Launch a cluster-local registry. #12833
Conversation
|
Some discussion for the cert issue is in #11725. |
|
A quick note from an earlier discussion with @thockin, this does not currently use PV/PVCs. |
|
GCE e2e build/test failed for commit 2b545583be7d06051f8c021542e1d2dd718b9459. |
uluyol
force-pushed
the
insecure-reg
branch
2 times, most recently
from
f535869 to
b8b5b2c
Compare
|
GCE e2e build/test passed for commit f53586977dfbf4cde60cda4e2008110ae2875fd3. |
|
GCE e2e build/test passed for commit b8b5b2c14ada082222a763635d336f2273004334. |
|
Could use help on thsi review - Bueller? Bueller? Firing randomly: @eparis @a-robinson @fgrzadkowski |
|
Ohh, @zmerlynn |
| # The set of addons images that should be prepopulated | ||
| readonly KUBE_ADDON_PATHS=( | ||
| gcr.io/google_containers/pause:0.8.0 | ||
| uluyol/kube-registry-proxy:0.2.3 |
There was a problem hiding this comment.
we'll have to make this a gcr.io image
There was a problem hiding this comment.
Is this going to get addressed before you leave?
|
I like the feature. I am concerned about adding more salt (to an open wound). Looking to @zmerlynn for a reality check. Other than general distaste with salt/jinja I did not find much to pick at. LGTM, pending consult |
|
I'll take a look today. |
|
Ref #1319 |
|
Pushed a new commit that uses a PV for storage. |
|
GCE e2e build/test failed for commit 406d7503459e5479c2225456c67ce25b79a148c7. |
|
GCE e2e build/test passed for commit 0a9d6f85ecb29eed0b2ed77502460d5132082f43. |
| -e "s/%PORT%/$REGISTRY_PORT/g" \ | ||
| -e "s/%FWDPORT%/$FORWARD_PORT/g" \ | ||
| -e "s|%CA_FILE%|$REGISTRY_CA|g" \ | ||
| </proxy.conf.in >/proxy.conf |
There was a problem hiding this comment.
Should proxy.conf be in the commit then - seems like it is auto-generated here?
There was a problem hiding this comment.
We generate it inside of the docker container at runtime.
There was a problem hiding this comment.
Right - my point is that it is in this PR, but I think we're agreed that it should not be.
There was a problem hiding this comment.
Oh, thanks. Removed.
|
Cool, though I don't understand the purpose of the proxy? I've done something similar in the past, though I set it up using a service. I set it up using a known IP, and then just used that IP to access the registry, though our DNS has improved so much since then that pure DNS might work now. (I also set it up using S3 as the backing store; not sure which is better. My guess is that a persistent volume is more portable and doesn't require embedding credentials, so I like this approach.) From an AWS implementation point of view, I agree that there should be a persistent backend for it too. I suggest that once this merges we open an issue to do the same thing for AWS & I will perform the equivalent changes for AWS. |
|
Using anything but localhost requires extra flags to docker or requires TLS On Thu, Aug 20, 2015 at 9:06 AM, Justin Santa Barbara <
|
|
Ah, I didn't realize there was an exception for localhost. That is great then! |
|
Well, we WANT to use TLS, but it was easier to start without it :) On Thu, Aug 20, 2015 at 10:57 AM, Justin Santa Barbara <
|
|
Okay, I'm just now getting around to reviewing due to |
| labels: | ||
| kubernetes.io/cluster-service: "true" | ||
| spec: | ||
| {% if pillar.get('cluster_registry_disk_type', '') == 'gce' %} |
There was a problem hiding this comment.
So if cluster_registry_disk_type isn't gce, this yaml blob just trails off at spec:?
There was a problem hiding this comment.
I wasn't sure what the best way to do this is. This template should only be evaluated if the cluster registry is enabled which should only be permitted if one of the branches here is taken (for non-gce, they'd need to have their own config branch). If somehow this is evaluated otherwise, that's a bug and we should see a failure.
There was a problem hiding this comment.
There's a pattern to do this e.g. http://stackoverflow.com/questions/21778252/how-to-raise-an-exception-in-a-jinja2-macro, but I'm not sure we have any of the pieces elsewhere in our Salt. This looks fine for now, though, it'll error in a different way, I think.
|
In general looks good, I like the approach. It's salty, but meh, that's the system we have. :/ |
uluyol
force-pushed
the
insecure-reg
branch
2 times, most recently
from
eef53a0 to
957b3f6
Compare
|
Pushed new version and rebased. Nits should have been addressed. |
|
GCE e2e build/test failed for commit eef53a0de7cf01370b4f87056034e18e9ffae5e0. |
|
GCE e2e build/test passed for commit 957b3f68eb23a000f3191a6efecaa0a1dcbda5b4. |
| for image in "$1/"*; do | ||
| timeout 30 docker load -i "${image}" &>/dev/null | ||
| rc=$? | ||
| if [[ $rc == 124 ]]; then |
There was a problem hiding this comment.
Sorry, I didn't notice the minor style nits in this file. Can you "${rc}", ${success}, ${restart_docker}, and quote "true"?
There was a problem hiding this comment.
Sure, though it really isn't necessary with the double brackets.
|
LGTM except one minor other nit and a question. @thockin for final buyoff. I'll be oncall tomorrow morning to merge, so if it LGTY, we can see how it does with Jenkins. Oh, and I forgot to add before: Great work! |
|
I'm good with it all, but we'll switch the image to a gcr.io image tomorrow On Thu, Aug 20, 2015 at 5:03 PM, Zach Loafman notifications@github.com
|
This registry can be accessed through proxies that run on each node listening on port 5000. We send the proxy images to the nodes directly to avoid requests that hit the network during cluster launch. For now, we continue to pull the registry itself over the network, especially given its large size (we should be able to dramatically shrink the image). On GCE we create a PD and use that for storage, otherwise we use an emptyDir. The registry is not enabled outside of GCE. All communication is currently plain HTTP. In order to use SSL, we will need to be able to request a certificate/key from the apiserver signed by the apiserver's CA cert.
|
Fixed remaining nits and removed extraneous file. |
|
GCE e2e build/test passed for commit 2fb4e7b. |
|
GCE e2e build/test failed for commit 55825b3f78fb24a15e3b33f89cea2dd3a5931cd4. |
|
The image for this is pushed to gcr now. On Fri, Aug 21, 2015 at 11:48 AM, Zach Loafman notifications@github.com
|
|
GCE e2e build/test passed for commit 3dc10a2. |
|
Now I'm waiting for even a vaguely yellowing |
thockin
added
the
lgtm
|
Supergreen, I'll watch Jenkins. |
Launch a cluster-local registry.
This registry can be accessed through proxies that run on each node listening on port 5000. We send the proxy images to the nodes directly to avoid requests that hit the network during cluster launch. For now, we continue to pull the registry itself over the network, especially given its large size (we should be able to dramatically shrink the image). On GCE we create a PD and use that for storage, otherwise we use an emptyDir. The registry is not enabled outside of GCE. All communication is currently plain HTTP. In order to use SSL, we will need to be able to request a certificate/key from the apiserver signed by the apiserver's CA cert.
@thockin