docs: update docs with mirror information

Author: supershal

docs/content/customization/generic/image-registries.md

@@ -33,11 +33,71 @@ spec:
       - name: clusterConfig
         value:
           imageRegistries:
-            credentials:
-              - url: https://my-registry.io
+            - url: https://my-registry.io
+              credentials:
                 secretRef:
                   name: my-registry-credentials
 ```
 
 Applying this configuration will result in new files and preKubeadmCommands
 on the `KubeadmControlPlaneTemplate` and `KubeadmConfigTemplate`.
+
+To use a image registry as mirror with CA certificate, specify the following configuration:
+
+If your registry mirror requires self signed CA certifate, create a Kubernetes Secret with keys for `ca.crt`:
+
+```shell
+kubectl create secret generic my-mirror-ca-cert-secret \
+  --from-file=ca.crt=registry-ca.crt
+```
+
+```yaml
+apiVersion: cluster.x-k8s.io/v1beta1
+kind: Cluster
+metadata:
+  name: <NAME>
+spec:
+  topology:
+    variables:
+      - name: clusterConfig
+        value:
+          imageRegistries:
+            - url: https://my-registry.io
+              credentials:
+                secretRef:
+                  name: my-registry-credentials
+              mirror:
+                secretRef:
+                  name: my-mirror-ca-cert-secret
+```
+
+Applying this configuration will result in following new files on the
+`KubeadmControlPlaneTemplate` and `KubeadmConfigTemplate`
+
+- `/etc/containerd/certs.d/_default/hosts.toml`
+- `/etc/certs/mirror.pem`
+
+To use a public hosted image registry (ex. ECR) as mirror, specify the following configuration:
+
+```yaml
+apiVersion: cluster.x-k8s.io/v1beta1
+kind: Cluster
+metadata:
+  name: <NAME>
+spec:
+  topology:
+    variables:
+      - name: clusterConfig
+        value:
+          imageRegistries:
+            - url: https://123456789.dkr.ecr.us-east-1.amazonaws.com
+              credentials:
+                secretRef:
+                  name: my-registry-credentials
+              mirror: {}
+```
+
+Applying this configuration will result in following new files on the
+`KubeadmControlPlaneTemplate` and `KubeadmConfigTemplate`
+
+- `/etc/containerd/certs.d/_default/hosts.toml`

pkg/handlers/generic/mutation/imageregistries/credentials/credential_provider_config_files.go

@@ -52,7 +52,10 @@ func (c providerConfig) isCredentialsEmpty() bool {
 		c.Password == ""
 }
 
-func templateFilesForImageCredentialProviderConfigs(config providerConfig, mirror *mirrorConfig) ([]cabpkv1.File, error) {
+func templateFilesForImageCredentialProviderConfigs(
+	config providerConfig,
+	mirror *mirrorConfig,
+) ([]cabpkv1.File, error) {
 	var files []cabpkv1.File
 
 	kubeletCredentialProviderConfigFile, err := templateKubeletCredentialProviderConfig()

pkg/handlers/generic/mutation/imageregistries/credentials/tests/generate_patches.go

@@ -492,7 +492,6 @@ func newRegistryCredentialsSecret(name, namespace string) *corev1.Secret {
 	secretData := map[string][]byte{
 		"username": []byte("myuser"),
 		"password": []byte("mypassword"),
-		"ca.crt":   []byte("myCACert"),
 	}
 	return &corev1.Secret{
 		TypeMeta: metav1.TypeMeta{
@@ -507,6 +506,7 @@ func newRegistryCredentialsSecret(name, namespace string) *corev1.Secret {
 		Type: corev1.SecretTypeOpaque,
 	}
 }
+
 func newMirrorSecret(name, namespace string) *corev1.Secret {
 	secretData := map[string][]byte{
 		"ca.crt": []byte("myCACert"),