Merge branch 'master' of https://github.com/hishamanver/docker-registry-proxy into feature/dynamic-upstream-config-for-non-resolveable-hosts
commit
5ff1b0248e
|
@ -36,8 +36,8 @@ jobs:
|
||||||
uses: docker/login-action@v1
|
uses: docker/login-action@v1
|
||||||
with:
|
with:
|
||||||
registry: ghcr.io
|
registry: ghcr.io
|
||||||
username: ${{ secrets.DOCKER_GITHUB_USERNAME }}
|
username: ${{ github.repository_owner }} # github username or org
|
||||||
password: ${{ secrets.DOCKER_GITHUB_PAT }}
|
password: ${{ secrets.GITHUB_TOKEN }} # github actions builtin token. repo has to have pkg access.
|
||||||
|
|
||||||
# the arm64 is of course much slower due to qemu, so build and push amd64 **first**
|
# the arm64 is of course much slower due to qemu, so build and push amd64 **first**
|
||||||
# due to the way manifests work, the gap between this and the complete push below
|
# due to the way manifests work, the gap between this and the complete push below
|
||||||
|
|
|
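Review bot: The login step now authenticates with `secrets.GITHUB_TOKEN`, whose scopes come from the workflow's `permissions:` block and the repository's default token setting, and neither is visible in this hunk; if the default is read-only, `docker/login-action` still succeeds but the later push to ghcr.io is rejected with an authorization error. Declare the scopes explicitly on the job so the build does not depend on repository defaults and stays least-privilege: `permissions:` / `  contents: read` / `  packages: write`. The inline comment `# repo has to have pkg access` could then point at that block instead of at a repository setting. The second login step in the hunk at `-49,8` has the same gap, and the enclosing job definitions start outside both hunks.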
@ -49,8 +49,8 @@ jobs:
|
||||||
uses: docker/login-action@v1
|
uses: docker/login-action@v1
|
||||||
with:
|
with:
|
||||||
registry: ghcr.io
|
registry: ghcr.io
|
||||||
username: ${{ secrets.DOCKER_GITHUB_USERNAME }}
|
username: ${{ github.repository_owner }} # github username or org
|
||||||
password: ${{ secrets.DOCKER_GITHUB_PAT }}
|
password: ${{ secrets.GITHUB_TOKEN }} # github actions builtin token. repo has to have pkg access.
|
||||||
|
|
||||||
# the arm64 is of course much slower due to qemu, so build and push amd64 **first**
|
# the arm64 is of course much slower due to qemu, so build and push amd64 **first**
|
||||||
# due to the way manifests work, the gap between this and the complete push below
|
# due to the way manifests work, the gap between this and the complete push below
|
||||||
|
|
|
@ -99,6 +99,11 @@ ENV MANIFEST_CACHE_DEFAULT_TIME="1h"
|
||||||
# Should we allow actions different than pull, default to false.
|
# Should we allow actions different than pull, default to false.
|
||||||
ENV ALLOW_PUSH="false"
|
ENV ALLOW_PUSH="false"
|
||||||
|
|
||||||
|
# If push is allowed, buffering requests can cause issues on slow upstreams.
|
||||||
|
# If you have trouble pushing, set this to false first, then fix remainig timouts.
|
||||||
|
# Default is true to not change default behavior.
|
||||||
|
ENV PROXY_REQUEST_BUFFERING="true"
|
||||||
|
|
||||||
# Timeouts
|
# Timeouts
|
||||||
# ngx_http_core_module
|
# ngx_http_core_module
|
||||||
ENV SEND_TIMEOUT="60s"
|
ENV SEND_TIMEOUT="60s"
|
||||||
|
|
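Review bot: The comment block above the new `ENV PROXY_REQUEST_BUFFERING="true"` has typos (`remainig timouts`) and never names what the flag actually changes, so an operator has to read the entrypoint script to learn that only the exact value `false` has any effect. Suggest `# If push is allowed, buffering requests can cause issues on slow upstreams.` / `# Set to "false" (exact, lowercase) to turn off nginx request buffering; any other value keeps the default.` / `# If you have trouble pushing, set this to false first, then fix remaining timeouts.` The README hunk in this commit repeats the same typo and could be aligned with this wording.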
50
README.md
50
README.md
|
@ -87,6 +87,10 @@ for this to work it requires inserting a root CA certificate into system trusted
|
||||||
- `hostname`s listed here should be listed in the REGISTRIES environment as well, so they can be intercepted.
|
- `hostname`s listed here should be listed in the REGISTRIES environment as well, so they can be intercepted.
|
||||||
- Env `AUTH_REGISTRIES_DELIMITER` to change the separator between authentication info. By default, a space: "` `". If you use keys that contain spaces (as with Google Cloud Registry), you should update this variable, e.g. setting it to `AUTH_REGISTRIES_DELIMITER=";;;"`. In that case, `AUTH_REGISTRIES` could contain something like `registry1.com:user1:pass1;;;registry2.com:user2:pass2`.
|
- Env `AUTH_REGISTRIES_DELIMITER` to change the separator between authentication info. By default, a space: "` `". If you use keys that contain spaces (as with Google Cloud Registry), you should update this variable, e.g. setting it to `AUTH_REGISTRIES_DELIMITER=";;;"`. In that case, `AUTH_REGISTRIES` could contain something like `registry1.com:user1:pass1;;;registry2.com:user2:pass2`.
|
||||||
- Env `AUTH_REGISTRY_DELIMITER` to change the separator between authentication info *parts*. By default, a colon: "`:`". If you use keys that contain single colons, you should update this variable, e.g. setting it to `AUTH_REGISTRIES_DELIMITER=":::"`. In that case, `AUTH_REGISTRIES` could contain something like `registry1.com:::user1:::pass1 registry2.com:::user2:::pass2`.
|
- Env `AUTH_REGISTRY_DELIMITER` to change the separator between authentication info *parts*. By default, a colon: "`:`". If you use keys that contain single colons, you should update this variable, e.g. setting it to `AUTH_REGISTRIES_DELIMITER=":::"`. In that case, `AUTH_REGISTRIES` could contain something like `registry1.com:::user1:::pass1 registry2.com:::user2:::pass2`.
|
||||||
|
- Env `PROXY_REQUEST_BUFFERING`: If push is allowed, buffering requests can cause issues on slow upstreams.
|
||||||
|
If you have trouble pushing, set this to `false` first, then fix remainig timeouts.
|
||||||
|
Default is `true` to not change default behavior.
|
||||||
|
ENV PROXY_REQUEST_BUFFERING="true"
|
||||||
- Env `UPSTREAM_MAPPINGS` to configure upstream server mappings (similar in functionality to /etc/hosts entries but with round-robin selection).
|
- Env `UPSTREAM_MAPPINGS` to configure upstream server mappings (similar in functionality to /etc/hosts entries but with round-robin selection).
|
||||||
Useful when configured resolvers are unable to resolve a host. e.g. `UPSTREAM_MAPPINGS="registry1=10.0.1.10:443,10.0.1.11 registry2=5.0.1.10"`
|
Useful when configured resolvers are unable to resolve a host. e.g. `UPSTREAM_MAPPINGS="registry1=10.0.1.10:443,10.0.1.11 registry2=5.0.1.10"`
|
||||||
- Timeouts ENVS - all of them can pe specified to control different timeouts, and if not set, the defaults will be the ones from `Dockerfile`. The directives will be added into `http` block.:
|
- Timeouts ENVS - all of them can pe specified to control different timeouts, and if not set, the defaults will be the ones from `Dockerfile`. The directives will be added into `http` block.:
|
||||||
|
@ -212,6 +216,52 @@ done
|
||||||
wait $pids # Wait for all configurations to end
|
wait $pids # Wait for all configurations to end
|
||||||
```
|
```
|
||||||
|
|
||||||
|
### K3D Cluster
|
||||||
|
|
||||||
|
[K3d](https://k3d.io/) is similar to Kind but is based on k3s. In order to run with its registry you need to setup settings like shown below.
|
||||||
|
|
||||||
|
```sh
|
||||||
|
# docker-registry-proxy
|
||||||
|
docker run -d --name registry-proxy --restart=always \
|
||||||
|
-v /tmp/registry-proxy/mirror_cache:/docker_mirror_cache \
|
||||||
|
-v /tmp/registry-proxy/certs:/ca \
|
||||||
|
rpardini/docker-registry-proxy:0.6.4
|
||||||
|
|
||||||
|
export PROXY_HOST=registry-proxy
|
||||||
|
export PROXY_PORT=3128
|
||||||
|
export NOPROXY_LIST="localhost,127.0.0.1,0.0.0.0,10.0.0.0/8,172.16.0.0/12,192.168.0.0/16,.local,.svc"
|
||||||
|
|
||||||
|
cat <<EOF > /etc/k3d-proxy-config.yaml
|
||||||
|
apiVersion: k3d.io/v1alpha3
|
||||||
|
kind: Simple
|
||||||
|
name: mycluster
|
||||||
|
servers: 1
|
||||||
|
agents: 0
|
||||||
|
options:
|
||||||
|
k3d:
|
||||||
|
wait: true
|
||||||
|
timeout: "60s"
|
||||||
|
kubeconfig:
|
||||||
|
updateDefaultKubeconfig: true
|
||||||
|
switchCurrentContext: true
|
||||||
|
env:
|
||||||
|
- envVar: HTTP_PROXY=http://$PROXY_HOST:$PROXY_PORT
|
||||||
|
nodeFilters:
|
||||||
|
- all
|
||||||
|
- envVar: HTTPS_PROXY=http://$PROXY_HOST:$PROXY_PORT
|
||||||
|
nodeFilters:
|
||||||
|
- all
|
||||||
|
- envVar: NO_PROXY='$NOPROXY_LIST'
|
||||||
|
nodeFilters:
|
||||||
|
- all
|
||||||
|
volumes:
|
||||||
|
- volume: $REGISTRY_DIR/docker_mirror_certs/ca.crt:/etc/ssl/certs/registry-proxy-ca.pem
|
||||||
|
nodeFilters:
|
||||||
|
- all
|
||||||
|
EOF
|
||||||
|
|
||||||
|
k3d cluster create --config /etc/k3d-proxy-config.yaml
|
||||||
|
```
|
||||||
|
|
||||||
## Configuring the Docker clients using Docker Desktop for Mac
|
## Configuring the Docker clients using Docker Desktop for Mac
|
||||||
|
|
||||||
|
|
|
@ -278,6 +278,20 @@ echo -e "\nTimeout configs: ---"
|
||||||
cat /etc/nginx/nginx.timeouts.config.conf
|
cat /etc/nginx/nginx.timeouts.config.conf
|
||||||
echo -e "---\n"
|
echo -e "---\n"
|
||||||
|
|
||||||
|
# Request buffering
|
||||||
|
echo "" > /etc/nginx/proxy.request.buffering.conf
|
||||||
|
if [[ "a${PROXY_REQUEST_BUFFERING}" == "afalse" ]]; then
|
||||||
|
cat << EOD > /etc/nginx/proxy.request.buffering.conf
|
||||||
|
proxy_max_temp_file_size 0;
|
||||||
|
proxy_request_buffering off;
|
||||||
|
proxy_http_version 1.1;
|
||||||
|
EOD
|
||||||
|
fi
|
||||||
|
|
||||||
|
echo -e "\nRequest buffering: ---"
|
||||||
|
cat /etc/nginx/proxy.request.buffering.conf
|
||||||
|
echo -e "---\n"
|
||||||
|
|
||||||
# Upstream SSL verification.
|
# Upstream SSL verification.
|
||||||
echo "" > /etc/nginx/docker.verify.ssl.conf
|
echo "" > /etc/nginx/docker.verify.ssl.conf
|
||||||
if [[ "a${VERIFY_SSL}" == "atrue" ]]; then
|
if [[ "a${VERIFY_SSL}" == "atrue" ]]; then
|
||||||
|
|
|
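Review bot: The new `if [[ "a${PROXY_REQUEST_BUFFERING}" == "afalse" ]]` only matches the lowercase literal `false`, so values such as `FALSE`, `0` or `no` silently leave buffering on, and nothing in the block reports that the setting was ignored; since the generated file is purely literal and the variable is never interpolated into nginx config, this fails closed, but it is the kind of silent misconfiguration that is hard to diagnose from a push timeout. A case-insensitive comparison, `if [[ "${PROXY_REQUEST_BUFFERING,,}" == "false" ]]; then`, plus an `else` branch that prints a one-line notice to stderr when the value is neither `true` nor `false` would make the knob predictable. The here-doc delimiter should also be quoted, `cat << 'EOD' > /etc/nginx/proxy.request.buffering.conf`, so a future directive containing `$` is not expanded by the shell. The surrounding script continues outside the hunk.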
@ -230,6 +230,9 @@ echo "Docker configured with HTTPS_PROXY=$scheme://$http_host/"
|
||||||
|
|
||||||
proxy_read_timeout 900;
|
proxy_read_timeout 900;
|
||||||
|
|
||||||
|
# Request buffering
|
||||||
|
include /etc/nginx/proxy.request.buffering.conf;
|
||||||
|
|
||||||
# Use cache locking, with a huge timeout, so that multiple Docker clients asking for the same blob at the same time
|
# Use cache locking, with a huge timeout, so that multiple Docker clients asking for the same blob at the same time
|
||||||
# will wait for the first to finish instead of doing multiple upstream requests.
|
# will wait for the first to finish instead of doing multiple upstream requests.
|
||||||
proxy_cache_lock on;
|
proxy_cache_lock on;
|
||||||
|
|
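Review bot: The unconditional `include /etc/nginx/proxy.request.buffering.conf;` makes nginx refuse to start if that file is absent, and the only thing that guarantees its presence is the `echo "" > /etc/nginx/proxy.request.buffering.conf` line the entrypoint hunk adds in this same commit; that coupling is not recorded anywhere near the include. Suggest extending the comment to `# Request buffering — file is always generated by the entrypoint (empty unless PROXY_REQUEST_BUFFERING=false); nginx will not start without it.` The enclosing location block begins and ends outside the hunk.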