Add CAPI patch: fix containerd v2 registry mirror auth for Bottlerocket#5571
Open
peirulu wants to merge 2 commits into
Open
Add CAPI patch: fix containerd v2 registry mirror auth for Bottlerocket#5571peirulu wants to merge 2 commits into
peirulu wants to merge 2 commits into
Conversation
Collaborator
|
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: The full list of commands accepted by this bot can be found here. DetailsNeeds approval from an approver in each of these files:Approvers can indicate their approval by writing |
26ace15 to
c8b7791
Compare
c8b7791 to
50084ce
Compare
Containerd 2.x does not read credentials.toml files from the certs.d directory in the CRI image pull path. This causes ImagePullBackOff with "authorization failed: no basic auth credentials" on Bottlerocket k8s-1.33+ variants using containerd 2.1.7. Patch 0037 adds registryMirrorHostsTomlFile() that writes hosts.toml with inline auth headers via the bootstrap container's write_files mechanism. This works on all Bottlerocket variants (k8s 1.30-1.36). Verified: - Build compiles with Go 1.26 - Patches apply cleanly on CAPI v1.13.2 - containerd 1.7 (k8s-1.32): harmless, no breakage - containerd 2.1 (k8s-1.34): fixes image pulls from auth mirror
50084ce to
51cc861
Compare
2c32590 to
1012937
Compare
The bottlerocket-bootstrap container writes hosts.toml to /etc/containerd/certs.d/ which is the container's filesystem view. Due to thar-be-registries' atomic directory swap (renameat2), writes to this path land in the old (swapped-out) directory that containerd no longer reads. Fix by rewriting paths under /etc/containerd/certs.d/ to /.bottlerocket/rootfs/etc/containerd/certs.d/ which is the actual Bottlerocket rootfs that containerd reads. This enables the write_files approach for fixing containerd v2 registry mirror auth — the etcdadm/CAPI bootstrap providers add hosts.toml with authorization headers to write_files, and the bottlerocket-bootstrap container now writes them to the correct location. Verified: etcd node successfully pulled images from authenticated mirror after this fix (tested on cluster-133-dev-write). Signed-off-by: peirulu <peirulu@amazon.com>
1012937 to
a5892bc
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Fixes containerd v2 registry mirror auth for Bottlerocket k8s-1.33+ variants. Two changes:
registryMirrorHostsTomlFile()that generates awrite_filesentry withhosts.tomlcontaining inlineauthorizationheaders/etc/containerd/certs.d/paths to/.bottlerocket/rootfs/etc/containerd/certs.d/so the file lands on the actual rootfs that containerd readsRoot Cause
Containerd 2.x does not read
credentials.tomlfromcerts.d/in the CRI image pull path. Bottlerocket'sthar-be-registrieswritescredentials.tomlbut containerd ignores it. Additionally,thar-be-registriesatomically swaps thecerts.d/directory, so writes to the container-visible path (/etc/containerd/certs.d/) land in the old swapped-out directory.Fix
hosts.tomlwith auth headers to the bootstrap container'swrite_filesbottlerocket-bootstrapwrites to/.bottlerocket/rootfs/etc/containerd/certs.d/(actual rootfs) instead of/etc/containerd/certs.d/(container view)Verification
Tested end-to-end on cluster
cluster-133-dev-write(Bottlerocket k8s-1.34, vmware provider, authenticated registry mirror):Also verified backwards compatible on k8s-1.32 (containerd 1.7) — hosts.toml with header field is harmless.
Images for testing
public.ecr.aws/p2x5x2t2/bottlerocket-bootstrap:v0.1.0-dev-write-filepublic.ecr.aws/p2x5x2t2/aws/etcdadm-bootstrap-provider:v0.1.0-dev-write-filepublic.ecr.aws/p2x5x2t2/kubernetes-sigs/cluster-api/kubeadm-bootstrap-controller:v0.1.0-dev-write-fileRelated
Test plan
Testing on cluster creation
kubeadm-bootstrap-controller,etcdadm-bootstrap-controller, andbottlerocket-bootstrapand create a 1-33 bottlerocket authenticated registry mirror cluster (bottlerocket 1-33 use containerd v2), and the cluster creation succeed.