calico icon indicating copy to clipboard operation
calico copied to clipboard

Published 20 hours ago verified publisher icon projectcalico

Use quay.io as default to mitigate dockerhub rate limit errors

Open samip5 opened this issue 4 years ago • 9 comments

Expected Behavior

You can freely download the calico container images on a fresh cluster

Current Behavior

Due to Docker Hub ratelimits, re-building a cluster and having many containers pull from Docker Hub might result in hitting rate-limits.

Possible Solution

Push Calico containers to Github Container Registry (ghcr) or quay.io

Context

https://docs.docker.com/docker-hub/download-rate-limit/

samip5 avatar Aug 11 '21 15:08 samip5

It would be nice to cover the following images on a separate registry.

docker.io/calico/typha
docker.io/calico/node
docker.io/calico/kube-controllers

onedr0p avatar Aug 16 '21 13:08 onedr0p

@onedr0p @samip5 all of those images are also available on quay.io already.

Another solution would be to download once to a local registry and serve the images locally - this is definitely the best solution for production clusters as it (1) reduces dependency on external infrastructure and (2) reduces ingress traffic to the cluster to download new images (once, rather than once per-node).

caseydavenport avatar Aug 16 '21 22:08 caseydavenport

I'm going to leave this open, since we should probably consider switching to quay.io as our default registry (again).

caseydavenport avatar Aug 16 '21 22:08 caseydavenport

I did not know these were all on Quay, that's awesome! Seems like you need to modify some pipelines to push the multiarch images to quay and you'll be mostly set 👍🏼

onedr0p avatar Aug 16 '21 23:08 onedr0p

Seems like you need to modify some pipelines to push the multiarch images to quay and you'll be mostly set 👍🏼

I'll need to check if quay has finally started supporting multiarch images. We used to use quay as the default and swapped to dockerhub because at the time quay did not support multi-arch.

If that's changed that would be great, otherwise we have a tradeoff: ratelimit vs multi-arch support.

caseydavenport avatar Aug 16 '21 23:08 caseydavenport

haha, looks like you already found https://github.com/projectcalico/calico/issues/3520 and informed me that quay does now support multi-arch.

Yeah, we should probably start pushing multi-arch to quay and change our default.

caseydavenport avatar Aug 16 '21 23:08 caseydavenport

any further progress made here?

mkumatag avatar Oct 20 '21 17:10 mkumatag

This might be all that is required: https://github.com/projectcalico/go-build/pull/351

caseydavenport avatar Oct 26 '21 23:10 caseydavenport

Multi-arch images are on quay now, changing the default still hasn't happened but for anyone finding this you should just be able to switch to images from quay.io/calico/

caseydavenport avatar Aug 09 '22 16:08 caseydavenport

you should just be able to switch to images from quay.io/calico/

This may be daft question, but how is this done? Installing the tigera-operator using the helm chart doesn't appear to have this as a configuration option, only the following:

# Configuration for the tigera operator
tigeraOperator:
  image: tigera/operator
  version: v1.25.7
  registry: quay.io
calicoctl:
  image: docker.io/calico/ctl
  tag: v3.22.2

Is .Values.tigeraOperator.registry used as the registry for all the component images? Or can it only be configured after installation by editing the Installation custom resource.

macropin avatar Oct 28 '22 02:10 macropin

Answering my own question above: The following values.yaml is required to use quay.io as the registry source for the operator.

installation:
  registry: quay.io/

macropin avatar Nov 01 '22 23:11 macropin