Containerd fails to pull image from private registry due to "tls: bad certificate"

-- Workaround 1: Disable docker-registry mutual authentication

juju config docker-registry tls-ca-path=""

Please note that this comes with security implications. Normally, the docker-registry charm will refuse to serve images to any client that does not present a client certificate signed by the easyrsa it is related to. This means that only members of the Charmed Kubernetes cluster can pull from it. If you disable mutual authentication, then docker-registry will serve images to any client who can reach its endpoint.

-- Workaround 2: Use docker instead of containerd

The docker charm is not affected by this bug. Using docker instead of containerd is briefly covered here: https://ubuntu.com/kubernetes/docs/container-runtime

I did a test deployment where I started with containerd 1.2.6 and upgraded to 1.3.0. It looks like the impact is pretty small. The only impact I observed was that I got kicked out of a `kubectl exec` session, but I was able to restart it immediately after. Pod containers were not restarted. Integration tests showed no issues following the upgrade.

The containerd apt package maintainer indicated that there should be no major issues with updating the package to 1.3.0, and we can request it by opening an issue here: https://bugs.launchpad.net/ubuntu/+source/containerd

I'm going to sync with the team before moving forward. Expect an update on this issue sometime next week.

I've requested an update to containerd 1.3.1 here: https://bugs.launchpad.net/ubuntu/+source/containerd/+bug/1854841

This is currently blocked awaiting the update to containerd 1.3.1.

Now that bionic has containerd 1.3.3, I was able to verify pulling images with crictl works against a docker-registry with TLS/mutual auth enabled. However, the config.toml written by the containerd charm needs tweaking to make this happen. Pseudo patch that worked for me:

--- config.toml.orig
+++ config.toml.works
- [plugins.cri.registry.auths."172.31.20.67:5000"]
- username = "admin"
- password = "password"

+ [plugins.cri.registry.configs."172.31.20.67:5000".auth]
+ username = "admin"
+ password = "password"

- [plugins.cri.registry.tls_configs."172.31.20.67:5000"]
- ca_file = "/root/cdk/ca.crt"
- cert_file = "/root/cdk/server.crt"
- key_file = "/root/cdk/server.key"

+ [plugins.cri.registry.configs."172.31.20.67:5000".tls]
+ ca_file = "/root/cdk/ca.crt"
+ cert_file = "/root/cdk/server.crt"
+ key_file = "/root/cdk/server.key"

I'll work this into a formal PR for the containerd charm, but wanted to share what's working for me. Here are a couple runs:

## config.toml.orig
# ./crictl pull 172.31.20.67:5000/defaultbackend-amd64:1.5
FATA[0000] pulling image failed: rpc error: code = Unknown desc = failed to pull and unpack image "172.31.20.67:5000/defaultbackend-amd64:1.5": failed to resolve reference "172.31.20.67:5000/defaultbackend-amd64:1.5": failed to do request: Head https://172.31.20.67:5000/v2/defaultbackend-amd64/manifests/1.5: remote error: tls: bad certificate

## config.toml.works
# ./crictl pull 172.31.20.67:5000/defaultbackend-amd64:1.5
Image is up to date for sha256:b5af743e598496e8ebd7a6eb3fea76a6464041581520d1c2315c95f993287303

I also confirmed that 'Workaround 1' from comment #1 works without any containerd changes.

PR ready for review:

https://github.com/charmed-kubernetes/charm-containerd/pull/34

Cherry-pick to stable: https://github.com/charmed-kubernetes/charm-containerd/commit/29ebcf97afb050f901c395b84f2d6db664871146