feat: support containerd 2.x addon

[nvanthao]

What this PR does / why we need it:

Which issue(s) this PR fixes:

Fixes #

Special notes for your reviewer:

Steps to reproduce

Does this PR introduce a user-facing change?

Does this PR require documentation?

[github-actions]

Testgrid Run(s) Executing @ https://testgrid.kurl.sh/run/pr-6029-f433091-containerd-2.2.0-k8s-ctrd-2026-06-12T06:22:25Z

[github-actions]

Testgrid Run(s) Executing @ https://testgrid.kurl.sh/run/pr-6029-f433091-containerd-2.2.2-k8s-ctrd-2026-06-12T06:22:52Z

[github-actions]

Testgrid Run(s) Executing @ https://testgrid.kurl.sh/run/pr-6029-f433091-containerd-2.2.1-k8s-ctrd-2026-06-12T06:23:07Z

[greptile-apps]

Comments Outside Diff (1)

1. scripts/common/containerd.sh, line 29-32 (link)

   install_major is assigned without local, so it leaks into the global shell scope. All other captured semver values in this function (current_major, current_minor, install_minor) are properly declared. If another function ever reads $install_major after calling containerd_migration_steps, it will silently receive the wrong value.

_{Reviews (1): Last reviewed commit: "regenerate manifests for containerd 2.x" | Re-trigger Greptile}

[github-actions]

Testgrid Run(s) Executing @ https://testgrid.kurl.sh/run/pr-6029-f433091-containerd-2.2.3-k8s-ctrd-2026-06-12T06:23:40Z

[github-actions]

Testgrid Run(s) Executing @ https://testgrid.kurl.sh/run/pr-6029-f433091-containerd-2.2.4-k8s-ctrd-2026-06-12T06:24:06Z

[github-actions]

Testgrid Run(s) Executing @ https://testgrid.kurl.sh/run/pr-6029-f433091-containerd-2.1.5-k8s-ctrd-2026-06-12T06:30:42Z

[nvanthao]

manual test with CMX Ubuntu 24.04

curl -L https://staging.kurl.sh/7a33e2d | sudo bash

install successful

 cat /etc/containerd/conf.d/99-replicated.toml
version = 3

[debug]
  level = "warn"

[plugins.'io.containerd.transfer.v1.local']
  config_path = '/etc/containerd/certs.d'

[plugins.'io.containerd.cri.v1.images'.registry]
  config_path = '/etc/containerd/certs.d'

[plugins.'io.containerd.cri.v1.runtime'.containerd.runtimes.runc.options]
  SystemdCgroup = true

[plugins.'io.containerd.cri.v1.runtime']
  disable_apparmor = true

[plugins.'io.containerd.cri.v1.images'.pinned_images]
  sandbox = 'registry.k8s.io/pause:3.10'

[github-actions]

Testgrid Run(s) Executing @ https://testgrid.kurl.sh/run/pr-6029-6e2df87-containerd-2.2.3-k8s-ctrd-2026-06-15T12:59:34Z

[github-actions]

Testgrid Run(s) Executing @ https://testgrid.kurl.sh/run/pr-6029-6e2df87-containerd-2.2.0-k8s-ctrd-2026-06-15T13:01:01Z

[github-actions]

Testgrid Run(s) Executing @ https://testgrid.kurl.sh/run/pr-6029-6e2df87-containerd-2.2.4-k8s-ctrd-2026-06-15T13:01:51Z

[github-actions]

Testgrid Run(s) Executing @ https://testgrid.kurl.sh/run/pr-6029-6e2df87-containerd-2.2.1-k8s-ctrd-2026-06-15T13:02:00Z

[github-actions]

Testgrid Run(s) Executing @ https://testgrid.kurl.sh/run/pr-6029-6e2df87-containerd-2.2.2-k8s-ctrd-2026-06-15T13:02:03Z

[greptile-apps]

_{Reviews (2): Last reviewed commit: "fix(containerd): route CONTAINERD_TOML_C..." | Re-trigger Greptile}

[github-actions]

Testgrid Run(s) Executing @ https://testgrid.kurl.sh/run/pr-6029-6e2df87-containerd-2.1.5-k8s-ctrd-2026-06-15T13:06:58Z

[github-actions]

Testgrid Run(s) Executing @ https://testgrid.kurl.sh/run/pr-6029-872af43-containerd-2.2.0-k8s-ctrd-2026-06-16T01:28:36Z

[github-actions]

Testgrid Run(s) Executing @ https://testgrid.kurl.sh/run/pr-6029-872af43-containerd-2.2.3-k8s-ctrd-2026-06-16T01:28:41Z

[github-actions]

Testgrid Run(s) Executing @ https://testgrid.kurl.sh/run/pr-6029-872af43-containerd-2.2.1-k8s-ctrd-2026-06-16T01:29:18Z

[github-actions]

Testgrid Run(s) Executing @ https://testgrid.kurl.sh/run/pr-6029-872af43-containerd-2.2.2-k8s-ctrd-2026-06-16T01:29:29Z

[github-actions]

Testgrid Run(s) Executing @ https://testgrid.kurl.sh/run/pr-6029-872af43-containerd-2.2.4-k8s-ctrd-2026-06-16T01:29:59Z

[greptile-apps]

_{Reviews (3): Last reviewed commit: "feat(containerd): back up 1.x config bef..." | Re-trigger Greptile}

[github-actions]

Testgrid Run(s) Executing @ https://testgrid.kurl.sh/run/pr-6029-872af43-containerd-2.1.5-k8s-ctrd-2026-06-16T01:34:51Z

[nvanthao]

Tested with:

• Install containerd 1.7.29 with Registry add-on https://kurl.sh/6ba28eb in Ubuntu 22.04
• Update to spec with containerd 2.1.5

apiVersion: cluster.kurl.sh/v1beta1
kind: Installer
metadata:
  name: 6ba28eb
spec:
  kubernetes:
    version: 1.35.4
  flannel:
    version: 0.28.4
  openebs:
    version: 4.4.0
    isLocalPVEnabled: true
    localPVStorageClassName: local
  minio:
    version: 2025-10-15T17-29-55Z
  registry:
    version: 3.1.1
  ekco:
    version: 0.28.14
  containerd:
    version: 2.1.5
    s3Override: >-
      https://kurl-sh.s3.amazonaws.com/pr/pr-6029-872af43-containerd-2.1.5.tar.gz

• Verified upgrade successful, containerd upgraded to 2.1.5, registry pod works fine with TLS using Kubernetes CA, test pod created successfuly
• Backup config of 1.x containerd is created