What is the problem you're trying to solve
I'm trying to add a new private registry (with a self-signed CA) to an existing Kubernetes cluster, where I may not have ssh access (but I do have cluster-admin).
Describe the solution you'd like
When using docker, something like the following suffices to add a selfsigned CA:
echo "${PEM_ENCODED_CERT}" > /etc/docker/certs.d/${REGISTRY_NAME}/ca.crtAccording the containerd documentation, loading registry certificates after startup requires the following key to be set in config.toml:
[plugins."io.containerd.grpc.v1.cri".registry]
config_path = "/etc/containerd/certs.d"
Adding this entry isn't sufficient, however, because you also need to restart containerd. Users end up with solutions like this:
http://hypernephelist.com/2021/03/23/kubernetes-containerd-certificate.html
Note that this solution is debian (update-ca-certificates) / systemd (systemctl) specific, and actually modifies the entire set of trust roots for the host, rather than modifying the config.toml programatically (because that seems dangerous)
It would be much cleaner if [plugins."io.containerd.grpc.v1.cri".registry].config_path defaulted to either:
"/etc/containerd/certs.d""/etc/containerd/certs.d:/etc/docker/certs.d"
My preference would be for 2, because it would allow scripts that worked with Docker to also work with containerd, but would still prefer certs in /etc/containerd if present.
Additional context
No response
What is the problem you're trying to solve
I'm trying to add a new private registry (with a self-signed CA) to an existing Kubernetes cluster, where I may not have ssh access (but I do have
cluster-admin).Describe the solution you'd like
When using docker, something like the following suffices to add a selfsigned CA:
According the containerd documentation, loading registry certificates after startup requires the following key to be set in
config.toml:Adding this entry isn't sufficient, however, because you also need to restart containerd. Users end up with solutions like this:
http://hypernephelist.com/2021/03/23/kubernetes-containerd-certificate.html
Note that this solution is debian (
update-ca-certificates) / systemd (systemctl) specific, and actually modifies the entire set of trust roots for the host, rather than modifying theconfig.tomlprogramatically (because that seems dangerous)It would be much cleaner if
[plugins."io.containerd.grpc.v1.cri".registry].config_pathdefaulted to either:"/etc/containerd/certs.d""/etc/containerd/certs.d:/etc/docker/certs.d"My preference would be for 2, because it would allow scripts that worked with Docker to also work with containerd, but would still prefer certs in
/etc/containerdif present.Additional context
No response