Closed obeyler closed 4 years ago
here's the containerd docs as they relate to TLS:
https://github.com/containerd/cri/blob/master/docs/registry.md#configure-registry-tls-communication
@jhunt I put in the insecure-skip-verify and auth options. For certificate TLS I'll do it in a next PR; I have to think about it before I'll be able to create PEM files.
I've had some ideas kicking around since we first started talking about them; I'm going to try to whip up a PR that implements those ideas and see what you think.
I changed the config to conform to your remarks; now the mirrors can be described like this:

```yaml
- name: runtime-runc
  release: k8s
  properties:
    cni: weave
    mirrors:
      docker.io:
        url: ((registry-mirrors))
      quay.io:
        url: ((registry-mirrors))
      k8s.gcr.io:
        url: ((registry-mirrors))
      '*':
        url: ((registry-mirrors))
```
Other options such as tls or auth can also be added (see the spec of the runtime-runc job).
The only trouble I have with it is that some unnecessary lines are added to the containerd.toml file:
`cat /var/vcap/jobs/runtime-runc/etc/containerd.toml`:

```toml
[plugins]
  [plugins.cri]
    [plugins.cri.containerd]
      snapshotter = "overlayfs"
      [plugins.cri.containerd.default_runtime]
        runtime_type = "io.containerd.runtime.v1.linux"
        runtime_engine = "/var/vcap/packages/runtime-runc/bin/runc"
        runtime_root = ""
      [plugins.cri.containerd.untrusted_workload_runtime]
        runtime_type = "io.containerd.runtime.v1.linux"
        runtime_engine = "/var/vcap/packages/runtime-runc/bin/runsc"
        runtime_root = "/var/vcap/data/k8s/runtime-runc"
      [plugins.cri.containerd.gvisor]
        runtime_type = "io.containerd.runtime.v1.linux"
        runtime_engine = "/var/vcap/packages/runtime-runc/bin/runsc"
        runtime_root = "/var/vcap/data/k8s/runtime-runc"
    [plugins.cri.cni]
      conf_dir = "/var/vcap/jobs/net-weave/etc/cni/net.d"
      bin_dir = "/var/vcap/packages/containerd/bin"
    [plugins.cri.registry]
      [plugins.cri.registry.configs]
      [plugins.cri.registry.mirrors]
        [plugins.cri.registry.mirrors."*"]
          endpoint = ["https://docker.jcr.nd-int-ops-paas"]
        [plugins.cri.registry.mirrors."docker.io"]
          endpoint = ["https://docker.jcr.nd-int-ops-paas"]
        [plugins.cri.registry.mirrors."k8s.gcr.io"]
          endpoint = ["https://docker.jcr.nd-int-ops-paas"]
        [plugins.cri.registry.mirrors."quay.io"]
          endpoint = ["https://docker.jcr.nd-int-ops-paas"]
# persistent data location
root = "/var/vcap/store/k8s/runtime-runc"
```
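As an added example (not the runtime-runc job's own ERB template), here is a Ruby rendering of the `mirrors` property into the `[plugins.cri.registry]` section: it emits the `configs` and `mirrors` table headers only when they have entries, keys per-host `tls`/`auth` settings by the mirror endpoint's host the way containerd expects, and lists the hosts for which certificate verification would be switched off. The `tls`/`auth` key names under a mirror and the sample values are assumptions.

```ruby
require 'uri'
# Constructed sample of the `mirrors` job property from this PR; the tls/auth
# keys under a mirror are assumed names, not taken from the job spec.
SAMPLE_MIRRORS = {
  'docker.io' => { 'url' => 'https://mirror.example:5000' },
  '*' => { 'url' => 'https://mirror.example:5000',
           'tls' => { 'insecure_skip_verify' => true },
           'auth' => { 'username' => 'bot', 'password' => 'p"w' } } }
# TOML basic-string quoting for hosts, URLs and credentials.
def toml_str(v)
  '"' + v.to_s.gsub('\\') { '\\\\' }.gsub('"') { '\\"' } + '"'
end

# containerd keys [plugins.cri.registry.configs] by the registry host actually
# contacted (host[:port] of the mirror URL), not by the namespace being mirrored.
def registry_host(url)
  u = URI(url)
  u.port == u.default_port ? u.host : "#{u.host}:#{u.port}"
end
# Render the registry section; empty mirrors/configs tables are not emitted.
def render_registry(mirrors)
  lines = ['[plugins.cri.registry]']
  lines << '  [plugins.cri.registry.mirrors]' unless mirrors.empty?
  mirrors.sort.each do |ns, m|
    lines << "    [plugins.cri.registry.mirrors.#{toml_str(ns)}]"
    lines << "      endpoint = [#{toml_str(m['url'])}]"
  end
  configs = {}
  mirrors.each_value do |m|
    c = { 'tls' => m['tls'], 'auth' => m['auth'] }.compact
    next if c.empty?
    host = registry_host(m['url'])
    raise ArgumentError, "conflicting config for #{host}" if configs.fetch(host, c) != c
    configs[host] = c
  end
  lines << '  [plugins.cri.registry.configs]' unless configs.empty?
  configs.sort.each do |host, c|
    c.each do |section, kv|
      lines << "    [plugins.cri.registry.configs.#{toml_str(host)}.#{section}]"
      kv.each { |k, v| lines << "      #{k} = #{[true, false].include?(v) ? v : toml_str(v)}" }
    end
  end
  lines.join("\n") + "\n"
end

# Hosts whose certificate verification would be disabled; surface these at deploy time.
def insecure_hosts(mirrors)
  mirrors.values.select { |m| m.dig('tls', 'insecure_skip_verify') }
         .map { |m| registry_host(m['url']) }.uniq.sort
end
```

Top-level keys such as `root` must come before the first `[table]` header in a TOML file; placed after one, they are parsed as a key of that table.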
From the previous review:

> Is it possible to get the test harness for those added to the PR to assist others in the future when / if they need to make changes to this code?
An easy way to test it is to use a JCR launched by Docker:

```sh
docker run --name artifactory -d -p 8081:8081 docker.bintray.io/jfrog/artifactory-jcr:latest
```
To configure it you can use this file (`cat param.yml`):

```yaml
remoteRepositories: #Remote repositories configuration
  quay-io:
    type: docker
    url: https://quay.io/
    enableTokenAuthentication: true
    repoLayout: simple-default
  docker-remote:
    type: docker
    url: https://registry-1.docker.io/
    enableTokenAuthentication: true
    repoLayout: simple-default
virtualRepositories: #Virtual repositories configuration
  docker:
    type: docker
    repositories:
      - docker-remote
      - quay-io
```
and apply it to your JCR:

```sh
export BASE_URL="http://localhost:8081/artifactory"
export AUTH=" -u admin:((jcr_admin_password))"
# check the container is ready, timeout 120s
timeout 120 sh -c 'until nc -z $0 $1; do sleep 1; done' localhost 8081
curl $AUTH -X PATCH "$BASE_URL/api/system/configuration" -H "Content-Type:application/yaml" -T param.yml
```
Superseded by #60
This feature adds the ability for containerd to use a mirror for the Docker registry. fix: #39