Add a "registry" action that creates a private docker registry

[axinojolais]

Hi,

This adds a action to the kubernetes-worker charm that creates (or deletes) a private, TLS-enabled, authentified (htpasswd) Docker repository in the deployed kubernetes cluster.

Comments welcome, of course !

Thanks

[caio1982]

Where is this used in the current diff?

[axinojolais]

Well it looks like it's not. :| Let me take a look

[axinojolais]

This is fixed now, by the way.

[axinojolais]

htpasswd also needs to be base64ified, I'll fix in the next commit

[chuckbutler]

Do we really need to base64 encode it? we're passing around TLS certs which are carriage return sensitive over the relation wires and haven't base64 encoded them. It hasn't seemed to be an issue yet, we might be playing with fire here, but in my experience, base64 encoding the contents is an extra, unnecessary step.

[axinojolais]

The secret used by the registry image needs to be base64 encoded. We can either do it here, or in the code of the action. This is the same for the certificates by the way. What do you think ?

[chuckbutler]

-edit- i misunderstood the goal/use-case here. What you've got is a great first iteration. We had a bit of back/forth on IRC and I feel that you're on the right path. With some slight tweaks to make the process clear to the user what they will be providing. I am +1 to that effort.

[axinojolais]

I still need to validate the last commit

[chuckbutler]

I have not tested this branch yet, so i'm holding off on approving this branch to be merged, but I am +1 to this . I'll get this built and tested directly after we complete the 1.5.2 release push we are in now. Thanks for the contributions @axinojolais

[chuckbutler]

+1 to not making the user bae64 encode the values I think this will be a better user experience. Even though its only a single removal of a piped command. 👍

[chuckbutler]

Nice addition here!

[chuckbutler]

Nice. Thanks for pulling this server side instead of client side.

[axinojolais]

Ha, I also need to add the ConfigMap mentioned in #100 (comment) - which is actually a required dependency for this PR.

[axinojolais]

This is tested, and works fine. However, this PR needs #100 to be merged first.

[chuckbutler]

Thanks for the follow up, will give this a look later today / early tomorrow and see if we can get it landed. We're cycling on getting our code upstream so we're not lagging behind in the upstream archive as we are today.

This may bring some concerns, but its not your fault/concern to track and we will ensure we carry this forward into upstream. Thanks for the contribution and patience during the review cycle axino!

[axinojolais]

To be complete, this will require 2 more changes : a secret to use the registry, and a modification of the "default" service account to use this secret by default.

[chuckbutler]

inline note:

we'll need to pull this in and retarget against kubernetes/kubernetes once we've passed the code review segment of the submission.

[axinojolais]

OK this is now complete and ready for review

[chuckbutler]

I've left some minor nits around on #100 requesting documentation updates regarding the added feature.

I still need to pull this in and give it a test, but initial tests were good with the configmap addition, I feel that this will be a simple test as well. Thanks for the work done here @axinojolais and your patience. We haven't forgotten about this PR, we're just tasked in 8 different directions at the moment. Will you perchance be at the charmer summit? We can certainly pull aside some time to finish these up and get your PR's landed against github.com/kubernetes/kubernetes then if you're available.

[axinojolais]

Nope, a bug got in ! Will fix tomorrow.

[chuckbutler]

Glad you're on top of this keeping the PR moving forward while we shuffle things around. Thanks for the update!

[axinojolais]

Replaced by kubernetes#40814