
update tls template config for containerd 1.3.x #34

Merged
merged 1 commit into master from lp1853653/fix-template-tls on Apr 6, 2020

Conversation

kwmonroe (Member) commented Apr 4, 2020

https://bugs.launchpad.net/charm-containerd/+bug/1853653

Containerd updated the config.toml sections related to tls in 1.3.x:

containerd/cri#1227

This affects our ability to relate containerd units to docker-registry units that have tls enabled. This PR updates the config template to use the current 1.3.x syntax.

Without this:

$ sudo ./crictl --runtime-endpoint=unix:///var/run/containerd/containerd.sock pull 172.31.20.67:5000/defaultbackend-amd64:1.5
FATA[0000] pulling image failed: rpc error: code = Unknown desc = failed to pull and unpack image "172.31.20.67:5000/defaultbackend-amd64:1.5": failed to resolve reference "172.31.20.67:5000/defaultbackend-amd64:1.5": failed to do request: Head https://172.31.20.67:5000/v2/defaultbackend-amd64/manifests/1.5: remote error: tls: bad certificate

With it:

$ sudo ./crictl --runtime-endpoint=unix:///var/run/containerd/containerd.sock pull 172.31.20.67:5000/defaultbackend-amd64:1.5
Image is up to date for sha256:b5af743e598496e8ebd7a6eb3fea76a6464041581520d1c2315c95f993287303

Note 1: Afaict, containerd-1.2.x (which ships with xenial) never supported custom tls with a registry. Even with these tls bits in the config.toml of a xenial deployment, they don't appear in the runtime config:

$ sudo grep cdk /etc/containerd/config.toml
        ca_file   = "/root/cdk/ca.crt"
        cert_file = "/root/cdk/server.crt"
        key_file  = "/root/cdk/server.key"
$ sudo ./crictl --runtime-endpoint=unix:///var/run/containerd/containerd.sock info | grep cdk
$

We could introduce a new template variable based on the apt version and only render 1.3 bits when running 1.3. I didn't do that here because it seemed unnecessary since invalid config is silently ignored.

Note 2: The auths section of the config.toml has also had a syntax change; the old syntax is deprecated, but still works for 1.3.x. I opted to leave the old syntax in place to ensure any xenial (containerd 1.2.x) deployments would continue to work if upgraded to this charm.
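Because containerd silently drops config sections it does not recognise, the only sign of a mistyped TLS stanza is the "tls: bad certificate" pull failure shown above. The following check is an added example, not the charm's template or containerd's code: it renders the per-registry stanza for the registry host and certificate paths from this PR and verifies the rendered file actually carries it. It assumes the plugins.cri.registry.configs."<host>".tls key layout documented for the containerd 1.3.x CRI plugin, which the PR adopts but does not show.

```shell
#!/bin/sh
# Added example, not the charm's template: render the containerd 1.3.x
# per-registry TLS stanza and verify it is present before trusting a pull.
# Registry host and certificate paths are the ones in the PR description.

REGISTRY="172.31.20.67:5000"

# Write a constructed config.toml fragment in the 1.3.x layout
# (plugins.cri.registry.configs.<host>.tls) to the file named by $1.
write_sample_config() {
  cat > "$1" <<EOF
[plugins.cri.registry]
  [plugins.cri.registry.configs]
    [plugins.cri.registry.configs."${REGISTRY}".tls]
      ca_file   = "/root/cdk/ca.crt"
      cert_file = "/root/cdk/server.crt"
      key_file  = "/root/cdk/server.key"
EOF
}

# Return 0 when $1 holds a tls stanza for registry $2 carrying all three
# keys, 1 otherwise. containerd ignores sections it does not recognise, so
# a mistyped header only shows up later as "tls: bad certificate" on pull.
check_registry_tls() {
  cfg="$1"; host="$2"
  header="[plugins.cri.registry.configs.\"${host}\".tls]"
  # Keep only the lines between that header and the next section header.
  section=$(awk -v h="$header" '
    { line = $0; sub(/^[[:space:]]+/, "", line) }
    line == h          { inside = 1; next }
    /^[[:space:]]*\[/  { inside = 0 }
    inside             { print }
  ' "$cfg")
  [ -n "$section" ] || return 1
  for key in ca_file cert_file key_file; do
    printf '%s\n' "$section" | grep -Eq "^[[:space:]]*${key}[[:space:]]*=" || return 1
  done
  return 0
}
```

Run check_registry_tls against /etc/containerd/config.toml with the registry host after rendering the template; a non-zero exit means the stanza containerd will actually read is missing or incomplete.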

Cynerva (Contributor) commented Apr 6, 2020

LGTM 👍

@Cynerva Cynerva merged commit a77f8a2 into master Apr 6, 2020
@Cynerva Cynerva deleted the lp1853653/fix-template-tls branch April 6, 2020 20:36