fix: add support for a fallback '*' mirror configuration
Talos always supported that, but CRI config lacked support for it. Now with recent containerd the new `_default` host is used as a fallback, so this re-enables the support and updates the docs. See https://github.com/containerd/containerd/pull/8065 Signed-off-by: Andrey Smirnov <andrey.smirnov@talos-systems.com>
parent
dcd4eb1a93
commit
6e8f13529c
@ -55,6 +55,22 @@ These APIs are available via new `talosctl etcd` sub-commands:
|
||||
* `talosctl etcd status`
|
||||
|
||||
See also [etcd maintenance guide](https://talos.dev/v1.4/advanced/etcd-maintenance/).
|
||||
"""
|
||||
|
||||
[notes.crihosts]
|
||||
title = "Registry Mirror Catch-All Option"
|
||||
description="""\
|
||||
Talos now supports a catch-all option for registry mirrors:
|
||||
|
||||
```yaml
|
||||
machine:
|
||||
registries:
|
||||
mirrors:
|
||||
docker.io:
|
||||
- https://registry-1.docker.io/
|
||||
"*":
|
||||
- https://my-registry.example.com/
|
||||
```
|
||||
"""
|
||||
|
||||
[make_deps]
|
||||
|
@ -41,7 +41,7 @@ type HostsFile struct {
|
||||
|
||||
// GenerateHosts generates a structure describing contents of the containerd hosts configuration.
|
||||
//
|
||||
//nolint:gocyclo
|
||||
//nolint:gocyclo,cyclop
|
||||
func GenerateHosts(cfg config.Registries, basePath string) (*HostsConfig, error) {
|
||||
config := &HostsConfig{
|
||||
Directories: map[string]*HostsDirectory{},
|
||||
@ -183,6 +183,11 @@ func GenerateHosts(cfg config.Registries, basePath string) (*HostsConfig, error)
|
||||
}
|
||||
}
|
||||
|
||||
if hostname == "*" {
|
||||
// no way to generate TLS config for wildcard host
|
||||
return nil, fmt.Errorf("wildcard host TLS configuration is not supported")
|
||||
}
|
||||
|
||||
directory := &HostsDirectory{}
|
||||
|
||||
defaultHost, err := docker.DefaultHost(hostname)
|
||||
@ -221,6 +226,10 @@ func GenerateHosts(cfg config.Registries, basePath string) (*HostsConfig, error)
|
||||
|
||||
// hostDirectory converts ":port" to "_port_" in directory names.
|
||||
func hostDirectory(host string) string {
|
||||
if host == "*" {
|
||||
return "_default"
|
||||
}
|
||||
|
||||
idx := strings.LastIndex(host, ":")
|
||||
if idx > 0 {
|
||||
return host[:idx] + "_" + host[idx+1:] + "_"
|
||||
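Review bot: The doc comment on hostDirectory still describes only the port rewrite, although the added branch now maps the `*` key to `_default`, which the commit description names as containerd's fallback host. I would update it to `// hostDirectory maps the "*" catch-all key to "_default" and converts ":port" to "_port_" in directory names.` Because the directory name is derived from an operator-supplied key, a key spelled literally `_default` would presumably resolve to the same directory as `*`. The rest of the function and its callers are outside this hunk, so it is worth confirming how such a duplicate is handled.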
|
@ -106,6 +106,9 @@ func TestGenerateHostsWithoutTLS(t *testing.T) {
|
||||
"docker.io": {
|
||||
MirrorEndpoints: []string{"https://registry-1.docker.io", "https://registry-2.docker.io"},
|
||||
},
|
||||
"*": {
|
||||
MirrorEndpoints: []string{"https://my-registry"},
|
||||
},
|
||||
},
|
||||
config: map[string]*v1alpha1.RegistryConfig{
|
||||
"some.host:123": {
|
||||
@ -142,6 +145,84 @@ func TestGenerateHostsWithoutTLS(t *testing.T) {
|
||||
},
|
||||
},
|
||||
},
|
||||
"_default": {
|
||||
Files: []*containerd.HostsFile{
|
||||
{
|
||||
Name: "hosts.toml",
|
||||
Mode: 0o600,
|
||||
Contents: []byte("\n[host]\n\n [host.\"https://my-registry\"]\n capabilities = [\"pull\", \"resolve\"]\n"),
|
||||
},
|
||||
},
|
||||
},
|
||||
},
|
||||
}, result)
|
||||
}
|
||||
|
||||
func TestGenerateHostsTLSWildcardWrong(t *testing.T) {
|
||||
cfg := &mockConfig{
|
||||
mirrors: map[string]*v1alpha1.RegistryMirrorConfig{},
|
||||
config: map[string]*v1alpha1.RegistryConfig{
|
||||
"*": {
|
||||
RegistryTLS: &v1alpha1.RegistryTLSConfig{
|
||||
TLSCA: []byte("allcert"),
|
||||
},
|
||||
},
|
||||
},
|
||||
}
|
||||
|
||||
_, err := containerd.GenerateHosts(cfg, "/etc/cri/conf.d/hosts")
|
||||
assert.EqualError(t, err, "wildcard host TLS configuration is not supported")
|
||||
}
|
||||
|
||||
func TestGenerateHostsTLSWildcard(t *testing.T) {
|
||||
cfg := &mockConfig{
|
||||
mirrors: map[string]*v1alpha1.RegistryMirrorConfig{
|
||||
"*": {
|
||||
MirrorEndpoints: []string{"https://my-registry1", "https://my-registry2"},
|
||||
},
|
||||
},
|
||||
config: map[string]*v1alpha1.RegistryConfig{
|
||||
"my-registry1": {
|
||||
RegistryTLS: &v1alpha1.RegistryTLSConfig{
|
||||
TLSCA: []byte("allcert"),
|
||||
},
|
||||
},
|
||||
},
|
||||
}
|
||||
|
||||
result, err := containerd.GenerateHosts(cfg, "/etc/cri/conf.d/hosts")
|
||||
require.NoError(t, err)
|
||||
|
||||
assert.Equal(t, &containerd.HostsConfig{
|
||||
Directories: map[string]*containerd.HostsDirectory{
|
||||
"_default": {
|
||||
Files: []*containerd.HostsFile{
|
||||
{
|
||||
Name: "my-registry1-ca.crt",
|
||||
Mode: 0o600,
|
||||
Contents: []byte("allcert"),
|
||||
},
|
||||
{
|
||||
Name: "hosts.toml",
|
||||
Mode: 0o600,
|
||||
Contents: []byte("\n[host]\n\n [host.\"https://my-registry1\"]\n ca = \"/etc/cri/conf.d/hosts/_default/my-registry1-ca.crt\"\n capabilities = [\"pull\", \"resolve\"]\n\n [host.\"https://my-registry2\"]\n capabilities = [\"pull\", \"resolve\"]\n"), //nolint:lll
|
||||
},
|
||||
},
|
||||
},
|
||||
"my-registry1": {
|
||||
Files: []*containerd.HostsFile{
|
||||
{
|
||||
Name: "my-registry1-ca.crt",
|
||||
Mode: 0o600,
|
||||
Contents: []byte("allcert"),
|
||||
},
|
||||
{
|
||||
Name: "hosts.toml",
|
||||
Mode: 0o600,
|
||||
Contents: []byte("\n[host]\n\n [host.\"https://my-registry1\"]\n ca = \"/etc/cri/conf.d/hosts/my-registry1/my-registry1-ca.crt\"\n"),
|
||||
},
|
||||
},
|
||||
},
|
||||
},
|
||||
}, result)
|
||||
}
|
||||
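Review bot: TestGenerateHostsTLSWildcardWrong exercises the rejection only with an empty `mirrors` map, so a configuration that has both a `*` mirror and a `*` entry under `config` is not covered. The guard in GenerateHosts is only partly visible in this commit, and these hunks do not show whether it is still reached once the `_default` directory has already been produced from the mirrors. A third case that sets both and asserts the same `wildcard host TLS configuration is not supported` error would pin that behaviour, so a TLS entry under `*` cannot be dropped without the operator noticing.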
|
@ -1868,9 +1868,9 @@
|
||||
"registries": {
|
||||
"$ref": "#/$defs/RegistriesConfig",
|
||||
"title": "registries",
|
||||
"description": "Used to configure the machine’s container image registry mirrors.\n\nAutomatically generates matching CRI configuration for registry mirrors.\n\nThe mirrors section allows to redirect requests for images to non-default registry,\nwhich might be local registry or caching mirror.\n\nThe config section provides a way to authenticate to the registry with TLS client\nidentity, provide registry CA, or authentication information.\nAuthentication information has same meaning with the corresponding field in .docker/config.json.\n\nSee also matching configuration for CRI containerd plugin.\n",
|
||||
"markdownDescription": "Used to configure the machine's container image registry mirrors.\n\nAutomatically generates matching CRI configuration for registry mirrors.\n\nThe `mirrors` section allows to redirect requests for images to non-default registry,\nwhich might be local registry or caching mirror.\n\nThe `config` section provides a way to authenticate to the registry with TLS client\nidentity, provide registry CA, or authentication information.\nAuthentication information has same meaning with the corresponding field in [`.docker/config.json`](https://docs.docker.com/engine/api/v1.41/#section/Authentication).\n\nSee also matching configuration for [CRI containerd plugin](https://github.com/containerd/cri/blob/master/docs/registry.md).",
|
||||
"x-intellij-html-description": "\u003cp\u003eUsed to configure the machine\u0026rsquo;s container image registry mirrors.\u003c/p\u003e\n\n\u003cp\u003eAutomatically generates matching CRI configuration for registry mirrors.\u003c/p\u003e\n\n\u003cp\u003eThe \u003ccode\u003emirrors\u003c/code\u003e section allows to redirect requests for images to non-default registry,\nwhich might be local registry or caching mirror.\u003c/p\u003e\n\n\u003cp\u003eThe \u003ccode\u003econfig\u003c/code\u003e section provides a way to authenticate to the registry with TLS client\nidentity, provide registry CA, or authentication information.\nAuthentication information has same meaning with the corresponding field in \u003ca href=\"https://docs.docker.com/engine/api/v1.41/#section/Authentication\" target=\"_blank\"\u003e\u003ccode\u003e.docker/config.json\u003c/code\u003e\u003c/a\u003e.\u003c/p\u003e\n\n\u003cp\u003eSee also matching configuration for \u003ca href=\"https://github.com/containerd/cri/blob/master/docs/registry.md\" target=\"_blank\"\u003eCRI containerd plugin\u003c/a\u003e.\u003c/p\u003e\n"
|
||||
"description": "Used to configure the machine’s container image registry mirrors.\n\nAutomatically generates matching CRI configuration for registry mirrors.\n\nThe mirrors section allows to redirect requests for images to a non-default registry,\nwhich might be a local registry or a caching mirror.\n\nThe config section provides a way to authenticate to the registry with TLS client\nidentity, provide registry CA, or authentication information.\nAuthentication information has same meaning with the corresponding field in .docker/config.json.\n\nSee also matching configuration for CRI containerd plugin.\n",
|
||||
"markdownDescription": "Used to configure the machine's container image registry mirrors.\n\nAutomatically generates matching CRI configuration for registry mirrors.\n\nThe `mirrors` section allows to redirect requests for images to a non-default registry,\nwhich might be a local registry or a caching mirror.\n\nThe `config` section provides a way to authenticate to the registry with TLS client\nidentity, provide registry CA, or authentication information.\nAuthentication information has same meaning with the corresponding field in [`.docker/config.json`](https://docs.docker.com/engine/api/v1.41/#section/Authentication).\n\nSee also matching configuration for [CRI containerd plugin](https://github.com/containerd/cri/blob/master/docs/registry.md).",
|
||||
"x-intellij-html-description": "\u003cp\u003eUsed to configure the machine\u0026rsquo;s container image registry mirrors.\u003c/p\u003e\n\n\u003cp\u003eAutomatically generates matching CRI configuration for registry mirrors.\u003c/p\u003e\n\n\u003cp\u003eThe \u003ccode\u003emirrors\u003c/code\u003e section allows to redirect requests for images to a non-default registry,\nwhich might be a local registry or a caching mirror.\u003c/p\u003e\n\n\u003cp\u003eThe \u003ccode\u003econfig\u003c/code\u003e section provides a way to authenticate to the registry with TLS client\nidentity, provide registry CA, or authentication information.\nAuthentication information has same meaning with the corresponding field in \u003ca href=\"https://docs.docker.com/engine/api/v1.41/#section/Authentication\" target=\"_blank\"\u003e\u003ccode\u003e.docker/config.json\u003c/code\u003e\u003c/a\u003e.\u003c/p\u003e\n\n\u003cp\u003eSee also matching configuration for \u003ca href=\"https://github.com/containerd/cri/blob/master/docs/registry.md\" target=\"_blank\"\u003eCRI containerd plugin\u003c/a\u003e.\u003c/p\u003e\n"
|
||||
},
|
||||
"systemDiskEncryption": {
|
||||
"$ref": "#/$defs/SystemDiskEncryptionConfig",
|
||||
@ -2254,9 +2254,9 @@
|
||||
},
|
||||
"type": "object",
|
||||
"title": "mirrors",
|
||||
"description": "Specifies mirror configuration for each registry.\nThis setting allows to use local pull-through caching registires,\nair-gapped installations, etc.\n\nRegistry name is the first segment of image identifier, with ‘docker.io’\nbeing default one.\n",
|
||||
"markdownDescription": "Specifies mirror configuration for each registry.\nThis setting allows to use local pull-through caching registires,\nair-gapped installations, etc.\n\nRegistry name is the first segment of image identifier, with 'docker.io'\nbeing default one.",
|
||||
"x-intellij-html-description": "\u003cp\u003eSpecifies mirror configuration for each registry.\nThis setting allows to use local pull-through caching registires,\nair-gapped installations, etc.\u003c/p\u003e\n\n\u003cp\u003eRegistry name is the first segment of image identifier, with \u0026lsquo;docker.io\u0026rsquo;\nbeing default one.\u003c/p\u003e\n"
|
||||
"description": "Specifies mirror configuration for each registry host namespace.\nThis setting allows to configure local pull-through caching registires,\nair-gapped installations, etc.\n\nFor example, when pulling an image with the reference example.com:123/image:v1,\nthe example.com:123 key will be used to lookup the mirror configuration.\n\nOptionally the * key can be used to configure a fallback mirror.\n\nRegistry name is the first segment of image identifier, with ‘docker.io’\nbeing default one.\n",
|
||||
"markdownDescription": "Specifies mirror configuration for each registry host namespace.\nThis setting allows to configure local pull-through caching registires,\nair-gapped installations, etc.\n\nFor example, when pulling an image with the reference `example.com:123/image:v1`,\nthe `example.com:123` key will be used to lookup the mirror configuration.\n\nOptionally the `*` key can be used to configure a fallback mirror.\n\nRegistry name is the first segment of image identifier, with 'docker.io'\nbeing default one.",
|
||||
"x-intellij-html-description": "\u003cp\u003eSpecifies mirror configuration for each registry host namespace.\nThis setting allows to configure local pull-through caching registires,\nair-gapped installations, etc.\u003c/p\u003e\n\n\u003cp\u003eFor example, when pulling an image with the reference \u003ccode\u003eexample.com:123/image:v1\u003c/code\u003e,\nthe \u003ccode\u003eexample.com:123\u003c/code\u003e key will be used to lookup the mirror configuration.\u003c/p\u003e\n\n\u003cp\u003eOptionally the \u003ccode\u003e*\u003c/code\u003e key can be used to configure a fallback mirror.\u003c/p\u003e\n\n\u003cp\u003eRegistry name is the first segment of image identifier, with \u0026lsquo;docker.io\u0026rsquo;\nbeing default one.\u003c/p\u003e\n"
|
||||
},
|
||||
"config": {
|
||||
"patternProperties": {
|
||||
@ -2266,9 +2266,9 @@
|
||||
},
|
||||
"type": "object",
|
||||
"title": "config",
|
||||
"description": "Specifies TLS \u0026amp; auth configuration for HTTPS image registries.\nMutual TLS can be enabled with ‘clientIdentity’ option.\n\nTLS configuration can be skipped if registry has trusted\nserver certificate.\n",
|
||||
"markdownDescription": "Specifies TLS \u0026 auth configuration for HTTPS image registries.\nMutual TLS can be enabled with 'clientIdentity' option.\n\nTLS configuration can be skipped if registry has trusted\nserver certificate.",
|
||||
"x-intellij-html-description": "\u003cp\u003eSpecifies TLS \u0026amp; auth configuration for HTTPS image registries.\nMutual TLS can be enabled with \u0026lsquo;clientIdentity\u0026rsquo; option.\u003c/p\u003e\n\n\u003cp\u003eTLS configuration can be skipped if registry has trusted\nserver certificate.\u003c/p\u003e\n"
|
||||
"description": "Specifies TLS \u0026amp; auth configuration for HTTPS image registries.\nMutual TLS can be enabled with ‘clientIdentity’ option.\n\nThe full hostname and port (if not using a default port 443)\nshould be used as the key.\nThe fallback key * can’t be used for TLS configuration.\n\nTLS configuration can be skipped if registry has trusted\nserver certificate.\n",
|
||||
"markdownDescription": "Specifies TLS \u0026 auth configuration for HTTPS image registries.\nMutual TLS can be enabled with 'clientIdentity' option.\n\nThe full hostname and port (if not using a default port 443)\nshould be used as the key.\nThe fallback key `*` can't be used for TLS configuration.\n\nTLS configuration can be skipped if registry has trusted\nserver certificate.",
|
||||
"x-intellij-html-description": "\u003cp\u003eSpecifies TLS \u0026amp; auth configuration for HTTPS image registries.\nMutual TLS can be enabled with \u0026lsquo;clientIdentity\u0026rsquo; option.\u003c/p\u003e\n\n\u003cp\u003eThe full hostname and port (if not using a default port 443)\nshould be used as the key.\nThe fallback key \u003ccode\u003e*\u003c/code\u003e can\u0026rsquo;t be used for TLS configuration.\u003c/p\u003e\n\n\u003cp\u003eTLS configuration can be skipped if registry has trusted\nserver certificate.\u003c/p\u003e\n"
|
||||
}
|
||||
},
|
||||
"additionalProperties": false,
|
||||
|
@ -805,8 +805,8 @@ type MachineConfig struct {
|
||||
//
|
||||
// Automatically generates matching CRI configuration for registry mirrors.
|
||||
//
|
||||
// The `mirrors` section allows to redirect requests for images to non-default registry,
|
||||
// which might be local registry or caching mirror.
|
||||
// The `mirrors` section allows to redirect requests for images to a non-default registry,
|
||||
// which might be a local registry or a caching mirror.
|
||||
//
|
||||
// The `config` section provides a way to authenticate to the registry with TLS client
|
||||
// identity, provide registry CA, or authentication information.
|
||||
@ -1513,10 +1513,15 @@ type TimeConfig struct {
|
||||
// RegistriesConfig represents the image pull options.
|
||||
type RegistriesConfig struct {
|
||||
// description: |
|
||||
// Specifies mirror configuration for each registry.
|
||||
// This setting allows to use local pull-through caching registires,
|
||||
// Specifies mirror configuration for each registry host namespace.
|
||||
// This setting allows to configure local pull-through caching registires,
|
||||
// air-gapped installations, etc.
|
||||
//
|
||||
// For example, when pulling an image with the reference `example.com:123/image:v1`,
|
||||
// the `example.com:123` key will be used to lookup the mirror configuration.
|
||||
//
|
||||
// Optionally the `*` key can be used to configure a fallback mirror.
|
||||
//
|
||||
// Registry name is the first segment of image identifier, with 'docker.io'
|
||||
// being default one.
|
||||
// examples:
|
||||
@ -1526,6 +1531,10 @@ type RegistriesConfig struct {
|
||||
// Specifies TLS & auth configuration for HTTPS image registries.
|
||||
// Mutual TLS can be enabled with 'clientIdentity' option.
|
||||
//
|
||||
// The full hostname and port (if not using a default port 443)
|
||||
// should be used as the key.
|
||||
// The fallback key `*` can't be used for TLS configuration.
|
||||
//
|
||||
// TLS configuration can be skipped if registry has trusted
|
||||
// server certificate.
|
||||
// examples:
|
||||
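Review bot: The sentence added to the `config` field says the `*` key can't carry TLS settings, but it does not say where the TLS settings for a fallback endpoint belong. Judging by TestGenerateHostsTLSWildcard in this commit, a CA configured under the endpoint's own host key is what ends up referenced from the `_default` hosts file, so a line such as `// TLS settings for a fallback mirror endpoint are configured under that endpoint's own host key.` would remove the guesswork. The rewritten `mirrors` text also keeps the typo `registires`, which is copied into the generated schema and docs; `registries` is meant.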
|
@ -268,7 +268,7 @@ func init() {
|
||||
MachineConfigDoc.Fields[15].Name = "registries"
|
||||
MachineConfigDoc.Fields[15].Type = "RegistriesConfig"
|
||||
MachineConfigDoc.Fields[15].Note = ""
|
||||
MachineConfigDoc.Fields[15].Description = "Used to configure the machine's container image registry mirrors.\n\nAutomatically generates matching CRI configuration for registry mirrors.\n\nThe `mirrors` section allows to redirect requests for images to non-default registry,\nwhich might be local registry or caching mirror.\n\nThe `config` section provides a way to authenticate to the registry with TLS client\nidentity, provide registry CA, or authentication information.\nAuthentication information has same meaning with the corresponding field in [`.docker/config.json`](https://docs.docker.com/engine/api/v1.41/#section/Authentication).\n\nSee also matching configuration for [CRI containerd plugin](https://github.com/containerd/cri/blob/master/docs/registry.md)."
|
||||
MachineConfigDoc.Fields[15].Description = "Used to configure the machine's container image registry mirrors.\n\nAutomatically generates matching CRI configuration for registry mirrors.\n\nThe `mirrors` section allows to redirect requests for images to a non-default registry,\nwhich might be a local registry or a caching mirror.\n\nThe `config` section provides a way to authenticate to the registry with TLS client\nidentity, provide registry CA, or authentication information.\nAuthentication information has same meaning with the corresponding field in [`.docker/config.json`](https://docs.docker.com/engine/api/v1.41/#section/Authentication).\n\nSee also matching configuration for [CRI containerd plugin](https://github.com/containerd/cri/blob/master/docs/registry.md)."
|
||||
MachineConfigDoc.Fields[15].Comments[encoder.LineComment] = "Used to configure the machine's container image registry mirrors."
|
||||
|
||||
MachineConfigDoc.Fields[15].AddExample("", machineConfigRegistriesExample)
|
||||
@ -986,14 +986,14 @@ func init() {
|
||||
RegistriesConfigDoc.Fields[0].Name = "mirrors"
|
||||
RegistriesConfigDoc.Fields[0].Type = "map[string]RegistryMirrorConfig"
|
||||
RegistriesConfigDoc.Fields[0].Note = ""
|
||||
RegistriesConfigDoc.Fields[0].Description = "Specifies mirror configuration for each registry.\nThis setting allows to use local pull-through caching registires,\nair-gapped installations, etc.\n\nRegistry name is the first segment of image identifier, with 'docker.io'\nbeing default one."
|
||||
RegistriesConfigDoc.Fields[0].Comments[encoder.LineComment] = "Specifies mirror configuration for each registry."
|
||||
RegistriesConfigDoc.Fields[0].Description = "Specifies mirror configuration for each registry host namespace.\nThis setting allows to configure local pull-through caching registires,\nair-gapped installations, etc.\n\nFor example, when pulling an image with the reference `example.com:123/image:v1`,\nthe `example.com:123` key will be used to lookup the mirror configuration.\n\nOptionally the `*` key can be used to configure a fallback mirror.\n\nRegistry name is the first segment of image identifier, with 'docker.io'\nbeing default one."
|
||||
RegistriesConfigDoc.Fields[0].Comments[encoder.LineComment] = "Specifies mirror configuration for each registry host namespace."
|
||||
|
||||
RegistriesConfigDoc.Fields[0].AddExample("", machineConfigRegistryMirrorsExample)
|
||||
RegistriesConfigDoc.Fields[1].Name = "config"
|
||||
RegistriesConfigDoc.Fields[1].Type = "map[string]RegistryConfig"
|
||||
RegistriesConfigDoc.Fields[1].Note = ""
|
||||
RegistriesConfigDoc.Fields[1].Description = "Specifies TLS & auth configuration for HTTPS image registries.\nMutual TLS can be enabled with 'clientIdentity' option.\n\nTLS configuration can be skipped if registry has trusted\nserver certificate."
|
||||
RegistriesConfigDoc.Fields[1].Description = "Specifies TLS & auth configuration for HTTPS image registries.\nMutual TLS can be enabled with 'clientIdentity' option.\n\nThe full hostname and port (if not using a default port 443)\nshould be used as the key.\nThe fallback key `*` can't be used for TLS configuration.\n\nTLS configuration can be skipped if registry has trusted\nserver certificate."
|
||||
RegistriesConfigDoc.Fields[1].Comments[encoder.LineComment] = "Specifies TLS & auth configuration for HTTPS image registries."
|
||||
|
||||
RegistriesConfigDoc.Fields[1].AddExample("", machineConfigRegistryConfigExample)
|
||||
|
@ -316,9 +316,9 @@ sysctls:
|
||||
sysfs:
|
||||
devices.system.cpu.cpu0.cpufreq.scaling_governor: performance
|
||||
{{< /highlight >}}</details> | |
|
||||
|`registries` |<a href="#registriesconfig">RegistriesConfig</a> |<details><summary>Used to configure the machine's container image registry mirrors.</summary><br />Automatically generates matching CRI configuration for registry mirrors.<br /><br />The `mirrors` section allows to redirect requests for images to non-default registry,<br />which might be local registry or caching mirror.<br /><br />The `config` section provides a way to authenticate to the registry with TLS client<br />identity, provide registry CA, or authentication information.<br />Authentication information has same meaning with the corresponding field in [`.docker/config.json`](https://docs.docker.com/engine/api/v1.41/#section/Authentication).<br /><br />See also matching configuration for [CRI containerd plugin](https://github.com/containerd/cri/blob/master/docs/registry.md).</details> <details><summary>Show example(s)</summary>{{< highlight yaml >}}
|
||||
|`registries` |<a href="#registriesconfig">RegistriesConfig</a> |<details><summary>Used to configure the machine's container image registry mirrors.</summary><br />Automatically generates matching CRI configuration for registry mirrors.<br /><br />The `mirrors` section allows to redirect requests for images to a non-default registry,<br />which might be a local registry or a caching mirror.<br /><br />The `config` section provides a way to authenticate to the registry with TLS client<br />identity, provide registry CA, or authentication information.<br />Authentication information has same meaning with the corresponding field in [`.docker/config.json`](https://docs.docker.com/engine/api/v1.41/#section/Authentication).<br /><br />See also matching configuration for [CRI containerd plugin](https://github.com/containerd/cri/blob/master/docs/registry.md).</details> <details><summary>Show example(s)</summary>{{< highlight yaml >}}
|
||||
registries:
|
||||
# Specifies mirror configuration for each registry.
|
||||
# Specifies mirror configuration for each registry host namespace.
|
||||
mirrors:
|
||||
docker.io:
|
||||
# List of endpoints (URLs) for registry mirrors to use.
|
||||
@ -1212,7 +1212,7 @@ Appears in:
|
||||
|
||||
|
||||
{{< highlight yaml >}}
|
||||
# Specifies mirror configuration for each registry.
|
||||
# Specifies mirror configuration for each registry host namespace.
|
||||
mirrors:
|
||||
docker.io:
|
||||
# List of endpoints (URLs) for registry mirrors to use.
|
||||
@ -1236,7 +1236,7 @@ config:
|
||||
|
||||
| Field | Type | Description | Value(s) |
|
||||
|-------|------|-------------|----------|
|
||||
|`mirrors` |map[string]<a href="#registrymirrorconfig">RegistryMirrorConfig</a> |<details><summary>Specifies mirror configuration for each registry.</summary>This setting allows to use local pull-through caching registires,<br />air-gapped installations, etc.<br /><br />Registry name is the first segment of image identifier, with 'docker.io'<br />being default one.</details> <details><summary>Show example(s)</summary>{{< highlight yaml >}}
|
||||
|`mirrors` |map[string]<a href="#registrymirrorconfig">RegistryMirrorConfig</a> |<details><summary>Specifies mirror configuration for each registry host namespace.</summary>This setting allows to configure local pull-through caching registires,<br />air-gapped installations, etc.<br /><br />For example, when pulling an image with the reference `example.com:123/image:v1`,<br />the `example.com:123` key will be used to lookup the mirror configuration.<br /><br />Optionally the `*` key can be used to configure a fallback mirror.<br /><br />Registry name is the first segment of image identifier, with 'docker.io'<br />being default one.</details> <details><summary>Show example(s)</summary>{{< highlight yaml >}}
|
||||
mirrors:
|
||||
ghcr.io:
|
||||
# List of endpoints (URLs) for registry mirrors to use.
|
||||
@ -1244,7 +1244,7 @@ mirrors:
|
||||
- https://registry.insecure
|
||||
- https://ghcr.io/v2/
|
||||
{{< /highlight >}}</details> | |
|
||||
|`config` |map[string]<a href="#registryconfig">RegistryConfig</a> |<details><summary>Specifies TLS & auth configuration for HTTPS image registries.</summary>Mutual TLS can be enabled with 'clientIdentity' option.<br /><br />TLS configuration can be skipped if registry has trusted<br />server certificate.</details> <details><summary>Show example(s)</summary>{{< highlight yaml >}}
|
||||
|`config` |map[string]<a href="#registryconfig">RegistryConfig</a> |<details><summary>Specifies TLS & auth configuration for HTTPS image registries.</summary>Mutual TLS can be enabled with 'clientIdentity' option.<br /><br />The full hostname and port (if not using a default port 443)<br />should be used as the key.<br />The fallback key `*` can't be used for TLS configuration.<br /><br />TLS configuration can be skipped if registry has trusted<br />server certificate.</details> <details><summary>Show example(s)</summary>{{< highlight yaml >}}
|
||||
config:
|
||||
registry.insecure:
|
||||
# The TLS configuration for the registry.
|
||||
|
@ -1868,9 +1868,9 @@
|
||||
"registries": {
|
||||
"$ref": "#/$defs/RegistriesConfig",
|
||||
"title": "registries",
|
||||
"description": "Used to configure the machine’s container image registry mirrors.\n\nAutomatically generates matching CRI configuration for registry mirrors.\n\nThe mirrors section allows to redirect requests for images to non-default registry,\nwhich might be local registry or caching mirror.\n\nThe config section provides a way to authenticate to the registry with TLS client\nidentity, provide registry CA, or authentication information.\nAuthentication information has same meaning with the corresponding field in .docker/config.json.\n\nSee also matching configuration for CRI containerd plugin.\n",
|
||||
"markdownDescription": "Used to configure the machine's container image registry mirrors.\n\nAutomatically generates matching CRI configuration for registry mirrors.\n\nThe `mirrors` section allows to redirect requests for images to non-default registry,\nwhich might be local registry or caching mirror.\n\nThe `config` section provides a way to authenticate to the registry with TLS client\nidentity, provide registry CA, or authentication information.\nAuthentication information has same meaning with the corresponding field in [`.docker/config.json`](https://docs.docker.com/engine/api/v1.41/#section/Authentication).\n\nSee also matching configuration for [CRI containerd plugin](https://github.com/containerd/cri/blob/master/docs/registry.md).",
|
||||
"x-intellij-html-description": "\u003cp\u003eUsed to configure the machine\u0026rsquo;s container image registry mirrors.\u003c/p\u003e\n\n\u003cp\u003eAutomatically generates matching CRI configuration for registry mirrors.\u003c/p\u003e\n\n\u003cp\u003eThe \u003ccode\u003emirrors\u003c/code\u003e section allows to redirect requests for images to non-default registry,\nwhich might be local registry or caching mirror.\u003c/p\u003e\n\n\u003cp\u003eThe \u003ccode\u003econfig\u003c/code\u003e section provides a way to authenticate to the registry with TLS client\nidentity, provide registry CA, or authentication information.\nAuthentication information has same meaning with the corresponding field in \u003ca href=\"https://docs.docker.com/engine/api/v1.41/#section/Authentication\" target=\"_blank\"\u003e\u003ccode\u003e.docker/config.json\u003c/code\u003e\u003c/a\u003e.\u003c/p\u003e\n\n\u003cp\u003eSee also matching configuration for \u003ca href=\"https://github.com/containerd/cri/blob/master/docs/registry.md\" target=\"_blank\"\u003eCRI containerd plugin\u003c/a\u003e.\u003c/p\u003e\n"
|
||||
"description": "Used to configure the machine’s container image registry mirrors.\n\nAutomatically generates matching CRI configuration for registry mirrors.\n\nThe mirrors section allows to redirect requests for images to a non-default registry,\nwhich might be a local registry or a caching mirror.\n\nThe config section provides a way to authenticate to the registry with TLS client\nidentity, provide registry CA, or authentication information.\nAuthentication information has same meaning with the corresponding field in .docker/config.json.\n\nSee also matching configuration for CRI containerd plugin.\n",
|
||||
"markdownDescription": "Used to configure the machine's container image registry mirrors.\n\nAutomatically generates matching CRI configuration for registry mirrors.\n\nThe `mirrors` section allows to redirect requests for images to a non-default registry,\nwhich might be a local registry or a caching mirror.\n\nThe `config` section provides a way to authenticate to the registry with TLS client\nidentity, provide registry CA, or authentication information.\nAuthentication information has same meaning with the corresponding field in [`.docker/config.json`](https://docs.docker.com/engine/api/v1.41/#section/Authentication).\n\nSee also matching configuration for [CRI containerd plugin](https://github.com/containerd/cri/blob/master/docs/registry.md).",
|
||||
"x-intellij-html-description": "\u003cp\u003eUsed to configure the machine\u0026rsquo;s container image registry mirrors.\u003c/p\u003e\n\n\u003cp\u003eAutomatically generates matching CRI configuration for registry mirrors.\u003c/p\u003e\n\n\u003cp\u003eThe \u003ccode\u003emirrors\u003c/code\u003e section allows to redirect requests for images to a non-default registry,\nwhich might be a local registry or a caching mirror.\u003c/p\u003e\n\n\u003cp\u003eThe \u003ccode\u003econfig\u003c/code\u003e section provides a way to authenticate to the registry with TLS client\nidentity, provide registry CA, or authentication information.\nAuthentication information has same meaning with the corresponding field in \u003ca href=\"https://docs.docker.com/engine/api/v1.41/#section/Authentication\" target=\"_blank\"\u003e\u003ccode\u003e.docker/config.json\u003c/code\u003e\u003c/a\u003e.\u003c/p\u003e\n\n\u003cp\u003eSee also matching configuration for \u003ca href=\"https://github.com/containerd/cri/blob/master/docs/registry.md\" target=\"_blank\"\u003eCRI containerd plugin\u003c/a\u003e.\u003c/p\u003e\n"
|
||||
},
|
||||
"systemDiskEncryption": {
|
||||
"$ref": "#/$defs/SystemDiskEncryptionConfig",
|
||||
@ -2254,9 +2254,9 @@
|
||||
},
|
||||
"type": "object",
|
||||
"title": "mirrors",
|
||||
"description": "Specifies mirror configuration for each registry.\nThis setting allows to use local pull-through caching registires,\nair-gapped installations, etc.\n\nRegistry name is the first segment of image identifier, with ‘docker.io’\nbeing default one.\n",
|
||||
"markdownDescription": "Specifies mirror configuration for each registry.\nThis setting allows to use local pull-through caching registires,\nair-gapped installations, etc.\n\nRegistry name is the first segment of image identifier, with 'docker.io'\nbeing default one.",
|
||||
"x-intellij-html-description": "\u003cp\u003eSpecifies mirror configuration for each registry.\nThis setting allows to use local pull-through caching registires,\nair-gapped installations, etc.\u003c/p\u003e\n\n\u003cp\u003eRegistry name is the first segment of image identifier, with \u0026lsquo;docker.io\u0026rsquo;\nbeing default one.\u003c/p\u003e\n"
|
||||
"description": "Specifies mirror configuration for each registry host namespace.\nThis setting allows to configure local pull-through caching registires,\nair-gapped installations, etc.\n\nFor example, when pulling an image with the reference example.com:123/image:v1,\nthe example.com:123 key will be used to lookup the mirror configuration.\n\nOptionally the * key can be used to configure a fallback mirror.\n\nRegistry name is the first segment of image identifier, with ‘docker.io’\nbeing default one.\n",
|
||||
"markdownDescription": "Specifies mirror configuration for each registry host namespace.\nThis setting allows to configure local pull-through caching registires,\nair-gapped installations, etc.\n\nFor example, when pulling an image with the reference `example.com:123/image:v1`,\nthe `example.com:123` key will be used to lookup the mirror configuration.\n\nOptionally the `*` key can be used to configure a fallback mirror.\n\nRegistry name is the first segment of image identifier, with 'docker.io'\nbeing default one.",
|
||||
"x-intellij-html-description": "\u003cp\u003eSpecifies mirror configuration for each registry host namespace.\nThis setting allows to configure local pull-through caching registires,\nair-gapped installations, etc.\u003c/p\u003e\n\n\u003cp\u003eFor example, when pulling an image with the reference \u003ccode\u003eexample.com:123/image:v1\u003c/code\u003e,\nthe \u003ccode\u003eexample.com:123\u003c/code\u003e key will be used to lookup the mirror configuration.\u003c/p\u003e\n\n\u003cp\u003eOptionally the \u003ccode\u003e*\u003c/code\u003e key can be used to configure a fallback mirror.\u003c/p\u003e\n\n\u003cp\u003eRegistry name is the first segment of image identifier, with \u0026lsquo;docker.io\u0026rsquo;\nbeing default one.\u003c/p\u003e\n"
|
||||
},
|
||||
"config": {
|
||||
"patternProperties": {
|
||||
@ -2266,9 +2266,9 @@
|
||||
},
|
||||
"type": "object",
|
||||
"title": "config",
|
||||
"description": "Specifies TLS \u0026amp; auth configuration for HTTPS image registries.\nMutual TLS can be enabled with ‘clientIdentity’ option.\n\nTLS configuration can be skipped if registry has trusted\nserver certificate.\n",
|
||||
"markdownDescription": "Specifies TLS \u0026 auth configuration for HTTPS image registries.\nMutual TLS can be enabled with 'clientIdentity' option.\n\nTLS configuration can be skipped if registry has trusted\nserver certificate.",
|
||||
"x-intellij-html-description": "\u003cp\u003eSpecifies TLS \u0026amp; auth configuration for HTTPS image registries.\nMutual TLS can be enabled with \u0026lsquo;clientIdentity\u0026rsquo; option.\u003c/p\u003e\n\n\u003cp\u003eTLS configuration can be skipped if registry has trusted\nserver certificate.\u003c/p\u003e\n"
|
||||
"description": "Specifies TLS \u0026amp; auth configuration for HTTPS image registries.\nMutual TLS can be enabled with ‘clientIdentity’ option.\n\nThe full hostname and port (if not using a default port 443)\nshould be used as the key.\nThe fallback key * can’t be used for TLS configuration.\n\nTLS configuration can be skipped if registry has trusted\nserver certificate.\n",
|
||||
"markdownDescription": "Specifies TLS \u0026 auth configuration for HTTPS image registries.\nMutual TLS can be enabled with 'clientIdentity' option.\n\nThe full hostname and port (if not using a default port 443)\nshould be used as the key.\nThe fallback key `*` can't be used for TLS configuration.\n\nTLS configuration can be skipped if registry has trusted\nserver certificate.",
|
||||
"x-intellij-html-description": "\u003cp\u003eSpecifies TLS \u0026amp; auth configuration for HTTPS image registries.\nMutual TLS can be enabled with \u0026lsquo;clientIdentity\u0026rsquo; option.\u003c/p\u003e\n\n\u003cp\u003eThe full hostname and port (if not using a default port 443)\nshould be used as the key.\nThe fallback key \u003ccode\u003e*\u003c/code\u003e can\u0026rsquo;t be used for TLS configuration.\u003c/p\u003e\n\n\u003cp\u003eTLS configuration can be skipped if registry has trusted\nserver certificate.\u003c/p\u003e\n"
|
||||
}
|
||||
},
|
||||
"additionalProperties": false,
|
||||
|