Fix remaining corner cases in containerd certs.d support #9341

Closed
brandond opened this issue Feb 2, 2024 · 1 comment
brandond commented Feb 2, 2024

There are a couple of remaining issues with the new containerd registries.yaml -> certs.d transition:

1. If the last registry in the endpoint list is the default, the registry overrides for that registry are not used - k3s will skip generating a certs.d/<registry>/hosts.toml for that registry and as a result containerd will not attempt to use the provided registry endpoints, it will always go out to the default.

```yaml
mirrors:
  docker.io:
    endpoint:
      - registry.example.com
      - docker.io
```

This is kind of a strange thing to do anyway, so I doubt anyone is doing this.

2. Default TLS config from the wildcard entry is not honored:

```yaml
configs:
  "*":
    tls:
      insecure_skip_verify: true
```

The docs do not cover use of the wildcard default registry for either mirrors or configs, and I don't know if it even worked for configs previously to begin with, and the upstream docs on this are not clear as to whether or not it is expected to work: https://github.com/containerd/containerd/blob/main/docs/hosts.md

UPDATE: It appears that containerd doesn't support loading tls config from the _default entry.

@ShylajaDevadiga (Contributor) commented:

> 1. If the last registry in the endpoint list is the default, the registry overrides for that registry are not used

Validated using k3s version v1.28.8-rc1+k3s1

Environment Details

Infrastructure: Cloud EC2 instance

Node(s) CPU architecture, OS, and Version: Ubuntu 22.04

```
$ cat /etc/rancher/k3s/registries.yaml
---
mirrors:
  docker.io:
    endpoint:
      - https://registry.example.com/
      - docker.io
  k8s.gcr.io:
    endpoint:
      - https://registry.example.com/
      - k8s.gcr.io
configs:
  registry.example.com:
    auth:
      username: testusername
      password: testpassword
    tls:
      ca_file: /home/ubuntu/ca.pem
```

Steps to validate

  1. Configure private registry
  2. Create the registries.yaml with the last registry in the endpoint list as the default to /etc/rancher/k3s
  3. Install k3s.
  4. Validate certs.d//hosts.toml is generated

Results from reproducing the issue:

```
ubuntu@ip-172-31-6-82:~$ k3s -v
k3s version v1.29.2+k3s1 (86f10213)
go version go1.21.7

$ sudo cat /var/lib/rancher/k3s/agent/etc/containerd/certs.d/docker.io/hosts.toml
cat: /var/lib/rancher/k3s/agent/etc/containerd/certs.d/docker.io/hosts.toml: No such file or directory
```

Results from validating the issue:

```
ubuntu@ip-172-31-12-26:~$ k3s -v
k3s version v1.29.3-rc1+k3s1 (8aecc26b)
go version go1.21.8

$ sudo cat /var/lib/rancher/k3s/agent/etc/containerd/certs.d/k8s.gcr.io/hosts.toml
# File generated by k3s. DO NOT EDIT.

server = "https://k8s.gcr.io/v2"
capabilities = ["pull", "resolve", "push"]

[host."https://registry.example.com/v2"]
  capabilities = ["pull", "resolve"]
  ca = ["/home/ubuntu/ca.pem"]

$ sudo cat /var/lib/rancher/k3s/agent/etc/containerd/certs.d/docker.io/hosts.toml
# File generated by k3s. DO NOT EDIT.

server = "https://registry-1.docker.io/v2"
capabilities = ["pull", "resolve", "push"]

[host."https://registry.example.com/v2"]
  capabilities = ["pull", "resolve"]
  ca = ["/home/ubuntu/ca.pem"]
```

> 2. As Brad mentioned, containerd doesn't support loading tls config from the _default entry

Passing a CA cert or insecure_skip_verify via the _default/* entry doesn't work; containerd doesn't load tls config from it.

```
ubuntu@ip-172-31-11-245:~$ cat /etc/rancher/k3s/registries.yaml
---
mirrors:
  docker.io:
    endpoint:
      - registry.example.com
  k8s.gcr.io:
    endpoint:
      - registry.example.com
configs:
  "*":
    tls:
      insecure_skip_verify: true

$ sudo cat /var/lib/rancher/k3s/agent/etc/containerd/certs.d/_default/hosts.toml
# File generated by k3s. DO NOT EDIT.

skip_verify = true
```

```
Mar 22 17:18:04 ip-172-31-11-245 k3s[2055]: E0322 17:18:04.159884    2055 kuberuntime_manager.go:1171] "CreatePodSandbox for pod failed" err="rpc error: code = Unknown desc = failed to get sandbox image \"rancher/mirrored-pause:3.6\": failed to pull image \"rancher/mirrored-pause:3.6\": failed to pull and unpack image \"docker.io/rancher/mirrored-pause:3.6\": failed to resolve reference \"docker.io/rancher/mirrored-pause:3.6\": failed to do request: Head \"https://registry.example.com/v2/rancher/mirrored-pause/manifests/3.6?ns=docker.io\": tls: failed to verify certificate: x509: certificate signed by unknown authority" pod="kube-system/helm-install-traefik-crd-zrvm7"
```

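The registries.yaml -> certs.d translation that both comments above exercise, as an added example that is not k3s code: a toy generator that renders one hosts.toml per mirrored registry in the layout shown in the validation output, keeps the file when the default registry appears last in the endpoint list (corner case 1, the endpoint is simply dropped because the `server` line already covers it), renders the wildcard entry to `_default/hosts.toml`, and a `lint` helper that flags the two configurations this issue is about. The `DEFAULT_SERVERS` table, the `lint` messages and the constructed `EXAMPLE` input are assumptions made for this example; the file format is copied from the output above.

```python
# Added example: toy model of registries.yaml -> certs.d/<registry>/hosts.toml.
# Not k3s's own generator; DEFAULT_SERVERS is an assumed mapping taken from the
# hosts.toml output in this issue.
from typing import Dict, List, Optional
from urllib.parse import urlparse

HEADER = "# File generated by k3s. DO NOT EDIT.\n"
DEFAULT_SERVERS = {"docker.io": "https://registry-1.docker.io/v2"}  # assumed


def default_server(registry: str) -> str:
    """Upstream v2 endpoint for a registry name."""
    return DEFAULT_SERVERS.get(registry, f"https://{registry}/v2")


def endpoint_host(endpoint: str) -> str:
    """Hostname of an endpoint given as either a bare name or a URL."""
    if "://" not in endpoint:
        endpoint = "https://" + endpoint
    return urlparse(endpoint).netloc


def endpoint_url(endpoint: str) -> str:
    """Normalize a mirror endpoint to a scheme://host/v2 URL."""
    if "://" not in endpoint:
        endpoint = "https://" + endpoint
    p = urlparse(endpoint)
    path = p.path.rstrip("/") or "/v2"
    return f"{p.scheme}://{p.netloc}{path}"


def host_tls_lines(cfg: dict) -> List[str]:
    """TOML lines for one [host] table, derived from the endpoint's configs entry."""
    lines = []
    tls = cfg.get("tls", {})
    if "ca_file" in tls:
        lines.append(f'  ca = ["{tls["ca_file"]}"]')
    if tls.get("insecure_skip_verify"):
        lines.append("  skip_verify = true")
    return lines


def render_hosts_toml(registry: str, endpoints: List[str], configs: dict) -> Optional[str]:
    """Render certs.d/<registry>/hosts.toml, or None when there is no mirror to write.

    The default registry is removed from the endpoint list instead of being used as a
    reason to skip the whole file (corner case 1): the server line already names it.
    """
    mirrors = [ep for ep in endpoints if endpoint_host(ep) != registry]
    if not mirrors:
        return None
    out = [HEADER, f'server = "{default_server(registry)}"',
           'capabilities = ["pull", "resolve", "push"]', ""]
    for ep in mirrors:
        out.append(f'[host."{endpoint_url(ep)}"]')
        out.append('  capabilities = ["pull", "resolve"]')
        out.extend(host_tls_lines(configs.get(endpoint_host(ep), {})))
        out.append("")
    return "\n".join(out)


def render_default_hosts_toml(configs: dict) -> Optional[str]:
    """certs.d/_default/hosts.toml from the "*" wildcard configs entry."""
    lines = host_tls_lines(configs.get("*", {}))
    if not lines:
        return None
    return HEADER + "\n" + "\n".join(line.strip() for line in lines) + "\n"


def lint(registries: dict) -> List[str]:
    """Flag the two configurations discussed in this issue (messages are assumptions)."""
    warnings = []
    for registry, m in registries.get("mirrors", {}).items():
        eps = m.get("endpoint", [])
        if eps and endpoint_host(eps[-1]) == registry:
            warnings.append(f"{registry}: last endpoint is the default registry itself; "
                            "it is redundant and older k3s builds skipped hosts.toml for it")
    if registries.get("configs", {}).get("*", {}).get("tls"):
        warnings.append('configs["*"].tls: containerd does not load TLS settings from '
                        "certs.d/_default/hosts.toml; set tls under each mirror host instead")
    return warnings


def generate(registries: dict) -> Dict[str, str]:
    """Map certs.d-relative path -> file content."""
    configs = registries.get("configs", {})
    files = {}
    for registry, m in registries.get("mirrors", {}).items():
        content = render_hosts_toml(registry, m.get("endpoint", []), configs)
        if content is not None:
            files[f"{registry}/hosts.toml"] = content
    default = render_default_hosts_toml(configs)
    if default is not None:
        files["_default/hosts.toml"] = default
    return files


# Constructed input: the registries.yaml from the validation comment, as parsed YAML.
EXAMPLE = {
    "mirrors": {
        "docker.io": {"endpoint": ["https://registry.example.com/", "docker.io"]},
        "k8s.gcr.io": {"endpoint": ["https://registry.example.com/", "k8s.gcr.io"]},
    },
    "configs": {
        "registry.example.com": {
            "auth": {"username": "testusername", "password": "testpassword"},
            "tls": {"ca_file": "/home/ubuntu/ca.pem"},
        }
    },
}

if __name__ == "__main__":
    for path, body in generate(EXAMPLE).items():
        print(f"--- {path}\n{body}")
    for warning in lint(EXAMPLE):
        print("WARN:", warning)
```

Running it on `EXAMPLE` produces the two hosts.toml files shown in the validation output; swapping in the wildcard registries.yaml from the second test produces only `_default/hosts.toml` with `skip_verify = true`, and `lint` reports that containerd will not apply it, which is exactly the x509 failure in the log line above.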