Mirror/k3s
1
0
Fork 0
mirror of https://github.com/k3s-io/k3s.git synced 2024-06-07 19:41:36 +00:00
Code Issues Packages Projects Releases Wiki Activity

Add ADR for embedded registry

Browse Source 
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
This commit is contained in:
Brad Davidson 2023-12-07 22:26:06 +00:00 committed by Brad Davidson
parent 77846d63c1
commit b8f3967ad1
1 changed files with 43 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

43
docs/adrs/embedded-registry.md Normal file
View File

@ -0,0 +1,43 @@
# Package spegel Distributed Registry Mirror
Date: 2023-12-07
## Status
Accepted
## Context
Embedded registry mirror support has been on the roadmap for some time, to address multiple challenges:
* Upstream registries may enforce pull limits or otherwise throttle access to images.
* In edge scenarios, bandwidth is at a premium, if external access is available at all.
* Distributing airgap image tarballs to nodes, and ensuring that images remain available, is an ongoing
hurdle to adoption.
* Deploying an in-cluster registry, or hosting a registry outside the cluster, put significant
burden on administrators, and suffer from chicken-or-egg bootstrapping issues.
An ideal embedded registry would have several characteristics:
* Allow stateless configuration such that nodes can come and go at any time.
* Integrate into existing containerd registry mirror support.
* Integrate into existing containerd image stores such that an additional copy of layer data is not required.
* Use existing cluster authentication mechanisms to prevent unauthorized access to the registry.
* Operate with minimal added CPU and memory overhead.
## Decision
* We will embed spegel within K3s, and use it to host a distributed registry mirror.
* The distributed registry mirror will be enabled cluster-wide via server CLI flag.
* Selection of upstream registries to mirror will be implemented via the existing `registries.yaml`
configuration file.
* The registry API will be served via HTTPS on every node's private IP at port 6443. On servers this will
use the existing supervisor listener; on agents a new listener will be created for this purpose.
* The default IPFS/libp2p port of 5001 will be used for P2P layer discovery.
* Access to the registry API and P2P network will require proof of cluster membership, enforced via
client certificate or preshared key.
* Hybrid/multicloud support is out of scope; when the distributed registry mirror is enabled, cluster
members are assumed to be directly accessible to each other via their internal IP on the listed ports.
## Consequences
* The size of our self-extracting binary and Docker images increase by several megabytes.
* We take on the support burden of keeping spegel up to date, and supporting its use within K3s.