fix: Correctly configure non-mirror registry certificates #1039
Conversation
CA certificates are now written to `/etc/containerd/certs.d/<registryHost>/ca.crt` as required. Remove non-mirror registry config from `/etc/containerd/certs.d/_default/hosts.toml`, which was causing all registries to be configured as a mirror registry.
Thanks! I think this makes `cluster-api-runtime-extensions-nutanix/pkg/handlers/generic/mutation/mirrors/inject.go` (lines 264 to 266 in 17bc80d)

If that's correct, can I push a commit that removes it, and related test code?

No, this is still used in https://github.com/nutanix-cloud-native/cluster-api-runtime-extensions-nutanix/blob/jimmi/fix-registry-ca-certs/pkg/handlers/generic/mutation/mirrors/inject.go#L124-L131
I configured my test docker cluster like:
And the resulting KCP includes an extra file:
(still trying to actually test and pull images)

This is confirmed to work for a single configured registry. There are issues with two or more configured registries, but we'll address that in a follow-up PR.
Use for existing CCs.
@jimmidyson Can you update the PR description, please? I think we'll have two different patches (

Updated PR description.

I verified the configuration and functionality using a Docker cluster.
**What problem does this PR solve?**: Now that we're fixing how the `_default` file is being generated just for mirrors, we should skip creating the file if only registries are provided. Depends on #1039.

**Which issue(s) this PR fixes**: Fixes #

**How Has This Been Tested?**:

**Special notes for your reviewer**:

Only a single configuration is allowed per provider binary, so match up the image hosts per binary in the config. Depends on #1039.
🤖 I have created a release *beep* *boop*

---

## 0.27.0 (2025-02-12)

## What's Changed

### Exciting New Features 🎉

* feat: Update COSI controller Addon by @dlipovetsky in #1043
* feat: Build with Go 1.24.0 by @jimmidyson in #1047

### Fixes 🔧

* fix: Specify PriorityClass for Node Feature Discovery components by @dlipovetsky in #1041
* fix: Correctly configure non-mirror registry certificates by @jimmidyson in #1039
* fix: Configure priorityClassName for Cilium Hubble by @dlipovetsky in #1045
* fix: don't generate empty _default containerd mirror file by @dkoshkin in #1042
* fix: set priority class name for metallb by @supershal in #1046
* fix: Correctly configure dynamic credential provider by @jimmidyson in #1040

**Full Changelog**: v0.26.0...v0.27.0

---

This PR was generated with [Release Please](https://github.com/googleapis/release-please). See [documentation](https://github.com/googleapis/release-please#release-please).

Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
This PR updates the runtime extensions to include two mutation handlers for Nutanix clusters:

- `nutanixclusterconfigpatch-gp.cluster-api-runtime-extensions-nutanix` - original name and original (buggy) functionality. This will still be referenced from existing CCs and so must retain the same name.
- `nutanixclusterv2configpatch-gp.cluster-api-runtime-extensions-nutanix` - new name with fixed functionality. This is now referenced from the example CC in this project and can be used by existing clusters by rebasing on a CC that references this handler name.

The new handler fixes are:

- CA certificates are now written to `/etc/containerd/certs.d/<registryHost>/ca.crt` as per https://github.com/containerd/containerd/blob/main/docs/hosts.md#support-for-dockers-certificate-file-pattern. This does not require a `hosts.toml` file for configuration, although that explicit configuration may be preferred (can do in future if so).
- Remove non-mirror registry config from `/etc/containerd/certs.d/_default/hosts.toml`, which was causing all registries to be configured as a mirror registry.
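The certs.d layout described above, as an added Go example that is not the project's own code: a simplified `Registry` model (hypothetical) is mapped to the files written on the node, with a per-host `ca.crt` for each private CA and a `_default/hosts.toml` that lists only the mirrors, so a registry that merely supplies a CA no longer becomes a mirror for every image and no `_default` file is written when there are no mirrors. The `capabilities` and `ca` keys follow containerd's hosts.md; the type and function names, and the sample input, are constructed.

```go
package main

import (
	"fmt"
	"path"
	"sort"
	"strings"
)

const certsDir = "/etc/containerd/certs.d"

// Registry is a constructed model of one configured registry (hypothetical).
type Registry struct {
	Host   string // host[:port], e.g. "registry.example.com:5000"
	CACert string // PEM CA bundle; empty when a public CA is used
	Mirror bool   // true only for a registry that mirrors all images
}

// ContainerdFiles maps paths under certs.d to content: a per-host ca.crt for
// each custom CA, and a _default/hosts.toml that lists only the mirrors.
func ContainerdFiles(regs []Registry) map[string]string {
	files := map[string]string{}
	var mirrors []string
	for _, r := range regs {
		if r.CACert != "" { // Docker-style cert pattern: no hosts.toml needed
			files[path.Join(certsDir, r.Host, "ca.crt")] = r.CACert
		}
		if r.Mirror {
			mirrors = append(mirrors, r.Host)
		}
	}
	if len(mirrors) == 0 { // no mirrors: never write _default (the old bug)
		return files
	}
	sort.Strings(mirrors)
	var b strings.Builder
	for _, h := range mirrors {
		fmt.Fprintf(&b, "[host.%q]\n  capabilities = [\"pull\", \"resolve\"]\n", "https://"+h)
		if _, ok := files[path.Join(certsDir, h, "ca.crt")]; ok { // mirror with its own CA
			fmt.Fprintf(&b, "  ca = %q\n", path.Join(certsDir, h, "ca.crt"))
		}
	}
	files[path.Join(certsDir, "_default", "hosts.toml")] = b.String()
	return files
}

func main() {
	regs := []Registry{{Host: "registry.example.com:5000", CACert: "-----BEGIN CERTIFICATE-----\n(constructed)\n-----END CERTIFICATE-----\n"}, {Host: "mirror.example.com", Mirror: true}}
	fmt.Print(ContainerdFiles(regs)[path.Join(certsDir, "_default", "hosts.toml")])
}
```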