How to add private container registries WITHOUT disabling TLS and WITHOUT auth credentials.

[zombiemaker]

I am trying to configure Talos Linux to pull container images for talos-metal-installer, kubelet, kube-apiserver, kube-scheduler, kube-proxy, and kube-controller-manager from a private container image registry.

The registry repositories are public, which means clients do not need to authenticate to pull images.
The registry servers support TLS using a private certificate authority. The certificates for the private root and intermediate CAs are added in the machine configuration.

If I add a registry entry in the machine config yaml with "insecureSkipVerify: false" and no auth credentials, Talos does not generate registry configurations for containerd.

Example:

machine:
registries:
config:
my-registry.my-domain:
tls:
insecureSkipVerify: false

This does not generate and containerd configuration files in the /etc/cri/conf.d/hosts directory. Is this not needed then?

Does containerd need a /etc/cri/conf.d/hosts/my-registry.my-domain/hosts.toml for each container registry that the Talos Linux cluster can pull image from?

[smira]

I'm not sure what is the question, insecureSkipVerify: false is a default setting anyways. TLS registry certificates can be configured in the same machine config block.

containerd configuration for registries is atm split between base containerd config and hosts/ directory (this is how containerd works).

[zombiemaker]

@smira : Thanks for your response!

The "insecureSkipVerify: false" was a test to see if I can trick the process for generating containerd configs to generate a configuration for a registry host that uses server TLS without user authentication. Otherwise, the Talos process for generating containerd config would not generate one.

This was before I learned that this can be done with an entry in the registries.mirrors section of the machine config. I was confused by the "mirrors" parameter name because this registry is not a mirror of another registry. I did not realize that the machine.registries.mirrors is for both mirrored AND non-mirrored registries.

The machine config is now:

machine:
  registries:
    mirrors:
      my-registry.my-domain:
        endpoints:
          - https://my-registry.my-domain:/
        skipFallback: true
        overridePath: false
    config:
      my-registry.my-domain:
        # tried both true and without this config parameter
        tls:
          insecureSkipVerify: true