-
Notifications
You must be signed in to change notification settings - Fork 3.3k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Set [plugins."io.containerd.grpc.v1.cri".registry].config_path
by default
#6485
Comments
cc @adisky |
This is not defaulted because it is a new option which is replacing older options. |
Would it be reasonable to default it if older options are not set? I'd be happy to do a PR proposal if that would make it easier. I'm trying to write up provider-independent directions and tutorials for an on-cluster or local build chain, so I'm hoping for a default that would work across providers. 😁 |
That seems reasonable to me. |
What is the problem you're trying to solve
I'm trying to add a new private registry (with a self-signed CA) to an existing Kubernetes cluster, where I may not have ssh access (but I do have
cluster-admin
).Describe the solution you'd like
When using docker, something like the following suffices to add a selfsigned CA:
According the containerd documentation, loading registry certificates after startup requires the following key to be set in
config.toml
:Adding this entry isn't sufficient, however, because you also need to restart containerd. Users end up with solutions like this:
http://hypernephelist.com/2021/03/23/kubernetes-containerd-certificate.html
Note that this solution is debian (
update-ca-certificates
) / systemd (systemctl
) specific, and actually modifies the entire set of trust roots for the host, rather than modifying theconfig.toml
programatically (because that seems dangerous)It would be much cleaner if
[plugins."io.containerd.grpc.v1.cri".registry].config_path
defaulted to either:"/etc/containerd/certs.d"
"/etc/containerd/certs.d:/etc/docker/certs.d"
My preference would be for 2, because it would allow scripts that worked with Docker to also work with containerd, but would still prefer certs in
/etc/containerd
if present.Additional context
No response
The text was updated successfully, but these errors were encountered: