microsoft / mindaro

Bridge to Kubernetes - for Visual Studio and Visual Studio Code
MIT License
Support for private registries #147

Open shalev123d opened 3 years ago

shalev123d commented 3 years ago

Hello,

We're getting an "ImagePullBackOff" for the routing manager pod as well as the others due to a corporate proxy. It would be great to have support for downloading these images from our private registry (such as Artifactory) and being able to add a prefix to the image (e.g. PRIVATE_REPO/bridgetokubernetes.azurecr.io/lpkremoteagent or PRIVATE_REPO/lpkremoteagent)

Much thanks in advance!

rakeshvanga commented 3 years ago

@shalev123d Thanks for raising this issue. Would you be able to whitelist the Azure Container Registry endpoint so that you would be able to download the images? If so, you can get the IP addresses that should be whitelisted for ACR here: Service tags on-premises. Search for AzureContainerRegistry in the list of service tags to get the IP address ranges. Later on we are planning to move to Microsoft Container Registry (MCR) and would like to know if you will be able to pull images from this registry with your corporate proxy enabled?

shalev123d commented 3 years ago

@rakeshvanga Thanks for the response! The problem is, we're in an offline environment, connected only to an Artifactory server, which is the only server that is able to pull these images from the outside world. So in order to use those images we have to pull them from our Artifactory server, which pulls them from wherever, but we can't pull them directly from the internet, so whitelisting won't solve our problem. We usually set a 'default registry' parameter in Helm charts and such to solve this problem. If it were configurable instead of hard coded we would be able to use it :)

rakeshvanga commented 3 years ago

@shalev123d Thanks for sharing the details on how you work. Artifactory is a binary repository management solution which stores the artifacts from builds and has the ability to hook up to a Docker registry so it can manage the images for you. I don't see support for Azure Container Registry in Artifactory. If this is something that becomes available later on in Artifactory, then you can hook up your Artifactory instance to pull images from MCR or ACR.

At this point I don't see a way for us to make our images available in an offline environment.

shalev123d commented 3 years ago

@rakeshvanga Appreciate the response! I'm not asking for support for Artifactory specifically, I just want to be able to edit the default registry from which the images are being pulled. It could be Artifactory or any other private registry. The best example is to be able to pull the image using PRIVATE_REGISTRY/lpkremoteagent instead of bridgetokubernetes.azurecr.io/lpkremoteagent, which is hard coded in the extension binaries.

rakeshvanga commented 3 years ago

@shalev123d Sure, we could provide an ability to change the registry, but I would like to understand how the image, say lpkremoteagent, would be available in PRIVATE_REGISTRY? Would you set up a separate job/task elsewhere which pulls images from bridgetokubernetes.azurecr.io and pushes them to PRIVATE_REGISTRY?

shalev123d commented 3 years ago

@rakeshvanga Exactly! The PRIVATE_REGISTRY is able to pull images from all of the public repositories such as Docker Hub, MCR, etc., while our offline environment is able to pull images from PRIVATE_REGISTRY, which proxies the request to those public registries. So by changing the default registry to a custom one, we would be able to pull those images securely via PRIVATE_REGISTRY (which runs image scanning and such due to the security policy of our company).

rakeshvanga commented 3 years ago

@shalev123d I would create a task for us to support this functionality and will update you once it is released. Thanks for the feedback and sharing your scenario.

shalev123d commented 3 years ago

@rakeshvanga Thank you very much! Really looking forward to using it :)

rakeshvanga commented 3 years ago

@shalev123d Which client are you using when working with Bridge To Kubernetes, Visual Studio or VS Code?

For targeting the private registry, would setting an environment variable work for your development scenarios?

shalev123d commented 3 years ago

@rakeshvanga We're actually planning on using both, because we are developing and deploying .NET Core services on Visual Studio as well as React/Node.js on VS Code. Environment variables seem like a great solution!

rakeshvanga commented 3 years ago

@shalev123d Thanks for the details. We would be able to release this feature for VS Code by end of April and for Visual Studio by end of May. I'll update this thread once the feature is released. Thanks!

shalev123d commented 3 years ago

@rakeshvanga Thanks! Really appreciate it

aido123 commented 3 years ago

+1 for this, to be able to use a private repo and add a specific imagepullsecret.

Also I'd like the ability to specify pod labels on this deployment (it's an internal policy requirement).

Is this plugin closed source?

rakeshvanga commented 3 years ago

@aido123, Thanks for the feedback. When supporting this feature we will ensure to provide a way to specify an imagepullsecret. Yes, Bridge To Kubernetes is closed source.

Can you share more details about the pod labels? Are there specific labels that need to be added for each pod, or can the same labels of the pod that is being debugged be applied to the pod started by Bridge To Kubernetes?

aido123 commented 3 years ago

@rakeshvanga It's more of an internal policy requirement that we enforce with OPA, e.g. a specific pod label is set.

If we had some way of customizing pod labels, annotations, limits & requests etc., like one does over most Helm charts via values, then that would be ideal, although I recognize that not everyone will require this and it may add complexity on your side.

Let me know your thoughts.
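The thread asks for three things the extension does not expose: rewriting every spawned image (agent, envoy) to a private registry prefix, attaching an imagePullSecret, and adding policy-required pod labels. The following is an added example, not code from Bridge to Kubernetes, showing that rewrite applied to a constructed Pod manifest; the image tags, the `envoyproxy/envoy` name, the digest, the registry `reg.corp:5000` and the secret name are all constructed placeholders.

```python
"""Rewrite a Pod manifest (as a dict) to pull through a private registry mirror.

Added example, not part of the Bridge to Kubernetes extension. Image references
are prefixed with the private registry (either PRIVATE_REGISTRY/<source-host>/<repo>
or PRIVATE_REGISTRY/<repo>), an imagePullSecret is attached and required labels merged.
"""
import copy


def split_ref(ref):
    """Split 'host/repo:tag@digest' into (host, repo, tag, digest).
    Docker's rule: the first path component is a registry host only if it
    contains '.' or ':' or is 'localhost'; otherwise docker.io is implied and
    a bare single-component name lives under library/."""
    digest = None
    if "@" in ref:
        ref, digest = ref.split("@", 1)
    host, sep, rest = ref.partition("/")
    if not sep or not ("." in host or ":" in host or host == "localhost"):
        host, rest = "docker.io", ref
        if "/" not in rest:
            rest = "library/" + rest
    repo, tag = rest, None
    if ":" in rest:            # host (and its port) is already split off, so this is the tag
        repo, tag = rest.rsplit(":", 1)
    return host, repo, tag, digest


def mirror_ref(ref, private_registry, keep_source_host=True):
    """Return the reference for the same image served from private_registry.
    A digest pin survives the rewrite, so the mirror cannot substitute content."""
    host, repo, tag, digest = split_ref(ref)
    out = f"{private_registry}/{host}/{repo}" if keep_source_host else f"{private_registry}/{repo}"
    if tag:
        out += f":{tag}"
    if digest:
        out += f"@{digest}"
    return out


def harden_pod_spec(pod, private_registry, pull_secret, required_labels):
    """Copy of the Pod with all (init)container images mirrored, the pull secret
    attached once, and the OPA-required labels merged into metadata.labels."""
    pod = copy.deepcopy(pod)
    for key in ("initContainers", "containers"):
        for c in pod["spec"].get(key, []):
            c["image"] = mirror_ref(c["image"], private_registry)
    secrets = pod["spec"].setdefault("imagePullSecrets", [])
    if {"name": pull_secret} not in secrets:
        secrets.append({"name": pull_secret})
    pod.setdefault("metadata", {}).setdefault("labels", {}).update(required_labels)
    return pod


# Constructed sample: an agent pod with an envoy sidecar, as the thread describes.
SAMPLE_POD = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "lpkremoteagent-debug", "labels": {"app": "myservice"}},
    "spec": {"containers": [
        {"name": "agent", "image": "bridgetokubernetes.azurecr.io/lpkremoteagent:1.0"},
        {"name": "envoy", "image": "envoyproxy/envoy@sha256:" + "ab" * 32},
    ]},
}
```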

rakeshvanga commented 3 years ago

@aido123 Thanks for providing more context. This would require more thought and planning from our side to achieve. We will update this thread once we plan to work on this feature. For now, we'll prioritize working on supporting private registries.

aido123 commented 3 years ago

Thanks for your efforts @rakeshvanga. Looking forward to seeing how this project evolves.

bgorath commented 3 years ago

Hello @rakeshvanga, we have the same issue as @shalev123d. We're running a private Artifactory registry. Can you tell us whether there is any progress on the implementation of the environment variable?

amsoedal commented 3 years ago

Hi @bgorath, we haven't made progress on this unfortunately, but we do appreciate the feedback since it helps us prioritize our backlog. Is this blocking you from using Bridge at the moment? How many developers are on your team?

bgorath commented 3 years ago

Hi @amsoedal, this is definitely blocking us from using the Bridge. There is no suitable workaround or alternative for us, as for security reasons we are not allowed to use proxies to connect to a public repository. We are a team of 10 developers and just beginning to deploy applications to a local Kubernetes cluster. But we are planning to migrate almost all of our existing applications to the cluster.

koseburak commented 3 years ago

Hi guys, firstly thank you for your helpful extension.

We are working on transforming our container dev env from local Docker to an OpenShift cluster for many dev teams. But our cluster doesn't have access to the public internet. Because of this, we are waiting for this solution. Do you have any progress on this feature?

daniv-msft commented 3 years ago

Thanks @bgorath and @koseburak for your comments. This has been delayed because of other work, but hopefully we can pull it back higher in our backlog. Realistically, it shouldn't be a very big change so I'll try to make it fit in one of our incoming sprints. Thanks for the feedback!

bgorath commented 3 years ago

Thank you @daniv-msft for the update on this issue. We really appreciate it and are looking forward to it.

shalev123d commented 3 years ago

Hi @daniv-msft and @amsoedal, just wanted to add, we need the option to modify the envoy images as well and not just lpkremote etc., basically every image the extension spawns.

Thank you very much!

daniv-msft commented 3 years ago

@shalev123d Makes sense, thanks!

plaisted commented 2 years ago

Just piping in to mention this feature is needed for our clusters as well. It seems pretty common for enterprises to restrict images to being pulled from internal registries only.

SteveCurran commented 2 years ago

We would like this feature also. Being able to run a local registry along with a Rancher k3s cluster without an internet connection would be ideal.

rajetta commented 2 years ago

This feature is useful in a variety of scenarios, especially with many k8s clusters running with tightened security controls and restricting use to only signed images from designated repos. Telepresence does this by way of config files, to be able to override timeouts as well as the registry. However, I like the simplicity of Bridge to Kubernetes.