Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

proposal to remove docker-registry-proxy daemonset #8221

Closed
zhengtianbao opened this issue Nov 22, 2021 · 3 comments
Closed

proposal to remove docker-registry-proxy daemonset #8221

zhengtianbao opened this issue Nov 22, 2021 · 3 comments
Labels
kind/feature Categorizes issue or PR as related to a new feature.

Comments

@zhengtianbao
Copy link
Member

Why is this needed:

As the registry document said the benefits of proxy daemonset are:

  1. SSL and authentication

The private registry runs as a Pod in your cluster. It does not currently support SSL or authentication, which triggers Docker's "insecure registry" logic. To work around this, we run a proxy on each node in the cluster, exposing a port onto the node (via a hostPort), which Docker accepts as "secure", since it is accessed by localhost.

but actually docker-registry can enable SSL or authentication by config: https://docs.docker.com/registry/deploying/#get-a-certificate

  1. in cluster access

we need to expose it onto each Kubernetes Node so that Docker will see it as localhost.

registry-proxy will create daemonset listen at hostPort:{{ registry_port }} which will redirect to the backend registry Service. Why not use ClusterIP to the registry service?

  1. external access

registry-proxy listen at every node's port as the same as NodePort, but sometimes we may want to use ingress or LoadBalancer.

I suppose the proxy daemonset is not really needed, It is a legacy used at kubernetes <1.5.x when not support ClusterIP.

I would like to remove the proxy by follow steps:

  • add registry configmap to support SSL and authentication
  • update registry service to support of ClusterIP, nodePort or loadBalance
  • add registry ingress
  • remove the proxy at some milestone
@zhengtianbao zhengtianbao added the kind/feature Categorizes issue or PR as related to a new feature. label Nov 22, 2021
@cristicalin
Copy link
Contributor

Great analysis @zhengtianbao!

Since we have the hosted registry which you kindly augmented recently, why not just drop this registry proxy functionality ? From what I can tell (personally I was not even aware we had this) it is quite old and hackish.

I would go with your full plan to also drop the proxy.

Note that an ingress should be conditioned on the presence of an ingress controller which is not mandatory in a kubespray deployment.

Also please enable the proxy in on of the CI tests so we actually exercise this feature and know of any breakage later down the line, from what I can tell we don't have any coverage for this in CI.

@zhengtianbao zhengtianbao mentioned this issue Nov 25, 2021
Merged
This was referenced Dec 10, 2021
Merged
Merged
@zhengtianbao zhengtianbao mentioned this issue Dec 22, 2021
Merged
@zhengtianbao
Copy link
Member Author

/close

@floryut
Copy link
Member

floryut commented Dec 22, 2021
edited
Loading

@zhengtianbao kudos for this, thank you 🍾

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
kind/feature Categorizes issue or PR as related to a new feature.
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@cristicalin @floryut @zhengtianbao