Configuring a Fn Kubernetes deployment to use an insecure local Docker registry

Open fadams opened this issue 5 years ago • 0 comments

Hi, I've set up a pretty basic private Docker registry:

docker run --rm -d \
    --name registry \
    -p 5000:5000 \
    registry:2

Which is pretty much the same as the example here https://github.com/fnproject/docs/blob/master/fn/operate/private_registries.md

I've set this up in my CLI context and I'm using mDNS/AVAHI so I can happily see my registry using $(hostname).local:5000. I've also configured my daemon.json on all the hosts that need to see the registry and I've logged into my K8s Nodes and proved that I can happily pull images from my local registry, so far so good.

What I'm not clear about, however, is what the best/recommended way is to enable the fn-runner to use my local registry. I've docker execed into the fn-runner containers from my K8s Node and proved that they can actually ping the host running the registry, which is fine, and as a first attempt what I did was essentially to bind-mount daemon.json from the K8s Node to the fn-runner.

What I did was to render the Fn helm chart:

helm template --name fn --namespace fn fn-helm/fn > fn.yaml

Then edit the fn.yaml to modify the fn/templates/fn-runner-node-deployment.yaml bit to add:

          volumeMounts:
          - mountPath: /etc/docker/daemon.json
            name: insecure-registry
      volumes:
      - name: insecure-registry
        hostPath:
          path: /etc/docker/daemon.json

As it happens, this actually works fine because I've already got the daemon.json on my K8s Nodes to configure them to be aware of my registry, but I can't help thinking that there must be a neater way, and I surely can't be the only person to have wanted to do this?

I know that there is a FN_REGISTRY env var and a --registry flag, but those seem to be primarily aimed at the CLI, and I don't need those on any of my CLI calls because I've set the registry in the context. So I'm mainly concerned here with understanding the recommended approach for configuring the server, and in particular for configuring a fn-runner in Kubernetes to be able to cleanly use a local insecure registry.

MTIA

fadams, Apr 11 '19 10:04
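
Added example, not part of the original issue or the Fn project's code: because the hostPath mount above hands the runner the node's whole daemon.json, this Python check lists what the runner's Docker daemon would inherit from that file. The sample file contents, the registry name `buildhost.local:5000` and the function names are assumptions made for illustration.

```python
import ipaddress
import json

# Constructed sample of a node's /etc/docker/daemon.json (not from the issue).
SAMPLE_DAEMON_JSON = """
{
  "insecure-registries": ["buildhost.local:5000", "10.0.0.0/8"],
  "log-driver": "json-file",
  "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]
}
"""

def is_cidr(entry):
    """True when the entry is a network range rather than a single host[:port]."""
    try:
        ipaddress.ip_network(entry, strict=False)
    except ValueError:
        return False
    return "/" in entry

def audit_daemon_json(text, expected_registries):
    """Return (kind, value) findings for a daemon.json shared with the runner."""
    config = json.loads(text)
    findings = []
    for entry in config.get("insecure-registries", []):
        if is_cidr(entry):
            # A range disables TLS verification for every registry inside it.
            findings.append(("cidr-range", entry))
        elif entry not in expected_registries:
            findings.append(("unexpected-registry", entry))
    # A tcp:// entry in "hosts" makes the daemon listen on the network.
    for host in config.get("hosts", []):
        if host.startswith("tcp://"):
            findings.append(("tcp-listener", host))
    # Every other key in the file applies to the runner's daemon as well.
    for key in sorted(config):
        if key not in ("insecure-registries", "hosts"):
            findings.append(("inherited-setting", key))
    return findings

if __name__ == "__main__":
    expected = {"buildhost.local:5000"}  # assumed name of the local registry
    for kind, value in audit_daemon_json(SAMPLE_DAEMON_JSON, expected):
        print(f"{kind}: {value}")
```
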