@@ -116,7 +116,7 @@ func (h *imageRegistriesPatchHandler) Mutate(
116116 }
117117
118118 if globalMirrorErr == nil {
119- mirrorCredentials , generateErr := mirrorConfigFromGlobalImageRegistryMirror (
119+ mirrorCredentials , generateErr := mirrorWithOptionalCredentialsFromGlobalImageRegistryMirror (
120120 ctx ,
121121 h .client ,
122122 globalMirror ,
@@ -332,12 +332,13 @@ func registryWithOptionalCredentialsFromImageRegistryCredentials(
332332 if secret != nil {
333333 registryWithOptionalCredentials .Username = string (secret .Data ["username" ])
334334 registryWithOptionalCredentials .Password = string (secret .Data ["password" ])
335+ registryWithOptionalCredentials .HasCACert = secretHasCACert (secret )
335336 }
336337
337338 return registryWithOptionalCredentials , nil
338339}
339340
340- func mirrorConfigFromGlobalImageRegistryMirror (
341+ func mirrorWithOptionalCredentialsFromGlobalImageRegistryMirror (
341342 ctx context.Context ,
342343 c ctrlclient.Client ,
343344 mirror v1alpha1.GlobalImageRegistryMirror ,
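Review bot: `secretHasCACert` is defined outside these hunks, and the `HasCACert` flag it sets here (and in the identical assignment in the mirror function's hunk below) is later used to excuse missing credentials, so it should be true only when the secret's CA entry is non-empty. If the helper only tests that the key is present, a secret with an empty CA value would suppress `ErrCredentialsNotFound` for a registry whose username and password were forgotten. Confirm that the helper checks the length of the value, and add a one-line doc comment on it saying so. The enclosing function starts above this hunk.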
@@ -365,6 +366,7 @@ func mirrorConfigFromGlobalImageRegistryMirror(
365366 if secret != nil {
366367 mirrorCredentials .Username = string (secret .Data ["username" ])
367368 mirrorCredentials .Password = string (secret .Data ["password" ])
369+ mirrorCredentials .HasCACert = secretHasCACert (secret )
368370 }
369371
370372 return mirrorCredentials , nil
@@ -438,12 +440,14 @@ func createSecretIfNeeded(
438440// This handler reads input from two user provided variables: globalImageRegistryMirror and imageRegistries.
439441// We expect if imageRegistries is set it will either have static credentials
440442// or be for a registry where the credential plugin returns the credentials, ie ECR, GCR, ACR, etc,
443+ // or have no credentials set but to contain a CA cert,
441444// and if that is not the case we assume the users missed setting static credentials and return an error.
442445// However, in addition to passing credentials with the globalImageRegistryMirror variable,
443446// it can also be used to only set Containerd mirror configuration,
444447// in that case it valid for static credentials to not be set and will return false, no error
445448// and this handler will skip generating any credential plugin related configuration.
446449func needImageRegistryCredentialsConfiguration (configs []providerConfig ) (bool , error ) {
450+ var needConfiguration bool
447451 for _ , config := range configs {
448452 requiresStaticCredentials , err := config .requiresStaticCredentials ()
449453 if err != nil {
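Review bot: The doc comment no longer matches when the function returns false: with the `needConfiguration` accumulator the result is false whenever every entry is a credential-less mirror or a CA-cert-only registry, not only when a lone mirror is passed. The added line `// or have no credentials set but to contain a CA cert,` is also hard to parse; `// or have no credentials but carry a CA certificate,` reads better. A closing sentence such as `// Returns true if at least one config needs credential plugin configuration.` would state the contract explicitly. The function body continues past this hunk.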
@@ -452,17 +456,16 @@ func needImageRegistryCredentialsConfiguration(configs []providerConfig) (bool,
452456 }
453457 // verify the credentials are actually set if the plugin requires static credentials
454458 if config .isCredentialsEmpty () && requiresStaticCredentials {
455- // not setting credentials for a mirror is valid
456- // but if it's the only configuration then return false here and exit the handler early
457- if config .Mirror {
458- if len (configs ) == 1 {
459- return false , nil
460- }
461- } else {
462- return false , fmt .Errorf ("invalid image registry: %s: %w" , config .URL , ErrCredentialsNotFound )
459+ if config .Mirror || config .HasCACert {
460+ // not setting credentials for a mirror is valid
461+ // not setting credentials for a registry with a CA cert is valid
462+ continue
463463 }
464+ return false , fmt .Errorf ("invalid image registry: %s: %w" , config .URL , ErrCredentialsNotFound )
465+
464466 }
467+ needConfiguration = true
465468 }
466469
467- return true , nil
470+ return needConfiguration , nil
468471}
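Review bot: The `config.Mirror || config.HasCACert` branch means a private registry that needs both a custom CA and a login no longer gets `ErrCredentialsNotFound` when the username and password are forgotten; the mistake would presumably surface only later, as image pull failures on the nodes. If that trade-off is intended, say so in the branch comment, e.g. `// a CA-cert-only registry is assumed to allow anonymous pulls; missing credentials are not detected here`. There is also a stray blank line before the closing brace of the outer `if` block, which formatters such as gofumpt will flag.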