fnproject / fn-helm

Helm Chart for Fn
Apache License 2.0

Support authentication with 3rd party docker registries #8

Open zootalures opened 6 years ago

zootalures commented 6 years ago

Fn (dind) doesn't get docker registry credentials.

I think fn needs to understand these eventually in some form but a stop gap

Ideally we should be able to share one or more k8s docker image pull secrets with the fn container to allow secured registries to be used.

e.g. (elsewhere in k8s):

kubectl create secret docker-registry wcrsecret --docker-server=wcr --docker-username=testserver --docker-password=$(cat ~/.wercker/token) --docker-email=email@example.com

then in values.yaml

fnserver:
   imageSecrets:
       - wcrsecret

carimura commented 6 years ago

cc @derekschultz

rdallman commented 6 years ago

we support multiple registries configured in ~/.docker/config or through DOCKER_AUTH env var in fn. i am less sure if it works properly, but there was an attempt. it should be possible to thread in either way to k8s

venkat50 commented 6 years ago

Please also consider support for private registry (with and without authentication).

lenalebt commented 6 years ago

One important aspect to consider when using a private registry is the nesting level of docker image names. You can only have 3 at max, see https://github.com/fnproject/fn/blob/f27d47f2dd9520647f8799043bfcb3d121709958/api/agent/drivers/driver.go#L283

If you use more than 3, it falls back to assuming the image comes from docker hub and does not provide correct credentials. This cost me about 3 days of debugging, hoping that others do not run into the same thing...

Shorter nestings are okay.

I opened a bug report here: https://github.com/fnproject/fn/issues/764
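
A pre-deployment check for the nesting limit described in the last comment, as an added example that is not part of the thread and not fn's own parser. `CheckImage` and `stripTag` are hypothetical helpers, `registry.example.com` is a placeholder, and the rule is modelled on the comment's description plus the usual Docker convention for recognising a registry host.

```go
package main

import (
	"fmt"
	"strings"
)

// stripTag removes a trailing :tag or @digest. A colon before the last "/"
// belongs to a registry port, not to a tag.
func stripTag(image string) string {
	if i := strings.Index(image, "@"); i >= 0 {
		return image[:i]
	}
	if i := strings.LastIndex(image, ":"); i > strings.LastIndex(image, "/") {
		return image[:i]
	}
	return image
}

// CheckImage returns the registry host that credentials would be looked up
// for, and ok=false when the name is nested too deeply for the host to be
// recognised. The rule is modelled on the comment above (assumption).
func CheckImage(image string) (registry string, ok bool) {
	parts := strings.Split(stripTag(image), "/")
	switch {
	case len(parts) > 3:
		return "", false // treated as Docker Hub, registry credentials not used
	case len(parts) == 3:
		return parts[0], true
	case len(parts) == 2 && (strings.ContainsAny(parts[0], ".:") || parts[0] == "localhost"):
		return parts[0], true // usual Docker convention for a registry host
	default:
		return "", true // ordinary Docker Hub name
	}
}

func main() {
	// Constructed sample image names.
	for _, img := range []string{
		"fnproject/hello:latest",
		"registry.example.com:5000/team/app:1.0",
		"registry.example.com/org/team/app:1.0",
	} {
		if reg, ok := CheckImage(img); !ok {
			fmt.Printf("FAIL %s: more than 3 components, registry auth will not apply\n", img)
		} else {
			fmt.Printf("ok   %s (registry=%q)\n", img, reg)
		}
	}
}
```

Running a check like this over function image names before deployment surfaces the silent fallback as an explicit failure instead of an unexplained pull error.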