[helm] Fix reverse proxy for builtin registry #4711
Conversation
/werft with-installer /werft with-retag
|
Also assigning @aledbf here due to upcoming changes on self-hosted internal cert management |
| @@ -2,7 +2,7 @@ | |||
| # Licensed under the MIT License. See License-MIT.txt in the project root for license information. | |||
|
|
|||
| {{ if (index .Values "docker-registry" "enabled") }} | |||
| {{- $regName := include "gitpod.builtinRegistry.name" . -}} | |||
| {{- $regName := include "gitpod.builtinRegistry.internal_name" . -}} | |||
| {{ $cm := (index .Values "cert-manager") }} | |||
| {{- if $cm.enabled }} | |||
There was a problem hiding this comment.
@wulfthimm: The (self-signed) cert of the registry has always the internal domain registry.default.svc.cluster.local as domain, never the public registry.my-gitpod.example.com domain. Don't know how the cert-manager works but could this lead to problems with the cert-manager configuration here? Do we need to drop this?
|
@corneliusludmann I have a draft PR that improves the self-signed certificate generation and do not uses proxy to access the docker-registry. Please check #4592 |
Thanks for the hint, @aledbf! Big PR, couldn't go through everything. 😇 Does it mean that your PR solves the issues I posted in our slack channel |
Yes. I need to finish the PR before next Monday. |
|
@corneliusludmann I updated the PR and split the commits to be more clear about what is being changed |
|
/werft run 👍 started the job as gitpod-build-clu-fix-registry-reverse-proxy.1 |
There was a problem hiding this comment.
👍
Quick reasoning summary:
pull
- each registry-facade installs a re-direct in it's local
/etc/hosts:reg.${domain}:port-> registry-facade node port - this works because we issue publicly verifiable certs (Let's Encrypt) which include
reg.
push:
- prod/staging/devstaging: imagebuilder get's the properly configured GCP creds and the GCP registry has publicly verifiable certs
- builtin: our chart has an exception that makes the registry available at
registry.domain - the builtin case is broken because we never test it (neither staging nor devstaging)
- the fix works as advertised
|
/werft run with-clean-slate-deployment 👍 started the job as gitpod-build-clu-fix-registry-reverse-proxy.2 |
With the new proxy implementation with Caddy, the access to the built-in registry is over Caddy which serves the registry with the main proxy certificates instead of the registry certificates (SSL termination). That has the following implications:
I tested this on k3s with this setting and verified that the preview env still works.
Alternatives: The alternative would be to change the behavior of Caddy so that the proxy does not terminate SSL but does a raw redirect to the registry as it was in nginx (when this is possible with Caddy).
See also #4710
/cc @solomonope due to self-hosted
/cc @aledbf since you implemented the Caddy config