Updated docs and code for default nil behavior

Signed-off-by: Brandon Lum <lumjjb@gmail.com>

pkg/server/image_pull.go

@@ -411,11 +411,10 @@ func newTransport() *http.Transport {
 	}
 }
 
-// addEncryptedImagesPullOpts adds the necessary pull options to a list of
-// pull options if enabled.
+// encryptedImagesPullOpts returns the necessary list of pull options required
+// for decryption of encrypted images based on the cri decryption configuration.
 func (c *criService) encryptedImagesPullOpts() []containerd.RemoteOpt {
-	if c.config.ImageEncryption.KeyModel == criconfig.EncryptionKeyModelNode ||
-		c.config.ImageEncryption.KeyModel == "" {
+	if c.config.ImageDecryption.KeyModel == criconfig.KeyModelNode {
 		ltdd := imgcrypt.Payload{}
 		decUnpackOpt := encryption.WithUnpackConfigApplyOpts(encryption.WithDecryptedUnpack(&ltdd))
 		opt := containerd.WithUnpackOpts([]containerd.UnpackOpt{decUnpackOpt})

pkg/server/image_pull_test.go

@@ -295,17 +295,17 @@ func TestEncryptedImagePullOpts(t *testing.T) {
 		expectedOpts int
 	}{
 		"node key model should return one unpack opt": {
-			keyModel:     criconfig.EncryptionKeyModelNode,
+			keyModel:     criconfig.KeyModelNode,
 			expectedOpts: 1,
 		},
 		"no key model selected should default to node key model": {
 			keyModel:     "",
-			expectedOpts: 1,
+			expectedOpts: 0,
 		},
 	} {
 		t.Logf("TestCase %q", desc)
 		c := newTestCRIService()
-		c.config.ImageEncryption.KeyModel = test.keyModel
+		c.config.ImageDecryption.KeyModel = test.keyModel
 		got := len(c.encryptedImagesPullOpts())
 		assert.Equal(t, test.expectedOpts, got)
 	}