-
Notifications
You must be signed in to change notification settings - Fork 37
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[feat] pull-through caching/proxying for images #370
Conversation
Signed-off-by: Derek Brown <[email protected]>
658329d
to
9385eb7
Compare
hey @DerekTBrown ! thanks for diving into the tangled mess that is containerd configs. so...this is complicated. my understanding is that containerd-team is in the middle of removing this functionality. see the "mirror config deprecation PSA" here: https://github.com/kubernetes-sigs/kind/releases/tag/v0.20.0 and the big DEPRECATED node at the top of this doc -- https://github.com/containerd/containerd/blob/main/docs/cri/registry.md#configure-image-registry and that even today, the code you have here will break in a bunch of cases because |
lol, there's also a big note on why they're removing it 🙈
|
one crazy idea -- Kind does let you pass extra args to the kubelet https://kind.sigs.k8s.io/docs/user/configuration/#kubeadm-config-patches so you might be able to mount a custom Credential provider that does what you want i think this might be closer to what the "real" EKS does to authenticate against ECR these days? |
I am not sure how I missed these deprecation warnings- I have seen this in practice a bunch. I interpret the deprecation notice to mean that there will be some future interface, but that interface will require storing credentials in an encrypted format. Assuming that is the case, I think this PR still makes sense: we would just need to migrate to that interface when it becomes available. |
Assuming we do need to implement an alternative authentication strategy, I have a slightly different approach in mind. We could extend the https://distribution.github.io/distribution/recipes/mirror/#run-a-registry-as-a-pull-through-cache We would then follow the exact same pattern currently used to redirect I think this has a few advantages:
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
ok, i guess i'm fine with trying this approach while we wait to see what happens with containerd
(though i'm also fine with trying the proxy approach you linked to) |
Signed-off-by: Derek Brown <[email protected]>
3fa854f
to
ee88e08
Compare
@nicks should be good to go! |
b1f7771
to
eb07193
Compare
Signed-off-by: Derek Brown <[email protected]>
eb07193
to
f6502ca
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
thanks! just some minor issues
Signed-off-by: Derek Brown <[email protected]>
6e136e1
to
dec201f
Compare
Background
Motivation: [feature request] Pulling images from remote registries #355
In my "real" Kubernetes clusters, I use ECR as an image registry. Nodes are automatically authorized/configured to pull from ECR through a combination of IAM and containerd settings.
I want my Tilt Kubernetes clusters to mirror "real" clusters as much as possible. I want to avoid making Tilt-specific modifications to Kubernetes manifests to make them work (see discussion in [feature request] Pulling images from remote registries #355).
There currently isn't a way to achieve both of these goals simulaneously:
docker pull && docker push
orkind load
, though this makes the Tilt configuration clunky.imagePullSecrets
, but this causes the Tilt configuration to deviate from the "real" configuration (and would require modifying hundreds of helm charts).Note: I think there are other, similar usecases for providing cluster authentication credentials. For example, a user might want to avoid Docker registry ratelimits by providing a user token.
What does this PR do?
kind
cluster (possible in other cluster provisioners, but I have chosen this as a starting point).username
andpassword
properties, or via a templated env var topassword.
Test Plan
username
andpassword
(token).