From 1dc3e8e87fd6ac14ce9b15cfea0045b8c7cee981 Mon Sep 17 00:00:00 2001
From: sskaje <sskaje@gmail.com>
Date: Mon, 27 Jan 2025 11:41:08 +0800
Subject: [PATCH 1/5] T7092: Add Container Registry Mirror

---
 data/templates/container/registries.conf.j2 |  6 ++++++
 interface-definitions/container.xml.in      | 11 +++++++++++
 2 files changed, 17 insertions(+)

diff --git a/data/templates/container/registries.conf.j2 b/data/templates/container/registries.conf.j2
index eb7ff87758..48b3c7c4a9 100644
--- a/data/templates/container/registries.conf.j2
+++ b/data/templates/container/registries.conf.j2
@@ -28,4 +28,10 @@
 {%         set _ = registry_list.append(r) %}
 {%     endfor %}
 unqualified-search-registries = {{ registry_list }}
+{%     for r, r_options in registry.items() if r_options.disable is not vyos_defined %}
+[[registry]]
+location = "{{ r_options.mirror if r_options.mirror is vyos_defined else r }}"
+insecure = {{ 'true' if r_options.insecure is vyos_defined else 'false' }}
+prefix = "{{ r }}"
+{%     endfor %}
 {% endif %}
diff --git a/interface-definitions/container.xml.in b/interface-definitions/container.xml.in
index 04318a7c9d..8752f5f4d0 100644
--- a/interface-definitions/container.xml.in
+++ b/interface-definitions/container.xml.in
@@ -538,6 +538,17 @@
         <children>
           #include <include/interface/authentication.xml.i>
           #include <include/generic-disable-node.xml.i>
+          <leafNode name="insecure">
+            <properties>
+              <help>Use HTTP instead of HTTPS</help>
+              <valueless/>
+            </properties>
+          </leafNode>
+          <leafNode name="mirror">
+            <properties>
+              <help>Registry mirror, use host:port</help>
+            </properties>
+          </leafNode>
         </children>
       </tagNode>
     </children>

From f0d67d3a56aeee9d3944cdd15a9fde86cf1a692a Mon Sep 17 00:00:00 2001
From: sskaje <sskaje@gmail.com>
Date: Thu, 30 Jan 2025 09:55:49 +0800
Subject: [PATCH 2/5] T7092: Regex for registry location

---
 interface-definitions/container.xml.in | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/interface-definitions/container.xml.in b/interface-definitions/container.xml.in
index 8752f5f4d0..4f9b8fe44c 100644
--- a/interface-definitions/container.xml.in
+++ b/interface-definitions/container.xml.in
@@ -546,7 +546,10 @@
           </leafNode>
           <leafNode name="mirror">
             <properties>
-              <help>Registry mirror, use host:port</help>
+              <help>Registry mirror, use host[:port][/path]</help>
+              <constraint>
+                <regex>^(?:[[:alnum:]-]+(?:\.[[:alnum:]-]+)*|(?:[[:digit:]]{1,3}\.){3}[[:digit:]]{1,3}|\[[[:xdigit:]:]+])(?::[[:digit:]]{1,5})?(?:\/[^[:space:]?#]*)?$</regex>
+              </constraint>
             </properties>
           </leafNode>
         </children>

From 24ed4567dc3deb9b09e469142dcf2c2a9ac4f312 Mon Sep 17 00:00:00 2001
From: sskaje <sskaje@gmail.com>
Date: Sun, 9 Feb 2025 17:40:58 +0800
Subject: [PATCH 3/5] T7092: Update help message

---
 interface-definitions/container.xml.in | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/interface-definitions/container.xml.in b/interface-definitions/container.xml.in
index 4f9b8fe44c..19dc042050 100644
--- a/interface-definitions/container.xml.in
+++ b/interface-definitions/container.xml.in
@@ -540,7 +540,7 @@
           #include <include/generic-disable-node.xml.i>
           <leafNode name="insecure">
             <properties>
-              <help>Use HTTP instead of HTTPS</help>
+              <help>Set to allow registry using unencrypted HTTP as well as TLS connections with untrusted certificates.</help>
               <valueless/>
             </properties>
           </leafNode>

From 77b53f1ab2c280f864f56b90dd841d060e2f2b32 Mon Sep 17 00:00:00 2001
From: sskaje <sskaje@gmail.com>
Date: Thu, 13 Feb 2025 21:11:16 +0800
Subject: [PATCH 4/5] T7092: Update interface-definitions/container.xml.in

Co-authored-by: Daniil Baturin <daniil@baturin.org>
---
 interface-definitions/container.xml.in | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/interface-definitions/container.xml.in b/interface-definitions/container.xml.in
index 19dc042050..c8d4bbdd19 100644
--- a/interface-definitions/container.xml.in
+++ b/interface-definitions/container.xml.in
@@ -540,7 +540,7 @@
           #include <include/generic-disable-node.xml.i>
           <leafNode name="insecure">
             <properties>
-              <help>Set to allow registry using unencrypted HTTP as well as TLS connections with untrusted certificates.</help>
+              <help>Allow registry access over unencrypted HTTP or TLS connections with untrusted certificates</help>
               <valueless/>
             </properties>
           </leafNode>

From a8e0f015ea91859163ac9befad8a6e8ac68dec9a Mon Sep 17 00:00:00 2001
From: sskaje <sskaje@gmail.com>
Date: Tue, 11 Mar 2025 21:33:46 +0800
Subject: [PATCH 5/5] T7092: Change validators: regex to host-name|address +
 port + path

---
 data/templates/container/registries.conf.j2 |  6 ++-
 interface-definitions/container.xml.in      | 46 ++++++++++++++++++---
 src/conf_mode/container.py                  |  7 ++++
 3 files changed, 52 insertions(+), 7 deletions(-)

diff --git a/data/templates/container/registries.conf.j2 b/data/templates/container/registries.conf.j2
index 48b3c7c4a9..b5c7eed9b3 100644
--- a/data/templates/container/registries.conf.j2
+++ b/data/templates/container/registries.conf.j2
@@ -30,7 +30,11 @@
 unqualified-search-registries = {{ registry_list }}
 {%     for r, r_options in registry.items() if r_options.disable is not vyos_defined %}
 [[registry]]
-location = "{{ r_options.mirror if r_options.mirror is vyos_defined else r }}"
+{%         if r_options.mirror is vyos_defined %}
+location = "{{ r_options.mirror.host_name if r_options.mirror.host_name is vyos_defined else r_options.mirror.address }}{{ ":" + r_options.mirror.port if r_options.mirror.port is vyos_defined }}{{ r_options.mirror.path if r_options.mirror.path is vyos_defined }}"
+{%         else %}
+location = "{{ r }}"
+{%         endif %}
 insecure = {{ 'true' if r_options.insecure is vyos_defined else 'false' }}
 prefix = "{{ r }}"
 {%     endfor %}
diff --git a/interface-definitions/container.xml.in b/interface-definitions/container.xml.in
index c8d4bbdd19..a17777af00 100644
--- a/interface-definitions/container.xml.in
+++ b/interface-definitions/container.xml.in
@@ -544,14 +544,48 @@
               <valueless/>
             </properties>
           </leafNode>
-          <leafNode name="mirror">
+          <node name="mirror">
             <properties>
-              <help>Registry mirror, use host[:port][/path]</help>
-              <constraint>
-                <regex>^(?:[[:alnum:]-]+(?:\.[[:alnum:]-]+)*|(?:[[:digit:]]{1,3}\.){3}[[:digit:]]{1,3}|\[[[:xdigit:]:]+])(?::[[:digit:]]{1,5})?(?:\/[^[:space:]?#]*)?$</regex>
-              </constraint>
+              <help>Registry mirror, use host-name|address[:port][/path]</help>
             </properties>
-          </leafNode>
+            <children>
+              <leafNode name="address">
+                <properties>
+                  <help>IP address of container registry mirror</help>
+                  <valueHelp>
+                    <format>ipv4</format>
+                    <description>IPv4 address of container registry mirror</description>
+                  </valueHelp>
+                  <valueHelp>
+                    <format>ipv6</format>
+                    <description>IPv6 address of container registry mirror</description>
+                  </valueHelp>
+                  <constraint>
+                    <validator name="ip-address"/>
+                    <validator name="ipv6-link-local"/>
+                  </constraint>
+                </properties>
+              </leafNode>
+              <leafNode name="host-name">
+                <properties>
+                  <help>Hostname of container registry mirror</help>
+                  <valueHelp>
+                    <format>hostname</format>
+                    <description>FQDN of container registry mirror</description>
+                  </valueHelp>
+                  <constraint>
+                    <validator name="fqdn"/>
+                  </constraint>
+                </properties>
+              </leafNode>
+              #include <include/port-number.xml.i>
+              <leafNode name="path">
+                <properties>
+                  <help>Path of container registry mirror, optional, must be start with '/' if not empty</help>
+                </properties>
+              </leafNode>
+            </children>
+          </node>
         </children>
       </tagNode>
     </children>
diff --git a/src/conf_mode/container.py b/src/conf_mode/container.py
index 594de3eb0b..8f57be06da 100755
--- a/src/conf_mode/container.py
+++ b/src/conf_mode/container.py
@@ -273,6 +273,13 @@ def verify(container):
 
     if 'registry' in container:
         for registry, registry_config in container['registry'].items():
+            if 'mirror' in registry_config:
+                if 'host_name' in registry_config['mirror'] and 'address' in registry_config['mirror']:
+                    raise ConfigError(f'Container registry mirror address/host-name are mutually exclusive!')
+
+                if 'path' in registry_config['mirror'] and not registry_config['mirror']['path'].startswith('/'):
+                    raise ConfigError('Container registry mirror path must start with "/"!')
+
             if 'authentication' not in registry_config:
                 continue
             if not {'username', 'password'} <= set(registry_config['authentication']):