Merge pull request #227 from metal-stack/add-local-proxy-registries

Add pull-through caches for common container registries

Author: ostempel

Makefile

@@ -95,8 +95,12 @@ roll-certs:
 control-plane: control-plane-bake env
 	docker compose up --remove-orphans --force-recreate control-plane
 
+.PHONY: create-proxy-registries
+create-proxy-registries:
+	docker compose up -d --force-recreate proxy-docker proxy-ghcr proxy-gcr proxy-k8s proxy-quay
+
 .PHONY: control-plane-bake
-control-plane-bake:
+control-plane-bake: create-proxy-registries
 	@if ! which kind > /dev/null; then echo "kind needs to be installed"; exit 1; fi
 	@if ! kind get clusters | grep metal-control-plane > /dev/null; then \
 		kind create cluster $(KIND_ARGS) \

compose.yaml

@@ -26,13 +26,13 @@ services:
       - /bin/bash
       - -ce
       - |
-          ansible-playbook \
-            -i inventories/control-plane.yaml \
-            obtain_role_requirements.yaml
-          ansible-galaxy install --ignore-errors -r requirements.yaml
-          ansible-playbook \
-            -i inventories/control-plane.yaml \
-            deploy_control_plane.yaml --extra-vars "@.extra_vars.yaml"
+        ansible-playbook \
+          -i inventories/control-plane.yaml \
+          obtain_role_requirements.yaml
+        ansible-galaxy install --ignore-errors -r requirements.yaml
+        ansible-playbook \
+          -i inventories/control-plane.yaml \
+          deploy_control_plane.yaml --extra-vars "@.extra_vars.yaml"
 
   partition:
     image: ghcr.io/metal-stack/metal-deployment-base:${DEPLOYMENT_BASE_IMAGE_TAG}
@@ -56,14 +56,14 @@ services:
       - /bin/bash
       - -ce
       - |
-          ansible-playbook \
-            -i inventories/control-plane.yaml \
-            obtain_role_requirements.yaml
-          ansible-galaxy install --ignore-errors -r requirements.yaml
-          ansible-playbook \
-            -i inventories/partition.yaml \
-            -i clab-mini-lab/ansible-inventory.yml \
-            deploy_partition.yaml --extra-vars "@.extra_vars.yaml"
+        ansible-playbook \
+          -i inventories/control-plane.yaml \
+          obtain_role_requirements.yaml
+        ansible-galaxy install --ignore-errors -r requirements.yaml
+        ansible-playbook \
+          -i inventories/partition.yaml \
+          -i clab-mini-lab/ansible-inventory.yml \
+          deploy_partition.yaml --extra-vars "@.extra_vars.yaml"
 
   metalctl:
     image: ghcr.io/metal-stack/metalctl:${METALCTL_IMAGE_TAG}
@@ -77,3 +77,80 @@ services:
       - ./files/rules.yaml:/tmp/rules.yaml
     network_mode: host
     command: --version
+
+  proxy-docker:
+    image: registry:3
+    restart: always
+    volumes:
+      - proxy-docker:/var/lib/registry
+    networks:
+      - kind
+    container_name: proxy-docker
+    environment:
+      - REGISTRY_PROXY_REMOTEURL="https://registry-1.docker.io"
+      - REGISTRY_PROXY_TTL=168h
+      - REGISTRY_STORAGE_DELETE_ENABLED=true 
+      - OTEL_TRACES_EXPORTER=none
+  proxy-gcr:
+    image: registry:3
+    restart: always
+    volumes:
+      - proxy-gcr:/var/lib/registry
+    networks:
+      - kind
+    container_name: proxy-gcr
+    environment:
+      - REGISTRY_PROXY_REMOTEURL="https://gcr.io"
+      - REGISTRY_PROXY_TTL=168h
+      - REGISTRY_STORAGE_DELETE_ENABLED=true 
+      - OTEL_TRACES_EXPORTER=none
+  proxy-ghcr:
+    image: registry:3
+    restart: always
+    volumes:
+      - proxy-ghcr:/var/lib/registry
+    networks:
+      - kind
+    container_name: proxy-ghcr
+    environment:
+      - REGISTRY_PROXY_REMOTEURL="https://ghcr.io"
+      - REGISTRY_PROXY_TTL=168h
+      - REGISTRY_STORAGE_DELETE_ENABLED=true 
+      - OTEL_TRACES_EXPORTER=none
+  proxy-k8s:
+    image: registry:3
+    restart: always
+    volumes:
+      - proxy-k8s:/var/lib/registry
+    networks:
+      - kind
+    container_name: proxy-k8s
+    environment:
+      - REGISTRY_PROXY_REMOTEURL="https://registry.k8s.io"
+      - REGISTRY_PROXY_TTL=168h
+      - REGISTRY_STORAGE_DELETE_ENABLED=true 
+      - OTEL_TRACES_EXPORTER=none
+  proxy-quay:
+    image: registry:3
+    restart: always
+    volumes:
+      - proxy-quay:/var/lib/registry
+    networks:
+      - kind
+    container_name: proxy-quay
+    environment:
+      - REGISTRY_PROXY_REMOTEURL="https://quay.io"
+      - REGISTRY_PROXY_TTL=168h
+      - REGISTRY_STORAGE_DELETE_ENABLED=true 
+      - OTEL_TRACES_EXPORTER=none
+volumes:
+  proxy-docker:
+  proxy-gcr:
+  proxy-ghcr:
+  proxy-k8s:
+  proxy-quay:
+
+networks:
+  kind:
+    name: kind
+    external: true

control-plane/config-patches/docker.io/hosts.toml

@@ -0,0 +1 @@
+[host."http://proxy-docker:5000"]

control-plane/config-patches/gcr.io/hosts.toml

@@ -0,0 +1 @@
+[host."http://proxy-gcr:5000"]

control-plane/config-patches/ghcr.io/hosts.toml

@@ -0,0 +1 @@
+[host."http://proxy-ghcr:5000"]

control-plane/config-patches/quay.io/hosts.toml

@@ -0,0 +1 @@
+[host."http://proxy-quay:5000"]

control-plane/config-patches/registry.k8s.io/hosts.toml

@@ -0,0 +1 @@
+[host."http://proxy-k8s:5000"]

control-plane/kind.yaml

@@ -4,17 +4,24 @@ networking:
   apiServerPort: 6443
   apiServerAddress: 0.0.0.0
 nodes:
-- role: control-plane
-  extraPortMappings:
-  - containerPort: 4443
-    hostPort: 4443
-    listenAddress: 0.0.0.0
-  - containerPort: 8080
-    hostPort: 8080
-    listenAddress: 0.0.0.0
-  - containerPort: 4150
-    hostPort: 4150
-    listenAddress: 0.0.0.0
-  - containerPort: 50051
-    hostPort: 50051
-    listenAddress: 0.0.0.0
+  - role: control-plane
+    extraMounts:
+      - hostPath: ./control-plane/config-patches
+        containerPath: /etc/containerd/certs.d
+    extraPortMappings:
+      - containerPort: 4443
+        hostPort: 4443
+        listenAddress: 0.0.0.0
+      - containerPort: 8080
+        hostPort: 8080
+        listenAddress: 0.0.0.0
+      - containerPort: 4150
+        hostPort: 4150
+        listenAddress: 0.0.0.0
+      - containerPort: 50051
+        hostPort: 50051
+        listenAddress: 0.0.0.0
+containerdConfigPatches:
+  - |-
+    [plugins."io.containerd.grpc.v1.cri".registry]
+      config_path = "/etc/containerd/certs.d"