add containerd config_path

Signed-off-by: rongfu.leng <rongfu.leng@daocloud.io>

roles/container-engine/containerd/tasks/main.yml

@@ -56,6 +56,15 @@
     - containerd-shim-runc-v2
     - ctr
 
+- name: containerd ｜ Create certs.d directories
+  file:
+    path: "{{ containerd_cfg_dir }}/{{ item }}"
+    state: directory
+    mode: 0755
+  with_items:
+    - certs.d
+  run_once: true
+
 - name: containerd | Generate systemd service for containerd
   template:
     src: containerd.service.j2
@@ -111,6 +120,27 @@
     mode: 0640
   notify: restart containerd
 
+- name: containerd ｜ Create registry directories
+  file:
+    path: "{{ containerd_cfg_dir }}/certs.d/{{ item }}"
+    state: directory
+    mode: 0755
+  with_items: "{{ containerd_insecure_registries }}"
+  run_once: true
+
+- name: containerd ｜ Write hosts.toml file
+  blockinfile:
+    path: "{{ containerd_cfg_dir }}/certs.d/{{ item }}/hosts.toml"
+    owner: "root"
+    mode: 0640
+    create: true
+    block: |
+      server = "https://{{ item }}"
+      [host."https://{{ item }}"]
+        capabilities = ["pull", "resolve", "push"]
+        skip_verify = true
+  with_items: "{{ containerd_insecure_registries }}"
+
 # you can sometimes end up in a state where everything is installed
 # but containerd was not started / enabled
 - name: containerd | Flush handlers

roles/container-engine/containerd/templates/config.toml.j2

@@ -47,6 +47,7 @@ oom_score = {{ containerd_oom_score }}
           runtime_type = "io.containerd.runsc.v1"
 {% endif %}
     [plugins."io.containerd.grpc.v1.cri".registry]
+      config_path = "{{ containerd_cfg_dir }}/certs.d"
       [plugins."io.containerd.grpc.v1.cri".registry.mirrors]
 {% for registry, addr in containerd_registries.items() %}
         [plugins."io.containerd.grpc.v1.cri".registry.mirrors."{{ registry }}"]