Insecure private registry configuration

[exolain]

Hi all,

I was wondering, what is the best way to configure the "insecure-registries" setting that it would be done via /etc/docker/daemon.json configuration file? But using the bottlerocket settings ? I was checking the settings.container-registry.mirrors setting, but it seems to be it only allows https* endpoints.
Thanks!

[jpculp]

Hi @exolain! Sorry for the delayed response. At this time Bottlerocket doesn't support insecure registries, but let us look into this a bit further.

[exolain]

Hi @jpculp, thanks a lot for your response on this. Is there a separate thread/issue open that I can start watching? Just wanted to know what would be the best way to stay informed. Thanks!

[jpculp]

Hi @exolain, we're still discussing on our side, but we'll follow up here if we open up an issue.

[jpculp]

I've gone ahead and opened up issue #1950 so this doesn't get lost.

[exolain]

Thanks @jpculp . Really appreciate your assistance on this!

[cbgbt]

Thanks for chiming in with your interest, @exolain. Do you mind telling us a bit more about your use-case that prompts the desire for insecure registries?

[awoimbee]

Hi, I personally have https://github.com/containerSolutions/trow/ running on a nodePort, so I pull containers from 127.0.0.1:${NODEPORT}/, I use insecure-registries to make it work.

[exolain]

Hi @cbgbt ,

Thanks for following up. We have a local jfrog artifactory where we keep the container images, so we need to add it to the insecure-registries to make it work.

[cbgbt]

Thanks for providing more data about your usage here. I understand the desire for insecure registries, but I wonder if it might be the right choice to investigate using self-signed certificates in your cluster to secure these requests using SSL? We prefer to avoid adding settings which could lead users to less secure configurations, if possible.

@awoimbee it looks like the Trow installation video linked in the README has a step which generates and distributes a certificate pair. Would that work?

@exolain for JFrog Artifactory, it looks like they have instructions here for using Access to enable SSL.

Something that might be helpful for both cases is cert-manager, which I've been investigating to manage SSL certificate signing in my own clusters. It has a pretty wide set of support certificate authorities, including managing and rotating self-signed certificates. If either of Trow or Artifactory can work with Kubernetes certificate secrets, that might be a good way to go.

[awoimbee]

I'm trying bottlerocket right now and turns out that when pulling from 127.0.0.1, bottlerocket automatically uses HTTP (and doesn't even try HTTPS !!). This behavior is very different (and it makes a lot more sense) than what the amazonlinux EKS AMI does.
So I did not need to configure insecure-registries nor a TLS cert (lost some hours doing just that...).

containerd/containerd#3631

[arnaldo2792]

Hey @awoimbee , I think what you are experiencing is due to the containerd version used in Bottlerocket. Here you can see the logic containerd follows to generate the endpoints, and it defaults to http when the endpoint is 127.0.0.1 or localhost. So maybe the EKS ami uses a different containerd version, that doesn't include this logic? ¯_(ツ)_/¯