Comments (5)
Hi @sebgl - this request makes sense and I'd like to support private registries.
Questions:
- Can swarm secrets replace the plaintext environmental variables?
- Could you have to support multiple private registries at once? If that were the case how would that be possible with the proposal?
- Do you have a 1-liner to start a private registry with username/password enabled (TLS?)
- Could the existing credentials store be used instead? ~/.docker/config.json
  https://github.com/docker/cli/blob/dee8e6ab2da3fe1f57f57de6c009a9256040d1d0/cli/command/cli.go#L110
Hi @alexellis, thanks for the quick answer.
My use case (having only one single registry) is a tiny subcase of the more general one.
Since this might interest you: we're basically adding another API in front of the gateway to handle authentication, permissions, etc. This API is also responsible for building and pushing docker images, since we want users to give us code, not docker images. Hence we only need one private registry (ours, not the user's one). For now this is just a prototype, for fun :)
You're right in all questions that this should be handled in a more general way in FaaS gateway.
- Multiple private registries
Yes! Should this be a fixed list of allowed registries? Or should users be able to "add" access to new registries whenever they want via the gateway API (can play nice with registry permissions)? The latter seems more interesting but also a bit more complex to handle. I love how small and simple the codebase of FaaS is.
- Credential store & swarm secrets
Indeed, environment variables do not seem right. Unless I have misunderstood something, we need all deployed gateways to be in possession of all registry secrets, so that they can pass the appropriate one (based on the docker image name prefix) to the swarm service create API.
Best choice seems to store registries credentials as swarm secrets available from all deployed gateways. Could be as a /run/secrets/config.json file store. I'm just a bit concerned about updating this file if registries can be added/removed at runtime as discussed above.
Another way of handling both points above could be to allow users to provide registry credentials as a parameter in POST /system/functions: then we don't need to store credentials at all. What do you think?
- 1-liner to start a private registry
That's not exactly one line, but I've set up this gist with instructions: https://gist.github.com/sebgl/3c97c379ddc77c65c44d47e6b745fa10
Easiest way I found is to spawn a VM somewhere with DNS registered and port 443 open to the world for LetsEncrypt certificates generation, then run the docker-compose file as described in the gist.
Running with self-signed certificates on localhost with swarm involves more tricks.
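
The lookup discussed in the comment above (choose the registry secret by image name prefix, then hand it to the swarm service create API) can be sketched as follows. This is an added example, not code from the thread or from the FaaS code base; it assumes the secret file uses the `auths` layout of a Docker `config.json`, and `RegistryAuthHeader`, `registryHost` and `registry.example.com` are hypothetical names.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
)

// Constructed sample secret file; the auth value is base64("demo:s3cret").
const sampleConfig = `{"auths":{"registry.example.com":{"auth":"ZGVtbzpzM2NyZXQ="}}}`

// registryHost returns the registry prefix of an image name, or "" when the
// name has no explicit registry (the image would then come from Docker Hub).
func registryHost(image string) string {
	parts := strings.SplitN(image, "/", 2)
	if len(parts) == 2 && (strings.ContainsAny(parts[0], ".:") || parts[0] == "localhost") {
		return parts[0]
	}
	return ""
}

// RegistryAuthHeader (hypothetical helper) selects the stored credentials for
// the image's registry and encodes them as an X-Registry-Auth header value.
func RegistryAuthHeader(configJSON []byte, image string) (string, bool, error) {
	var cfg struct {
		Auths map[string]struct{ Auth string `json:"auth"` } `json:"auths"`
	}
	if err := json.Unmarshal(configJSON, &cfg); err != nil {
		return "", false, err
	}
	host := registryHost(image)
	entry, ok := cfg.Auths[host]
	if host == "" || !ok {
		return "", false, nil // no matching registry: send no credentials
	}
	raw, err := base64.StdEncoding.DecodeString(entry.Auth)
	cred := strings.SplitN(string(raw), ":", 2)
	if err != nil || len(cred) != 2 {
		return "", false, fmt.Errorf("malformed auth entry for %s", host)
	}
	payload, _ := json.Marshal(map[string]string{
		"username": cred[0], "password": cred[1], "serveraddress": host})
	return base64.URLEncoding.EncodeToString(payload), true, nil
}

func main() {
	_, ok, err := RegistryAuthHeader([]byte(sampleConfig), "registry.example.com/team/fn:1.0")
	fmt.Println("credentials found:", ok, "error:", err)
}
```

Returning no header for an unmatched registry keeps one registry's credentials from being sent to another, which matters once several registries share the same secret file.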
What are you calling your API for building Docker images from code? It sounds like it has overlap with the FaaS CLI - https://github.com/alexellis/faas-cli
Are we already connected on Twitter or LinkedIn? If you can send me your email address I'll invite you to the Slack community where we're collaborating around FaaS.
I recently moved the UI under the /ui/ prefix, so that for security you could effectively keep /ui and /system within a blacklist and just expose /function via reverse proxy.
Who are you working with when you say we?
Let's discuss it on Slack :)
Fixed by #87