At its heart, Trow is just a StatefulSet that needs to be exposed through a service. The main complication is getting TLS configured correctly. The developer or quick install uses a cluster-signed cert that is used by Trow itself and copies the CA certificate to all nodes and clients. The standard install runs Trow behind a TLS-terminating ingress. The TLS cert can be obtained automatically via cert-manager (or a ManagedCertificate if running on GKE), but does require a (sub)domain whose DNS can be pointed at the cluster.
The following install instructions are based on Kustomize (see Scott Lowe's blog for a good introduction). If you'd rather try the new Helm install, please see this guide.
To use the Kustomize install you will need to create a new overlay for your cluster, containing your domain name and any special configuration (e.g. ingress). The overlay will refer to other configuration files. By keeping all changes to your own directory, any updates to Trow base configuration can be easily merged by just pulling the new commits.
There is a complete example in the install/overlays/example-overlay
directory, which can be used as a basis
for getting your cluster running.
Assuming your cluster has cert-manager installed:
- Copy the directory
install/overlays/example-overlay
toinstall/overlays/mycluster
, changing mycluster to an appropriate name. - Open the
kustomization.yaml
file. Change the namespace to whatever namespace you want the Trow resources to run in. Update the YAML undersecretGenerator
with the user name and password you want to use for the registry. - In the same
kustomization.yaml
, update the domain name to the domain you wish to use for your registry. Update the user name to the user name you set in the previous step. - Run
kubectl apply -k overlays/mycluster
from the install directory. - Set the DNS for your domain to point to the IP for your ingress, which you can find with
kubectl get ingress -n trow-example
. Note that in GKE, this IP is subject to change unless you obtain a static IP. It may take a moment for the IP address to populate. - Once the certificate is obtained, TLS will start working and Trow should be available. You may get TLS errors whilst the certificate is being provisioned.
If you're using a Google ManagedCertificate, change the base in kustomization.yaml
to ../gke
and
replace the Ingress
patch with a copy of ManagedCertificate
patch from the
install/overlays/gke/kustomization.yaml
directory and edit as appropriate.
For other installs, please use the provided files as a base and consider contributing new overlays back to the project.
To enable validation:
- Add the following to your
kustomization.yaml
resources:
- ../../base/validate.yaml
And also uncomment the following under patchesJson6902
and modify the domain value:
- patch: |-
- op: replace
path: /webhooks/0/name
value: example.registry.com
target:
kind: ValidatingWebhookConfiguration
name: trow-validator
group: admissionregistration.k8s.io
version: v1
- Run
kubectl apply -k overlays/mycluster
from the install directory.
It would be better to point Kubernetes at the internal Trow service in step 2, but as this isn't running over TLS within the internal network in the default install, we need to use the external URL. We intend to address this in a future release.
Make sure your ingress is configured to allow large files to be transferred, or you may hit HTTP errors
such as 413 - Request Entity Too Large
. For the NGINX Ingress, make sure the following annotation is
present:
nginx.ingress.kubernetes.io/proxy-body-size: "0"
This will disable the transfer limit (it can alternatively be set to a large value such as 1000m
to allow blobs up to 1000 MB in size). More details can be found in the NGINX Ingress
guide.
There is also an Trow kustomize overlay with an NGINX
ingress
that may be useful.
The default install will result in TLS being used between the registry client (Docker) and the cluster ingress, but not inside the cluster. The next update to the Trow will use cluster certificates to achieve full end-to-end TLS.
NB if you use a service mesh, you may already have mutual TLS between pods and can safely ignore this.
This should be as simple as kubectl delete -k overlays/mycluster
(changing overlays/mycluster
to the name of your overlay).
See the User Guide.