docs(air-gapped): improve registry mirrors for tenant Kubernetes (#461)
## Summary
- Clarify that tenant control plane (Kamaji) uses management cluster's
registry mirrors automatically, and only worker nodes need separate
configuration
- Add Option A showing how to configure registry mirrors via the
platform Package CR
- Add collapsible section with `kubectl patch` alternative for existing
deployments
- Add authentication example for containerd TOML configuration
- Add "How it works" section explaining the secret distribution
mechanism
- Fix per-cluster secret naming to match actual code
(`kubernetes-<cluster-name>-patch-containerd`)
## Test plan
- [x] Verify the page renders correctly with Hugo
- [x] Verify the collapsible `<details>` section renders properly with
code block inside
- [x] Verify all internal links work
(#2-configure-container-registry-mirrors anchor)
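The secret layout this PR documents, as an added Python example that is not code from the Cozystack project or from this PR: it renders containerd `certs.d` `hosts.toml` mirror files (containerd's documented layout, including the `header` table used for a Basic-auth mirror) and wraps them in a Secret named per the `kubernetes-<cluster-name>-patch-containerd` convention the PR fixes, plus a check for the precedence rule the PR adds. The mirror host, the credentials, and the assumption that each Secret data key is an upstream registry name holding one `hosts.toml` body are constructed for this example.

```python
import base64
import json

# Constructed sample input: upstream registry -> mirror settings for one tenant.
# Host names and credentials are placeholders, not values from the Cozystack docs.
MIRRORS = {
    "docker.io": {
        "upstream": "https://registry-1.docker.io",
        "mirror": "https://mirror.internal:5000",
        "username": "puller",
        "password": "s3cret",
    },
    "ghcr.io": {
        "upstream": "https://ghcr.io",
        "mirror": "https://mirror.internal:5000",
    },
}


def render_hosts_toml(entry: dict) -> str:
    """Render one containerd hosts.toml (the file mounted under /etc/containerd/certs.d/<registry>/).

    `server` names the upstream, each `[host."<mirror>"]` table lists a mirror with its
    capabilities, and the optional `.header` table carries an Authorization header.
    """
    mirror = entry["mirror"]
    lines = [f'server = "{entry["upstream"]}"', "", f'[host."{mirror}"]',
             '  capabilities = ["pull", "resolve"]']
    if "username" in entry:
        # Basic auth is only base64 of user:password; anyone who can read the Secret
        # that carries this file can recover the mirror credentials.
        token = base64.b64encode(f'{entry["username"]}:{entry["password"]}'.encode()).decode()
        lines += [f'  [host."{mirror}".header]', f'    Authorization = ["Basic {token}"]']
    return "\n".join(lines) + "\n"


def secret_name(cluster_name: str) -> str:
    """Per-cluster secret name documented by the PR: kubernetes-<cluster-name>-patch-containerd."""
    return f"kubernetes-{cluster_name}-patch-containerd"


def build_secret(cluster_name: str, namespace: str, mirrors: dict) -> dict:
    """Build the per-cluster Secret manifest in the tenant cluster namespace.

    ASSUMPTION (hypothetical key layout): each data key is the upstream registry host and
    its value is the base64-encoded hosts.toml body for that registry.
    """
    data = {reg: base64.b64encode(render_hosts_toml(e).encode()).decode()
            for reg, e in mirrors.items()}
    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "metadata": {"name": secret_name(cluster_name), "namespace": namespace},
        "type": "Opaque",
        "data": data,
    }


def global_secret_shadows_per_cluster(cozy_system_secret_names: list) -> bool:
    """Precedence rule from the PR: if the global `patch-containerd` secret exists in
    cozy-system, per-cluster secrets are ignored, so deployments relying on them should
    check for it first (e.g. `kubectl get secret -n cozy-system -o name`)."""
    return "patch-containerd" in cozy_system_secret_names


if __name__ == "__main__":
    print(render_hosts_toml(MIRRORS["docker.io"]))
    print(json.dumps(build_secret("tenant-a", "tenant-a", MIRRORS), indent=2))
    # Constructed listing of secret names found in cozy-system.
    print(global_secret_shadows_per_cluster(["patch-containerd", "cozystack-values"]))
```

The rendered `hosts.toml` makes the risk the PR's copying mechanism implies concrete: the `Authorization` header is base64, not encryption, so whoever can read Secrets in a namespace that receives the file holds the mirror credentials. Credentials shared by every tenant belong in the global secret; tenant-specific ones belong in the per-cluster secret, after confirming the global one is absent.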
## Summary by CodeRabbit
* **Documentation**
* Clarified air-gapped Kubernetes install flow: control planes inherit
registry mirrors automatically; worker nodes require separate mirror
configuration.
* Added two supported approaches for configuring worker node mirrors,
including an alternate method to patch an existing platform deployment.
* Documented authenticated mirror registry options and use of image pull
secrets.
* Added per-cluster mirror override support and precedence rules when
both global and per-cluster configs exist.
It's possible to configure registry mirrors for a particular tenant Kubernetes cluster:
356
+
The `patch-containerd` secret from the `cozy-system` namespace is automatically copied
357
+
to every tenant Kubernetes cluster namespace during deployment.
358
+
The secret data is mounted into worker node VMs as containerd registry configuration files
359
+
at `/etc/containerd/certs.d/<registry>/hosts.toml`.
214
360
215
-
- The tenant cluster must be deployed with a Kubernetes package version 0.23.1 or later, which is available since Cozystack 0.32.1.
216
-
- Before deploying the tenant cluster, create a Kubernetes Secret named `kubernetes-<cluster name>` with the same contents as shown above.
361
+
### Per-cluster configuration
362
+
363
+
It is possible to configure registry mirrors for a particular tenant Kubernetes cluster
364
+
instead of using the global `patch-containerd` secret:
365
+
366
+
- The tenant cluster must be deployed with a Kubernetes package version 0.23.1 or later, which is available since Cozystack 0.32.1.
367
+
- Before deploying the tenant cluster, create a Kubernetes Secret named `kubernetes-<cluster-name>-patch-containerd` in the tenant cluster namespace, using the same format as the examples above.
368
+
369
+
{{% alert color="warning" %}}
370
+
**Important:** If both the global `patch-containerd` secret and a per-cluster secret exist, the global secret takes precedence and the per-cluster secret is ignored. To use a per-cluster configuration, ensure that the global `patch-containerd` secret in the `cozy-system` namespace is not present.
371
+
{{% /alert %}}
217
372
218
373
To learn more about registry configuration values, read the [CRI Plugin configuration guide](
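Review bot: the warning added at new lines 369-371 states that the global `patch-containerd` secret wins and a per-cluster secret is silently ignored, which contradicts the "per-cluster mirror override" wording in the release-notes summary and gives readers no way to tell which configuration is in effect; please confirm the precedence against the code and add a check such as `kubectl get secret patch-containerd -n cozy-system` before the per-cluster steps. Since new lines 356-359 state that the global secret is copied into every tenant cluster namespace and mounted as `hosts.toml`, the same section should also say that any credentials placed in the global secret (the authenticated-mirror example this PR adds) become readable in each tenant namespace, so tenant-specific credentials belong in the per-cluster `kubernetes-<cluster-name>-patch-containerd` secret instead.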