feat: add proxy_all_registries option to dfinit containerd module

[bumarcell]

Follow-up to #1792 / closes #1791.

Motivation

Without explicit per-registry configuration, containerd sends all pulls directly to upstream registries, bypassing dfdaemon. Listing every registry in registries: ahead of time is impractical in environments where users can pull from arbitrary registries (e.g. Kubernetes clusters with ad-hoc image sources).

Per @gaius-qi's suggestion in #1791, this adds a config option that enables proxying all registries through dfdaemon by writing a catch-all _default/hosts.toml.

Changes

• Adds proxyAllRegistries: bool to dfinit::Containerd, defaulting to true.
• When enabled, dfinit writes <config_path>/_default/hosts.toml pointing at dfdaemon, with capabilities = ["pull", "resolve"] and no top-level server/X-Dragonfly-Registry header — dfdaemon infers the upstream registry from the ns= query parameter (support added in feat: infer upstream registry from containerd ns= query parameter #1792).
• Explicitly configured entries in registries: still get their own hosts.toml under <host_namespace>/ and take precedence over the _default fallback.
• Works for both code paths (config_path present in containerd.toml, or injected by dfinit when missing).

Example rendered config

# /etc/containerd/certs.d/_default/hosts.toml
[host."http://127.0.0.1:65001"]
capabilities = ["pull", "resolve"]

Tests

Two new unit tests added alongside the existing test_containerd_config_with_v2/v3_config_path:

• test_containerd_config_with_proxy_all_registries — asserts that both the explicit docker.io/hosts.toml (with X-Dragonfly-Registry header) and _default/hosts.toml (without header or server) are written when proxy_all_registries: true.
• test_containerd_config_without_proxy_all_registries — asserts _default/hosts.toml is absent when disabled.

Existing v2/v3 tests were updated to set proxy_all_registries: false to preserve their original assertions.

Compatibility notes

• Default is true, which is a behavior change for existing users on upgrade: installs that today rely on dfinit not touching registries outside the configured list will suddenly see all pulls routed through dfdaemon. Operators who need the old behavior can set proxyAllRegistries: false in their dfinit YAML. Happy to flip the default to false if that's the project preference.

Closes #1791.

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 43.47%. Comparing base (0e06349) to head (2d317df).
⚠️ Report is 6 commits behind head on main.

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #1803      +/-   ##
==========================================
+ Coverage   43.21%   43.47%   +0.25%     
==========================================
  Files          92       92              
  Lines       26868    26972     +104     
==========================================
+ Hits        11612    11726     +114     
+ Misses      15256    15246      -10     

Files with missing lines	Coverage Δ
dragonfly-client-config/src/dfinit.rs	91.75% <100.00%> (+1.42%)	⬆️
...ly-client-init/src/container_runtime/containerd.rs	98.32% <100.00%> (+1.04%)	⬆️

... and 1 file with indirect coverage changes

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[BraveY]

LGTM

[gaius-qi]

LGTM