[feature request] Pulling images from remote registries

[DerekTBrown]

User Story

• Suppose I have docker images stored in a private registry (e.g. ECR, GCR, GHCR).
• In production environments, these images are pulled via Node IAM roles / credential helpers. No pod-specific configuration (i.e. imagePullSecrets) are required.
• I want to create a Tilt environment that runs production workloads with minimum Tilt-specific configuration. i.e. Ideally there is some way to configure ctlptl/Kind to also be able to pull these images without imagePullSecrets.

[DerekTBrown]

Possible Solutions

1. [Easy] Extension to load images from remote The current approach I have is to create a Tilt resource that pulls images from remotes by:
   • docker pull
   • kind load docker-image.

Eventually, I could see it making sense to add this to tilt_extensions.

2. [Harder, but Robust] Provide an interface to define upstream registries for registry image
   • The registry image supports configuration as a pull-through cache, where cache upstreams can have authentication.
   • We could add an interface to ctlptl that makes it easy to configure these upstreams, such that they can borrow the local users' ECR, GCR, GHCR credentials, etc.

[nicks]

this is a good guide to the problem and the current solution space - https://kind.sigs.k8s.io/docs/user/private-registries/

for my own projects, i usually use an image pull secret attached to the default service account in a namespace, which i've found is the most portable approach, e.g., https://github.com/tilt-dev/tilt-extensions/tree/master/secret#secret_create_docker_registry_ecr

[DerekTBrown]

@nicks Agree these are the current best-supported paths. It just seems like there should be a fairly easy way to emulate the production EKS/GKE behavior such that ImagePullSecrets aren't needed.

[nicks]

heh, we have a rule around these parts where if you say it "should be fairly easy", that means you're signing up to implement it. : )