added support for private Docker registries #1666
Conversation
RichhLi
requested review from
aseaday,
zwpaper,
kemingy,
VoVAllen and
gaocegege
as code owners
Signed-off-by: Richard Li <ricli@linkedin.com>
Signed-off-by: Richard Li <ricli@linkedin.com>
Signed-off-by: Richard Li <ricli@linkedin.com>
Signed-off-by: Richard Li <ricli@linkedin.com>
Signed-off-by: Richard Li <ricli@linkedin.com>
RichhLi
force-pushed
the
support_private_registries
branch
from
f7b7425
to
b173e8d
Compare
.DS_Store
Outdated
pkg/app/bootstrap.go
Outdated
| for _, reg := range strings.Split(clicontext.String("registry"), ";") { | ||
| // Split into parts | ||
| parts := strings.Split(reg, ",") | ||
| if len(parts) != 4 { |
There was a problem hiding this comment.
Is it mandatory to set CA for the private registry?
There was a problem hiding this comment.
Yes. From our findings, ca is required. Interestingly, cert and key weren't necessary for us, but we wanted to keep the existing structure as generic as possible. We assume the original writers added the cert and key values for a reason.
pkg/app/bootstrap.go
Outdated
| @@ -315,3 +331,29 @@ func buildkit(clicontext *cli.Context) error { | |||
|
|
|||
| return nil | |||
| } | |||
|
|
|||
| func updateConfigWithRegistry(clicontext *cli.Context, config *buildkitutil.BuildkitConfig) error { | |||
There was a problem hiding this comment.
Should this be a method of the buildkitutil.BuildkitConfig?
pkg/app/bootstrap.go
Outdated
| config.Registry = append(config.Registry, strings.Split(parts[0], "=")[1]) | ||
| caPath := strings.Split(parts[1], "=")[1] | ||
| config.Ca = append(config.Ca, caPath) | ||
| config.Key = append(config.Key, strings.Split(parts[2], "=")[1]) | ||
| config.Cert = append(config.Cert, strings.Split(parts[3], "=")[1]) |
There was a problem hiding this comment.
This has an assumption: the order has to be register,ca,key,cert but this has not been validated.
BTW, it seems these 3 files have to be in the same directory as the CA path. Otherwise the bind won't work.
There was a problem hiding this comment.
yeah so i think passing a json string might be better
There was a problem hiding this comment.
General suggestions:
- I think naming as
registry-credentialmakes more sense thenregistrybecause the main purpose is to pass credential to enable auth with the registry. - I feel the string parsing logic is a bit overwhelming now. Users have to write bunch of stuff with
;and,, which is kinda error-prone. I feel passing the whole thing as a json string would be easier to handle and validate. For example:
envd bootstrap --registry-credential='{
"Registry": ["reg1", "reg2"],
"Ca": ["ca1, "ca2"],
...etc
}'
or
envd bootstrap --registry-credentials='{
"Credentials": [
{
"register": "reg1",
"ca": "ca1",
}
{
"register": "reg2",
"ca": "ca2",
}
]
}'
and you can use golang json to unmarshal the string like
type MyData struct {
List []string `json:"list"`
}
func main() {
app := &cli.App{
Name: "myapp",
Usage: "An example CLI",
Flags: []cli.Flag{
&cli.StringFlag{
Name: "json",
Usage: "JSON string argument",
},
},
Action: func(c *cli.Context) error {
jsonString := c.String("json")
if jsonString != "" {
var data MyData
err := json.Unmarshal([]byte(jsonString), &data)
if err != nil {
return err
}
// Process the JSON data here
fmt.Printf("List items: %+v\n", data.List)
}
return nil
},
}
err := app.Run(os.Args)
if err != nil {
log.Fatal(err)
}
}
- Should
use-httpanddockerhub-mirroralso be included inregistry-credential? i see they are both for per registry
pkg/app/bootstrap.go
Outdated
| } | ||
|
|
||
| // Generate file path | ||
| path, err := fileutil.ConfigFile(fmt.Sprintf("registry_%s.pem", kv[0])) |
There was a problem hiding this comment.
I am curious why do we have to read and write the pem files? can't we just use the original one?
There was a problem hiding this comment.
This is copied from the original implementation. The main purpose is to make sure these 3 files are in the same directory since we will mount this directory to the buildkitd container.
There was a problem hiding this comment.
So we basically copy 3 pems to the new dir? If that's the case, do we still need binding to allow the permission to /etc or other folders? I think buildkit will have permission to the new dir?
There was a problem hiding this comment.
What do you mean the original impl? and Why not just use io.Copy instead of read and write?
There was a problem hiding this comment.
Why not just use
io.Copyinstead ofreadandwrite?
That should be better.
So we basically copy 3 pems to the new dir? If that's the case, do we still need binding to allow the permission to
/etcor other folders? I think buildkit will have permission to the new dir?
Need to mount a directory to the buildkitd container. This directory is used to store the envd config, which should be safe.
This PR supports multiple registries which means it needs different CAs for different registries. It might need to differentiate the file names.
pkg/app/bootstrap.go
Outdated
| // Split into parts | ||
| parts := strings.Split(reg, ",") | ||
| if len(parts) != 4 { | ||
| return fmt.Errorf("invalid registry string: %s", reg) |
There was a problem hiding this comment.
maybe use errors.Newf everywhere for consistency?
pkg/app/bootstrap.go
Outdated
| @@ -315,3 +331,29 @@ func buildkit(clicontext *cli.Context) error { | |||
|
|
|||
| return nil | |||
| } | |||
|
|
|||
| func updateConfigWithRegistry(clicontext *cli.Context, config *buildkitutil.BuildkitConfig) error { | |||
There was a problem hiding this comment.
would be better to add a test to this func
| {{- range $index, $value := .Registry }} | ||
| [registry."{{ if $value }}{{ $value }}{{ else }}docker.io{{ end }}"] | ||
| {{- if $.UseHTTP }} | ||
| http = true |
There was a problem hiding this comment.
what if they want to specify different http/mirrors for different registries?
There was a problem hiding this comment.
Maybe we should make the mirror a string slice.
There was a problem hiding this comment.
@kemingy advised me to leave the dockerhub-mirror command as is, since Docker mirrors are unrelated to private registries. I can change it, but then the command will be removed (the mirror config will be in the JSON file instead).
| hostConfig := &container.HostConfig{ | ||
| Privileged: true, | ||
| AutoRemove: true, | ||
| } | ||
|
|
||
| if bc.SetCA { | ||
| hostConfig.Mounts = append(hostConfig.Mounts, mount.Mount{ |
There was a problem hiding this comment.
Will removing this cause any side effect?
Signed-off-by: Richard Li <ricli@linkedin.com>
Signed-off-by: Richard Li <ricli@linkedin.com>
Signed-off-by: Richard Li <ricli@linkedin.com>
Signed-off-by: Richard Li <ricli@linkedin.com>
Signed-off-by: Richard Li <ricli@linkedin.com>
| Usage: "Specify the registry to pull the image from", | ||
| Aliases: []string{"r"}, | ||
| Name: "registry-config", | ||
| Usage: "Path to a JSON file containing registry configuration", |
There was a problem hiding this comment.
If we're going to pass a JSON file, why not use the buildkit TOML file directly?
I think the main purpose of the CLI is to make it user-friendly. If the situation is complex, it's almost the same as setting up a buildkitd instance manually.
This decision will heavily affect the implementation. What do you think?
There was a problem hiding this comment.
How about providing the buildkit TOML directly to envd?
There was a problem hiding this comment.
Very good point. The problem with directly providing a TOML file is that the Docker mount won't be set up. I think this pr may not even be necessary because we might as well just set up buildkitd manually like you said. We will discuss this.
There was a problem hiding this comment.
@kemingy @gaocegege Would it be possible to keep the current envd implementation, and the only change we'll make is adding a command that accepts JSON input? And we'll add a check where users can only use one of the commands, not both at the same time. So it will be completely backward compatible.
There was a problem hiding this comment.
@kemingy @gaocegege Would it be possible to keep the current envd implementation, and the only change we'll make is adding a command that accepts JSON input? And we'll add a check where users can only use one of the commands, not both at the same time. So it will be completely backward compatible.
I'm okay with it.
There was a problem hiding this comment.
LGTM!
Will you implement it in this PR?
There was a problem hiding this comment.
Yes, or do you want it in different pr?
There was a problem hiding this comment.
No, I am just asking. Keeping in this PR LGTM.
There was a problem hiding this comment.
Hi @RichhLi Do you still need this PR?
There was a problem hiding this comment.
No, I merged this one: #1680
|
close due to #1680 |
Usage:
envd bootstrap --registry-config path_to_json_fileFormat:
Note that the "name" field is required. The other fields are all optional.
This will allow users to specify private Docker registries and the respective credentials. Under the hood, we parse these credentials and create a corresponding buildkit TOML file, as well as set up Docker bindings. This enables users to pull and push images from private Docker registries.