migtools / mig-controller

OpenShift Migration Controller
Apache License 2.0

Add security to migration registry #144

Open sseago opened 5 years ago

sseago commented 5 years ago

The current implementation of the (temporary) migration registry creates a registry pod which doesn't use https or require login credentials. We should update this to allow for securing the registry with certs and credentials. This will also require plugin support. The plugin will need to obtain certs and credentials created by the controller (probably via secrets created in the velero namespace with some supporting annotations on the velero CR) and use them to access the registry.

djwhatle commented 3 years ago

@sseago @dymurray this feels like something that should still be fixed. What do you think?

sseago commented 3 years ago

There's value in fixing it, but it's a lower priority now that we're trying to get customers away from using this registry at all. A bigger issue is that we don't currently deal with internal registries that require cert setup. To be specific, since I really don't have any experience with locked-down internal registries, for any registry where the following settings for push/pull access won't work, we'll break:

```go
DockerDaemonInsecureSkipTLSVerify: true,
DockerInsecureSkipTLSVerify:       types.OptionalBoolTrue,
```
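To make concrete what "a registry that requires cert setup" means for the two skip-verify settings quoted above, here is an added example in Go; it is not mig-controller's or containers/image's own code, and the names `RegistryTLSOptions`, `NewRegistryClient`, `PingRegistry` and `StartFakeRegistry` are hypothetical. It uses only the standard library: the fake registry is a constructed `httptest` HTTPS server whose self-signed certificate plays the role of an internal CA, and the three clients show that system roots reject it, an explicitly trusted CA bundle accepts it, and skipping verification also "works", which is exactly why that setting hides a misconfiguration. Client-certificate (mTLS) registries are not covered.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"encoding/pem"
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
)

// RegistryTLSOptions is a hypothetical stand-in for the two containers/image
// knobs quoted in the comment above: trust an explicit CA bundle for the
// registry, or skip verification entirely (works today, but unsafe).
type RegistryTLSOptions struct {
	CABundlePEM        []byte // PEM CA certificate(s) that issued the registry's TLS cert
	InsecureSkipVerify bool   // equivalent of DockerInsecureSkipTLSVerify: true
}

// NewRegistryClient builds an *http.Client whose TLS trust follows opts.
// Precedence: explicit skip > explicit CA bundle > system roots. A CA bundle
// that parses to zero certificates is an error rather than a silent fallback,
// so a bad secret fails loudly instead of appearing to work.
func NewRegistryClient(opts RegistryTLSOptions) (*http.Client, error) {
	tlsCfg := &tls.Config{MinVersion: tls.VersionTLS12}
	switch {
	case opts.InsecureSkipVerify:
		tlsCfg.InsecureSkipVerify = true
	case len(opts.CABundlePEM) > 0:
		pool := x509.NewCertPool()
		if !pool.AppendCertsFromPEM(opts.CABundlePEM) {
			return nil, errors.New("registry CA bundle contains no parsable certificates")
		}
		tlsCfg.RootCAs = pool
	}
	return &http.Client{Transport: &http.Transport{TLSClientConfig: tlsCfg}}, nil
}

// PingRegistry performs the Distribution API version check (GET /v2/) that
// every OCI registry exposes. 200 and 401 both mean the TLS handshake and the
// request succeeded; 401 only says credentials are needed for the next step.
func PingRegistry(client *http.Client, baseURL string) error {
	resp, err := client.Get(baseURL + "/v2/")
	if err != nil {
		return err // certificate verification failures surface here
	}
	defer resp.Body.Close()
	_, _ = io.Copy(io.Discard, resp.Body)
	if resp.StatusCode != http.StatusOK && resp.StatusCode != http.StatusUnauthorized {
		return fmt.Errorf("unexpected status %d from %s/v2/", resp.StatusCode, baseURL)
	}
	return nil
}

// StartFakeRegistry is a constructed fixture: an HTTPS server answering /v2/
// like a registry, returned together with its self-signed certificate encoded
// as a PEM "CA bundle", standing in for an internal registry's private CA.
func StartFakeRegistry() (*httptest.Server, []byte) {
	mux := http.NewServeMux()
	mux.HandleFunc("/v2/", func(w http.ResponseWriter, _ *http.Request) {
		w.Header().Set("Docker-Distribution-API-Version", "registry/2.0")
		w.WriteHeader(http.StatusOK)
	})
	srv := httptest.NewTLSServer(mux)
	caPEM := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: srv.Certificate().Raw})
	return srv, caPEM
}

func main() {
	srv, caPEM := StartFakeRegistry()
	defer srv.Close()

	cases := []struct {
		name string
		opts RegistryTLSOptions
	}{
		{"system roots only (internal CA unknown)", RegistryTLSOptions{}},
		{"internal CA bundle trusted", RegistryTLSOptions{CABundlePEM: caPEM}},
		{"InsecureSkipTLSVerify (unsafe)", RegistryTLSOptions{InsecureSkipVerify: true}},
	}
	for _, c := range cases {
		client, err := NewRegistryClient(c.opts)
		if err != nil {
			fmt.Printf("%-42s -> config error: %v\n", c.name, err)
			continue
		}
		if err := PingRegistry(client, srv.URL); err != nil {
			fmt.Printf("%-42s -> FAIL: %v\n", c.name, err)
		} else {
			fmt.Printf("%-42s -> ok\n", c.name)
		}
	}
}
```

The first case is the failure mode the comment worries about: against a registry signed by a private CA the controller knows nothing about, the only thing that makes push/pull "work" without proper cert setup is skipping verification, so the fix is to plumb the CA bundle (for example from a secret) into the client rather than to flip the skip flags.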