Comments (15)
Quick design:

```yaml
apiVersion: image.toolkit.fluxcd.io
kind: ImageRepository
spec:
  image: registry:8080/app-image
  interval: 5m
  certificateSecretRef:
    name: registry-certs
---
apiVersion: v1
kind: Secret
metadata:
  name: registry-certs   # must match certificateSecretRef above
type: kubernetes.io/tls
stringData:
  ca.crt: |
    -----BEGIN CERTIFICATE-----
    MIICojCCAYoCCQC2/92/4xw9wjANBgkqhkiG9w0BAQsFADATMREwDwYDVQQDDAhy
    ...
    k2vUMz8m
    -----END CERTIFICATE-----
  tls.crt: |
    -----BEGIN CERTIFICATE-----
    MIICmjCCAYICCQCaeupWLclBOzANBgkqhkiG9w0BAQsFADAPMQ0wCwYDVQQDDARm
    ...
    tNVsKCye54yh1rzTuadBa/I+myVpq+ynPp39k+F0fjVodOwyiTrzpHejyxHi9g==
    -----END CERTIFICATE-----
  tls.key: |
    -----BEGIN RSA PRIVATE KEY-----
    MIIEogIBAAKCAQEAxx3+wgas5lkzRilKR/4IG98FNGjQNJHD1KlVYQH8+NCN1veh
    ...
    5tQ7MDVezip26NpQgZ07oZ9O8o28nONy9AgNmAFifeMIqZT085o=
    -----END RSA PRIVATE KEY-----
```
An alternative would be to look for the certs in the secret referred to with `secretRef`; however, those are often generated with `kubectl create secret docker-registry ...`, and with automation, and either of those makes it inconvenient to include certificates. You can always name the same secret, if you put the certificates there.

When a certificate secret is included, the controller will look for those two fields, parse and use whichever of them is present for HTTPS requests. So you could include a CA certificate if you want to use TLS but don't need to authenticate with a client certificate; or, you could use a client certificate if you are authenticating with the certificate, but your server has a fancy CA-signed certificate itself.

The format is the one produced by `kubectl create secret tls`, except for the additional `ca.crt`. The controller will not require the type to be set.
EDIT: I just noticed `kubectl create secret tls`.
from image-reflector-controller.
@bjornmagnusson flux v1's `--registry-insecure-hosts` would try HTTPS with `TLS_INSECURE_SKIP_VERIFY`, and failing that, use HTTP. I guess you used it for that first part, because you were using your own CA cert?

Supplying a custom client and CA cert would be strictly better, because they would not bring `TLS_INSECURE_SKIP_VERIFY` along with them -- so I want to make sure that you don't need the other bits of `--registry-insecure-hosts`.
We could use a shorter field name like `certSecretRef`.
@squaremo I would consider using the same key names we currently use for HelmRepositories https://toolkit.fluxcd.io/components/source/helmrepositories/#spec-examples

```yaml
apiVersion: v1
kind: Secret
type: Opaque
data:
  certFile: <BASE64>
  keyFile: <BASE64>
  caFile: <BASE64>
```
> I would consider using the same key names we currently use for HelmRepositories

Does HelmRepository eschew the format used by `kubectl create secret tls` for the same reason I initially did? (to wit: I didn't know about it)
Those key names are part of the Helm API used for defining the `repositories.yaml`, I think this API predates `kubectl create secret tls`.
> Those key names are part of the Helm API used for defining the `repositories.yaml`, I think this API predates `kubectl create secret tls`.

Got it, they are from a parallel tradition :-) I guess I could look for either set of keys; I don't expect people to be creating secrets for this in the same way they'd create them for Helm; but it might avoid some surprises, so why not.
As with Git and Helm we will provide a `flux create secret tls` command that will generate a secret with certFile, keyFile and caFile keys. We already do that for Helm so adding the `tls` command should take 5 minutes of copy/paste :))
@squaremo if we standardise around `kubernetes.io/tls` for `ImageRepository` then how should we go about `GitRepository` fluxcd/source-controller#93? Should we introduce a separate `certSecretRef` field there too?
There are problems either way around:

- a) secrets created with `kubectl create secret tls` don't have a ca cert -- you would have to add that yourself if you need it
- b) the secrets for Helm etc. include username/password, which isn't necessary here since those are expected to come from an imagePullSecret

I think it makes more sense for Git and Helm to use their own format. Image repos are a special case because they use imagePullSecrets -- but because of a) above, I'm going to expect the Git/Helm format for certs, and support TLS secrets as a convenience only.
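The two conventions argued over above (the `caFile`/`certFile`/`keyFile` keys written by `flux create secret tls`, and the `tls.crt`/`tls.key` keys from `kubectl create secret tls` with a hand-added `ca.crt`) can both be honoured by one loader. The following is an added example, not code from image-reflector-controller or from anyone in this thread: `TLSConfigFromSecret` and `selfSignedPEM` are hypothetical names, the secret data maps are constructed inline so the program runs offline, and the behaviour it implements is the one the thread describes: CA only, client pair only, or both are accepted, a certificate without its key is rejected, and verification is never disabled the way `--registry-insecure-hosts` did.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// The two key conventions from the thread, in the order CA, cert, key.
var (
	fluxKeys = [3]string{"caFile", "certFile", "keyFile"} // flux create secret tls / Helm repositories.yaml
	k8sKeys  = [3]string{"ca.crt", "tls.crt", "tls.key"} // kubectl create secret tls, plus a hand-added ca.crt
)

// TLSConfigFromSecret (hypothetical name) builds a tls.Config from a Secret's
// data map, accepting either key convention. CA only, client pair only, or
// both are valid; a certificate without its key is an error.
func TLSConfigFromSecret(data map[string][]byte) (*tls.Config, error) {
	keys := k8sKeys
	for _, k := range fluxKeys {
		if _, ok := data[k]; ok {
			keys = fluxKeys // prefer the flux/Helm names when any of them is present
			break
		}
	}
	ca, cert, key := data[keys[0]], data[keys[1]], data[keys[2]]
	if ca == nil && cert == nil && key == nil {
		return nil, errors.New("secret holds none of caFile/certFile/keyFile or ca.crt/tls.crt/tls.key")
	}
	cfg := &tls.Config{MinVersion: tls.VersionTLS12}
	if ca != nil {
		pool := x509.NewCertPool()
		if !pool.AppendCertsFromPEM(ca) {
			return nil, fmt.Errorf("%s is not a PEM certificate", keys[0])
		}
		cfg.RootCAs = pool // trust the private CA; InsecureSkipVerify stays false
	}
	if (cert == nil) != (key == nil) {
		return nil, fmt.Errorf("%s and %s must be supplied together", keys[1], keys[2])
	}
	if cert != nil {
		pair, err := tls.X509KeyPair(cert, key)
		if err != nil {
			return nil, fmt.Errorf("client key pair: %w", err)
		}
		cfg.Certificates = []tls.Certificate{pair}
	}
	return cfg, nil
}

// selfSignedPEM makes a throwaway self-signed certificate and its key, PEM-encoded.
// Constructed sample material so the demo runs offline; not from the page.
func selfSignedPEM(cn string) (certPEM, keyPEM []byte, err error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &priv.PublicKey, priv)
	if err != nil {
		return nil, nil, err
	}
	keyDER, err := x509.MarshalECPrivateKey(priv)
	if err != nil {
		return nil, nil, err
	}
	certPEM = pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
	keyPEM = pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: keyDER})
	return certPEM, keyPEM, nil
}

func main() {
	ca, _, _ := selfSignedPEM("registry-ca")   // throwaway material, errors ignored
	cert, key, _ := selfSignedPEM("flux-client")
	for name, data := range map[string]map[string][]byte{
		"flux keys":        {"caFile": ca, "certFile": cert, "keyFile": key},
		"kubectl tls + ca": {"ca.crt": ca, "tls.crt": cert, "tls.key": key},
		"CA only":          {"caFile": ca},
		"cert without key": {"tls.crt": cert},
	} {
		cfg, err := TLSConfigFromSecret(data)
		if err != nil {
			fmt.Printf("%-17s rejected: %v\n", name, err)
			continue
		}
		fmt.Printf("%-17s ok: rootCAs=%t clientCerts=%d\n", name, cfg.RootCAs != nil, len(cfg.Certificates))
	}
}
```

The "cert without key" case is the one a convenience path is most likely to get wrong: `kubectl create secret tls` always writes both `tls.crt` and `tls.key`, but a hand-edited secret that only carries `ca.crt` plus a stray `tls.crt` should fail loudly rather than silently fall back to an unauthenticated connection.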
You're right, both Helm and Git-over-https include username/password.

> I'm going to expect the Git/Helm format for certs, and support TLS secrets as a convenience only.

Sounds great, thank you.
Looks promising.
I wonder if there is any possibility that this kind of configuration can be done on a global level for the entire cluster? (as it applies to all automations in that cluster).
Let me know when there is a version of image-reflector-controller to try out, and I will be happy to do it in our context.
@bjornmagnusson This issue got automagically closed because I mentioned it in the pull request; the TLS certs bit of API should make its way into the next release, which will surely be soon!
> I'm going to expect the Git/Helm format for certs, and support TLS secrets as a convenience only.

In the end I just implemented secrets with the `flux create secret` data keys (and see fluxcd/flux2#788).

I could add `kubectl create secret tls` support in another PR. What do you think @bjornmagnusson, would you expect to be able to use `kubectl create secret tls`?