Set [plugins."io.containerd.grpc.v1.cri".registry].config_path by default #6485
Description
What is the problem you're trying to solve
I'm trying to add a new private registry (with a self-signed CA) to an existing Kubernetes cluster, where I may not have ssh access (but I do have cluster-admin).
Describe the solution you'd like
When using docker, something like the following suffices to add a selfsigned CA:
echo "${PEM_ENCODED_CERT}" > /etc/docker/certs.d/${REGISTRY_NAME}/ca.crtAccording the containerd documentation, loading registry certificates after startup requires the following key to be set in config.toml:
[plugins."io.containerd.grpc.v1.cri".registry]
config_path = "/etc/containerd/certs.d"Adding this entry isn't sufficient, however, because you also need to restart containerd. Users end up with solutions like this:
http://hypernephelist.com/2021/03/23/kubernetes-containerd-certificate.html
Note that this solution is debian (update-ca-certificates) / systemd (systemctl) specific, and actually modifies the entire set of trust roots for the host, rather than modifying the config.toml programatically (because that seems dangerous)
It would be much cleaner if [plugins."io.containerd.grpc.v1.cri".registry].config_path defaulted to either:
"/etc/containerd/certs.d""/etc/containerd/certs.d:/etc/docker/certs.d"
My preference would be for 2, because it would allow scripts that worked with Docker to also work with containerd, but would still prefer certs in /etc/containerd if present.
Additional context
No response