Set [plugins."io.containerd.grpc.v1.cri".registry].config_path by default
#6485
Labels
Milestone
Comments
|
cc @adisky |
|
This is not defaulted because it is a new option which is replacing older options. |
|
Would it be reasonable to default it if older options are not set? I'd be happy to do a PR proposal if that would make it easier. I'm trying to write up provider-independent directions and tutorials for an on-cluster or local build chain, so I'm hoping for a default that would work across providers. 😁 |
That seems reasonable to me. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
What is the problem you're trying to solve
I'm trying to add a new private registry (with a self-signed CA) to an existing Kubernetes cluster, where I may not have ssh access (but I do have
cluster-admin).Describe the solution you'd like
When using docker, something like the following suffices to add a selfsigned CA:
According the containerd documentation, loading registry certificates after startup requires the following key to be set in
config.toml:Adding this entry isn't sufficient, however, because you also need to restart containerd. Users end up with solutions like this:
http://hypernephelist.com/2021/03/23/kubernetes-containerd-certificate.html
Note that this solution is debian (
update-ca-certificates) / systemd (systemctl) specific, and actually modifies the entire set of trust roots for the host, rather than modifying theconfig.tomlprogramatically (because that seems dangerous)It would be much cleaner if
[plugins."io.containerd.grpc.v1.cri".registry].config_pathdefaulted to either:"/etc/containerd/certs.d""/etc/containerd/certs.d:/etc/docker/certs.d"My preference would be for 2, because it would allow scripts that worked with Docker to also work with containerd, but would still prefer certs in
/etc/containerdif present.Additional context
No response
The text was updated successfully, but these errors were encountered: