Comment 5 for bug 1853653

Kevin W Monroe (kwmonroe) wrote :

Now that bionic has containerd 1.3.3, I was able to verify pulling images with crictl works against a docker-registry with TLS/mutual auth enabled. However, the config.toml written by the containerd charm needs tweaking to make this happen. Pseudo patch that worked for me:

--- config.toml.orig
+++ config.toml.works
- [plugins.cri.registry.auths."172.31.20.67:5000"]
- username = "admin"
- password = "password"

+ [plugins.cri.registry.configs."172.31.20.67:5000".auth]
+ username = "admin"
+ password = "password"
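Review bot: the new `[...configs."172.31.20.67:5000".auth]` section still carries the registry password in clear text (`password = "password"`), so whoever can read config.toml gets the registry credentials; when this goes into the charm PR, state the file mode and ownership the charm writes config.toml with, and make sure that is not world-readable.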

- [plugins.cri.registry.tls_configs."172.31.20.67:5000"]
- ca_file = "/root/cdk/ca.crt"
- cert_file = "/root/cdk/server.crt"
- key_file = "/root/cdk/server.key"

+ [plugins.cri.registry.configs."172.31.20.67:5000".tls]
+ ca_file = "/root/cdk/ca.crt"
+ cert_file = "/root/cdk/server.crt"
+ key_file = "/root/cdk/server.key"
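Review bot: in the `.tls` section, `cert_file` and `key_file` are the client certificate and key containerd presents to the registry for mutual auth, but the hunk points them at `/root/cdk/server.crt` and `/root/cdk/server.key`; the names suggest a server certificate, so confirm in the PR that these are the credential the registry's CA is meant to accept as a client cert (and that the key is readable by the containerd daemon only).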

I'll work this into a formal PR for the containerd charm, but wanted to share what's working for me. Here are a couple runs:

## config.toml.orig
# ./crictl pull 172.31.20.67:5000/defaultbackend-amd64:1.5
FATA[0000] pulling image failed: rpc error: code = Unknown desc = failed to pull and unpack image "172.31.20.67:5000/defaultbackend-amd64:1.5": failed to resolve reference "172.31.20.67:5000/defaultbackend-amd64:1.5": failed to do request: Head https://172.31.20.67:5000/v2/defaultbackend-amd64/manifests/1.5: remote error: tls: bad certificate

## config.toml.works
# ./crictl pull 172.31.20.67:5000/defaultbackend-amd64:1.5
Image is up to date for sha256:b5af743e598496e8ebd7a6eb3fea76a6464041581520d1c2315c95f993287303

I also confirmed that 'Workaround 1' from comment #1 works without any containerd changes.
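As an added helper, not part of this comment or of the containerd charm, the following rewrites the old `auths` / `tls_configs` registry sections the charm generated into the `configs."host".auth` / `.tls` layout from the pseudo patch above. It assumes the config only uses the flat `[section]` / `key = "string"` subset shown here, so a tiny line parser stands in for a full TOML library; the sample input is constructed from the comment.

```python
import re

# Constructed sample: the pre-patch layout from the comment ("config.toml.orig").
OLD_CONFIG = '''
[plugins.cri.registry.auths."172.31.20.67:5000"]
username = "admin"
password = "password"

[plugins.cri.registry.tls_configs."172.31.20.67:5000"]
ca_file = "/root/cdk/ca.crt"
cert_file = "/root/cdk/server.crt"
key_file = "/root/cdk/server.key"
'''

SECTION_RE = re.compile(r'^\[(.+)\]$')
KV_RE = re.compile(r'^(\w+)\s*=\s*"([^"]*)"$')

# Old section prefix -> sub-table name under configs."host".
RENAMES = (("auths", "auth"), ("tls_configs", "tls"))


def parse_sections(text):
    """Parse the flat [section] / key = "string" subset into {section: {key: value}}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        if m := SECTION_RE.match(line):
            current = sections.setdefault(m.group(1), {})
        elif (m := KV_RE.match(line)) and current is not None:
            current[m.group(1)] = m.group(2)
    return sections


def migrate(sections):
    """Move auths/tls_configs entries to configs."host".auth / .tls; leave others as-is."""
    out = {}
    for name, kv in sections.items():
        for old, new in RENAMES:
            prefix = f'plugins.cri.registry.{old}."'
            if name.startswith(prefix) and name.endswith('"'):
                host = name[len(prefix):-1]          # e.g. 172.31.20.67:5000
                out[f'plugins.cri.registry.configs."{host}".{new}'] = dict(kv)
                break
        else:
            out[name] = dict(kv)
    return out


def render(sections):
    """Serialize back to the same flat TOML subset."""
    lines = []
    for name, kv in sections.items():
        lines.append(f'[{name}]')
        lines.extend(f'{k} = "{v}"' for k, v in kv.items())
        lines.append('')
    return '\n'.join(lines)
```

Running `render(migrate(parse_sections(OLD_CONFIG)))` yields the two `configs."172.31.20.67:5000".auth` / `.tls` sections from the working config.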