptionalCA)
 	if err != nil {
 		return nil, err
 	}

pkg/handlers/generic/mutation/mirrors/inject_test.go

@@ -99,7 +99,7 @@ var _ = Describe("Generate Global mirror patches", func() {
 							"path", "/etc/containerd/certs.d/_default/hosts.toml",
 						),
 						gomega.HaveKeyWithValue(
-							"path", "/etc/certs/registry.example.com.pem",
+							"path", "/etc/containerd/certs.d/registry.example.com/ca.crt",
 						),
 						gomega.HaveKeyWithValue(
 							"path", "/etc/caren/containerd/patches/registry-config.toml",
@@ -166,7 +166,7 @@ var _ = Describe("Generate Global mirror patches", func() {
 							"path", "/etc/containerd/certs.d/_default/hosts.toml",
 						),
 						gomega.HaveKeyWithValue(
-							"path", "/etc/certs/registry.example.com.pem",
+							"path", "/etc/containerd/certs.d/registry.example.com/ca.crt",
 						),
 						gomega.HaveKeyWithValue(
 							"path", "/etc/caren/containerd/patches/registry-config.toml",
@@ -244,7 +244,7 @@ var _ = Describe("Generate Global mirror patches", func() {
 							"path", "/etc/containerd/certs.d/_default/hosts.toml",
 						),
 						gomega.HaveKeyWithValue(
-							"path", "/etc/certs/registry.example.com.pem",
+							"path", "/etc/containerd/certs.d/registry.example.com/ca.crt",
 						),
 						gomega.HaveKeyWithValue(
 							"path", "/etc/caren/containerd/patches/registry-config.toml",
@@ -299,7 +299,7 @@ var _ = Describe("Generate Global mirror patches", func() {
 				capitest.VariableWithValue(
 					v1alpha1.ClusterConfigVariableName,
 					[]v1alpha1.ImageRegistry{{
-						URL: "https://registry.example.com",
+						URL: "https://registry.example.com:5050",
 						Credentials: &v1alpha1.RegistryCredentials{
 							SecretRef: &v1alpha1.LocalObjectReference{
 								Name: validMirrorCASecretName,
@@ -327,7 +327,7 @@ var _ = Describe("Generate Global mirror patches", func() {
 							"path", "/etc/containerd/certs.d/_default/hosts.toml",
 						),
 						gomega.HaveKeyWithValue(
-							"path", "/etc/certs/registry.example.com.pem",
+							"path", "/etc/containerd/certs.d/registry.example.com:5050/ca.crt",
 						),
 						gomega.HaveKeyWithValue(
 							"path", "/etc/caren/containerd/patches/registry-config.toml",

pkg/handlers/generic/mutation/mirrors/templates/hosts.toml.gotmpl

@@ -1,5 +1,4 @@
 {{- range . }}
-{{- if .Mirror }}
 [host."{{ .URL }}"]
   capabilities = ["pull", "resolve"]
   {{- if .CACertPath }}
@@ -8,8 +7,4 @@
   # don't rely on Containerd to add the v2/ suffix
   # there is a bug where it is added incorrectly for mirrors with a path
   override_path = true
-{{- else }}
-[host."{{ .URL }}"]
-  ca = "{{ .CACertPath }}"
-{{- end }}
 {{- end }}