cleanup DEPRECATED TLS config

Signed-off-by: rongfu.leng <rongfu.leng@daocloud.io>

integration/image_pull_timeout_test.go

@@ -257,13 +257,6 @@ func testCRIImagePullTimeoutByNoDataTransferred(t *testing.T) {
 					Endpoints: []string{mirrorURL.String()},
 				},
 			},
-			Configs: map[string]criconfig.RegistryConfig{
-				mirrorURL.Host: {
-					TLS: &criconfig.TLSConfig{
-						InsecureSkipVerify: true,
-					},
-				},
-			},
 		},
 	} {
 		criService, err := initLocalCRIPlugin(cli, tmpDir, registryCfg)

pkg/cri/config/config.go

@@ -179,14 +179,6 @@ type AuthConfig struct {
 	IdentityToken string `toml:"identitytoken" json:"identitytoken"`
 }
 
-// TLSConfig contains the CA/Cert/Key used for a registry
-type TLSConfig struct {
-	InsecureSkipVerify bool   `toml:"insecure_skip_verify" json:"insecure_skip_verify"`
-	CAFile             string `toml:"ca_file" json:"caFile"`
-	CertFile           string `toml:"cert_file" json:"certFile"`
-	KeyFile            string `toml:"key_file" json:"keyFile"`
-}
-
 // Registry is registry settings configured
 type Registry struct {
 	// ConfigPath is a path to the root directory containing registry-specific
@@ -213,11 +205,6 @@ type Registry struct {
 type RegistryConfig struct {
 	// Auth contains information to authenticate to the registry.
 	Auth *AuthConfig `toml:"auth" json:"auth"`
-	// TLS is a pair of CA/Cert/Key which then are used when creating the transport
-	// that communicates with the registry.
-	// This field will not be used when ConfigPath is provided.
-	// DEPRECATED: Use ConfigPath instead. Remove in containerd 1.7.
-	TLS *TLSConfig `toml:"tls" json:"tls"`
 }
 
 // ImageDecryption contains configuration to handling decryption of encrypted container images.
@@ -412,19 +399,6 @@ func ValidatePluginConfig(ctx context.Context, c *PluginConfig) error {
 		}
 		log.G(ctx).Warning("`mirrors` is deprecated, please use `config_path` instead")
 	}
-	var hasDeprecatedTLS bool
-	for _, r := range c.Registry.Configs {
-		if r.TLS != nil {
-			hasDeprecatedTLS = true
-			break
-		}
-	}
-	if hasDeprecatedTLS {
-		if useConfigPath {
-			return errors.New("`configs.tls` cannot be set when `config_path` is provided")
-		}
-		log.G(ctx).Warning("`configs.tls` is deprecated, please use `config_path` instead")
-	}
 
 	// Validation for deprecated auths options and mapping it to configs.
 	if len(c.Registry.Auths) != 0 {

pkg/cri/config/config_test.go

@@ -112,27 +112,6 @@ func TestValidateConfig(t *testing.T) {
 			},
 			expectedErr: "`mirrors` cannot be set when `config_path` is provided",
 		},
-		"conflicting tls registry config": {
-			config: &PluginConfig{
-				ContainerdConfig: ContainerdConfig{
-					DefaultRuntimeName: RuntimeDefault,
-					Runtimes: map[string]Runtime{
-						RuntimeDefault: {
-							Type: "default",
-						},
-					},
-				},
-				Registry: Registry{
-					ConfigPath: "/etc/containerd/conf.d",
-					Configs: map[string]RegistryConfig{
-						"something.io": {
-							TLS: &TLSConfig{},
-						},
-					},
-				},
-			},
-			expectedErr: "`configs.tls` cannot be set when `config_path` is provided",
-		},
 		"privileged_without_host_devices_all_devices_allowed without privileged_without_host_devices": {
 			config: &PluginConfig{
 				ContainerdConfig: ContainerdConfig{

pkg/cri/sbserver/images/image_pull.go

@@ -19,7 +19,6 @@ package images
 import (
 	"context"
 	"crypto/tls"
-	"crypto/x509"
 	"encoding/base64"
 	"errors"
 	"fmt"
@@ -27,7 +26,6 @@ import (
 	"net"
 	"net/http"
 	"net/url"
-	"os"
 	"path/filepath"
 	"strconv"
 	"strings"
@@ -340,48 +338,6 @@ func (c *CRIImageService) UpdateImage(ctx context.Context, r string) error {
 	return nil
 }
 
-// getTLSConfig returns a TLSConfig configured with a CA/Cert/Key specified by registryTLSConfig
-func (c *CRIImageService) getTLSConfig(registryTLSConfig criconfig.TLSConfig) (*tls.Config, error) {
-	var (
-		tlsConfig = &tls.Config{}
-		cert      tls.Certificate
-		err       error
-	)
-	if registryTLSConfig.CertFile != "" && registryTLSConfig.KeyFile == "" {
-		return nil, fmt.Errorf("cert file %q was specified, but no corresponding key file was specified", registryTLSConfig.CertFile)
-	}
-	if registryTLSConfig.CertFile == "" && registryTLSConfig.KeyFile != "" {
-		return nil, fmt.Errorf("key file %q was specified, but no corresponding cert file was specified", registryTLSConfig.KeyFile)
-	}
-	if registryTLSConfig.CertFile != "" && registryTLSConfig.KeyFile != "" {
-		cert, err = tls.LoadX509KeyPair(registryTLSConfig.CertFile, registryTLSConfig.KeyFile)
-		if err != nil {
-			return nil, fmt.Errorf("failed to load cert file: %w", err)
-		}
-		if len(cert.Certificate) != 0 {
-			tlsConfig.Certificates = []tls.Certificate{cert}
-		}
-		// TODO(thaJeztah): verify if we should ignore the deprecation; see https://github.com/containerd/containerd/pull/7349/files#r990644833
-		tlsConfig.BuildNameToCertificate() //nolint:staticcheck
-	}
-
-	if registryTLSConfig.CAFile != "" {
-		caCertPool, err := x509.SystemCertPool()
-		if err != nil {
-			return nil, fmt.Errorf("failed to get system cert pool: %w", err)
-		}
-		caCert, err := os.ReadFile(registryTLSConfig.CAFile)
-		if err != nil {
-			return nil, fmt.Errorf("failed to load CA file: %w", err)
-		}
-		caCertPool.AppendCertsFromPEM(caCert)
-		tlsConfig.RootCAs = caCertPool
-	}
-
-	tlsConfig.InsecureSkipVerify = registryTLSConfig.InsecureSkipVerify
-	return tlsConfig, nil
-}
-
 func hostDirFromRoots(roots []string) func(string) (string, error) {
 	rootfn := make([]func(string) (string, error), len(roots))
 	for i := range roots {
@@ -439,12 +395,7 @@ func (c *CRIImageService) registryHosts(ctx context.Context, auth *runtime.AuthC
 				config    = c.config.Registry.Configs[u.Host]
 			)
 
-			if config.TLS != nil {
+			if docker.IsLocalhost(host) && u.Scheme == "http" {
-				transport.TLSClientConfig, err = c.getTLSConfig(*config.TLS)
-				if err != nil {
-					return nil, fmt.Errorf("get TLSConfig for registry %q: %w", e, err)
-				}
-			} else if docker.IsLocalhost(host) && u.Scheme == "http" {
 				// Skipping TLS verification for localhost
 				transport.TLSClientConfig = &tls.Config{
 					InsecureSkipVerify: true,

pkg/cri/server/image_pull.go

@@ -19,14 +19,12 @@ package server
 import (
 	"context"
 	"crypto/tls"
-	"crypto/x509"
 	"encoding/base64"
 	"fmt"
 	"io"
 	"net"
 	"net/http"
 	"net/url"
-	"os"
 	"path/filepath"
 	"strconv"
 	"strings"
@@ -322,48 +320,6 @@ func (c *criService) updateImage(ctx context.Context, r string) error {
 	return nil
 }
 
-// getTLSConfig returns a TLSConfig configured with a CA/Cert/Key specified by registryTLSConfig
-func (c *criService) getTLSConfig(registryTLSConfig criconfig.TLSConfig) (*tls.Config, error) {
-	var (
-		tlsConfig = &tls.Config{}
-		cert      tls.Certificate
-		err       error
-	)
-	if registryTLSConfig.CertFile != "" && registryTLSConfig.KeyFile == "" {
-		return nil, fmt.Errorf("cert file %q was specified, but no corresponding key file was specified", registryTLSConfig.CertFile)
-	}
-	if registryTLSConfig.CertFile == "" && registryTLSConfig.KeyFile != "" {
-		return nil, fmt.Errorf("key file %q was specified, but no corresponding cert file was specified", registryTLSConfig.KeyFile)
-	}
-	if registryTLSConfig.CertFile != "" && registryTLSConfig.KeyFile != "" {
-		cert, err = tls.LoadX509KeyPair(registryTLSConfig.CertFile, registryTLSConfig.KeyFile)
-		if err != nil {
-			return nil, fmt.Errorf("failed to load cert file: %w", err)
-		}
-		if len(cert.Certificate) != 0 {
-			tlsConfig.Certificates = []tls.Certificate{cert}
-		}
-		// TODO(thaJeztah): verify if we should ignore the deprecation; see https://github.com/containerd/containerd/pull/7349/files#r990644833
-		tlsConfig.BuildNameToCertificate() //nolint:staticcheck
-	}
-
-	if registryTLSConfig.CAFile != "" {
-		caCertPool, err := x509.SystemCertPool()
-		if err != nil {
-			return nil, fmt.Errorf("failed to get system cert pool: %w", err)
-		}
-		caCert, err := os.ReadFile(registryTLSConfig.CAFile)
-		if err != nil {
-			return nil, fmt.Errorf("failed to load CA file: %w", err)
-		}
-		caCertPool.AppendCertsFromPEM(caCert)
-		tlsConfig.RootCAs = caCertPool
-	}
-
-	tlsConfig.InsecureSkipVerify = registryTLSConfig.InsecureSkipVerify
-	return tlsConfig, nil
-}
-
 func hostDirFromRoots(roots []string) func(string) (string, error) {
 	rootfn := make([]func(string) (string, error), len(roots))
 	for i := range roots {
@@ -421,12 +377,7 @@ func (c *criService) registryHosts(ctx context.Context, auth *runtime.AuthConfig
 				config    = c.config.Registry.Configs[u.Host]
 			)
 
-			if config.TLS != nil {
+			if docker.IsLocalhost(host) && u.Scheme == "http" {
-				transport.TLSClientConfig, err = c.getTLSConfig(*config.TLS)
-				if err != nil {
-					return nil, fmt.Errorf("get TLSConfig for registry %q: %w", e, err)
-				}
-			} else if docker.IsLocalhost(host) && u.Scheme == "http" {
 				// Skipping TLS verification for localhost
 				transport.TLSClientConfig = &tls.Config{
 					InsecureSkipVerify: true,