feat: implement new registry configuration

Move to using multi-doc registry configuration.

Fixes #12120

Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>

Author: smira

api/lock.binpb

@@ -19,7 +19,8 @@ message ImageCacheConfigSpec {
 // RegistriesConfigSpec describes status of rendered secrets.
 message RegistriesConfigSpec {
   map<string, RegistryMirrorConfig> registry_mirrors = 1;
-  map<string, RegistryConfig> registry_config = 2;
+  map<string, RegistryAuthConfig> registry_auths = 2;
+  map<string, RegistryTLSConfig> registry_tl_ss = 3;
 }
 
 // RegistryAuthConfig specifies authentication configuration for a registry.
@@ -30,12 +31,6 @@ message RegistryAuthConfig {
   string registry_identity_token = 4;
 }
 
-// RegistryConfig specifies auth & TLS config per registry.
-message RegistryConfig {
-  RegistryTLSConfig registry_tls = 1;
-  RegistryAuthConfig registry_auth = 2;
-}
-
 // RegistryEndpointConfig represents a single registry endpoint.
 message RegistryEndpointConfig {
   string endpoint_endpoint = 1;

api/resource/definitions/cri/cri.proto

@@ -20,6 +20,7 @@ import (
 
 	"github.com/siderolabs/talos/pkg/machinery/config/encoder"
 	"github.com/siderolabs/talos/pkg/machinery/config/types/block"
+	"github.com/siderolabs/talos/pkg/machinery/config/types/cri"
 	"github.com/siderolabs/talos/pkg/machinery/config/types/hardware"
 	"github.com/siderolabs/talos/pkg/machinery/config/types/network"
 	"github.com/siderolabs/talos/pkg/machinery/config/types/runtime"
@@ -140,6 +141,10 @@ var docsCmd = &cobra.Command{
 					name:    "hardware",
 					fileDoc: hardware.GetFileDoc(),
 				},
+				{
+					name:    "cri",
+					fileDoc: cri.GetFileDoc(),
+				},
 			} {
 				path := filepath.Join(dir, pkg.name)
 

cmd/talosctl/cmd/docs.go

@@ -162,6 +162,13 @@ When `volumeType = "directory"`:
 
 Note: this mode does not provide filesystem-level isolation and inherits the EPHEMERAL partition capacity limits.
 It should not be used for workloads requiring predictable storage quotas.
+"""
+
+    [notes.registry-configuration]
+        title = "CRI Registry Configuration"
+        description = """\
+The CRI registry configuration in v1apha1 legacy machine configuration under `.machine.registries` is now deprecated, but still supported for backwards compatibility.
+New configuration documents `RegistryMirrorConfig`, `RegistryAuthConfig` and `RegistryTLSConfig`  should be used instead.
 """
 
 [make_deps]

hack/release.toml

@@ -2,20 +2,27 @@ machine:
   features:
     imageCache:
       localEnabled: true
-  registries:
-    mirrors:
-      "*":
-        skipFallback: true
-        endpoints:
-        - http://172.20.0.251:65000
-      k8s.gcr.io:
-        skipFallback: true
-        endpoints:
-        - http://172.20.0.251:65000
-      registry.k8s.io:
-        skipFallback: true
-        endpoints:
-        - http://172.20.0.251:65000
+---
+apiVersion: v1alpha1
+kind: RegistryMirrorConfig
+name: '*'
+skipFallback: true
+endpoints:
+  - url: http://172.20.0.251:65000
+---
+apiVersion: v1alpha1
+kind: RegistryMirrorConfig
+name: k8s.gcr.io
+skipFallback: true
+endpoints:
+  - url: http://172.20.0.251:65000
+---
+apiVersion: v1alpha1
+kind: RegistryMirrorConfig
+name: registry.k8s.io
+skipFallback: true
+endpoints:
+  - url: http://172.20.0.251:65000
 ---
 apiVersion: v1alpha1
 kind: VolumeConfig

hack/test/patches/image-cache.yaml

@@ -1,7 +1,6 @@
-machine:
-  registries:
-    mirrors:
-      registry.dev.siderolabs.io:
-        skipFallback: true
-        endpoints:
-        - https://172.20.1.1:8004
+apiVersion: v1alpha1
+kind: RegistryMirrorConfig
+name: registry.dev.siderolabs.io
+skipFallback: true
+endpoints:
+  - url: https://172.20.1.1:8004

hack/test/patches/proxied-registry.yaml

@@ -13,10 +13,9 @@ import (
 	"github.com/cosi-project/runtime/pkg/state"
 	"github.com/siderolabs/gen/optional"
 	"github.com/siderolabs/gen/xslices"
-	"github.com/siderolabs/go-pointer"
 	"go.uber.org/zap"
 
-	"github.com/siderolabs/talos/pkg/machinery/config/types/v1alpha1"
+	config2 "github.com/siderolabs/talos/pkg/machinery/config/config"
 	"github.com/siderolabs/talos/pkg/machinery/constants"
 	"github.com/siderolabs/talos/pkg/machinery/resources/config"
 	"github.com/siderolabs/talos/pkg/machinery/resources/cri"
@@ -83,30 +82,40 @@ func (ctrl *RegistriesConfigController) Run(ctx context.Context, r controller.Ru
 		if err := safe.WriterModify(ctx, r, cri.NewRegistriesConfig(), func(res *cri.RegistriesConfig) error {
 			spec := res.TypedSpec()
 
-			spec.RegistryConfig = clearInit(spec.RegistryConfig)
+			spec.RegistryAuths = clearInit(spec.RegistryAuths)
 			spec.RegistryMirrors = clearInit(spec.RegistryMirrors)
+			spec.RegistryTLSs = clearInit(spec.RegistryTLSs)
 
-			if cfg != nil && cfg.Config().Machine() != nil {
-				// This is breaking our interface abstraction, but we need to get the underlying types for protobuf
-				// encoding to work correctly.
-				mr := cfg.Provider().RawV1Alpha1().MachineConfig.MachineRegistries
-
-				for k, v := range mr.RegistryConfig {
-					spec.RegistryConfig[k] = makeRegistryConfig(v)
-				}
-
-				for k, v := range mr.RegistryMirrors {
+			if cfg != nil {
+				for k, v := range cfg.Config().RegistryMirrorConfigs() {
 					spec.RegistryMirrors[k] = &cri.RegistryMirrorConfig{
 						MirrorEndpoints: xslices.Map(
-							v.MirrorEndpoints,
-							func(endpoint string) cri.RegistryEndpointConfig {
+							v.Endpoints(),
+							func(endpoint config2.RegistryEndpointConfig) cri.RegistryEndpointConfig {
 								return cri.RegistryEndpointConfig{
-									EndpointEndpoint:     endpoint,
-									EndpointOverridePath: pointer.SafeDeref(v.MirrorOverridePath),
+									EndpointEndpoint:     endpoint.Endpoint(),
+									EndpointOverridePath: endpoint.OverridePath(),
 								}
 							},
 						),
-						MirrorSkipFallback: v.MirrorSkipFallback,
+						MirrorSkipFallback: v.SkipFallback(),
+					}
+				}
+
+				for k, v := range cfg.Config().RegistryAuthConfigs() {
+					spec.RegistryAuths[k] = &cri.RegistryAuthConfig{
+						RegistryUsername:      v.Username(),
+						RegistryPassword:      v.Password(),
+						RegistryAuth:          v.Auth(),
+						RegistryIdentityToken: v.IdentityToken(),
+					}
+				}
+
+				for k, v := range cfg.Config().RegistryTLSConfigs() {
+					spec.RegistryTLSs[k] = &cri.RegistryTLSConfig{
+						TLSCA:                 v.CA(),
+						TLSInsecureSkipVerify: v.InsecureSkipVerify(),
+						TLSClientIdentity:     v.ClientIdentity(),
 					}
 				}
 			}
@@ -146,26 +155,3 @@ func clearInit[M ~map[K]V, K comparable, V any](m M) M {
 
 	return m
 }
-
-func makeRegistryConfig(cfg *v1alpha1.RegistryConfig) *cri.RegistryConfig {
-	result := &cri.RegistryConfig{}
-
-	if rtls := cfg.RegistryTLS; rtls != nil {
-		result.RegistryTLS = &cri.RegistryTLSConfig{
-			TLSClientIdentity:     rtls.TLSClientIdentity,
-			TLSCA:                 rtls.TLSCA,
-			TLSInsecureSkipVerify: rtls.TLSInsecureSkipVerify,
-		}
-	}
-
-	if rauth := cfg.RegistryAuth; rauth != nil {
-		result.RegistryAuth = &cri.RegistryAuthConfig{
-			RegistryUsername:      rauth.RegistryUsername,
-			RegistryPassword:      rauth.RegistryPassword,
-			RegistryAuth:          rauth.RegistryAuth,
-			RegistryIdentityToken: rauth.RegistryIdentityToken,
-		}
-	}
-
-	return result
-}