siderolabs · DmitriyMV · Nov 21, 2024
diff --git a/api/resource/definitions/registry/registry.proto b/api/resource/definitions/registry/registry.proto
@@ -0,0 +1,43 @@
+syntax = "proto3";
+
+package talos.resource.definitions.registry;
+
+option go_package = "github.com/siderolabs/talos/pkg/machinery/api/resource/definitions/registry";
+option java_package = "dev.talos.api.resource.definitions.registry";
+
+import "common/common.proto";
+
+// AuthConfig specifies authentication configuration for a registry.
+message AuthConfig {
+  string registry_username = 1;
+  string registry_password = 2;
+  string registry_auth = 3;
+  string registry_identity_token = 4;
+}
+
+// Config specifies auth & TLS config per registry.
+message Config {
+  TLSConfig registry_tls = 1;
+  AuthConfig registry_auth = 2;
+}
+
+// MirrorConfig represents mirror configuration for a registry.
+message MirrorConfig {
+  repeated string mirror_endpoints = 1;
+  bool mirror_override_path = 2;
+  bool mirror_skip_fallback = 3;
+}
+
+// RegistriesSpecSpec describes status of rendered secrets.
+message RegistriesSpecSpec {
+  map<string, MirrorConfig> registry_mirrors = 1;
+  map<string, Config> registry_config = 2;
+}
+
+// TLSConfig specifies TLS config for HTTPS registries.
+message TLSConfig {
+  common.PEMEncodedCertificateAndKey tls_client_identity = 1;
+  bytes tlsca = 2;
+  bool tls_insecure_skip_verify = 3;
+}
+
diff --git a/hack/structprotogen/proto/proto.go b/hack/structprotogen/proto/proto.go
@@ -396,6 +396,12 @@ func formatTypeName(fieldTypePkg string, fieldType string, declPkg string) (stri
 		return commoProto, "common.PEMEncodedCertificate"
 	case typeData{"github.com/siderolabs/talos/pkg/machinery/cel", "Expression"}:
 		return "google/api/expr/v1alpha1/checked.proto", "google.api.expr.v1alpha1.CheckedExpr"
+	case typeData{"github.com/siderolabs/talos/pkg/machinery/resources/registry", "MirrorConfig"}:
+		// This is a hack, but I (Dmitry) don't have enough patience to figure out why we don't support complex maps
+		return "resource/definitions/registry/registry.proto", "talos.resource.definitions.registry.MirrorConfig"
+	case typeData{"github.com/siderolabs/talos/pkg/machinery/resources/registry", "Config"}:
+		// This is a hack, but I (Dmitry) don't have enough patience to figure out why we don't support complex maps
+		return "resource/definitions/registry/registry.proto", "talos.resource.definitions.registry.Config"
 	default:
 		return "", ""
 	}

diff --git a/internal/app/machined/pkg/controllers/files/cri_registry_config.go b/internal/app/machined/pkg/controllers/files/cri_registry_config.go
@@ -24,6 +24,7 @@ import (
 	"github.com/siderolabs/talos/pkg/machinery/constants"
 	"github.com/siderolabs/talos/pkg/machinery/resources/config"
 	"github.com/siderolabs/talos/pkg/machinery/resources/files"
+	"github.com/siderolabs/talos/pkg/machinery/resources/registry"
 )
 
 // CRIRegistryConfigController generates parts of the CRI config for registry configuration.
@@ -88,23 +89,23 @@ func (ctrl *CRIRegistryConfigController) Run(ctx context.Context, r controller.R
 		case <-r.EventCh():
 		}
 
-		cfg, err := safe.ReaderGetByID[*config.MachineConfig](ctx, r, config.V1Alpha1ID)
+		cfg, err := safe.ReaderGetByID[*registry.RegistriesSpec](ctx, r, registry.RegistriesID)
 		if err != nil && !state.IsNotFoundError(err) {
-			return fmt.Errorf("error getting config: %w", err)
+			return fmt.Errorf("error getting registries config: %w", err)
 		}
 
 		var (
 			criRegistryContents []byte
 			criHosts            *containerd.HostsConfig
 		)
 
-		if cfg != nil && cfg.Config().Machine() != nil {
-			criRegistryContents, err = containerd.GenerateCRIConfig(cfg.Config().Machine().Registries())
+		if cfg != nil {
+			criRegistryContents, err = containerd.GenerateCRIConfig(cfg.TypedSpec())
 			if err != nil {
 				return err
 			}
 
-			criHosts, err = containerd.GenerateHosts(cfg.Config().Machine().Registries(), basePath)
+			criHosts, err = containerd.GenerateHosts(cfg.TypedSpec(), basePath)
 			if err != nil {
 				return err
 			}

diff --git a/internal/app/machined/pkg/controllers/registry/registry.go b/internal/app/machined/pkg/controllers/registry/registry.go
@@ -0,0 +1,86 @@
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this
+// file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+// Package registry provides controllers for registry configuration.
+package registry
+
+import (
+	"context"
+
+	"github.com/cosi-project/runtime/pkg/controller"
+	"github.com/cosi-project/runtime/pkg/controller/generic/transform"
+	"github.com/siderolabs/gen/optional"
+	"go.uber.org/zap"
+
+	"github.com/siderolabs/talos/pkg/machinery/resources/config"
+	"github.com/siderolabs/talos/pkg/machinery/resources/registry"
+)
+
+// ConfigController watches v1alpha1.Config, updates registry.RegistriesSpec.
+type ConfigController = transform.Controller[*config.MachineConfig, *registry.RegistriesSpec]
+
+// NewConfigController instanciates the config controller.
+func NewConfigController() *ConfigController {
+	return transform.NewController(
+		transform.Settings[*config.MachineConfig, *registry.RegistriesSpec]{
+			Name: "registry.ConfigController",
+			MapMetadataOptionalFunc: func(cfg *config.MachineConfig) optional.Optional[*registry.RegistriesSpec] {
+				if cfg.Metadata().ID() != config.V1Alpha1ID {
+					return optional.None[*registry.RegistriesSpec]()
+				}
+
+				if cfg.Config().Machine() == nil {
+					return optional.None[*registry.RegistriesSpec]()
+				}
+
+				return optional.Some(registry.NewRegistriesSpec())
+			},
+			TransformFunc: func(ctx context.Context, r controller.Reader, logger *zap.Logger, cfg *config.MachineConfig, res *registry.RegistriesSpec) error {
+				spec := res.TypedSpec()
+
+				if cfg != nil && cfg.Config().Machine() != nil {
+					clear(spec.RegistryConfig)
+					clear(spec.RegistryMirrors)
+
+					// I have no idea how to bypass `RawV1Alpha1` since I need original types and not interfaces.
+					mr := cfg.Provider().RawV1Alpha1().MachineConfig.MachineRegistries
+
+					for k, v := range mr.RegistryConfig {
+						if spec.RegistryConfig == nil {
+							spec.RegistryConfig = make(map[string]*registry.Config, len(mr.RegistryConfig))
+						}
+
+						spec.RegistryConfig[k] = &registry.Config{
+							RegistryTLS: &registry.TLSConfig{
+								TLSClientIdentity:     v.RegistryTLS.TLSClientIdentity,
+								TLSCA:                 v.RegistryTLS.TLSCA,
+								TLSInsecureSkipVerify: v.RegistryTLS.TLSInsecureSkipVerify,
+							},
+							RegistryAuth: &registry.AuthConfig{
+								RegistryUsername:      v.RegistryAuth.RegistryUsername,
+								RegistryPassword:      v.RegistryAuth.RegistryPassword,
+								RegistryAuth:          v.RegistryAuth.RegistryAuth,
+								RegistryIdentityToken: v.RegistryAuth.RegistryIdentityToken,
+							},
+						}
+					}
+
+					for k, v := range mr.RegistryMirrors {
+						if spec.RegistryMirrors == nil {
+							spec.RegistryMirrors = make(map[string]*registry.MirrorConfig, len(mr.RegistryMirrors))
+						}
+
+						spec.RegistryMirrors[k] = &registry.MirrorConfig{
+							MirrorEndpoints:    v.MirrorEndpoints,
+							MirrorOverridePath: v.MirrorOverridePath,
+							MirrorSkipFallback: v.MirrorSkipFallback,
+						}
+					}
+				}
+
+				return nil
+			},
+		},
+	)
+}
diff --git a/internal/app/machined/pkg/runtime/v1alpha2/v1alpha2_controller.go b/internal/app/machined/pkg/runtime/v1alpha2/v1alpha2_controller.go
@@ -32,6 +32,7 @@ import (
 	"github.com/siderolabs/talos/internal/app/machined/pkg/controllers/kubespan"
 	"github.com/siderolabs/talos/internal/app/machined/pkg/controllers/network"
 	"github.com/siderolabs/talos/internal/app/machined/pkg/controllers/perf"
+	"github.com/siderolabs/talos/internal/app/machined/pkg/controllers/registry"
 	runtimecontrollers "github.com/siderolabs/talos/internal/app/machined/pkg/controllers/runtime"
 	"github.com/siderolabs/talos/internal/app/machined/pkg/controllers/secrets"
 	"github.com/siderolabs/talos/internal/app/machined/pkg/controllers/siderolink"
@@ -278,6 +279,7 @@ func (ctrl *Controller) Run(ctx context.Context, drainer *runtime.Drainer) error
 		&network.TimeServerMergeController{},
 		&network.TimeServerSpecController{},
 		&perf.StatsController{},
+		registry.NewConfigController(),
 		&runtimecontrollers.CRIImageGCController{},
 		&runtimecontrollers.DevicesStatusController{
 			V1Alpha1Mode: ctrl.v1alpha1Runtime.State().Platform().Mode(),

diff --git a/internal/app/machined/pkg/runtime/v1alpha2/v1alpha2_state.go b/internal/app/machined/pkg/runtime/v1alpha2/v1alpha2_state.go
@@ -26,6 +26,7 @@ import (
 	"github.com/siderolabs/talos/pkg/machinery/resources/kubespan"
 	"github.com/siderolabs/talos/pkg/machinery/resources/network"
 	"github.com/siderolabs/talos/pkg/machinery/resources/perf"
+	criregistry "github.com/siderolabs/talos/pkg/machinery/resources/registry"
 	"github.com/siderolabs/talos/pkg/machinery/resources/runtime"
 	"github.com/siderolabs/talos/pkg/machinery/resources/secrets"
 	"github.com/siderolabs/talos/pkg/machinery/resources/siderolink"
@@ -186,6 +187,7 @@ func NewState() (*State, error) {
 		&network.TimeServerSpec{},
 		&perf.CPU{},
 		&perf.Memory{},
+		&criregistry.RegistriesSpec{},
 		&runtime.DevicesStatus{},
 		&runtime.Diagnostic{},
 		&runtime.EventSinkConfig{},