From 9e7f8fe30ce53cb120e2780f7a5d545adc9306f8 Mon Sep 17 00:00:00 2001 From: Derek McGowan Date: Sat, 29 Apr 2023 23:44:49 -0700 Subject: [PATCH] Update CRI registry configuration docs Remove deprecated sections except for auth configuration. Add note about auth configuration deprecation. Signed-off-by: Derek McGowan
---
 docs/cri/registry.md | 102 +++----------------------------------------
 1 file changed, 7 insertions(+), 95 deletions(-)
diff --git a/docs/cri/registry.md b/docs/cri/registry.md
index b96714515..617d9901b 100644
--- a/docs/cri/registry.md
+++ b/docs/cri/registry.md
@@ -2,105 +2,20 @@ This document describes the method to configure the image registry for `containerd` for use with the `cri` plugin.
-*** registry.mirrors and registry.configs as described in this document
-have been DEPRECATED. As described in [the cri config](./config.md#registry-configuration) you
-should now use the form
+> **_NOTE:_** registry.mirrors and registry.configs as previously described in this document
+> have been DEPRECATED. As described in [the cri config](./config.md#registry-configuration) you
+> should now use the following configuration ```toml [plugins."io.containerd.grpc.v1.cri".registry] config_path = "/etc/containerd/certs.d" ``` -- - - - - -
-Show the original content (DEPRECATED) -

- -## Configure Registry Endpoint - -With containerd, `docker.io` is the default image registry. You can also set up other image registries similar to docker. - -To configure image registries create/modify the `/etc/containerd/config.toml` as follows: - -```toml -# Config file is parsed as version 1 by default. -# To use the long form of plugin names set "version = 2" -# explicitly use v2 config format -version = 2 - -[plugins."io.containerd.grpc.v1.cri".registry.mirrors] - [plugins."io.containerd.grpc.v1.cri".registry.mirrors."docker.io"] - endpoint = ["https://registry-1.docker.io"] - [plugins."io.containerd.grpc.v1.cri".registry.mirrors."test.https-registry.io"] - endpoint = ["https://HostIP1:Port1"] - [plugins."io.containerd.grpc.v1.cri".registry.mirrors."test.http-registry.io"] - endpoint = ["http://HostIP2:Port2"] - # wildcard matching is supported but not required. - [plugins."io.containerd.grpc.v1.cri".registry.mirrors."*"] - endpoint = ["https://HostIP3:Port3"] -``` - -The default configuration can be generated by `containerd config default > /etc/containerd/config.toml`. - -The endpoint is a list that can contain multiple image registry URLs split by commas. When pulling an image -from a registry, containerd will try these endpoint URLs one by one, and use the first working one. Please note -that if the default registry endpoint is not already specified in the endpoint list, it will be automatically -tried at the end with scheme `https` and path `v2`, e.g. `https://gcr.io/v2` for `gcr.io`. - -As an example, for the image `gcr.io/library/busybox:latest`, the endpoints are: - -* `gcr.io` is configured: endpoints for `gcr.io` + default endpoint `https://gcr.io/v2`. -* `*` is configured, and `gcr.io` is not: endpoints for `*` + default - endpoint `https://gcr.io/v2`. -* None of above is configured: default endpoint `https://gcr.io/v2`. - -After modify this config, you need restart the `containerd` service. 
- -## Configure Registry TLS Communication - -`cri` plugin also supports configuring TLS settings when communicating with a registry. - -To configure the TLS settings for a specific registry, create/modify the `/etc/containerd/config.toml` as follows: - -```toml -# explicitly use v2 config format -version = 2 - -# The registry host has to be a domain name or IP. Port number is also -# needed if the default HTTPS or HTTP port is not used. -[plugins."io.containerd.grpc.v1.cri".registry.configs."my.custom.registry".tls] - ca_file = "ca.pem" - cert_file = "cert.pem" - key_file = "key.pem" -``` - -In the config example shown above, TLS mutual authentication will be used for communications with the registry endpoint located at . -`ca_file` is file name of the certificate authority (CA) certificate used to authenticate the x509 certificate/key pair specified by the files respectively pointed to by `cert_file` and `key_file`. - -`cert_file` and `key_file` are not needed when TLS mutual authentication is unused. - -```toml -# explicitly use v2 config format -version = 2 - -[plugins."io.containerd.grpc.v1.cri".registry.configs."my.custom.registry".tls] - ca_file = "ca.pem" -``` - -To skip the registry certificate verification: - -```toml -# explicitly use v2 config format -version = 2 - -[plugins."io.containerd.grpc.v1.cri".registry.configs."my.custom.registry".tls] - insecure_skip_verify = true -``` - ## Configure Registry Credentials -`cri` plugin also supports docker like registry credential config. +> **_NOTE:_** registry.configs.*.auth is DEPRECATED and will NOT have an equivalent way to store +> unecrypted secrets in the host configuration files. However, it will not be removed until +> a suitable secret management alternative is available as a plugin. It remains supported +> in 1.x releases, including the 1.6 LTS release. To configure a credential for a specific registry, create/modify the `/etc/containerd/config.toml` as follows: 
@@ -200,6 +115,3 @@ Image is up to date for sha256:78096d0a54788961ca68393e5f8038704b97d8af374249dc5 --- NOTE: The configuration syntax used in this doc is in version 2 which is the recommended since `containerd` 1.3. For the previous config format you can reference [https://github.com/containerd/cri/blob/release/1.2/docs/registry.md](https://github.com/containerd/cri/blob/release/1.2/docs/registry.md). - -

-