feat: registry addon #170
Some minor doc grammar stuff in suggestions. I think we should also mention the --tlsverify=false
option as an alternative to loading certificates--I expect most users will be okay with that for tests.
have docs / examples by chance?
There's a helper doc present in the CLI which explains how to push images, but we definitely need to start thinking more holistically about documenting KTF now that our use cases are expanding beyond the KIC. Here's an example run which includes that output:

$ go run cmd/ktf/main.go envs create --addon metallb --addon cert-manager --addon registry
building new environment kong-testing-environment
waiting for addon registry to become ready...
waiting for addon metallb to become ready...
waiting for addon cert-manager to become ready...
waiting for environment to become ready (this can take some time)...
environment kong-testing-environment was created successfully!
Registry Addon HELP:
You have installed the registry addon deployed with an SSL certificate provided
by cert-manager. The default certificate used is a self-signed certificate.
As such if you try to push images to this registry with the standard:
$ docker push ${REGISTRY_IP}/image
Without first adding its certificate to your local docker (or other client) chain
of trust it will fail. The following provides an example of how to add the certificate
using a standard docker installation on a Linux system where "/etc/docker" is the
configuration directory for docker:
$ REGISTRY_IP="$(kubectl -n registry get svc registry -o=go-template='{{(index .status.loadBalancer.ingress 0).ip}}')"
$ sudo mkdir -p /etc/docker/certs.d/${REGISTRY_IP}/
$ kubectl -n registry get secrets registry-cert-secret -o=go-template='{{index .data "ca.crt"}}' | base64 -d | sudo tee /etc/docker/certs.d/${REGISTRY_IP}/ca.crt
Note that this generally is not going to work verbatim on all systems and the
above instructions should be considered just an example. Adjust for your own
system and docker installation. You may also need to change ".ip" for ".host"
if your service is provided a DNS name instead of an IP for its LB address.
Afterwards you should be able to push images to the registry, e.g.:
$ docker pull kennethreitz/httpbin
$ docker tag kennethreitz/httpbin ${REGISTRY_IP}/httpbin
$ docker push ${REGISTRY_IP}/httpbin
Images pushed this way should be immediately usable in pod configurations
on the cluster as the certificate is automatically configured on the nodes.

So the short version you'll need to trust the certificate in your local environment, and then whatever the

So in my own environment, this is what I literally ran to push an image to the registry:

$ go run cmd/ktf/main.go envs create --addon metallb --addon cert-manager --addon registry
$ REGISTRY_IP="$(kubectl -n registry get svc registry -o=go-template='{{(index .status.loadBalancer.ingress 0).ip}}')"
$ sudo mkdir -p /etc/docker/certs.d/${REGISTRY_IP}/
$ kubectl -n registry get secrets registry-cert-secret -o=go-template='{{index .data "ca.crt"}}' | base64 -d | sudo tee /etc/docker/certs.d/${REGISTRY_IP}/ca.crt
$ docker pull nginx
$ docker tag nginx ${REGISTRY_IP}/nginx
$ docker push ${REGISTRY_IP}/nginx

Then used it for a deployment:

$ cat << EOF | kubectl apply -f -
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx
  labels:
    app: nginx
spec:
  selector:
    matchLabels:
      app: nginx
  template:
    metadata:
      labels:
        app: nginx
    spec:
      containers:
      - name: nginx
        image: ${REGISTRY_IP}/nginx
        ports:
        - containerPort: 80
EOF

And then:

$ kubectl get pods
NAME                     READY   STATUS    RESTARTS   AGE
nginx-57f46f4d55-clbgf   1/1     Running   0          3s

Hopefully that helps you in the short term, for the long term I've created #184 so we can start improving the documentation.
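
Added example, not part of the PR or of KTF's code: a Go check that the `ca.crt` taken from `registry-cert-secret` really validates the registry's serving certificate for the address you push to, which is worth running before the CA goes into `/etc/docker/certs.d`. `CheckRegistryCA`, `issue` and the address `172.18.0.240` are hypothetical; the certificates are constructed in memory so the block runs offline.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"net"
	"time"
)

// CheckRegistryCA reports whether leaf chains to the CA in caPEM and is valid for addr (the REGISTRY_IP value).
func CheckRegistryCA(caPEM []byte, leaf *x509.Certificate, addr string) error {
	pool := x509.NewCertPool()
	if !pool.AppendCertsFromPEM(caPEM) {
		return fmt.Errorf("ca.crt holds no PEM certificate")
	}
	// DNSName also accepts an IP literal, which is then matched against the IP SANs.
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool, DNSName: addr})
	return err
}

// issue builds a constructed demo certificate; a nil parent yields a self-signed CA.
func issue(cn string, ips []net.IP, parent *x509.Certificate, signer *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, []byte) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, IPAddresses: ips,
		IsCA: parent == nil, BasicConstraintsValid: true,
	}
	if parent == nil {
		tpl.KeyUsage, parent, signer = x509.KeyUsageCertSign, tpl, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, tpl, parent, &key.PublicKey, signer)
	cert, _ := x509.ParseCertificate(der)
	return cert, key, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}

func main() {
	ca, caKey, caPEM := issue("demo registry CA", nil, nil, nil)
	leaf, _, _ := issue("registry", []net.IP{net.ParseIP("172.18.0.240")}, ca, caKey)
	fmt.Println("right address:", CheckRegistryCA(caPEM, leaf, "172.18.0.240"))
	fmt.Println("other address:", CheckRegistryCA(caPEM, leaf, "172.18.0.241"))
	fmt.Println("empty ca.crt: ", CheckRegistryCA(nil, leaf, "172.18.0.240"))
}
```

Against a live registry, `caPEM` would be the decoded `ca.crt` from the secret and `leaf` the first certificate the registry presents during the TLS handshake.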
This PR adds a registry addon so that a container image registry can be loaded into the cluster and be made available for pods.

In order to accomplish this several new utilities were added, highlights include:
This new addon brings several benefits including:
This is the first iteration of this addon but is incomplete: this works using a self-signed certificate and only on kind clusters. The current certificate management landscape in a KTF cluster is limited and the default cluster CA feature is desired prior to adding support for GKE so that certificate trust configuration no longer needs to be a part of the addon deployment as was done here, but instead cluster setup.