add upstream fallback to containerd registry mirrors

When the pull-through proxy (10.0.20.10) is down, containerd now falls
back to the official upstream registries (registry-1.docker.io, ghcr.io)
instead of failing. Also cleans up stale disabled registry mirror dirs
and removes unnecessary containerd restart from the rollout script.

scripts/setup_containerd_mirrors.sh

@@ -36,30 +36,19 @@ fi
 
 echo "=== Creating hosts.toml files ==="
 
-# docker.io (Docker Hub)
+# docker.io (Docker Hub) — proxy first, upstream fallback
 mkdir -p "$CERTS_DIR/docker.io"
-printf 'server = "https://registry-1.docker.io"\n\n[host."http://10.0.20.10:5000"]\n  capabilities = ["pull", "resolve"]\n' > "$CERTS_DIR/docker.io/hosts.toml"
+printf 'server = "https://registry-1.docker.io"\n\n[host."http://10.0.20.10:5000"]\n  capabilities = ["pull", "resolve"]\n\n[host."https://registry-1.docker.io"]\n  capabilities = ["pull", "resolve"]\n' > "$CERTS_DIR/docker.io/hosts.toml"
 
-# ghcr.io
+# ghcr.io — proxy first, upstream fallback
 mkdir -p "$CERTS_DIR/ghcr.io"
-printf 'server = "https://ghcr.io"\n\n[host."http://10.0.20.10:5010"]\n  capabilities = ["pull", "resolve"]\n' > "$CERTS_DIR/ghcr.io/hosts.toml"
+printf 'server = "https://ghcr.io"\n\n[host."http://10.0.20.10:5010"]\n  capabilities = ["pull", "resolve"]\n\n[host."https://ghcr.io"]\n  capabilities = ["pull", "resolve"]\n' > "$CERTS_DIR/ghcr.io/hosts.toml"
 
-# quay.io
-mkdir -p "$CERTS_DIR/quay.io"
-printf 'server = "https://quay.io"\n\n[host."http://10.0.20.10:5020"]\n  capabilities = ["pull", "resolve"]\n' > "$CERTS_DIR/quay.io/hosts.toml"
+# Low-traffic registries (quay.io, registry.k8s.io, reg.kyverno.io) pull directly — no proxy.
+# Remove stale hosts.toml from previous config if present.
+rm -f "$CERTS_DIR/quay.io/hosts.toml" "$CERTS_DIR/registry.k8s.io/hosts.toml" "$CERTS_DIR/reg.kyverno.io/hosts.toml"
+rmdir "$CERTS_DIR/quay.io" "$CERTS_DIR/registry.k8s.io" "$CERTS_DIR/reg.kyverno.io" 2>/dev/null || true
 
-# registry.k8s.io
-mkdir -p "$CERTS_DIR/registry.k8s.io"
-printf 'server = "https://registry.k8s.io"\n\n[host."http://10.0.20.10:5030"]\n  capabilities = ["pull", "resolve"]\n' > "$CERTS_DIR/registry.k8s.io/hosts.toml"
-
-# reg.kyverno.io
-mkdir -p "$CERTS_DIR/reg.kyverno.io"
-printf 'server = "https://reg.kyverno.io"\n\n[host."http://10.0.20.10:5040"]\n  capabilities = ["pull", "resolve"]\n' > "$CERTS_DIR/reg.kyverno.io/hosts.toml"
-
-echo "=== Restarting containerd ==="
-systemctl restart containerd
-
-echo "=== Verifying containerd is running ==="
-systemctl is-active containerd
+# No containerd restart needed — hosts.toml is re-read on each pull
 
 echo "=== Done ==="

stacks/infra/main.tf

@@ -69,11 +69,11 @@ module "k8s-node-template" {
 
   # Create hosts.toml for docker.io (Docker Hub) — high traffic, rate-limited
   mkdir -p /etc/containerd/certs.d/docker.io
-  printf 'server = "https://registry-1.docker.io"\n\n[host."http://10.0.20.10:5000"]\n  capabilities = ["pull", "resolve"]\n' > /etc/containerd/certs.d/docker.io/hosts.toml
+  printf 'server = "https://registry-1.docker.io"\n\n[host."http://10.0.20.10:5000"]\n  capabilities = ["pull", "resolve"]\n\n[host."https://registry-1.docker.io"]\n  capabilities = ["pull", "resolve"]\n' > /etc/containerd/certs.d/docker.io/hosts.toml
 
   # Create hosts.toml for ghcr.io — medium traffic
   mkdir -p /etc/containerd/certs.d/ghcr.io
-  printf 'server = "https://ghcr.io"\n\n[host."http://10.0.20.10:5010"]\n  capabilities = ["pull", "resolve"]\n' > /etc/containerd/certs.d/ghcr.io/hosts.toml
+  printf 'server = "https://ghcr.io"\n\n[host."http://10.0.20.10:5010"]\n  capabilities = ["pull", "resolve"]\n\n[host."https://ghcr.io"]\n  capabilities = ["pull", "resolve"]\n' > /etc/containerd/certs.d/ghcr.io/hosts.toml
 
   # Create hosts.toml for private registry — both IP and hostname entries
   # IP-based (10.0.20.10:5050): direct access, skip TLS verify (wildcard cert, no IP SAN)