From 51ce56407a84a5e626a8dbf1f2d244306a1738b3 Mon Sep 17 00:00:00 2001 From: Ricardo Pardini Date: Fri, 3 Sep 2021 16:45:27 +0200 Subject: [PATCH 1/3] use GITHUB_TOKEN instead of PAT for ghcr.io publishing --- .github/workflows/master-latest.yaml | 4 ++-- .github/workflows/tags.yaml | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/master-latest.yaml b/.github/workflows/master-latest.yaml index 6784b45..5fa1220 100644 --- a/.github/workflows/master-latest.yaml +++ b/.github/workflows/master-latest.yaml @@ -36,8 +36,8 @@ jobs: uses: docker/login-action@v1 with: registry: ghcr.io - username: ${{ secrets.DOCKER_GITHUB_USERNAME }} - password: ${{ secrets.DOCKER_GITHUB_PAT }} + username: ${{ github.repository_owner }} # github username or org + password: ${{ secrets.GITHUB_TOKEN }} # github actions builtin token. repo has to have pkg access. # the arm64 is of course much slower due to qemu, so build and push amd64 **first** # due to the way manifests work, the gap between this and the complete push below diff --git a/.github/workflows/tags.yaml b/.github/workflows/tags.yaml index 7976c31..c4ba67d 100644 --- a/.github/workflows/tags.yaml +++ b/.github/workflows/tags.yaml @@ -49,8 +49,8 @@ jobs: uses: docker/login-action@v1 with: registry: ghcr.io - username: ${{ secrets.DOCKER_GITHUB_USERNAME }} - password: ${{ secrets.DOCKER_GITHUB_PAT }} + username: ${{ github.repository_owner }} # github username or org + password: ${{ secrets.GITHUB_TOKEN }} # github actions builtin token. repo has to have pkg access. # the arm64 is of course much slower due to qemu, so build and push amd64 **first** # due to the way manifests work, the gap between this and the complete push below From 149da3b6f13463c560761b95832ca3f037965ddc Mon Sep 17 00:00:00 2001 From: Mahmoud Saada Date: Wed, 5 Jan 2022 17:57:42 -0500 Subject: [PATCH 2/3] docs: k3d integration (#112) * docs: k3d integration - Closes #111 * Update README.md --- README.md | 46 ++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 46 insertions(+) diff --git a/README.md b/README.md index 7c6fd67..a279964 100644 --- a/README.md +++ b/README.md @@ -210,6 +210,52 @@ done wait $pids # Wait for all configurations to end ``` +### K3D Cluster + +[K3d](https://k3d.io/) is similar to Kind but is based on k3s. In order to run with its registry you need to setup settings like shown below. + +```sh +# docker-registry-proxy +docker run -d --name registry-proxy --restart=always \ +-v /tmp/registry-proxy/mirror_cache:/docker_mirror_cache \ +-v /tmp/registry-proxy/certs:/ca \ +rpardini/docker-registry-proxy:0.6.4 + +export PROXY_HOST=registry-proxy +export PROXY_PORT=3128 +export NOPROXY_LIST="localhost,127.0.0.1,0.0.0.0,10.0.0.0/8,172.16.0.0/12,192.168.0.0/16,.local,.svc" + +cat < /etc/k3d-proxy-config.yaml +apiVersion: k3d.io/v1alpha3 +kind: Simple +name: mycluster +servers: 1 +agents: 0 +options: + k3d: + wait: true + timeout: "60s" + kubeconfig: + updateDefaultKubeconfig: true + switchCurrentContext: true +env: + - envVar: HTTP_PROXY=http://$PROXY_HOST:$PROXY_PORT + nodeFilters: + - all + - envVar: HTTPS_PROXY=http://$PROXY_HOST:$PROXY_PORT + nodeFilters: + - all + - envVar: NO_PROXY='$NOPROXY_LIST' + nodeFilters: + - all +volumes: + - volume: $REGISTRY_DIR/docker_mirror_certs/ca.crt:/etc/ssl/certs/registry-proxy-ca.pem + nodeFilters: + - all +EOF + +k3d cluster create --config /etc/k3d-proxy-config.yaml +``` ## Configuring the Docker clients using Docker Desktop for Mac From 45ad55d3f177d2005c796c85419e5cd2c2cde56f Mon Sep 17 00:00:00 2001 From: saces Date: Sat, 8 Jan 2022 01:29:18 +0100 Subject: [PATCH 3/3] add option to disable request buffering. If push is allowed, buffering requests can cause issues on slow upstreams. The put requests pile up, and since `proxy_ignore_client_abort` is on... ...the push fails. If you have trouble pushing, set `PROXY_REQUEST_BUFFERING`to false, then fix remainig issues/timeouts. Default is true to not change default behavior. --- Dockerfile | 5 +++++ README.md | 4 ++++ entrypoint.sh | 14 ++++++++++++++ nginx.conf | 3 +++ 4 files changed, 26 insertions(+) diff --git a/Dockerfile b/Dockerfile index c1e0f3f..925cb87 100644 --- a/Dockerfile +++ b/Dockerfile @@ -97,6 +97,11 @@ ENV MANIFEST_CACHE_DEFAULT_TIME="1h" # Should we allow actions different than pull, default to false. ENV ALLOW_PUSH="false" +# If push is allowed, buffering requests can cause issues on slow upstreams. +# If you have trouble pushing, set this to false first, then fix remainig timouts. +# Default is true to not change default behavior. +ENV PROXY_REQUEST_BUFFERING="true" + # Timeouts # ngx_http_core_module ENV SEND_TIMEOUT="60s" diff --git a/README.md b/README.md index a279964..25943c7 100644 --- a/README.md +++ b/README.md @@ -87,6 +87,10 @@ for this to work it requires inserting a root CA certificate into system trusted - `hostname`s listed here should be listed in the REGISTRIES environment as well, so they can be intercepted. - Env `AUTH_REGISTRIES_DELIMITER` to change the separator between authentication info. By default, a space: "` `". If you use keys that contain spaces (as with Google Cloud Registry), you should update this variable, e.g. setting it to `AUTH_REGISTRIES_DELIMITER=";;;"`. In that case, `AUTH_REGISTRIES` could contain something like `registry1.com:user1:pass1;;;registry2.com:user2:pass2`. - Env `AUTH_REGISTRY_DELIMITER` to change the separator between authentication info *parts*. By default, a colon: "`:`". If you use keys that contain single colons, you should update this variable, e.g. setting it to `AUTH_REGISTRIES_DELIMITER=":::"`. In that case, `AUTH_REGISTRIES` could contain something like `registry1.com:::user1:::pass1 registry2.com:::user2:::pass2`. +- Env `PROXY_REQUEST_BUFFERING`: If push is allowed, buffering requests can cause issues on slow upstreams. +If you have trouble pushing, set this to `false` first, then fix remainig timeouts. +Default is `true` to not change default behavior. +ENV PROXY_REQUEST_BUFFERING="true" - Timeouts ENVS - all of them can pe specified to control different timeouts, and if not set, the defaults will be the ones from `Dockerfile`. The directives will be added into `http` block.: - SEND_TIMEOUT : see [send_timeout](http://nginx.org/en/docs/http/ngx_http_core_module.html#send_timeout) - CLIENT_BODY_TIMEOUT : see [client_body_timeout](http://nginx.org/en/docs/http/ngx_http_core_module.html#client_body_timeout) diff --git a/entrypoint.sh b/entrypoint.sh index 32ba88a..98574ed 100644 --- a/entrypoint.sh +++ b/entrypoint.sh @@ -254,6 +254,20 @@ echo -e "\nTimeout configs: ---" cat /etc/nginx/nginx.timeouts.config.conf echo -e "---\n" +# Request buffering +echo "" > /etc/nginx/proxy.request.buffering.conf +if [[ "a${PROXY_REQUEST_BUFFERING}" == "afalse" ]]; then + cat << EOD > /etc/nginx/proxy.request.buffering.conf + proxy_max_temp_file_size 0; + proxy_request_buffering off; + proxy_http_version 1.1; +EOD +fi + +echo -e "\nRequest buffering: ---" +cat /etc/nginx/proxy.request.buffering.conf +echo -e "---\n" + # Upstream SSL verification. echo "" > /etc/nginx/docker.verify.ssl.conf if [[ "a${VERIFY_SSL}" == "atrue" ]]; then diff --git a/nginx.conf b/nginx.conf index 897628e..5e03e36 100644 --- a/nginx.conf +++ b/nginx.conf @@ -227,6 +227,9 @@ echo "Docker configured with HTTPS_PROXY=$scheme://$http_host/" proxy_read_timeout 900; + # Request buffering + include /etc/nginx/proxy.request.buffering.conf; + # Use cache locking, with a huge timeout, so that multiple Docker clients asking for the same blob at the same time # will wait for the first to finish instead of doing multiple upstream requests. proxy_cache_lock on;