Proxy any registry and do it automatically (using MutatingWebhookConfiguration) #329
So they can easily be run locally.
Also make Trow compatible with registries that use Basic auth and no auth.
Uncovered by unit tests because even with rusoto_mock it's very hard to test this!
It now just works, automagically!!!
Make it simpler!
The issue: the container runtime must pull from the ClusterIP -> it must trust the ClusterIP. This requires the use of a privileged daemonset that fetches the ClusterIP and writes it to /etc/containers/certs.d (or /etc/containerd/...). This also requires the Trow server to fetch its service IP in the mutating webhook. Not an elegant solution.
Updates trow, trow-server & helm chart. Using NodePort service type :(
@amouat Please consider merging this PR, it would help us a lot.

@mysticaltech there are a few conflicts that need to be resolved, but they don't look difficult. @awoimbee what's the outcome of this patch - does helm become the standard way to install Trow? I assume kustomize still works?
@amouat The outcomes are listed in the PR description, but if I had to list them now (1 year later), it would be:

My setup

I've been using this in prod since the 22nd of June 2022. The equivalent:

```yaml
image:
  tag: 22-06-2022-0
trow:
  domain: 127.0.0.1:12345
  validation:
    enableWebhook: true
    config:
      default: Deny
      allow:
        - 127.0.0.1:12345/
        - 602401143452.dkr.ecr
        - public.ecr.aws/
  proxyConfig:
    enableWebhook: true
    config:
      - { alias: docker, host: registry-1.docker.io }
      - { alias: quay, host: quay.io }
      - { alias: nvcr, host: nvcr.io }
      - { alias: ghcr, host: ghcr.io }
      - { alias: k8s, host: registry.k8s.io }
      - { alias: k8s-gcr, host: gcr.k8s.io }
      - { alias: gcr-k8s, host: k8s.gcr.io }
      - { alias: elastic, host: docker.elastic.co }
      # - [...]
      - { alias: ecr, host: xxxxxxxxxxxx.dkr.ecr.us-west-1.amazonaws.com, username: AWS }
service:
  type: NodePort
  nodePort: 12345
resources:
  requests:
    cpu: 100m
    memory: 128Mi
volumeClaim:
  resource:
    requests:
      storage: 30Gi
```

The final
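To make the interplay of the two webhooks in the values above concrete, here is an added Python model (not Trow's code) of the mutating proxy rewrite followed by the validation check with `default: Deny`; the API server runs mutating webhooks before validating ones, so the allow list is applied to the rewritten image. The `f/<alias>/` path layout under the local registry, the function names and the Docker Hub shorthand expansion are assumptions of this example.

```python
# Added example, not Trow's code: models the proxyConfig (mutating) and
# validation (validating) webhooks from the values above. Assumptions: the
# f/<alias>/ path layout, the function names, and Docker shorthand expansion.

LOCAL_REGISTRY = "127.0.0.1:12345"
DEFAULT_POLICY = "Deny"
ALLOW_PREFIXES = ["127.0.0.1:12345/", "602401143452.dkr.ecr", "public.ecr.aws/"]
PROXY_ALIASES = {"docker": "registry-1.docker.io", "quay": "quay.io",
                 "ghcr": "ghcr.io", "k8s": "registry.k8s.io"}


def normalise(image: str) -> str:
    """Expand Docker shorthand (nginx -> docker.io/library/nginx) so that
    host-prefix checks see the real registry host."""
    host, sep, rest = image.partition("/")
    # Docker's rule: the first path component is a host only if it contains
    # '.' or ':' or is exactly 'localhost'.
    if not sep or (host != "localhost" and "." not in host and ":" not in host):
        host, rest = "docker.io", image
    if host == "docker.io" and "/" not in rest:
        rest = "library/" + rest
    return f"{host}/{rest}"


def proxy_rewrite(image: str) -> str:
    """Mutating webhook: point aliased upstream hosts at the local Trow proxy."""
    ref = normalise(image)
    host, _, rest = ref.partition("/")
    if host == LOCAL_REGISTRY:
        return ref                      # already served by Trow
    upstream = "registry-1.docker.io" if host == "docker.io" else host
    for alias, alias_host in PROXY_ALIASES.items():
        if alias_host == upstream:
            return f"{LOCAL_REGISTRY}/f/{alias}/{rest}"
    return ref                          # no alias: left for validation to judge


def validate(image: str) -> bool:
    """Validating webhook: prefix allow list, default Deny."""
    ref = normalise(image)
    if any(ref.startswith(prefix) for prefix in ALLOW_PREFIXES):
        return True
    return DEFAULT_POLICY == "Allow"


def admit(image: str) -> tuple[str, bool]:
    """Mutate first, then validate the rewritten reference."""
    rewritten = proxy_rewrite(image)
    return rewritten, validate(rewritten)
```

Note that a bare Docker Hub image is denied when only the validation webhook is enabled; it passes only because the proxy webhook first rewrites it onto the `127.0.0.1:12345/` prefix.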
Basically I like this a lot, but I'd also like kustomize to keep working. If you're still using this and are able to maintain (the helm side of things) we should merge. Unfortunately I don't have time to do much work on this any more since changing jobs.

Folks, our Kube-Hetzner project is growing fast, and many Hetzner Cloud nodes are blacklisted by gcr and everything that uses it underneath like registry.k8s.io, and ghcr.io. But in a single cluster, most nodes are ok, so this is an IDEAL solution. So, we will recommend this and even ship it as an add-on, doing our fair share to provide users with the best possible experience. I think it has amazing potential! If you folks combine forces it would be of great help to a lot of people.

@mysticaltech please drop me an e-mail to adrian.mouat at gmail and we can talk about options.

I can maintain the helm chart, but not the quick-install and kustomize. The helm chart from this PR is available for testing @ https://awoimbee.github.io/helm-charts, I'm using v

We should merge @amouat.

Wonderful!
Sorry for the size of this PR, I saw no other way to do this (and do it fast).

The goals of this PR:

Other changes that happened:

- `.yaml` that only configures the webhook (no side effects)
- `proxy_auth.rs`, `image.rs` => it made writing tests so much easier
- `kube` and `k8s-openapi` instead of custom types for `AdmissionReview`
- Deprecation of `./quick-install/` and `./install/`: I want to greatly simplify the deployment by only providing an easy to use helm chart. These folders push the user to run many manual steps/scripts and they duplicate deployment config. I did not outright delete these folders because this PR has already too many changes, but it's planned.

Notes: