CRI: remove deprecated config properties (auths, configs, mirrors)

AkihiroSuda · AkihiroSuda · commit 8313a1c90c4b · 2024-02-06T14:53:58.000+09:00
Remove the following config properties in `/etc/containerd/config.toml`:

| Property Group                                  | Property   | Deprecation release | Target release for removal | Recommendation         |
|-------------------------------------------------|------------|---------------------|----------------------------|------------------------|
|`[plugins."io.containerd.grpc.v1.cri".registry]` | `auths`    | containerd v1.3     | containerd v2.0 ✅         | Use `ImagePullSecrets` |
|`[plugins."io.containerd.grpc.v1.cri".registry]` | `configs`  | containerd v1.5     | containerd v2.0 ✅         | Use `config_path`      |
|`[plugins."io.containerd.grpc.v1.cri".registry]` | `mirrors`  | containerd v1.5     | containerd v2.0 ✅         | Use `config_path`      |

The toml properties are still kept for printing human-readable errors,
but the properties will be completely removed in v2.1.

Signed-off-by: Akihiro Suda &lt;akihiro.suda.cz@hco.ntt.co.jp&gt;
diff --git a/RELEASES.md b/RELEASES.md
@@ -420,9 +420,9 @@ The deprecated properties in [`config.toml`](./docs/cri/config.md) are shown in
 |`[plugins."io.containerd.grpc.v1.cri".containerd.runtimes.*]`         | `runtime_engine`             | containerd v1.3     | containerd v2.0 ✅         | Use runtime v2                                  |
 |`[plugins."io.containerd.grpc.v1.cri".containerd.runtimes.*]`         | `runtime_root`               | containerd v1.3     | containerd v2.0 ✅         | Use `options.Root`                              |
 |`[plugins."io.containerd.grpc.v1.cri".containerd.runtimes.*.options]` | `CriuPath`                   | containerd v1.7     | containerd v2.0 ✅         | Set `$PATH` to the `criu` binary                |
-|`[plugins."io.containerd.grpc.v1.cri".registry]`                      | `auths`                      | containerd v1.3     | containerd v2.0            | Use [`ImagePullSecrets`](https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/). See also [#8228](https://github.com/containerd/containerd/issues/8228). |
-|`[plugins."io.containerd.grpc.v1.cri".registry]`                      | `configs`                    | containerd v1.5     | containerd v2.0            | Use [`config_path`](./docs/hosts.md)            |
-|`[plugins."io.containerd.grpc.v1.cri".registry]`                      | `mirrors`                    | containerd v1.5     | containerd v2.0            | Use [`config_path`](./docs/hosts.md)            |
+|`[plugins."io.containerd.grpc.v1.cri".registry]`                      | `auths`                      | containerd v1.3     | containerd v2.0 ✅         | Use [`ImagePullSecrets`](https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/). See also [#8228](https://github.com/containerd/containerd/issues/8228). |
+|`[plugins."io.containerd.grpc.v1.cri".registry]`                      | `configs`                    | containerd v1.5     | containerd v2.0 ✅         | Use [`config_path`](./docs/hosts.md)            |
+|`[plugins."io.containerd.grpc.v1.cri".registry]`                      | `mirrors`                    | containerd v1.5     | containerd v2.0 ✅         | Use [`config_path`](./docs/hosts.md)            |
 
 > **Note**
 >
diff --git a/integration/image_pull_timeout_test.go b/integration/image_pull_timeout_test.go
@@ -276,17 +276,6 @@ func testCRIImagePullTimeoutByNoDataTransferred(t *testing.T) {
 		{
 			ConfigPath: filepath.Dir(hostCfgDir),
 		},
-		// TODO(fuweid):
-		//
-		// Both Mirrors and Configs are deprecated in the future. And
-		// this registryCfg should also be removed at that time.
-		{
-			Mirrors: map[string]criconfig.Mirror{
-				mirrorURL.Host: {
-					Endpoints: []string{mirrorURL.String()},
-				},
-			},
-		},
 	} {
 		criService, err := initLocalCRIImageService(cli, tmpDir, registryCfg)
 		assert.NoError(t, err)
diff --git a/internal/cri/config/config.go b/internal/cri/config/config.go
@@ -20,7 +20,6 @@ import (
 	"context"
 	"errors"
 	"fmt"
-	"net/url"
 	goruntime "runtime"
 	"strconv"
 	"time"
@@ -212,57 +211,25 @@ type CniConfig struct {
 	IPPreference string `toml:"ip_pref" json:"ipPref"`
 }
 
-// Mirror contains the config related to the registry mirror
-type Mirror struct {
-	// Endpoints are endpoints for a namespace. CRI plugin will try the endpoints
-	// one by one until a working one is found. The endpoint must be a valid url
-	// with host specified.
-	// The scheme, host and path from the endpoint URL will be used.
-	Endpoints []string `toml:"endpoint" json:"endpoint"`
-}
-
-// AuthConfig contains the config related to authentication to a specific registry
-type AuthConfig struct {
-	// Username is the username to login the registry.
-	Username string `toml:"username" json:"username"`
-	// Password is the password to login the registry.
-	Password string `toml:"password" json:"password"`
-	// Auth is a base64 encoded string from the concatenation of the username,
-	// a colon, and the password.
-	Auth string `toml:"auth" json:"auth"`
-	// IdentityToken is used to authenticate the user and get
-	// an access token for the registry.
-	IdentityToken string `toml:"identitytoken" json:"identitytoken"`
-}
-
 // Registry is registry settings configured
 type Registry struct {
 	// ConfigPath is a path to the root directory containing registry-specific
 	// configurations.
 	// If ConfigPath is set, the rest of the registry specific options are ignored.
 	ConfigPath string `toml:"config_path" json:"configPath"`
-	// Mirrors are namespace to mirror mapping for all namespaces.
-	// This option will not be used when ConfigPath is provided.
-	// DEPRECATED: Use ConfigPath instead. Remove in containerd 2.0.
-	Mirrors map[string]Mirror `toml:"mirrors" json:"mirrors"`
-	// Configs are configs for each registry.
-	// The key is the domain name or IP of the registry.
-	// DEPRECATED: Use ConfigPath instead.
-	Configs map[string]RegistryConfig `toml:"configs" json:"configs"`
-	// Auths are registry endpoint to auth config mapping. The registry endpoint must
-	// be a valid url with host specified.
-	// DEPRECATED: Use ConfigPath instead. Remove in containerd 2.0, supported in 1.x releases.
-	Auths map[string]AuthConfig `toml:"auths" json:"auths"`
+	// MirrorsNoLongerSupported (Mirrors) was deprecated in containerd v1.5 and removed in v2.0.
+	// TODO: completely stop parsing this in v2.1.
+	MirrorsNoLongerSupported map[string]any `toml:"mirrors" json:"mirrors"`
+	// ConfigsNoLongerSupported (Configs) was deprecated in containerd v1.5 and removed in v2.0.
+	// TODO: completely stop parsing this in v2.1.
+	ConfigsNoLongerSupported map[string]any `toml:"configs" json:"configs"`
+	// AuthsNoLongerSupported (Auths) was deprecated in containerd v1.3 and removed in v2.0.
+	// TODO: completely stop parsing this in v2.1.
+	AuthsNoLongerSupported map[string]any `toml:"auths" json:"auths"`
 	// Headers adds additional HTTP headers that get sent to all registries
 	Headers map[string][]string `toml:"headers" json:"headers"`
 }
 
-// RegistryConfig contains configuration used to communicate with the registry.
-type RegistryConfig struct {
-	// Auth contains information to authenticate to the registry.
-	Auth *AuthConfig `toml:"auth" json:"auth"`
-}
-
 // ImageDecryption contains configuration to handling decryption of encrypted container images.
 type ImageDecryption struct {
 	// KeyModel specifies the trust model of where keys should reside.
@@ -486,41 +453,17 @@ const (
 func ValidateImageConfig(ctx context.Context, c *ImageConfig) ([]deprecation.Warning, error) {
 	var warnings []deprecation.Warning
 
-	useConfigPath := c.Registry.ConfigPath != ""
-	if len(c.Registry.Mirrors) > 0 {
-		if useConfigPath {
-			return warnings, errors.New("`mirrors` cannot be set when `config_path` is provided")
-		}
-		warnings = append(warnings, deprecation.CRIRegistryMirrors)
-		log.G(ctx).Warning("`mirrors` is deprecated, please use `config_path` instead")
+	if len(c.Registry.MirrorsNoLongerSupported) > 0 {
+		return warnings, errors.New("`mirrors` is no longer supported since containerd v2.0, please use `config_path` instead")
 	}
 
-	if len(c.Registry.Configs) != 0 {
-		warnings = append(warnings, deprecation.CRIRegistryConfigs)
-		log.G(ctx).Warning("`configs` is deprecated, please use `config_path` instead")
+	if len(c.Registry.ConfigsNoLongerSupported) != 0 {
+		return warnings, errors.New("`configs` is no longer supported since containerd v2.0, please use `config_path` instead")
 	}
 
 	// Validation for deprecated auths options and mapping it to configs.
-	if len(c.Registry.Auths) != 0 {
-		if c.Registry.Configs == nil {
-			c.Registry.Configs = make(map[string]RegistryConfig)
-		}
-		for endpoint, auth := range c.Registry.Auths {
-			auth := auth
-			u, err := url.Parse(endpoint)
-			if err != nil {
-				return warnings, fmt.Errorf("failed to parse registry url %q from `registry.auths`: %w", endpoint, err)
-			}
-			if u.Scheme != "" {
-				// Do not include the scheme in the new registry config.
-				endpoint = u.Host
-			}
-			config := c.Registry.Configs[endpoint]
-			config.Auth = &auth
-			c.Registry.Configs[endpoint] = config
-		}
-		warnings = append(warnings, deprecation.CRIRegistryAuths)
-		log.G(ctx).Warning("`auths` is deprecated, please use `ImagePullSecrets` instead")
+	if len(c.Registry.AuthsNoLongerSupported) != 0 {
+		return warnings, errors.New("`auths` is no longer supported since containerd v2.0, please use `ImagePullSecrets` instead")
 	}
 
 	// Validation for image_pull_progress_timeout
diff --git a/internal/cri/config/config_test.go b/internal/cri/config/config_test.go
@@ -73,26 +73,12 @@ func TestValidateConfig(t *testing.T) {
 			},
 			imageConfig: &ImageConfig{
 				Registry: Registry{
-					Auths: map[string]AuthConfig{
-						"https://gcr.io": {Username: "test"},
+					AuthsNoLongerSupported: map[string]any{
+						"https://gcr.io": map[string]any{"username": "test"},
 					},
 				},
 			},
-			imageExpected: &ImageConfig{
-				Registry: Registry{
-					Configs: map[string]RegistryConfig{
-						"gcr.io": {
-							Auth: &AuthConfig{
-								Username: "test",
-							},
-						},
-					},
-					Auths: map[string]AuthConfig{
-						"https://gcr.io": {Username: "test"},
-					},
-				},
-			},
-			warnings: []deprecation.Warning{deprecation.CRIRegistryAuths},
+			imageExpectedErr: "`auths` is no longer supported since containerd v2.0",
 		},
 		"invalid stream_idle_timeout": {
 			serverConfig: &ServerConfig{
@@ -104,12 +90,12 @@ func TestValidateConfig(t *testing.T) {
 			imageConfig: &ImageConfig{
 				Registry: Registry{
 					ConfigPath: "/etc/containerd/conf.d",
-					Mirrors: map[string]Mirror{
-						"something.io": {},
+					MirrorsNoLongerSupported: map[string]any{
+						"something.io": map[string]any{},
 					},
 				},
 			},
-			imageExpectedErr: "`mirrors` cannot be set when `config_path` is provided",
+			imageExpectedErr: "`mirrors` is no longer supported since containerd v2.0",
 		},
 		"deprecated mirrors": {
 			runtimeConfig: &RuntimeConfig{
@@ -122,8 +108,8 @@ func TestValidateConfig(t *testing.T) {
 			},
 			imageConfig: &ImageConfig{
 				Registry: Registry{
-					Mirrors: map[string]Mirror{
-						"example.com": {},
+					MirrorsNoLongerSupported: map[string]any{
+						"example.com": map[string]any{},
 					},
 				},
 			},
@@ -137,14 +123,7 @@ func TestValidateConfig(t *testing.T) {
 					},
 				},
 			},
-			imageExpected: &ImageConfig{
-				Registry: Registry{
-					Mirrors: map[string]Mirror{
-						"example.com": {},
-					},
-				},
-			},
-			warnings: []deprecation.Warning{deprecation.CRIRegistryMirrors},
+			imageExpectedErr: "`mirrors` is no longer supported since containerd v2.0",
 		},
 		"deprecated configs": {
 			runtimeConfig: &RuntimeConfig{
@@ -157,10 +136,10 @@ func TestValidateConfig(t *testing.T) {
 			},
 			imageConfig: &ImageConfig{
 				Registry: Registry{
-					Configs: map[string]RegistryConfig{
-						"gcr.io": {
-							Auth: &AuthConfig{
-								Username: "test",
+					ConfigsNoLongerSupported: map[string]any{
+						"gcr.io": map[string]any{
+							"auth": map[string]any{
+								"username": "test",
 							},
 						},
 					},
@@ -176,18 +155,7 @@ func TestValidateConfig(t *testing.T) {
 					},
 				},
 			},
-			imageExpected: &ImageConfig{
-				Registry: Registry{
-					Configs: map[string]RegistryConfig{
-						"gcr.io": {
-							Auth: &AuthConfig{
-								Username: "test",
-							},
-						},
-					},
-				},
-			},
-			warnings: []deprecation.Warning{deprecation.CRIRegistryConfigs},
+			imageExpectedErr: "`configs` is no longer supported since containerd v2.0",
 		},
 		"privileged_without_host_devices_all_devices_allowed without privileged_without_host_devices": {
 			runtimeConfig: &RuntimeConfig{
diff --git a/internal/cri/server/images/image_pull.go b/internal/cri/server/images/image_pull.go
@@ -45,7 +45,6 @@ import (
 	"github.com/containerd/containerd/v2/core/remotes/docker"
 	"github.com/containerd/containerd/v2/core/remotes/docker/config"
 	"github.com/containerd/containerd/v2/internal/cri/annotations"
-	criconfig "github.com/containerd/containerd/v2/internal/cri/config"
 	crilabels "github.com/containerd/containerd/v2/internal/cri/labels"
 	snpkg "github.com/containerd/containerd/v2/pkg/snapshotters"
 	"github.com/containerd/containerd/v2/pkg/tracing"
@@ -100,12 +99,6 @@ func (c *GRPCCRIImageService) PullImage(ctx context.Context, r *runtime.PullImag
 
 	credentials := func(host string) (string, string, error) {
 		hostauth := r.GetAuth()
-		if hostauth == nil {
-			config := c.config.Registry.Configs[host]
-			if config.Auth != nil {
-				hostauth = toRuntimeAuthConfig(*config.Auth)
-			}
-		}
 		return ParseAuth(hostauth, host)
 	}
 
@@ -444,7 +437,6 @@ func (c *CRIImageService) registryHosts(ctx context.Context, credentials func(ho
 			var (
 				transport = newTransport()
 				client    = &http.Client{Transport: transport}
-				config    = c.config.Registry.Configs[u.Host]
 			)
 
 			if docker.IsLocalhost(host) && u.Scheme == "http" {
@@ -457,13 +449,6 @@ func (c *CRIImageService) registryHosts(ctx context.Context, credentials func(ho
 			// Make a copy of `credentials`, so that different authorizers would not reference
 			// the same credentials variable.
 			credentials := credentials
-			if credentials == nil && config.Auth != nil {
-				auth := toRuntimeAuthConfig(*config.Auth)
-				credentials = func(host string) (string, string, error) {
-					return ParseAuth(auth, host)
-				}
-
-			}
 
 			if updateClientFn != nil {
 				if err := updateClientFn(client); err != nil {
@@ -492,16 +477,6 @@ func (c *CRIImageService) registryHosts(ctx context.Context, credentials func(ho
 	}
 }
 
-// toRuntimeAuthConfig converts cri plugin auth config to runtime auth config.
-func toRuntimeAuthConfig(a criconfig.AuthConfig) *runtime.AuthConfig {
-	return &runtime.AuthConfig{
-		Username:      a.Username,
-		Password:      a.Password,
-		Auth:          a.Auth,
-		IdentityToken: a.IdentityToken,
-	}
-}
-
 // defaultScheme returns the default scheme for a registry host.
 func defaultScheme(host string) string {
 	if docker.IsLocalhost(host) {
@@ -510,51 +485,13 @@ func defaultScheme(host string) string {
 	return "https"
 }
 
-// addDefaultScheme returns the endpoint with default scheme
-func addDefaultScheme(endpoint string) (string, error) {
-	if strings.Contains(endpoint, "://") {
-		return endpoint, nil
-	}
-	ue := "dummy://" + endpoint
-	u, err := url.Parse(ue)
-	if err != nil {
-		return "", err
-	}
-	return fmt.Sprintf("%s://%s", defaultScheme(u.Host), endpoint), nil
-}
-
 // registryEndpoints returns endpoints for a given host.
-// It adds default registry endpoint if it does not exist in the passed-in endpoint list.
-// It also supports wildcard host matching with `*`.
 func (c *CRIImageService) registryEndpoints(host string) ([]string, error) {
 	var endpoints []string
-	_, ok := c.config.Registry.Mirrors[host]
-	if ok {
-		endpoints = c.config.Registry.Mirrors[host].Endpoints
-	} else {
-		endpoints = c.config.Registry.Mirrors["*"].Endpoints
-	}
 	defaultHost, err := docker.DefaultHost(host)
 	if err != nil {
 		return nil, fmt.Errorf("get default host: %w", err)
 	}
-	for i := range endpoints {
-		en, err := addDefaultScheme(endpoints[i])
-		if err != nil {
-			return nil, fmt.Errorf("parse endpoint url: %w", err)
-		}
-		endpoints[i] = en
-	}
-	for _, e := range endpoints {
-		u, err := url.Parse(e)
-		if err != nil {
-			return nil, fmt.Errorf("parse endpoint url: %w", err)
-		}
-		if u.Host == host {
-			// Do not add default if the endpoint already exists.
-			return endpoints, nil
-		}
-	}
 	return append(endpoints, defaultScheme(defaultHost)+"://"+defaultHost), nil
 }
 
diff --git a/internal/cri/server/images/image_pull_test.go b/internal/cri/server/images/image_pull_test.go
