diff --git a/README.md b/README.md index 57c6937..155487c 100644 --- a/README.md +++ b/README.md @@ -175,35 +175,44 @@ spec: Now that we have a running `Service`, we need to expose it onto each Kubernetes `Node` so that Docker will see it as `localhost`. We can load a `Pod` on every -node by dropping a YAML file into the kubelet config directory -(/etc/kubernetes/manifests by default). +node by creating following daemonset. ```yaml -apiVersion: v1 -kind: Pod +apiVersion: extensions/v1beta1 +kind: DaemonSet metadata: name: kube-registry-proxy namespace: kube-system + labels: + k8s-app: kube-registry + kubernetes.io/cluster-service: "true" + version: v0.4 spec: - containers: - - name: kube-registry-proxy - image: gcr.io/google_containers/kube-registry-proxy:0.3 - resources: - limits: - cpu: 100m - memory: 50Mi - env: - - name: REGISTRY_HOST - value: kube-registry.kube-system.svc.cluster.local - - name: REGISTRY_PORT - value: "5000" - - name: FORWARD_PORT - value: "5000" - ports: - - name: registry - containerPort: 5000 - hostPort: 5000 + template: + metadata: + labels: + k8s-app: kube-registry + kubernetes.io/name: "kube-registry-proxy" + kubernetes.io/cluster-service: "true" + version: v0.4 + spec: + containers: + - name: kube-registry-proxy + image: gcr.io/google_containers/kube-registry-proxy:0.4 + resources: + limits: + cpu: 100m + memory: 50Mi + env: + - name: REGISTRY_HOST + value: kube-registry.kube-system.svc.cluster.local + - name: REGISTRY_PORT + value: "5000" + ports: + - name: registry + containerPort: 80 + hostPort: 5000 ``` diff --git a/images/Dockerfile b/images/Dockerfile index 7a5b762..7b0d732 100644 --- a/images/Dockerfile +++ b/images/Dockerfile 
@@ -12,15 +12,16 @@ # See the License for the specific language governing permissions and # limitations under the License. -FROM haproxy:1.5 -MAINTAINER Muhammed Uluyol +FROM nginx:1.11 +MAINTAINER Matthew Fisher -RUN apt-get update && apt-get install -y dnsutils +RUN apt-get update \ + && apt-get install -y \ + curl \ + --no-install-recommends \ + && apt-get clean \ + && rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/* /usr/share/man /usr/share/doc -ADD proxy.conf.insecure.in /proxy.conf.in -ADD run_proxy.sh /usr/bin/run_proxy +COPY rootfs / -RUN chown root:users /usr/bin/run_proxy -RUN chmod 755 /usr/bin/run_proxy - -CMD ["/usr/bin/run_proxy"] +CMD ["/bin/boot"] diff --git a/images/Makefile b/images/Makefile index 26a6b24..4478532 100644 --- a/images/Makefile +++ b/images/Makefile @@ -14,7 +14,7 @@ .PHONY: build push vet test clean -TAG = 0.3 +TAG = 0.4 REPO = gcr.io/google_containers/kube-registry-proxy build: diff --git a/images/proxy.conf.in b/images/proxy.conf.in deleted file mode 100644 index b7a18f9..0000000 --- a/images/proxy.conf.in +++ /dev/null @@ -1,17 +0,0 @@ -global - maxconn 1024 - -defaults - mode http - retries 3 - option redispatch - timeout client 1s - timeout server 5s - timeout connect 5s - -frontend forwarder - bind *:%FWDPORT% - default_backend registry - -backend registry - server kube-registry %HOST%:%PORT% ssl verify required ca-file %CA_FILE% diff --git a/images/proxy.conf.insecure.in b/images/proxy.conf.insecure.in deleted file mode 100644 index d70ff56..0000000 --- a/images/proxy.conf.insecure.in +++ /dev/null @@ -1,17 +0,0 @@ -global - maxconn 1024 - -defaults - mode http - retries 3 - option redispatch - timeout client 1s - timeout server 5s - timeout connect 5s - -frontend forwarder - bind *:%FWDPORT% - default_backend registry - -backend registry - server kube-registry %HOST%:%PORT% diff --git a/images/rootfs/bin/boot b/images/rootfs/bin/boot new file mode 100755 index 0000000..04262b4 --- /dev/null +++ b/images/rootfs/bin/boot 
@@ -0,0 +1,23 @@
+#!/usr/bin/env bash
+
+# fail if no hostname is provided
+REGISTRY_HOST=${REGISTRY_HOST:?no host}
+REGISTRY_PORT=${REGISTRY_PORT:-5000}
+
+# we are always listening on port 80
+# https://github.com/nginxinc/docker-nginx/blob/43c112100750cbd1e9f2160324c64988e7920ac9/stable/jessie/Dockerfile#L25
+PORT=80
+
+sed -e "s/%HOST%/$REGISTRY_HOST/g" \
+ -e "s/%PORT%/$REGISTRY_PORT/g" \
+ -e "s/%BIND_PORT%/$PORT/g" \
+ /etc/nginx/conf.d/default.conf
+
+# wait for registry to come online
+while ! curl -sS "$REGISTRY_HOST:$REGISTRY_PORT" &>/dev/null; do
+ printf "waiting for the registry (%s:%s) to come online...\n" "$REGISTRY_HOST" "$REGISTRY_PORT"
+ sleep 1
+done
+
+printf "starting proxy...\n"
+exec nginx -g "daemon off;" "$@"
diff --git a/images/rootfs/etc/nginx/conf.d/default.conf.in b/images/rootfs/etc/nginx/conf.d/default.conf.in
new file mode 100644
index 0000000..ecd95fd
--- /dev/null
+++ b/images/rootfs/etc/nginx/conf.d/default.conf.in
@@ -0,0 +1,28 @@
+# Docker registry proxy for api version 2
+
+upstream docker-registry {
+ server %HOST%:%PORT%;
+}
+
+# No client auth or TLS
+# TODO(bacongobbler): experiment with authenticating the registry if it's using TLS
+server {
+ listen %BIND_PORT%;
+ server_name localhost;
+
+ # disable any limits to avoid HTTP 413 for large image uploads
+ client_max_body_size 0;
+
+ # required to avoid HTTP 411: see Issue #1486 (https://github.com/docker/docker/issues/1486)
+ chunked_transfer_encoding on;
+
+ location / {
+ # Do not allow connections from docker 1.5 and earlier
+ # docker pre-1.6.0 did not properly set the user agent on ping, catch "Go *" user agents
+ if ($http_user_agent ~ "^(docker\/1\.(3|4|5(?!\.[0-9]-dev))|Go ).*$" ) {
+ return 404;
+ }
+
+ include docker-registry.conf;
+ }
+}
diff --git a/images/rootfs/etc/nginx/docker-registry.conf b/images/rootfs/etc/nginx/docker-registry.conf
new file mode 100644
index 0000000..7dc8cff
--- /dev/null
+++ b/images/rootfs/etc/nginx/docker-registry.conf
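Review bot: The `sed` pipeline in the new boot script discards its own output: there is no `-i` and no redirection, and its input is `/etc/nginx/conf.d/default.conf` rather than the `default.conf.in` template that `COPY rootfs /` installs, so the `%HOST%`/`%PORT%`/`%BIND_PORT%` placeholders are never written into any file nginx reads. nginx then starts with whatever `default.conf` the base image ships in `conf.d/` (picked up by the `include /etc/nginx/conf.d/*.conf;` in the new `nginx.conf` further down this page), and the registry is presumably not proxied at all. Suggest `sed -e "s|%HOST%|$REGISTRY_HOST|g" -e "s|%PORT%|$REGISTRY_PORT|g" -e "s|%BIND_PORT%|$PORT|g" /etc/nginx/conf.d/default.conf.in > /etc/nginx/conf.d/default.conf`, which also switches to `|` delimiters so a `REGISTRY_HOST` containing `/` cannot break the expression; the deleted `run_proxy.sh` already used `|` for its `%CA_FILE%` line. Leaving the rendered-from `.in` template in `conf.d/` is harmless because the include glob only matches `*.conf`.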
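Review bot: The header comment `# No client auth or TLS` understates what this commit changes for the proxy-to-registry hop: the deleted `proxy.conf.in` earlier on this page carried `ssl verify required ca-file %CA_FILE%` on its upstream and `run_proxy.sh` defaulted `REGISTRY_CA` to the service-account CA, while the new `upstream docker-registry { server %HOST%:%PORT%; }` block only speaks plaintext HTTP and the `REGISTRY_CA` knob is gone. That is a deliberate simplification per the TODO, but a reader of this file should not have to diff history to learn it; suggest expanding the comment to `# Upstream is plain HTTP: the registry's identity is not verified (the haproxy image's ssl verify/ca-file option has no equivalent here)`, and stating in the README section edited by the first hunk that traffic between the node proxy and the registry service is unencrypted. The `if ($http_user_agent ...) { return 404; }` guard is the return-only form that is safe inside a location, so nothing to raise there.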
@@ -0,0 +1,6 @@
+proxy_pass http://docker-registry;
+proxy_set_header Host $http_host; # required for docker client's sake
+proxy_set_header X-Real-IP $remote_addr; # pass on real client's IP
+proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+proxy_set_header X-Forwarded-Proto $scheme;
+proxy_read_timeout 900;
diff --git a/images/rootfs/etc/nginx/nginx.conf b/images/rootfs/etc/nginx/nginx.conf
new file mode 100644
index 0000000..54ecc88
--- /dev/null
+++ b/images/rootfs/etc/nginx/nginx.conf
@@ -0,0 +1,26 @@
+user nginx;
+worker_processes auto;
+
+error_log /var/log/nginx/error.log warn;
+pid /var/run/nginx.pid;
+
+events {
+ worker_connections 1024;
+}
+
+http {
+ include /etc/nginx/mime.types;
+ default_type application/octet-stream;
+
+ log_format main '$remote_addr - $remote_user [$time_local] "$request" '
+ '$status $body_bytes_sent "$http_referer" '
+ '"$http_user_agent" "$http_x_forwarded_for"';
+
+ access_log /var/log/nginx/access.log main;
+
+ sendfile on;
+
+ keepalive_timeout 65;
+
+ include /etc/nginx/conf.d/*.conf;
+}
diff --git a/images/run_proxy.sh b/images/run_proxy.sh
deleted file mode 100644
index 9d0b604..0000000
--- a/images/run_proxy.sh
+++ /dev/null
@@ -1,33 +0,0 @@
-#!/usr/bin/env bash
-# Copyright 2015 The Kubernetes Authors.
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-REGISTRY_HOST=${REGISTRY_HOST:?no host}
-REGISTRY_PORT=${REGISTRY_PORT:-5000}
-REGISTRY_CA=${REGISTRY_CA:-/var/run/secrets/kubernetes.io/serviceaccount/ca.crt}
-FORWARD_PORT=${FORWARD_PORT:-5000}
-sed -e "s/%HOST%/$REGISTRY_HOST/g" \
- -e "s/%PORT%/$REGISTRY_PORT/g" \
- -e "s/%FWDPORT%/$FORWARD_PORT/g" \
- -e "s|%CA_FILE%|$REGISTRY_CA|g" \
- /proxy.conf
-
-# wait for registry to come online
-while ! host "$REGISTRY_HOST" &>/dev/null; do
- printf "waiting for %s to come online\n" "$REGISTRY_HOST"
- sleep 1
-done
-
-printf "starting proxy\n"
-exec haproxy -f /proxy.conf "$@"