verify cert data can be specified per-registry in custom_registries config

Bug #1879347 reported by Adam Dyess
Affects Status Importance Assigned to Milestone
Containerd Subordinate Charm
Fix Released
High
Kevin W Monroe

Bug Description

WRT LP:1831153

This other LP was a suggestion to allow configuration of private cert data through base64 encoded file passed as a single config option.

The containerd charm allows `custom_registries` to be provided as a list of json, but the cert data isn't represented in the json model.

Conversely, different 'custom registries' will have different cert data.

Could you extend the json model of custom_registries to allow providing base64 file data?

George Kraft (cynerva)
Changed in charm-containerd:
importance: Undecided → Medium
status: New → Triaged
Revision history for this message
Adam Dyess (addyess) wrote :

Working with @kwmonroe yesterday

we downloaded crictl to tmp and were able to use it to pull images once we got the config correct:

# list images (-r sets the runtime endpoint and takes a single value)
/tmp/crictl -r unix:///run/containerd/containerd.sock images

# delete images (crictl's image-removal subcommand is rmi)
/tmp/crictl -r unix:///run/containerd/containerd.sock rmi my.custom.registry/busybox:latest

# pull images
/tmp/crictl -r unix:///run/containerd/containerd.sock pull my.custom.registry/busybox:latest

With these tools we were able to determine the appropriate config necessary for a custom_registry that was using a self-signed cert.

I can use the charm's current config

juju config containerd \
custom_registries='[{"url": "my.custom.registry", "username": "*****", "password": "********"}]'

to create MOST of the config, but what I can't specify is the ca_file

I am proposing a new config option like this
# base64 -w0 keeps the output on one line; GNU base64 wraps at 76 columns by default, which would break the JSON string
juju config containerd \
custom_registries='[{"url": "my.custom.registry", "username": "*****", "password": "********",
"ca_file": "'$(base64 -w0 < my.custom.registry.pem)'"}]'

so that the charm does this:
      [plugins.cri.registry.configs]
        [plugins.cri.registry.configs."my.custom.registry".tls]
          ca_file = "/etc/containerd/my.custom.registry.pem"

and creates a file on the filesystem /etc/containerd/my.custom.registry.pem
  with the value of base64.b64decode( ca_file_config )
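One way the charm could implement the proposed `ca_file` key, as an added example that is not the containerd charm's own code: parse the custom_registries JSON, validate and decode the base64 PEM, refuse registry names that cannot safely become a file name under /etc/containerd, and render the TOML section shown above. The sample certificate body and the function names are constructed for the example.

```python
# Hypothetical charm-side handling of a `ca_file` key (added example, not the charm's code).
import base64
import binascii
import json
from pathlib import Path

SAMPLE_PEM = b"-----BEGIN CERTIFICATE-----\nMIIBplaceholder\n-----END CERTIFICATE-----\n"  # constructed, not a real CA

def sample_config_json():
    """The custom_registries value as the proposed juju command would build it."""
    return json.dumps([{"url": "my.custom.registry", "username": "user", "password": "secret",
                        "ca_file": base64.b64encode(SAMPLE_PEM).decode()}])

def render_custom_registries(config_json, cert_dir="/etc/containerd"):
    """Return (toml_text, cert_files): the [plugins.cri.registry.configs] section
    and a {path: pem_bytes} map of CA files that must exist before containerd restarts."""
    registries = json.loads(config_json)
    if not isinstance(registries, list):
        raise ValueError("custom_registries must be a JSON list")
    lines, cert_files = ["[plugins.cri.registry.configs]"], {}
    for reg in registries:
        url = reg["url"]
        # The url doubles as a file name under cert_dir, so refuse path tricks.
        if not url or "/" in url or "\\" in url or url.startswith("."):
            raise ValueError(f"registry url unsafe as a file name: {url!r}")
        if reg.get("username") or reg.get("password"):
            lines.append(f'  [plugins.cri.registry.configs."{url}".auth]')
            # json.dumps quoting is also valid quoting for a TOML basic string.
            lines.append(f'    username = {json.dumps(reg.get("username", ""))}')
            lines.append(f'    password = {json.dumps(reg.get("password", ""))}')
        if "ca_file" in reg:
            b64 = "".join(reg["ca_file"].split())  # tolerate line-wrapped base64
            try:
                pem = base64.b64decode(b64, validate=True)
            except binascii.Error as exc:
                raise ValueError(f"ca_file for {url} is not valid base64") from exc
            if b"-----BEGIN CERTIFICATE-----" not in pem:
                raise ValueError(f"ca_file for {url} is not a PEM certificate")
            path = f"{cert_dir}/{url}.pem"
            cert_files[path] = pem
            lines.append(f'  [plugins.cri.registry.configs."{url}".tls]')
            lines.append(f'    ca_file = "{path}"')
    return "\n".join(lines) + "\n", cert_files

def write_cert_files(cert_files):
    """Write each decoded CA bundle to disk; 0644 is fine, it is a public cert."""
    for path, pem in cert_files.items():
        Path(path).parent.mkdir(parents=True, exist_ok=True)
        Path(path).write_bytes(pem)
        Path(path).chmod(0o644)
```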

Revision history for this message
Adam Dyess (addyess) wrote :
George Kraft (cynerva)
tags: added: review-needed
Revision history for this message
Chris Sanders (chris.sanders) wrote :

I've subscribed field-high

George Kraft (cynerva)
Changed in charm-containerd:
importance: Medium → High
Changed in charm-containerd:
milestone: none → 1.18+ck1
Revision history for this message
Kevin W Monroe (kwmonroe) wrote :

@addyess, thanks for the report *AND* the PR! This has been committed and will be in the stable charm channel once 1.18+ck1 is released.

Changed in charm-containerd:
assignee: nobody → Kevin W Monroe (kwmonroe)
assignee: Kevin W Monroe (kwmonroe) → nobody
status: Triaged → Fix Committed
assignee: nobody → Kevin W Monroe (kwmonroe)
tags: removed: review-needed
Revision history for this message
George Kraft (cynerva) wrote :
Changed in charm-containerd:
status: Fix Committed → Fix Released