### Description
By default, if you give CRI an image referencing localhost it will default to http. This is legacy behavior from docker that continues to be supported going forward. In acorn.io we are exploiting this fact to run a registry on a node port, bypassing the need to run TLS. This failed on AKS because we found out that AKS by default adds `config_path = "/etc/containerd/certs.d"`, which inadvertently (I think) disabled the localhost behavior. The issue is here:
- `containerd/pkg/cri/server/image_pull.go`, line 337 in 1764ea9: `if len(paths) > 0 {`
- `containerd/pkg/cri/server/image_pull.go`, line 378 in 1764ea9: `} else if isLocalHost(host) && u.Scheme == "http" {`
### Steps to reproduce the issue
- Run a k8s w/ containerd setup
- Use this config:
  ```toml
  version = 2
  [plugins."io.containerd.grpc.v1.cri"]
    [plugins."io.containerd.grpc.v1.cri".registry]
      config_path = "/etc/containerd/certs.d"
  ```
- Run a pod with image `127.0.0.1:5000`. You will see in the logs that it fails to connect (because there is no registry there) and the URL is https://127.0.0.1:5000, not http://127.0.0.1:5000
### Describe the results you received and expected
With acorn we get:
```
Sep 13 00:53:58 aks-nodepool1-14481657-vmss000000 containerd[1153]: time="2022-09-13T00:53:58.817676889Z" level=info msg="trying next host" error="failed to do request: Head "https://127.0.0.1:31889/v2/acorn/acorn/blobs/sha256:438b33ad07ea40f5c8cbbbc893b0faa2ed204dafac880c73ae6359b8f20ce17a\": http: server gave HTTP response to HTTPS client" host="127.0.0.1:31889"
```
We should get success :)
### What version of containerd are you using?
containerd github.com/containerd/containerd 1.6.4+azure-4 212e8b6fa2f44b9c21b2798135fc6fb7c53efc16
### Any other relevant information
_No response_
### Show configuration if it is related to CRI plugin.
```toml
version = 2
oom_score = 0
[plugins."io.containerd.grpc.v1.cri"]
  sandbox_image = "mcr.microsoft.com/oss/kubernetes/pause:3.6"
  [plugins."io.containerd.grpc.v1.cri".containerd]
    default_runtime_name = "runc"
    [plugins."io.containerd.grpc.v1.cri".containerd.runtimes.runc]
      runtime_type = "io.containerd.runc.v2"
      [plugins."io.containerd.grpc.v1.cri".containerd.runtimes.runc.options]
        BinaryName = "/usr/bin/runc"
    [plugins."io.containerd.grpc.v1.cri".containerd.runtimes.untrusted]
      runtime_type = "io.containerd.runc.v2"
      [plugins."io.containerd.grpc.v1.cri".containerd.runtimes.untrusted.options]
        BinaryName = "/usr/bin/runc"
  [plugins."io.containerd.grpc.v1.cri".cni]
    bin_dir = "/opt/cni/bin"
    conf_dir = "/etc/cni/net.d"
    conf_template = "/etc/containerd/kubenet_template.conf"
  [plugins."io.containerd.grpc.v1.cri".registry]
    config_path = "/etc/containerd/certs.d"
    [plugins."io.containerd.grpc.v1.cri".registry.headers]
      X-Meta-Source-Client = ["azure/aks"]
[metrics]
  address = "0.0.0.0:10257"
```
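As an added example (not containerd's own code), the following Go model shows the two resolution paths the issue describes: without `config_path`, a loopback host falls back to plain http; with `config_path` set, that fallback is skipped and only a per-host `hosts.toml` under `<config_path>/<host>/hosts.toml` (containerd's hosts-directory layout) with a `server = "http://..."` line selects http, which is the per-registry way to keep a loopback registry working under this config. The function names other than `isLocalHost`, and the line scanner used in place of a TOML parser, are assumptions of this example.

```go
package main

import (
	"net"
	"os"
	"path/filepath"
	"strings"
)

// isLocalHost mirrors the check named in the issue: "localhost" or a loopback
// IP, with or without a port, is the condition for the legacy plain-http fallback.
func isLocalHost(host string) bool {
	if h, _, err := net.SplitHostPort(host); err == nil {
		host = h
	}
	ip := net.ParseIP(host)
	return host == "localhost" || (ip != nil && ip.IsLoopback())
}

// hostsTOMLScheme returns the scheme of the `server = "..."` line in
// <hostsDir>/<host>/hosts.toml (containerd's layout), or "" if absent. Line scanner, not a TOML parser.
func hostsTOMLScheme(hostsDir, host string) string {
	data, err := os.ReadFile(filepath.Join(hostsDir, host, "hosts.toml"))
	if err != nil {
		return ""
	}
	for _, line := range strings.Split(string(data), "\n") {
		k, v, ok := strings.Cut(line, "=")
		if ok && strings.TrimSpace(k) == "server" {
			scheme, _, _ := strings.Cut(strings.Trim(strings.TrimSpace(v), `"`), "://")
			return scheme
		}
	}
	return ""
}

// resolveScheme models the two CRI paths described in the issue: with config_path set,
// only a hosts.toml can select http; without it, a loopback host falls back to http.
func resolveScheme(host, hostsDir string) string {
	if hostsDir != "" {
		if s := hostsTOMLScheme(hostsDir, host); s != "" {
			return s
		}
		return "https" // reported behaviour: the localhost fallback is skipped
	}
	if isLocalHost(host) {
		return "http"
	}
	return "https"
}
```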