Function support for private registry in RuntimeImageOverride #309

Open
RafaelPaulovic opened this issue Sep 27, 2023 · 4 comments
Labels
kind/feature Categorizes issue or PR as related to a new feature.

Comments

RafaelPaulovic commented Sep 27, 2023

Description

As a function runtime developer, I want to provide my own custom runtime image from a private registry so that I can have security and privacy for enterprise images.

Reasons

We have an internal custom runtime image that we don't want to be publicly exposed. We want to run our custom runtime image in BTP Kyma, where we shouldn't change its internal module configurations.

Attachments

In our local Kyma setup with k3d, we append to the default kaniko arguments the k3d insecure registry available within the cluster: --insecure-registry=k3d-kyma-registry:5000. During function image build, kaniko can access and pull the custom runtime.

In BTP Kyma, changes to the serverless deployment are overwritten after some period of time, and we would need to push the custom runtime image to its internal registry so that it can access the image privately.

Error when trying to use a private repository from docker.io:

time="2023-09-27T14:38:57Z" level=info msg="Retrieving image manifest gmttosap/trial:latest"
time="2023-09-27T14:38:57Z" level=info msg="Retrieving image gmttosap/trial:latest from registry index.docker.io"
time="2023-09-27T14:38:57Z" level=error msg="Error while retrieving image from cache: gmttosap/trial:latest GET https://index.docker.io/v2/gmttosap/trial/manifests/latest: UNAUTHORIZED: authentication required; [map[Action:pull Class: Name:gmttosap/trial Type:repository]]"
time="2023-09-27T14:38:57Z" level=info msg="Retrieving image manifest gmttosap/trial:latest"
time="2023-09-27T14:38:57Z" level=info msg="Retrieving image gmttosap/trial:latest from registry index.docker.io"
error building image: GET https://index.docker.io/v2/gmttosap/trial/manifests/latest: UNAUTHORIZED: authentication required; [map[Action:pull Class: Name:gmttosap/trial Type:repository]]
@kwiatekus kwiatekus added the kind/feature Categorizes issue or PR as related to a new feature. label Oct 30, 2023
Contributor

kwiatekus commented Nov 2, 2023

It's possible to read a user-defined secret and inject it into the filesystem of kaniko's build container:

spec:
  runtime: ...
  runtimeImageOverride: ...
  runtimeImageOverridePullSecret: #reference to secret of type `dockerconfigjson`

In such a case, kaniko's dockerconfigjson file (containing the srvls docker-registry config) will be enriched with the user-provided pull secret.
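
One way the enrichment described in the comment above could work, as an added Go example that is not part of the thread or of the Kyma code base. The helper name, registry host and credentials are hypothetical or constructed, and skipping entries that collide with the platform's own registry is an assumption about the desired behaviour, not something the comment specifies.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
)

// dockerConfig mirrors the payload of a kubernetes.io/dockerconfigjson secret.
type dockerConfig struct {
	Auths map[string]json.RawMessage `json:"auths"`
}

// Constructed sample data: registry names and credentials are placeholders.
const sampleBase = `{"auths":{"internal-registry.example:5000":{"auth":"cGxhdGZvcm06c2VjcmV0"}}}`
const sampleUser = `{"auths":{"https://index.docker.io/v1/":{"auth":"dXNlcjp0b2tlbg=="},` +
	`"internal-registry.example:5000":{"auth":"dXNlcjp0b2tlbg=="}}}`

// mergeDockerConfigs (hypothetical helper) adds the user's entries to base.
// Registries already in base are skipped and reported, never overwritten.
func mergeDockerConfigs(base, user []byte) ([]byte, []string, error) {
	var b, u dockerConfig
	if err := json.Unmarshal(base, &b); err != nil {
		return nil, nil, fmt.Errorf("base config: %w", err)
	}
	if err := json.Unmarshal(user, &u); err != nil {
		return nil, nil, fmt.Errorf("user pull secret: %w", err)
	}
	if len(u.Auths) == 0 {
		return nil, nil, fmt.Errorf("user pull secret has no auths entries")
	}
	if b.Auths == nil {
		b.Auths = map[string]json.RawMessage{}
	}
	var skipped []string
	for registry, entry := range u.Auths {
		if _, exists := b.Auths[registry]; exists {
			skipped = append(skipped, registry)
			continue
		}
		b.Auths[registry] = entry
	}
	sort.Strings(skipped) // map iteration order is random; keep output stable
	merged, err := json.Marshal(b)
	return merged, skipped, err
}

func main() {
	merged, skipped, err := mergeDockerConfigs([]byte(sampleBase), []byte(sampleUser))
	fmt.Println(string(merged), skipped, err)
}
```

The merged bytes are what would be written to the config.json that kaniko reads; the skipped list is worth surfacing to the user as a status condition or log line.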

Contributor

kyma-bot commented Jan 1, 2024

This issue or PR has been automatically marked as stale due to the lack of recent activity.
Thank you for your contributions.

This bot triages issues and PRs according to the following rules:

  • After 60d of inactivity, lifecycle/stale is applied
  • After 7d of inactivity since lifecycle/stale was applied, the issue is closed

You can:

  • Mark this issue or PR as fresh with /remove-lifecycle stale
  • Close this issue or PR with /close

If you think that I work incorrectly, kindly raise an issue with the problem.

/lifecycle stale

@kyma-bot kyma-bot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Jan 1, 2024
Contributor

kyma-bot commented Jan 8, 2024

This issue or PR has been automatically closed due to the lack of activity.
Thank you for your contributions.

This bot triages issues and PRs according to the following rules:

  • After 60d of inactivity, lifecycle/stale is applied
  • After 7d of inactivity since lifecycle/stale was applied, the issue is closed

You can:

  • Reopen this issue or PR with /reopen
  • Mark this issue or PR as fresh with /remove-lifecycle stale

If you think that I work incorrectly, kindly raise an issue with the problem.

/close

@kyma-bot kyma-bot closed this as completed Jan 8, 2024
Contributor

kyma-bot commented Jan 8, 2024

@kyma-bot: Closing this issue.


@kwiatekus kwiatekus removed the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Jan 11, 2024
@kwiatekus kwiatekus reopened this Jan 11, 2024

3 participants