add `skip_verify` configuration for specific registry when pushing images with the `nerdctl` tool

[san3Xian]

Currently, snapshot-pod relies on nerdctl to commit and push images. However, there is no configuration file in snapshot-pod to set skip_verify for any registry, nor is there a parameter to configure skip_verify for specific registries.

https://github.com/BaizeAI/kube-snapshot/blob/v0.2.5/manifests/snapshot-pod/templates/daemonset.yaml

Could a mount point be added to the snapshot-pod DaemonSet configuration to mount the host's /etc/containerd/certs.d/ directory into the container in read-only mode?

Alternatively, considering that some Kubernetes environments do not use containerd directly as the CRI, another option is to add a ConfigMap to snapshot-pod to define untrusted registry addresses and mount this ConfigMap into snapshot-pod?

I also noticed that PR #18 includes configurations related to registry skip_verify. However, this PR disables certificate verification globally for all registries.

In enterprise production environments, there may be cases where some registries use HTTP while others are trusted HTTPS registries. Disabling certificate verification globally could introduce security risks.

[CoderTH]

I also noticed that #18 includes configurations related to registry skip_verify. However, this PR disables certificate verification globally for all registries.

I don't quite understand why it says that global registry is disabled here? A commit configuration option has been added here, which only applies to the current snapshotPod and its derived snapshotPod tasks

[kebe7jun]

I understand that @san3Xian may be worried that skip_verify will bring additional security issues.

Mounting the host's certs directory might be a good option, or it might be safer to allow users to manually specify certificates (via secret) instead of skip_verify.

[CoderTH]

I don't think mounting the host's certificates directory is a good approach for the following reasons
The Cert directory cannot be dynamically modified. Every time an image needs to be saved to a non secure registry, configuration files need to be manually added to each node
Additionally, I support using the secret method to allow users to specify certificates, but this does not solve the need for users to push images to non secure repositories. Therefore, I believe that the skip_tls parameter can be added, and a CertSecretRef field can also be added to use the specified certificate (but it can be done in two steps, I can do it). Additionally, this skip_tls is not a global setting and only applies to a single snapshot or snapshotpodtask
@kebe7jun

[kebe7jun]

I agree to implement CertSecretRef later.

For some enterprises, images may only be allowed to push to some specific, authenticated image repositories, whose certificates may have been configured on the host? Perhaps in this scenario, mounting the certificate on the host is a good choice.

[CoderTH]

Yes, this is a point I haven't considered. In that case, we can mount the CERT directory into it