File this under things that should not be this complicated.
I am being rate limited by Docker Hub due to unauthenticated requests. I want to use my docker login / authentication to get a higher limit.
Containerd cannot use the plaintext credentials directly from $HOME/.docker/config.json.
There is conflicting guidance online, and how this works differs across versions 1 and 2 of containerd itself as well as versions 2 and 3 of the toml configuration.
Executive summary:
If you are interacting with a registry that uses the bearer token auth flow (like Docker Hub), you cannot use the 'new' /etc/containerd/certs.d/docker.io/hosts.toml for authentication.
This will not work for Docker Hub:
server = "https://docker.io"
[host."https://registry-1.docker.io"]
capabilities = ["pull", "resolve"]
[host."https://registry-1.docker.io".header]
Authorization = "Basic BASE64_OF_USERNAME_COLON_TOKEN"
This is despite multiple places saying it is the new way forward. For custom registries that accept a static header, this probably does work.
This warning is listed prominently in the documentation:
NOTE: registry.configs.*.auth is DEPRECATED and will NOT have an equivalent way to store unencrypted secrets in the host configuration files. However, it will not be removed until a suitable secret management alternative is available as a plugin. It remains supported in 1.x releases, including the 1.6 LTS release.
Which is not true when read literally. The new hosts files do have mechanisms to store plaintext credentials and pass them along, just not in the same way that registry.configs did, which is a massive distinction that is not written down anywhere.
The correct way to use existing docker authentication for containerd version 2 / toml version 3 is:
[plugins."io.containerd.cri.v1.images".registry.configs."registry-1.docker.io".auth]
auth = "BASE64_OF_USERNAME_COLON_TOKEN"
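The manual step the post leaves implicit is getting that base64 value out of $HOME/.docker/config.json and into the containerd block without retyping it. The script below is an added example and not part of the original post or of containerd/Docker: it reads the Docker Hub entry (Docker stores it under the key "https://index.docker.io/v1/"), checks that it really decodes to username:password, and renders the containerd 2 / config version 3 block shown above for registry-1.docker.io. The sample config.json and its token are constructed; the function names are this example's own. It also handles the case where config.json holds no secret at all because a credential helper (credsStore / credHelpers) is in use, which is a common reason the copy-paste approach silently fails.

```python
import base64
import json
import os
from pathlib import Path
from typing import Optional

# Key Docker writes for Docker Hub in ~/.docker/config.json.
DOCKER_HUB_KEY = "https://index.docker.io/v1/"
# Host containerd actually talks to for Docker Hub pulls, as used in the post.
CONTAINERD_HOST = "registry-1.docker.io"

# Constructed sample standing in for $HOME/.docker/config.json; the token is made up.
SAMPLE_AUTH = base64.b64encode(b"user:dckr_pat_example").decode()
SAMPLE_CONFIG_JSON = json.dumps({"auths": {DOCKER_HUB_KEY: {"auth": SAMPLE_AUTH}}})


def credential_helper_for_hub(cfg: dict) -> Optional[str]:
    """Name of the credential helper holding Docker Hub creds, or None if stored inline."""
    return cfg.get("credHelpers", {}).get(DOCKER_HUB_KEY) or cfg.get("credsStore")


def extract_hub_auth(config_json: str) -> str:
    """Return the base64 'username:password' value Docker stored for Docker Hub.

    Raises ValueError when the entry is missing, or when the credentials live in a
    credential helper, in which case config.json holds no secret to copy.
    """
    cfg = json.loads(config_json)
    auth = cfg.get("auths", {}).get(DOCKER_HUB_KEY, {}).get("auth")
    if not auth:
        helper = credential_helper_for_hub(cfg)
        if helper:
            raise ValueError(
                f"Docker Hub credentials are held by credential helper '{helper}', "
                "not in config.json; export them from the helper first"
            )
        raise ValueError("no Docker Hub entry in config.json; run 'docker login' first")
    # Sanity check: containerd expects base64 of 'username:password' in this field.
    decoded = base64.b64decode(auth, validate=True).decode()
    if ":" not in decoded:
        raise ValueError("auth entry does not decode to 'username:password'")
    return auth


def render_containerd_auth(auth: str, host: str = CONTAINERD_HOST) -> str:
    """Render the containerd 2.x / config version 3 registry auth block from the post."""
    return (
        f'[plugins."io.containerd.cri.v1.images".registry.configs."{host}".auth]\n'
        f'  auth = "{auth}"\n'
    )


def write_secret_file(path: Path, text: str) -> None:
    """Write the rendered block with mode 0600, since it contains a plaintext secret."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(text)


if __name__ == "__main__":
    docker_cfg = Path.home() / ".docker" / "config.json"
    config_json = docker_cfg.read_text() if docker_cfg.exists() else SAMPLE_CONFIG_JSON
    # Prints the block to paste into /etc/containerd/config.toml (or pass to write_secret_file).
    print(render_containerd_auth(extract_hub_auth(config_json)))
```

Run it on a machine where docker login has already succeeded and it prints the block to drop into the containerd config; if it reports a credential helper instead, the secret was never written to config.json, so there is nothing in that file to copy. Because the resulting toml carries the token in clear, write_secret_file creates it with mode 0600 rather than relying on whatever umask the shell happens to have.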