-
Notifications
You must be signed in to change notification settings - Fork 7
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
multiple hostnames are used to access the built-in docker-registry service #65
Comments
Just a note that while I am working on the workflows, I am not really explicitly setting the registry. As the image name is one of the inputs, the workflow expects the registry to be part of the image name, for example, for using the internal FuseML registry the image name should be |
Moving out of MVP scope due to time constraints and the fact that this is not a must have for MVP. This issue is not functionality impairing and a workaround is already in place to address the Tekton related issue. |
Moving to V2 for further investigation. If it turns out to be too difficult to implement, or it requires adding TLS support to part of the FuseML components, we should do it later. |
Adding notes from older issue regarding removal of Quarks from FuseML.
Looking towards the future, we should try to take into account the multi-cluster use-case, where several clusters may consume images hosted in a single docker registry server. Generating cluster CA certificates only works in the cluster that is used to generates them. |
This issue covers 2 different, but related, problems:
|
Reopening as |
The double identity problem can only be solved when we add TLS support to FuseML and the services that are part of it, trow included. Even so, valid certificates will be required for the exposed endpoints, otherwise certificates will need to be installed on the k8s nodes manually. A mixed solution should also be investigated, where if valid certificates are not provided, the current approach is reused. |
The built-in docker-registry service needs to be accessed from several places simultaneously, and this is reflected in the URLs used for the container images that it stores:
127.0.0.1:30500
registry.fuseml-registry
This shows that our deployment setup is currently suffering from a multiple identity problem regarding the location of the OCI registry endpoint, and this already has some negative side-effects:
Some ideas on how to fix this:
registry.fuseml-registry
) and cluster port on the k8s nodes instead of the localhost/nodeport, if possibleNOTE: when this issue is fixed, the Tekton entrypoint workaround mentioned above should also be removed.
The text was updated successfully, but these errors were encountered: