Merge pull request #1345 from Random-Liu/insecure-skip-verify

Add insecure_skip_verify option.

docs/registry.md

@@ -9,13 +9,13 @@ To configure image registries create/modify the `/etc/containerd/config.toml` as
 [plugins.cri.registry.mirrors]
   [plugins.cri.registry.mirrors."docker.io"]
     endpoint = ["https://registry-1.docker.io"]
-  [plugins.cri.registry.mirrors."test.secure-registry.io"]
+  [plugins.cri.registry.mirrors."test.https-registry.io"]
     endpoint = ["https://HostIP1:Port1"]
-  [plugins.cri.registry.mirrors."test.insecure-registry.io"]
+  [plugins.cri.registry.mirrors."test.http-registry.io"]
     endpoint = ["http://HostIP2:Port2"]
   # wildcard matching is supported but not required.
   [plugins.cri.registry.mirrors."*"]
-    endpoint = ["http://HostIP3:Port3"]
+    endpoint = ["https://HostIP3:Port3"]
 ```
 
 The default configuration can be generated by `containerd config default > /etc/containerd/config.toml`.
@@ -38,7 +38,8 @@ After modify this config, you need restart the `containerd` service.
 
 To configure the TLS settings for a specific registry, create/modify the `/etc/containerd/config.toml` as follows:
 ```toml
-# The registry host has to be an domain name or IP.
+# The registry host has to be an domain name or IP. Port number is also
+# needed if the default HTTPS or HTTP port is not used.
 [plugins.cri.registry.configs."my.custom.registry".tls]
     ca_file   = "ca.pem"
     cert_file = "cert.pem"
@@ -51,11 +52,16 @@ In the config example shown above, TLS mutual authentication will be used for co
 `cert_file` and `key_file` are not needed when TLS mutual authentication is unused.
 
 ```toml
-# The registry host has to be an domain name or IP.
 [plugins.cri.registry.configs."my.custom.registry".tls]
     ca_file   = "ca.pem"
 ```
 
+To skip the registry certificate verification:
+```
+[plugins.cri.registry.configs."my.custom.registry".tls]
+  insecure_skip_verify = true
+```
+
 ## Configure Registry Credentials
 
 `cri` plugin also supports docker like registry credential config.
@@ -63,7 +69,8 @@ In the config example shown above, TLS mutual authentication will be used for co
 To configure a credential for a specific registry, create/modify the
 `/etc/containerd/config.toml` as follows:
 ```toml
-# The registry host has to be an domain name or IP.
+# The registry host has to be an domain name or IP. Port number is also
+# needed if the default HTTPS or HTTP port is not used.
 [plugins.cri.registry.configs."gcr.io".auth]
   username = ""
   password = ""

pkg/config/config.go

@@ -124,9 +124,10 @@ type AuthConfig struct {
 
 // TLSConfig contains the CA/Cert/Key used for a registry
 type TLSConfig struct {
-	CAFile   string `toml:"ca_file" json:"caFile"`
+	InsecureSkipVerify bool   `toml:"insecure_skip_verify" json:"insecure_skip_verify"`
-	CertFile string `toml:"cert_file" json:"certFile"`
+	CAFile             string `toml:"ca_file" json:"caFile"`
-	KeyFile  string `toml:"key_file" json:"keyFile"`
+	CertFile           string `toml:"cert_file" json:"certFile"`
+	KeyFile            string `toml:"key_file" json:"keyFile"`
 }
 
 // Registry is registry settings configured

pkg/server/image_pull.go

@@ -253,39 +253,41 @@ func (c *criService) updateImage(ctx context.Context, r string) error {
 // getTLSConfig returns a TLSConfig configured with a CA/Cert/Key specified by registryTLSConfig
 func (c *criService) getTLSConfig(registryTLSConfig criconfig.TLSConfig) (*tls.Config, error) {
 	var (
-		cert tls.Certificate
+		tlsConfig = &tls.Config{}
-		err  error
+		cert      tls.Certificate
+		err       error
 	)
-	if registryTLSConfig.CertFile != "" && registryTLSConfig.KeyFile != "" {
-		cert, err = tls.LoadX509KeyPair(registryTLSConfig.CertFile, registryTLSConfig.KeyFile)
-		if err != nil {
-			return nil, errors.Wrap(err, "failed to load cert file")
-		}
-	}
 	if registryTLSConfig.CertFile != "" && registryTLSConfig.KeyFile == "" {
 		return nil, errors.Errorf("cert file %q was specified, but no corresponding key file was specified", registryTLSConfig.CertFile)
 	}
 	if registryTLSConfig.CertFile == "" && registryTLSConfig.KeyFile != "" {
 		return nil, errors.Errorf("key file %q was specified, but no corresponding cert file was specified", registryTLSConfig.KeyFile)
 	}
+	if registryTLSConfig.CertFile != "" && registryTLSConfig.KeyFile != "" {
+		cert, err = tls.LoadX509KeyPair(registryTLSConfig.CertFile, registryTLSConfig.KeyFile)
+		if err != nil {
+			return nil, errors.Wrap(err, "failed to load cert file")
+		}
+		if len(cert.Certificate) != 0 {
+			tlsConfig.Certificates = []tls.Certificate{cert}
+		}
+		tlsConfig.BuildNameToCertificate()
+	}
 
-	caCertPool, err := x509.SystemCertPool()
+	if registryTLSConfig.CAFile != "" {
-	if err != nil {
+		caCertPool, err := x509.SystemCertPool()
-		return nil, errors.Wrap(err, "failed to get system cert pool")
+		if err != nil {
+			return nil, errors.Wrap(err, "failed to get system cert pool")
+		}
+		caCert, err := ioutil.ReadFile(registryTLSConfig.CAFile)
+		if err != nil {
+			return nil, errors.Wrap(err, "failed to load CA file")
+		}
+		caCertPool.AppendCertsFromPEM(caCert)
+		tlsConfig.RootCAs = caCertPool
 	}
-	caCert, err := ioutil.ReadFile(registryTLSConfig.CAFile)
-	if err != nil {
-		return nil, errors.Wrap(err, "failed to load CA file")
-	}
-	caCertPool.AppendCertsFromPEM(caCert)
 
-	tlsConfig := &tls.Config{
+	tlsConfig.InsecureSkipVerify = registryTLSConfig.InsecureSkipVerify
-		RootCAs: caCertPool,
-	}
-	if len(cert.Certificate) != 0 {
-		tlsConfig.Certificates = []tls.Certificate{cert}
-	}
-	tlsConfig.BuildNameToCertificate()
 	return tlsConfig, nil
 }