container-registry: add target image TLS integration

Install CA certificates and registry configuration into target images
so they can pull from the secure registry at runtime.

docker-registry-config.bb: When CONTAINER_REGISTRY_SECURE=1, install
the CA cert to /etc/docker/certs.d/{host}/ca.crt instead of adding
insecure-registries to daemon.json. Translates localhost/127.0.0.1 to
10.0.2.2 for QEMU targets where the host registry is accessed via
slirp networking.

container-oci-registry-config.bb: Same secure mode support for
podman/CRI-O with insecure=false in registries.conf.

container-registry-ca.bb: New recipe that installs the CA certificate
to Docker, podman/CRI-O, and system trust store paths on the target.

container-cross-install.bbclass: Auto-add docker-registry-config or
container-oci-registry-config to IMAGE_INSTALL when
CONTAINER_REGISTRY_SECURE=1, based on the configured container engine.

Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>

1 files changed, 10 insertions, 0 deletions

diff --git a/classes/container-cross-install.bbclass b/classes/container-cross-install.bbclass
index bb2547e0..2ae25d9b 100644
--- a/classes/container-cross-install.bbclass
+++ b/classes/container-cross-install.bbclass
@@ -183,6 +183,16 @@ python __anonymous() {
 
     if deps:
         d.appendVarFlag('do_rootfs', 'depends', deps)
+
+    # Auto-add registry config package when secure registry is configured
+    # This ensures the target can pull from the registry at runtime
+    if d.getVar('CONTAINER_REGISTRY_SECURE') == '1':
+        # Determine which config package based on container engine
+        engine = d.getVar('VIRTUAL-RUNTIME_container_engine') or ''
+        if 'docker' in engine:
+            d.appendVar('IMAGE_INSTALL', ' docker-registry-config')
+        elif engine in ('podman', 'containerd', 'cri-o'):
+            d.appendVar('IMAGE_INSTALL', ' container-oci-registry-config')
 }
 
 # Build CONTAINER_SERVICE_FILE_MAP from varflags for shell access