REGISTRY.md

File metadata and controls

168 lines (132 loc) · 5.59 KB

Registry configuration

General info

Makisu supports TLS and Basic Auth against Docker registries (Docker Hub, GCR, and private registries). By default TLS is enabled, and Makisu verifies the registry's certificate against a bundled list of common root CA certificates.

// Config contains Docker registry client configuration.
type Config struct {
  Concurrency int           `yaml:"concurrency"`
  Timeout     time.Duration `yaml:"timeout"`
  Retries     int           `yaml:"retries"`
  PushRate    float64       `yaml:"push_rate"`
  // If not specified, a default chunk size will be used.
  // Set it to -1 to turn off chunked upload.
  // NOTE: gcr does not support chunked upload.
  PushChunk int64           `yaml:"push_chunk"`
  Security  security.Config `yaml:"security"`
}

// security.Config (defined in the security package) holds the per-repository
// authentication settings. The credsStore key used in the cred helper
// examples further below also belongs to this section.
type Config struct {
  TLS       *httputil.TLSConfig `yaml:"tls"`
  BasicAuth *types.AuthConfig   `yaml:"basic"`
}

Configs are passed in through the --registry-config flag, either as a file path or as a raw JSON blob:

--registry-config='{"gcr.io": {"uber-container-tools/*": {"push_chunk": -1, "security": {"basic": {"username": "_json_key", "password": "<escaped key here>"}}}}}'

Consider using yq to convert your YAML configuration into the JSON blob that the flag accepts.

Examples

For convenience when working with all public Docker Hub repositories (including library/.*), a default config is provided:

index.docker.io:
  .*:
    security:
      tls:
        client:
          disabled: false
      # Docker Hub requires basic auth with an empty username and password for all public repositories.
      basic:
        username: ""
        password: ""

Example config for GCR:

"gcr.io":
  "uber-container-tools/*":
    push_chunk: -1
    security:
      basic:
        username: _json_key
        password: |-
          {
              <json here>
          }

To configure your own registry endpoint, pass a custom configuration file to Makisu with --registry-config=${PATH_TO_CONFIG}:

[registry]:
  [repo]:
    security:
      tls:
        client:
          disabled: false
          cert:
            path: <path to cert>
          key:
            path: <path to key>
          passphrase:
            path: <path to passphrase>
        ca:
          cert:
            path: <path to ca certs, appended to the system certs. A list of common ca certs is used if empty>
      basic:
        username: <username>
        password: <password>

Note: For the cert path, you can point to a directory containing your certificates. Makisu will then use all of the certs in that directory for TLS verification.
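As an added example for this page (not Makisu's own code), the Go program below parses the JSON form of this configuration with the standard library only, resolves the entry for a given registry and repository, and flags settings worth a second look before the config is shipped: client TLS switched off, a static password embedded in the blob, basic auth and credsStore set at the same time, and a gcr.io entry without push_chunk: -1. The type names, the regular-expression matching of repo keys, the lint rules and the second (insecure) blob are this example's assumptions; only the key names come from the page.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
)

// The types below mirror the keys shown in this README (push_chunk, security.tls,
// security.basic, security.credsStore), re-tagged for JSON so the raw blob given to
// --registry-config can be parsed with the standard library alone. They are an
// illustration written for this page, not Makisu's own types.
type PathRef struct {
	Path string `json:"path"`
}

type ClientTLS struct {
	Disabled   bool    `json:"disabled"`
	Cert       PathRef `json:"cert"`
	Key        PathRef `json:"key"`
	Passphrase PathRef `json:"passphrase"`
}

type CATLS struct {
	Cert PathRef `json:"cert"`
}

type TLS struct {
	Client *ClientTLS `json:"client"`
	CA     *CATLS     `json:"ca"`
}

type BasicAuth struct {
	Username string `json:"username"`
	Password string `json:"password"`
}

type Security struct {
	TLS        *TLS       `json:"tls"`
	Basic      *BasicAuth `json:"basic"`
	CredsStore string     `json:"credsStore"`
}

type RepoConfig struct {
	PushChunk int64    `json:"push_chunk"`
	Security  Security `json:"security"`
}

// RegistryConfig nests registry -> repo pattern -> config, exactly like the blob.
type RegistryConfig map[string]map[string]RepoConfig

// ExampleBlob is the GCR blob from this page, with the key left as the placeholder.
const ExampleBlob = `{"gcr.io": {"uber-container-tools/*": {"push_chunk": -1, "security": {"basic": {"username": "_json_key", "password": "<escaped key here>"}}}}}`

// InsecureBlob is a constructed counter-example (hypothetical registry) that trips
// three of the lint rules below.
const InsecureBlob = `{"registry.example.internal": {".*": {"push_chunk": 0, "security": {
  "tls": {"client": {"disabled": true}},
  "basic": {"username": "ci", "password": "hunter2"},
  "credsStore": "ecr-login"}}}}`

// Parse decodes the JSON form accepted by --registry-config.
func Parse(blob string) (RegistryConfig, error) {
	var cfg RegistryConfig
	if err := json.Unmarshal([]byte(blob), &cfg); err != nil {
		return nil, fmt.Errorf("registry config: %w", err)
	}
	return cfg, nil
}

// Lookup returns the config for registry/repo. Assumption for this example: repo keys
// are regular expressions matched (unanchored) against the repo name, as the default
// ".*" entry suggests.
func Lookup(cfg RegistryConfig, registry, repo string) (*RepoConfig, error) {
	repos, ok := cfg[registry]
	if !ok {
		return nil, fmt.Errorf("no config for registry %q", registry)
	}
	for pattern, rc := range repos {
		re, err := regexp.Compile(pattern)
		if err != nil {
			return nil, fmt.Errorf("bad repo pattern %q: %w", pattern, err)
		}
		if re.MatchString(repo) {
			c := rc
			return &c, nil
		}
	}
	return nil, fmt.Errorf("no config for %s/%s", registry, repo)
}

// Lint flags settings a reviewer would question before shipping the config.
func Lint(cfg RegistryConfig) []string {
	var findings []string
	for registry, repos := range cfg {
		for pattern, rc := range repos {
			where := registry + "/" + pattern
			sec := rc.Security
			if sec.TLS != nil && sec.TLS.Client != nil && sec.TLS.Client.Disabled {
				findings = append(findings, where+": tls.client.disabled is true, so registry traffic (and any basic-auth credentials) is not protected by TLS")
			}
			if sec.Basic != nil && sec.Basic.Password != "" {
				findings = append(findings, where+": static password embedded in the config; prefer a credsStore helper so the secret does not live in build arguments")
			}
			if sec.Basic != nil && sec.CredsStore != "" {
				findings = append(findings, where+": both basic and credsStore are set; keep one so it is clear which credential is used")
			}
			if registry == "gcr.io" && rc.PushChunk != -1 {
				findings = append(findings, where+": gcr does not support chunked upload; set push_chunk: -1")
			}
		}
	}
	return findings
}

func main() {
	for _, blob := range []string{ExampleBlob, InsecureBlob} {
		cfg, err := Parse(blob)
		if err != nil {
			fmt.Println("error:", err)
			continue
		}
		for _, f := range Lint(cfg) {
			fmt.Println("finding:", f)
		}
	}
}
```

Running it on the page's own GCR blob produces a single finding (the inline service-account key), which is the trade-off to weigh against the credsStore: gcr option described in the next section.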

Cred helper

Makisu images (>= 0.1.8) contain the ECR and GCR credential helper binaries. For ECR, export the AWS environment variables your credentials require; you might also need to export AWS_SDK_LOAD_CONFIG=true.

If you encounter certificate validation errors (ex: x509: certificate signed by unknown authority), export SSL_CERT_DIR=/makisu-internal/certs/.

Example AWS ECR config:

"someawsregistry":
  "my-project/*":
    push_chunk: -1
    security:
      credsStore: ecr-login

Example GCR config:

"gcr.io":
  "my-project/*":
    push_chunk: -1
    security:
      credsStore: gcr

NB: Your config files (ex: the AWS config/credentials files) must be placed inside the /makisu-internal/ directory, with environment variables pointing at their locations, for the helpers to find and use them while building your images.

AWS EKS (IAM Roles for Service Accounts - IRSA)

Makisu cleans the environment variables when running, so you will need to provide an AWS configuration file.

Example:

mkdir -p /makisu-internal/.aws/
cp ${AWS_WEB_IDENTITY_TOKEN_FILE} /makisu-internal/.aws/identity_creds
printf "\n[profile eks_role]\nregion = eu-west-3\nrole_arn=${AWS_ROLE_ARN}\nweb_identity_token_file=/makisu-internal/.aws/identity_creds\n" > /makisu-internal/.aws/config
export AWS_SDK_LOAD_CONFIG=true AWS_PROFILE=eks_role AWS_CONFIG_FILE=/makisu-internal/.aws/config SSL_CERT_DIR=/makisu-internal/certs/ SSL_CERT_FILE=/makisu-internal/certs/cacerts.pem

With this example, the eks_role profile assumes the IAM role via the web identity token that the EKS service account projects into the pod.

Using another cred helper

Makisu currently handles ECR and GCR in-process (as libraries) rather than by calling their binaries. To use another Docker credential helper, add its binary to the /makisu-internal directory with a name matching docker-credential-<cred-helper-name>, then in your configuration:

"example.com":
  "my-project/*":
    security:
      credsStore: <cred-helper-name>

Handling BLOB_UPLOAD_INVALID and BLOB_UPLOAD_UNKNOWN errors

If you encounter these errors when pushing your image to a registry, try the push_chunk: -1 option: some registries, despite implementing the registry v2 API, do not support chunked upload, ECR and GCR being two examples.

Handling certificate errors

If you encounter the error lstat path: lstat /etc/ssl: no such file or directory, specify the SSL cert path manually in the registry configuration. Makisu cleans the environment variables, so an override you set via SSL_CERT_DIR is lost and the TLS client falls back to a path that does not exist in the image.

Example configuration:

"someawsregistry":
  "my-project/*":
    push_chunk: -1
    security:
      credsStore: ecr-login
      tls:
        ca:
          cert:
            path: /makisu-internal/certs/