From c6bdc387762136b510cafbb65da3167d9104f577 Mon Sep 17 00:00:00 2001
From: Mathieu Parent <mathieu.parent@insee.fr>
Date: Mon, 29 Apr 2024 14:41:47 +0200
Subject: [PATCH] containerd: allow to configure fallback server (#10988)

Also nerdctl limitation is now removed as we use /etc/containerd/certs.d/
---
 docs/containerd.md                              | 17 ++++++++++++-----
 .../containerd/templates/hosts.toml.j2          |  2 +-
 2 files changed, 13 insertions(+), 6 deletions(-)

diff --git a/docs/containerd.md b/docs/containerd.md
index c9d18051a..9fd03bf25 100644
--- a/docs/containerd.md
+++ b/docs/containerd.md
@@ -35,13 +35,20 @@ containerd_registries_mirrors:
         skip_verify: false
 ```
 
-`containerd_registries_mirrors` is ignored for pulling images when `image_command_tool=nerdctl`
-(the default for `container_manager=containerd`). Use `crictl` instead, it supports
-`containerd_registries_mirrors` but lacks proper multi-arch support (see
-[#8375](https://github.com/kubernetes-sigs/kubespray/issues/8375)):
+containerd falls back to `https://{{ prefix }}` when none of the mirrors have the image.
+This can be changed with the [`server` field](https://github.com/containerd/containerd/blob/main/docs/hosts.md#server-field):
 
 ```yaml
-image_command_tool: crictl
+containerd_registries_mirrors:
+  - prefix: docker.io
+    mirrors:
+      - host: https://mirror.gcr.io
+        capabilities: ["pull", "resolve"]
+        skip_verify: false
+      - host: https://registry-1.docker.io
+        capabilities: ["pull", "resolve"]
+        skip_verify: false
+    server: https://mirror.example.org
 ```
 
 The `containerd_registries` and `containerd_insecure_registries` configs are deprecated.
diff --git a/roles/container-engine/containerd/templates/hosts.toml.j2 b/roles/container-engine/containerd/templates/hosts.toml.j2
index ea003ed44..ef63ff17a 100644
--- a/roles/container-engine/containerd/templates/hosts.toml.j2
+++ b/roles/container-engine/containerd/templates/hosts.toml.j2
@@ -1,4 +1,4 @@
-server = "https://{{ item.prefix }}"
+server = "{{ item.server | default("https://" + item.prefix) }}"
 {% for mirror in item.mirrors %}
 [host."{{ mirror.host }}"]
   capabilities = ["{{ ([ mirror.capabilities ] | flatten ) | join('","') }}"]