kyma-project / docker-registry

Apache License 2.0

Provide the option to expose the registry through https #37

Closed pbochynski closed 1 week ago

pbochynski commented 2 months ago

Description

Provide a way to expose the docker registry using TLS certificates. It can be an optional setting that utilizes istio/api-gateway features.

Reasons

Some customers use tools that enforce secure access to the registry with TLS.

AC

Execution

pPrecel commented 1 month ago

We decided to make a dependency on the APIGateway module to reuse the built-in kyma-gateway and to not manage our own dnsentry, certificates, and gateway.

kwiatekus commented 3 weeks ago

When I use the hostPrefix configuration option, then I can push to the URL via the docker CLI, but Kubernetes cannot pull the image when scheduling a pod in an arbitrary namespace (given exposed-registry-auth as imagePullSecret). It looks as if the secret that is propagated across namespaces doesn't have the proper registry URL in the .dockerconfigjson field (it has the default URL, not the one I changed via the hostPrefix option).

kwiatekus commented 3 weeks ago

Also, when using the default host registry-default-kyma-system I experience the same problem: the image can be pushed (by the docker CLI) but not pulled.

pPrecel commented 3 weeks ago

@kwiatekus I think the problem is caused by using the wrong registry secret. I don't know what exposed-registry-auth is, but the name of the right one is located in the DockerRegistry CR status. Example:

apiVersion: operator.kyma-project.io/v1alpha1
kind: DockerRegistry
metadata:
  finalizers:
  - dockerregistry-operator.kyma-project.io/deletion-hook
  name: default
  namespace: default
spec:
  externalAccess:
    enabled: true
    hostPrefix: test-registry
status:
  conditions:
  - lastTransitionTime: "2024-07-04T07:38:35Z"
    message: Configuration ready
    reason: Configured
    status: "True"
    type: Configured
  - lastTransitionTime: "2024-07-04T07:38:53Z"
    message: DockerRegistry installed
    reason: Installed
    status: "True"
    type: Installed
  externalAccess:
    enabled: "True"
    pullAddress: test-registry...
    pushAddress: test-registry...
    secretName: dockerregistry-config-external
  internalAccess:
    enabled: "True"
    pullAddress: localhost:32137
    pushAddress: dockerregistry.default.svc.cluster.local:5000
    secretName: dockerregistry-config
  served: "True"
  state: Ready
  storage: filesystem

You can follow this tutorial to make sure you do everything correctly.

kwiatekus commented 3 weeks ago

dockerregistry-config-external is not propagated to every namespace, hence the problem. I schedule the pod in the default namespace, while the docker registry secret for external access is only available in kyma-system.
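A small diagnostic, added here as an example and not part of the kyma-project/docker-registry code, that reproduces the failure mode discussed above: it looks up the imagePullSecret in the pod's namespace and checks that its .dockerconfigjson authenticates to the external pullAddress reported in the DockerRegistry CR status. Hostnames, credentials and the secret objects are constructed placeholders.

```python
import base64
import json
from urllib.parse import urlparse

# Constructed sample: the relevant part of a DockerRegistry CR status
# (same shape as the status shown in the thread; the host is a placeholder).
CR_STATUS = {
    "externalAccess": {
        "pullAddress": "test-registry.example.com",  # placeholder host
        "secretName": "dockerregistry-config-external",
    },
}

def make_dockerconfig_secret(name, namespace, registry, user="u", pw="p"):
    """Build a kubernetes.io/dockerconfigjson Secret dict (constructed test data)."""
    auth = base64.b64encode(f"{user}:{pw}".encode()).decode()
    cfg = {"auths": {registry: {"auth": auth}}}
    return {
        "metadata": {"name": name, "namespace": namespace},
        "type": "kubernetes.io/dockerconfigjson",
        "data": {".dockerconfigjson": base64.b64encode(json.dumps(cfg).encode()).decode()},
    }

def registries_in_secret(secret):
    """Return the set of registry hosts the secret's .dockerconfigjson authenticates to."""
    raw = base64.b64decode(secret["data"][".dockerconfigjson"])
    auths = json.loads(raw).get("auths", {})
    hosts = set()
    for key in auths:
        # keys may be bare hosts ("localhost:32137") or URLs ("https://host/v1/")
        parsed = urlparse(key if "://" in key else f"//{key}")
        hosts.add(parsed.netloc)
    return hosts

def check_pull_secret(pod_namespace, pull_secret_name, secrets, cr_status):
    """Explain why a pod in pod_namespace can or cannot pull from the
    external pull address with the named imagePullSecret. Returns (ok, reason)."""
    expected_host = cr_status["externalAccess"]["pullAddress"]
    secret = next((s for s in secrets
                   if s["metadata"]["name"] == pull_secret_name
                   and s["metadata"]["namespace"] == pod_namespace), None)
    if secret is None:
        return False, f"secret {pull_secret_name} not found in namespace {pod_namespace}"
    hosts = registries_in_secret(secret)
    if expected_host not in hosts:
        return False, f"secret authenticates to {sorted(hosts)}, not {expected_host}"
    return True, "ok"
```

Running it against a secret that exists only in kyma-system, or against a secret whose auths entry still names the internal address, yields the two distinct failure reasons that explain the "push works, pull fails" symptom.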

pPrecel commented 3 weeks ago

You are right. I forgot about propagation.

kwiatekus commented 1 week ago

In the latest main the status no longer contains the details on how to use it (secret name and the pull/push addresses).