Remove internal registry #45
Comments
|
Yep private repo/images is something we should think about but I think the way to do it is to force it? I'm in favor of dropping the registry from sandbox. |
What do you mean? |
|
Drop the registry so that we can have a discussion about this. Force the discussion. |
|
I agree with @mmlb, just drop it for now from the sandbox. It is easy to add again later and most people/orgs that need a private repo already have a policy and implementation or know how to set it up.... Just my 2 cents... :-) |
Yeah, the problem is not how you set it up for yourself, but how you can use it in the installation environment if it has passwords or things like that. Anyway, I am always up for removing things 👍 I will leave time for more people to leave a comment, and at some point, I will move forward accordingly |
If you are running a private repo you always have that problem... :-( But this problem is also related to the encryption of the metadata path from provisioner to local executor. Thats something we need to make easy and save so all secrets can be transported in a save way. |
|
I think I'd like to keep it for now for consistency with k8s-sandbox. @detiber how do you push freshly built dev images to k8s with tilt? Is the registry required/useful? |
|
Beware i use a private repo registry for Docker images with the Ansible Playbook ... |
|
@fransvanberckel can you tell me a bit more?! Do you rely on the private registry that sandbox provides or you just provision a registry as part of toolchain ansible-role-tinkerbell ships? If it's the second no problem, you can keep shipping it. If it's the first removing it from the sandbox will require some work for the ansible role. |
|
@gianarb That's right, it's more or less the second. For more details, take a look at the role ... |
|
I think removing it is a good idea, because it simplifies things. If you seek to do private images or work in an airgapped environment, there are other ways to do it, like a private Docker registry with credentials or pre-pulling images. |
|
I have started to work at this and the problem is in OSIE (and tinkie @thebsdbox ). OSIE: https://github.com/tinkerbell/osie/blob/master/apps/workflow-helper.sh#L81 We use the internal registry as a way to select the version of tink-worker we want to run as part of the installation environment. Currently, it works this way:
We can make it more general and we can write a new RULE to OSIE: "OSIE use a expect a kernel command line called if we all agree I can open PR against osie and tinkie and sandbox to have all of them inline (At some point we should write OSIE RULES as documentation, but we don' know them all yet! :P ) |
|
We can easily do this now, default to lates and override in the How does that sound? |
|
@thebsdbox I am not too much into the details, but wouldn't it be better to create a new field in the facility object, because this could break applications, that use the Maybe something like |
|
ah so this is an undocumented thing :| things in the facility code are passed to the cmdline. They're then presented as environment variables or in |
|
Yep @thebsdbox I love that. Let's see what @mmlb says and I can proceed when we agree @nicklasfrahm yeah it is unfriendly and undocumented :) I think at some point we will figure out a better metadata structure for all of that. I think something is part of a proposal @mmlb started but not totally sure https://github.com/tinkerbell/proposals/pull/25/files |
|
Yep I think this should be done in a metadata fashion but not like that @thebsdbox, boots already supports this in "cacher mode", we have "custom services version" that we use to boot different versions of osie (https://github.com/tinkerbell/boots/blob/master/packet/models_cacher.go#L319). Custom services is meant for this in the legacy EM stack and we should probably make use of that in tinkerbell too I think. I don't like the idea of injecting it through the I don't think this should be part of the Instance proposal @gianarb thats the wrong layer to do this I think. The other option is to just pin it in the osie "package". Which is kind of the other side of doing things. I'm not too keen on this actually. There are some runtime params that we should have a way to pass down to tink-worker. Its version seems like one, centralized logging config is another. I think maybe {
"tink-worker": {
"log": {
"driver": "..."
},
"tag": "some-tag",
"repo": [
{ "url":"...", "user":"someuser", "password":"s3cr3t"}
]
}
}edited to add: |
|
Let's summarise:
Let's evaluate option 2. When you describe services do you mean this proposal https://github.com/tinkerbell/proposals/blob/master/proposals/0014/README.md ? Probably not At this point we have to figure out a structure and where we want to place that configuration (not in cmdline) |
|
Hmm yeah we can go with option where we can add |
|
I am confused, you say that cmdline were a bad idea right? :D |
|
The services proposal (workflow services actually) is not what I meant when I mentioned services... naming x) |
|
cmdline is definitely an option, but feels hacky (though its my favorite of the hacks). Having a proper way to get some hardware data from tink-server (through hegel probably?) is I think the best option, but not as quick :D |
|
Ok, we (@mmlb) moved our conversation over prv Slack because here it was too hard and we find a common proposal! We are gonna teach Hegel a new endpoint The format is not yet defied but ideally something like: {
"worker": {
"log": {
"driver": "..."
},
"image": "quay.io/tinkerbell/tink-worker:something",
....
}
}Unknown: tink-worker today relays on environment variables and I am not sure how and if we can make it work with this proposal. |
tstromberg
added
kind/cleanup
## Description This PR brings up the sandbox via Docker compose using the Kubernetes backend for all service. This does not completely remove the postgres backend setup but moves all the compose with postgres into an isolated directory (deploy/compose/postgres) that can be removed when we're ready. > I did not touch the terraform setup. I need some help validating that one. please and thank you. CC @mmlb @displague ## Why is this needed Fixes: #142 #45 #118 #131 #133 #145 #148 - This "fixes" a quite a few issues related to TLS cert generation. This is the case because we are not using TLS in this deployment. Also see, tinkerbell/tink#555. - This also "fixes" any issues related to the internal registry as that is removed as the default. ## How Has This Been Tested? Manually tested vagrant with virtualbox (on a Mac), vagrant with libvirt (on Ubuntu 22.04), and docker-compose (on on Ubuntu 22.04). ## How are existing users impacted? What migration steps/scripts do we need? There is no migration support. Users will need to follow a quick start guide to get started. ## Checklist: I have: - [x] updated the documentation and/or roadmap (if required) - [ ] added unit or e2e tests - [ ] provided instructions on how to upgrade
## Description This PR brings up the sandbox via Docker compose using the Kubernetes backend for all service. This does not completely remove the postgres backend setup but moves all the compose with postgres into an isolated directory (deploy/compose/postgres) that can be removed when we're ready. > I did not touch the terraform setup. I need some help validating that one. please and thank you. CC @mmlb @displague ## Why is this needed Fixes: tinkerbell#142 tinkerbell#45 tinkerbell#118 tinkerbell#131 tinkerbell#133 tinkerbell#145 tinkerbell#148 - This "fixes" a quite a few issues related to TLS cert generation. This is the case because we are not using TLS in this deployment. Also see, tinkerbell/tink#555. - This also "fixes" any issues related to the internal registry as that is removed as the default. ## How Has This Been Tested? Manually tested vagrant with virtualbox (on a Mac), vagrant with libvirt (on Ubuntu 22.04), and docker-compose (on on Ubuntu 22.04). ## How are existing users impacted? What migration steps/scripts do we need? There is no migration support. Users will need to follow a quick start guide to get started. ## Checklist: I have: - [x] updated the documentation and/or roadmap (if required) - [ ] added unit or e2e tests - [ ] provided instructions on how to upgrade
We are not sure if the internal registry is something we want or if it is just a complication.
We enabled #41. So now the workers have access to the internet. It means that all the registry setup and the certificate to have it secure is not strictly required anymore.
BUT we will have to figure out by ourselves how to get our actions to run in the worker. This is not a problem when the action is public, but for private repositories, it is a bit more complicated and the operating system installation environment (osie or tinkie) will have to give us a way to inject authentication (or we have to make tink-worker good enough to authenticate I suppose)
The text was updated successfully, but these errors were encountered: