openfaas / faasd

A lightweight & portable faas engine
https://store.openfaas.com/l/serverless-for-everyone-else

Feature: insecure non-TLS registry support #186

Closed alexellis closed 4 months ago

alexellis commented 3 years ago

Add support for insecure non-TLS registries

Why? It seems like commercial users are unsure how to configure self-hosted registries with TLS, and have requested this feature several times.

Expected Behaviour

faasd-provider can pull images from an insecure registry with no TLS such as localhost:5000 or 192.168.0.101:5000

I would expect a new flag to be set on the faasd provider command: https://github.com/openfaas/faasd/blob/master/cmd/provider.go

Current Behaviour

A valid TLS cert is required; for self-signed certs, the CA should be part of the system's trust bundle.

List all Possible Solutions

@AkihiroSuda pointed me at:

https://github.com/containerd/nerdctl/pull/287/files

Which could be updated here: https://github.com/openfaas/faasd/blob/2885bb0c514a403d317b93e6d8add1ad52239a13/pkg/service/service.go#L125

Steps to Reproduce (for bugs)

  1. Run an open source docker registry
  2. Push an image there from your Docker Desktop instance with faas-cli push
  3. Run faas-cli deploy and have faasd-provider deploy the function

Shikachuu commented 3 years ago

Hey @alexellis, I am planning to pick up this issue.

Do you have any flag name in mind? Or should I use the one in the nerdctl PR that you linked? (--insecure-registry)

alexellis commented 3 years ago

Why don't you have a play with it without committing to a design? Just see if you can figure out what's needed to make it work first.
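
Added example, not part of the thread and not faasd or nerdctl code: one way to keep an insecure-registry setting narrow is to allow plain HTTP only for registries the operator lists by exact host:port, and keep TLS for everything else. The function names are hypothetical, the registry detection is a simplified form of Docker's reference rule, and the image names are constructed samples.

```go
package main

import (
	"fmt"
	"strings"
)

// registryHost returns the registry part of an image reference. Simplified
// rule (assumption): the first path component is a registry only if it
// contains "." or ":" or is "localhost"; anything else means Docker Hub.
func registryHost(image string) string {
	i := strings.IndexRune(image, '/')
	if i == -1 {
		return "docker.io"
	}
	first := image[:i]
	if strings.ContainsAny(first, ".:") || first == "localhost" {
		return first
	}
	return "docker.io"
}

// schemeFor returns "http" only when the image's registry exactly matches an
// entry in the operator-supplied allow-list (hypothetical flag values).
// Every other registry, including the same host on another port, keeps TLS.
func schemeFor(image string, insecure []string) string {
	host := registryHost(image)
	for _, allowed := range insecure {
		if strings.EqualFold(host, strings.TrimSpace(allowed)) {
			return "http"
		}
	}
	return "https"
}

func main() {
	// Allow-list uses the two hosts named in the issue text.
	insecure := []string{"localhost:5000", "192.168.0.101:5000"}
	for _, img := range []string{ // constructed sample references
		"localhost:5000/fn:latest",
		"192.168.0.101:5000/team/fn:0.1",
		"192.168.0.101:5001/team/fn:0.1",
		"ghcr.io/example/fn:latest",
		"example/fn",
	} {
		fmt.Printf("%-34s -> %s\n", img, schemeFor(img, insecure))
	}
}
```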