From 464b1e02d8f26f3a4480f752dc5a9a08431e257c Mon Sep 17 00:00:00 2001 From: Andy Ning Date: Fri, 19 Jun 2020 11:22:59 -0400 Subject: [PATCH] Update containerd config to use the right docker registry cert Currently containerd is configured to use /etc/ssl/private/registry-cert.crt to access docker registry at registry.local:9001. But newly installed docker registry certificate will be in /etc/docker/certs.d/registry.local:9001/registry-cert.crt. While this is ok for controller nodes (as the registry cert at both locations will be updated to the new one on controllers), worker node will fail to access registry.local by certificate verification as containerd still uses /etc/ssl/private/registry-cert.crt which is not updated. /etc/docker/certs.d/registry.local:9001/registry-cert.crt is the right cert for any client to access registry.local. This commit updated containerd config file to point to the right registry cert. Change-Id: Id9c22994edea03da3449b0146cf04a3538d67716 Closes-Bug: 1870406 Signed-off-by: Andy Ning
---
 puppet-manifests/src/modules/platform/templates/config.toml.erb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/puppet-manifests/src/modules/platform/templates/config.toml.erb b/puppet-manifests/src/modules/platform/templates/config.toml.erb
index bbd695588..aa60a082d 100644
--- a/puppet-manifests/src/modules/platform/templates/config.toml.erb
+++ b/puppet-manifests/src/modules/platform/templates/config.toml.erb
@@ -85,7 +85,7 @@ oom_score = 0
 <%- end -%>
 # End of insecure registries
 [plugins.cri.registry.configs."registry.local:9001".tls]
- ca_file = "/etc/ssl/private/registry-cert.crt"
+ ca_file = "/etc/docker/certs.d/registry.local:9001/registry-cert.crt"
 [plugins.cri.registry.configs."registry.local:9001".auth]
 auth = "<%= @registry_auth %>"
 [plugins.cri.x509_key_pair_streaming]
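Review bot: The new `ca_file` line makes `/etc/docker/certs.d/registry.local:9001/registry-cert.crt` the only trust anchor containerd uses to verify registry.local, but nothing in the hunk records who installs that file on worker nodes or that it must be in place before containerd starts. A short comment above the line would help the next maintainer, for example `# CA for registry.local:9001; same file the docker client trusts, must be present on every node before containerd starts`. Anyone able to replace this file can have containerd accept a different registry certificate, so the manifest that writes it (not visible here) should presumably keep it root-owned and not group- or world-writable. The `registry.local:9001` host and port now appear in both the table key and the path, so a change to one has to be mirrored in the other. The `[plugins.cri.x509_key_pair_streaming]` table continues outside the hunk.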