Now that bionic has containerd 1.3.3, I was able to verify pulling images with crictl works against a docker-registry with TLS/mutual auth enabled. However, the config.toml written by the containerd charm needs tweaking to make this happen. Pseudo patch that worked for me:
--- config.toml.orig cri.registry. auths." 172.31. 20.67:5000" ]
+++ config.toml.works
- [plugins.
- username = "admin"
- password = "password"
+ [plugins. cri.registry. configs. "172.31. 20.67:5000" .auth]
+ username = "admin"
+ password = "password"
- [plugins. cri.registry. tls_configs. "172.31. 20.67:5000" ] cdk/server. crt" cdk/server. key"
- ca_file = "/root/cdk/ca.crt"
- cert_file = "/root/
- key_file = "/root/
+ [plugins. cri.registry. configs. "172.31. 20.67:5000" .tls] cdk/server. crt" cdk/server. key"
+ ca_file = "/root/cdk/ca.crt"
+ cert_file = "/root/
+ key_file = "/root/
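Review bot: in the added `.auth` table, `username` and `password` are written into config.toml as literal strings, and the `.tls` table points at a private key through `key_file`. The formal charm change should render this file readable by root only and take the credentials from charm config or a relation, not from a template default. The `cert_file` and `key_file` fragments also read as `cdk/server.crt` and `cdk/server.key`. If that is the node's server key pair, a dedicated client certificate for registry mutual auth would keep the registry credential separate from the server identity.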
I'll work this into a formal PR for the containerd charm, but wanted to share what's working for me. Here are a couple runs:
## config.toml.orig
# ./crictl pull 172.31.20.67:5000/defaultbackend-amd64:1.5
FATA[0000] pulling image failed: rpc error: code = Unknown desc = failed to pull and unpack image "172.31.20.67:5000/defaultbackend-amd64:1.5": failed to resolve reference "172.31.20.67:5000/defaultbackend-amd64:1.5": failed to do request: Head https://172.31.20.67:5000/v2/defaultbackend-amd64/manifests/1.5: remote error: tls: bad certificate
## config.toml.works
# ./crictl pull 172.31.20.67:5000/defaultbackend-amd64:1.5
Image is up to date for sha256:b5af743e598496e8ebd7a6eb3fea76a6464041581520d1c2315c95f993287303
I also confirmed that 'Workaround 1' from comment #1 works without any containerd changes.
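An added example, not part of the original comment or the containerd charm: a small helper that finds the registry table headers from the "-" side of the pseudo patch in a config.toml and rewrites them to the `configs."<host>".auth` / `.tls` layout from the "+" side. The function name and the sample text are assumptions made for illustration; the table names and values are the ones shown in the comment.

```python
import re

# Legacy table names from the "-" side of the pseudo patch, mapped to the
# sub-table used on the "+" side (configs."<host>".auth / configs."<host>".tls).
LEGACY = {"auths": "auth", "tls_configs": "tls"}

# Matches e.g. [plugins.cri.registry.auths."172.31.20.67:5000"]
HEADER = re.compile(
    r'^(?P<indent>\s*)\[plugins\.cri\.registry\.'
    r'(?P<kind>auths|tls_configs)\.(?P<host>"[^"]+")\]\s*$'
)


def migrate_registry_tables(text):
    """Return (new_text, changes); changes lists (host, old_kind, new_kind)."""
    out, changes = [], []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            new_kind = LEGACY[m["kind"]]
            line = (f'{m["indent"]}[plugins.cri.registry.configs.'
                    f'{m["host"]}.{new_kind}]')
            changes.append((m["host"].strip('"'), m["kind"], new_kind))
        out.append(line)  # keys under the header are kept unchanged
    return "\n".join(out) + "\n", changes


# Constructed sample in the layout of config.toml.orig (values from the comment).
SAMPLE = '''\
[plugins.cri.registry]
  [plugins.cri.registry.auths."172.31.20.67:5000"]
    username = "admin"
    password = "password"
  [plugins.cri.registry.tls_configs."172.31.20.67:5000"]
    ca_file = "/root/cdk/ca.crt"
'''

if __name__ == "__main__":
    new_text, changes = migrate_registry_tables(SAMPLE)
    print(new_text)
    for host, old, new in changes:
        print(f"{host}: {old} -> configs.<host>.{new}")
```

Running it a second time on its own output reports no changes, so it can also serve as a check that a rendered config.toml no longer uses the old table names.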