Open nprokopic opened 3 months ago
cc @uvegla
I would also decouple authentication from the registry / mirror configuration. That is how the containerd config file is structured, and my main issue I found now is that if you want to mirror multiple registries with a single (cache) registry, like let's say Zot - but could be anything - and let's say that (cache) registry is authenticated, now the current structure implies that you should set the credentials section for each instance. If you do, it will be generated into the config.toml multiple times for the same registry's auth section and will result in an invalid containerd config, failing to boot up the service and thus the whole node and cluster.
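A pre-deployment check for the failure described above, as an added example that is not part of the original thread or the project's code: it scans a rendered config.toml for table headers that appear more than once and reports which registry's auth table was duplicated. The sample config, the host `cache.example.internal`, the credentials and the CRI plugin table layout are constructed assumptions.

```python
import re
from collections import Counter

# Constructed sample of a rendered config.toml: docker.io and quay.io are both
# mirrored through one authenticated cache registry (hypothetical host), and the
# template emitted that registry's auth table once per mirrored registry.
RENDERED = '''\
version = 2
[plugins."io.containerd.grpc.v1.cri".registry.mirrors."docker.io"]
  endpoint = ["https://cache.example.internal"]
[plugins."io.containerd.grpc.v1.cri".registry.configs."cache.example.internal".auth]
  username = "puller"
  password = "constructed-placeholder"
[plugins."io.containerd.grpc.v1.cri".registry.mirrors."quay.io"]
  endpoint = ["https://cache.example.internal"]
[plugins."io.containerd.grpc.v1.cri".registry.configs."cache.example.internal".auth]
  username = "puller"
  password = "constructed-placeholder"
'''

# A standard table header: "[a.b.c]" alone on a line. "[[a.b]]" (array of
# tables) may legally repeat, so the lookahead excludes it.
TABLE_HEADER = re.compile(r'^\s*\[(?!\[)(.+)\]\s*(?:#.*)?$')
AUTH_HOST = re.compile(r'\.registry\.configs\."([^"]+)"\.auth$')

def duplicate_tables(toml_text):
    """Return table headers defined more than once, in first-seen order.
    Line-based heuristic: multi-line strings and arrays are not parsed."""
    counts = Counter()
    for line in toml_text.splitlines():
        match = TABLE_HEADER.match(line)
        if match:
            counts[match.group(1).strip()] += 1
    return [name for name, n in counts.items() if n > 1]

def duplicated_auth_hosts(toml_text):
    """Registry hosts whose auth table was rendered more than once."""
    hits = (AUTH_HOST.search(name) for name in duplicate_tables(toml_text))
    return [hit.group(1) for hit in hits if hit]

if __name__ == "__main__":
    for host in duplicated_auth_hosts(RENDERED):
        print(f"duplicate auth table for registry {host}: containerd will reject this config")
```

Running a check like this against the rendered template in CI catches the duplicate before the file reaches a node.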
@uvegla we are watching this issue, is there a way forward or can this be closed?
This should be Turtles board and implemented there as an improvement. I believe this is still valid.
moving this to @giantswarm/team-tenet as the successor of @giantswarm/team-turtles
This existing API is not really good, it's a bit hard to expand it now with local registry mirrors (will add more details from Slack thread).
The issue happens with containerRegistries value, so maybe instead of introducing a breaking change here, we could deprecate the old containerRegistries value and add a new one called just registries.
So this would be the new API:
And a cluster would use either new improved registries API (if it is set) or old containerRegistries (if new registries API is not set).
Naming this new Helm value registries is just an example. We should check the structure of containerd configuration file and then design an API nicely aligned with containerd config, so when you see containerd Helm values you can easily tell where and how those are used in containerd config file.