Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Adding documentation for TLS registries configuration #183

Merged
merged 27 commits into from
Nov 25, 2024
Merged
Changes from 20 commits
Commits
Show all changes
27 commits
Select commit Hold shift + click to select a range
129fc0c
adding documentation for tls registries configuration
Catalin-Stratulat-Ericsson Nov 13, 2024
b620d7d
Update content/en/docs/porch/using-porch/using-authenticated-private-…
Catalin-Stratulat-Ericsson Nov 13, 2024
c7068b9
Update content/en/docs/porch/using-porch/using-authenticated-private-…
Catalin-Stratulat-Ericsson Nov 13, 2024
e823320
Update content/en/docs/porch/using-porch/using-authenticated-private-…
Catalin-Stratulat-Ericsson Nov 13, 2024
b187beb
Update content/en/docs/porch/using-porch/using-authenticated-private-…
Catalin-Stratulat-Ericsson Nov 13, 2024
cb93ae4
Update content/en/docs/porch/using-porch/using-authenticated-private-…
Catalin-Stratulat-Ericsson Nov 13, 2024
37d71f9
Update content/en/docs/porch/using-porch/using-authenticated-private-…
Catalin-Stratulat-Ericsson Nov 13, 2024
f911b95
Update content/en/docs/porch/using-porch/using-authenticated-private-…
Catalin-Stratulat-Ericsson Nov 13, 2024
90b38c3
Update content/en/docs/porch/using-porch/using-authenticated-private-…
Catalin-Stratulat-Ericsson Nov 13, 2024
4f4c91d
Merge branch 'nephio-project:main' into tls-registries
Catalin-Stratulat-Ericsson Nov 18, 2024
48df676
ammending syntax comments & added extra documentation on logic flow
Catalin-Stratulat-Ericsson Nov 18, 2024
249fa69
added correct apostrophe
Catalin-Stratulat-Ericsson Nov 18, 2024
b779bed
Update content/en/docs/porch/using-porch/using-authenticated-private-…
Catalin-Stratulat-Ericsson Nov 18, 2024
57c1c4b
Update content/en/docs/porch/using-porch/using-authenticated-private-…
Catalin-Stratulat-Ericsson Nov 18, 2024
401ebff
Update content/en/docs/porch/using-porch/using-authenticated-private-…
Catalin-Stratulat-Ericsson Nov 18, 2024
4f27def
changed argument name and description to clarify logic
Catalin-Stratulat-Ericsson Nov 18, 2024
387d695
removed typo
Catalin-Stratulat-Ericsson Nov 18, 2024
bdac5ba
more argument renames for clarity
Catalin-Stratulat-Ericsson Nov 18, 2024
b0ed148
restructured function-runner private registries documentation for cla…
Catalin-Stratulat-Ericsson Nov 19, 2024
a762acf
changed title to clarify which porch component its based on
Catalin-Stratulat-Ericsson Nov 19, 2024
0f91716
Update content/en/docs/porch/using-porch/using-authenticated-private-…
Catalin-Stratulat-Ericsson Nov 20, 2024
c8d56d3
Update content/en/docs/porch/using-porch/using-authenticated-private-…
Catalin-Stratulat-Ericsson Nov 20, 2024
5d4a5bf
Update content/en/docs/porch/using-porch/using-authenticated-private-…
Catalin-Stratulat-Ericsson Nov 20, 2024
fc54bbb
Update content/en/docs/porch/using-porch/using-authenticated-private-…
Catalin-Stratulat-Ericsson Nov 20, 2024
06f7dc7
Update content/en/docs/porch/using-porch/using-authenticated-private-…
Catalin-Stratulat-Ericsson Nov 20, 2024
3fd0e34
removed unnecessary note section + added numbering to sections
Catalin-Stratulat-Ericsson Nov 20, 2024
f9dab9b
fixed broken section link
Catalin-Stratulat-Ericsson Nov 20, 2024
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think it would be better to cover each case in separate sections here, it's difficult to follow when the different configuraiton options are mixed together int he explanation.

Original file line number Diff line number Diff line change
@@ -1,15 +1,30 @@
---
title: "Using authenticated private registries"
title: "Using authenticated private registries with the Porch function runner"
type: docs
weight: 4
description: ""
---

The sections below will describe the different configuration options of the function runner pertaining to the image storage location of the kpt functions used by the function runner when rendering of the porch package occurs.
Catalin-Stratulat-Ericsson marked this conversation as resolved.
Show resolved Hide resolved

{{% alert title="Note" color="primary" %}}
Please note the function runner is setup to run by default with a public container registry such as [GCR](https://gcr.io/kpt-fn/). No further configuration is required if that is the intended use case.
Catalin-Stratulat-Ericsson marked this conversation as resolved.
Show resolved Hide resolved
However if a more customized setup is required please see the below configuration options
Catalin-Stratulat-Ericsson marked this conversation as resolved.
Show resolved Hide resolved
{{% /alert %}}

## Configuring function runner to operate with private container registries

If you wish to have a private container registry to store your kpt functions either online e.g. (Github's GHCR) or locally e.g. (Harbor or Jfrog) requiring authentication (username/password or token) then see below.
Catalin-Stratulat-Ericsson marked this conversation as resolved.
Show resolved Hide resolved

To enable the Porch function runner to pull kpt function images from authenticated private registries, the system requires:
Catalin-Stratulat-Ericsson marked this conversation as resolved.
Show resolved Hide resolved

1. Creating a kubernetes secret using a JSON file according to the Docker config schema, containing valid credentials for each authenticated registry.
1. Creating a Kubernetes secret using a JSON file according to the Docker config schema, containing valid credentials for each authenticated registry.
2. Mounting this new secret as a volume on the function runner.
3. Providing the path of the mounted secret to the function runner using the argument `--registry-auth-secret-path`
3. Configuring private registry functionality in the function runner's arguments:
1. Enabling the functionality using the argument *--enable-private-registries*.
2. Providing the path and name of the mounted secret using the arguments *--registry-auth-secret-path* and *--registry-auth-secret-name* respectively.

### Kubernetes secret setup for private registry using docker config

An example template of what a docker *config.json* file looks like is as follows below. The base64 encoded value *bXlfdXNlcm5hbWU6bXlfcGFzc3dvcmQ=* of the *auth* key decodes to *my_username:my_password*, which is the format used by the config when authenticating.

Expand Down Expand Up @@ -50,43 +65,101 @@ metadata:
type: kubernetes.io/dockerconfigjson
```

Next you must mount the secret as a volume on the function runner deployment. Add the following snippet to the Deployment object in the *2-function-runner.yaml* file:
### Mounting docker config secret to the function runner

Next you must mount the secret as a volume on the function runner deployment. Add the following sections to the Deployment object in the *2-function-runner.yaml* file:

```yaml
volumeMounts:
- mountPath: /pod-cache-config
name: pod-cache-config-volume
- mountPath: /var/tmp/auth-secret
name: docker-config
readOnly: true
volumes:
- name: pod-cache-config-volume
configMap:
name: pod-cache-config
- name: docker-config
secret:
secretName: <SECRET_NAME>
```

You may specify your desired `mountPath:` so long as the function runner can access it.
You may specify your desired paths for each `mountPath:` so long as the function runner can access them.

{{% alert title="Note" color="primary" %}}
The chosen `mountPath:` should use its own, dedicated sub-directory, so that it does not overwrite access permissions of the existing directory. For example, if you wish to mount on `/var/tmp` you should use `mountPath: /var/tmp/<SUB_DIRECTORY>` etc.
{{% /alert %}}

Lastly you must enable private registry functionality along with providing the path and name of the secret. Add the `--enable-private-registry`, `--registry-auth-secret-path` and `--registry-auth-secret-name` arguments to the function-runner Deployment object in the *2-function-runner.yaml* file:
### Configuring function runner environment variables for private registries

Lastly you must enable private registry functionality along with providing the path and name of the secret. Add the `--enable-private-registries`, `--registry-auth-secret-path` and `--registry-auth-secret-name` arguments to the function-runner Deployment object in the *2-function-runner.yaml* file:

```yaml
command:
- /server
- --config=/config.yaml
- --enable-private-registry=true
- --enable-private-registries=true
- --registry-auth-secret-path=/var/tmp/auth-secret/.dockerconfigjson
- --registry-auth-secret-name=<SECRET_NAME>
- --functions=/functions
- --pod-namespace=porch-fn-system
```

The `--enable-private-registry`, `--registry-auth-secret-path` and `--registry-auth-secret-name` arguments have default values of *false*, */var/tmp/auth-secret/.dockerconfigjson* and *auth-secret* respectively; however, these should be overridden to enable the functionality and match user specifications.
The `--enable-private-registries`, `--registry-auth-secret-path` and `--registry-auth-secret-name` arguments have default values of *false*, */var/tmp/auth-secret/.dockerconfigjson* and *auth-secret* respectively; however, these should be overridden to enable the functionality and match user specifications.

With this last step, if your Porch package uses kpt function images stored in an private registry (for example `- image: ghcr.io/private-registry/set-namespace:customv2`), the function runner will now use the secret info to replicate your secret on the `porch-fn-system` namespace and specify it as an `imagePullSecret` for the function pods, as documented [here](https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/).

## Configuring function runner to use custom TLS for private container registries

If your private container registry uses a custom certificate for TLS authentication then extra configuration is required for the function runner to integrate with. See below

1. Creating a Kubernetes secret using TLS information valid for all private registries you wish to use.
2. Mounting the secret containing the registries' TLS information to the function runner similarly to step 2.
3. Enabling TLS functionality and providing the path of the mounted secret to the function runner using the arguments *--enable-private-registries-tls* and *--tls-secret-path* respectively.

### Kubernetes secret layout for TLS certificate

A typical secret containing TLS information will take on the a similar format to the following:

```yaml
apiVersion: v1
kind: Secret
metadata:
name: <TLS_SECRET_NAME>
namespace: porch-system
data:
<CA_FILE_NAME>: <PEM_CERT_DATA>
type: kubernetes.io/tls
```

{{% alert title="Note" color="primary" %}}
The content in *<PEM_CERT_DATA>* must be in PEM (Privacy Enhanced Mail) format, and the *<CA_FILE_NAME>* must be *ca.crt* or *ca.pem*. No other values are accepted.
{{% /alert %}}

### Mounting TLS certificate secret to the function runner

The TLS secret must then be mounted onto the function runner similarly to how the docker config secret was done previously [here](#mounting-docker-config-secret-to-the-function-runner).

```yaml
volumeMounts:
- mountPath: /var/tmp/tls-secret/
name: tls-registry-config
readOnly: true
volumes:
- name: tls-registry-config
secret:
secretName: <TLS_SECRET_NAME>
```

With this last step, if your Porch package uses a custom kpt function image stored in an authenticated private registry (for example `- image: ghcr.io/private-registry/set-namespace:customv2`), the function runner will now use the secret info to replicate your secret on the `porch-fn-system` namespace and specify it as an `imagePullSecret` for the function pods, as documented [here](https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/).
### Configuring function runner environment variables for TLS on private registries

The *--enable-private-registries-tls* and *--tls-secret-path* variables are only required if a private registry has TLS enabled. They indicate to the function runner that it should attempt authentication to the registry using TLS, and should use the TLS certificate information found on the path provided in *--tls-secret-path*.

```yaml
command:
- --enable-private-registries-tls=true
- --tls-secret-path=/var/tmp/tls-secret/
```

The *--enable-private-registries-tls* and *--tls-secret-path* arguments have default values of *false* and */var/tmp/tls-secret/* respectively; however, these should be configured by the user and are only necessary when using a private registry secured with TLS.

### Function runner logic flow when TLS registries are enabled

It is important to note that enabling TLS registry functionality makes the function runner attempt connection to the registry provided in the porch file using the mounted TLS certificate. If this certificate is invalid for the provided registry, it will try again using the Intermediate Certificates stored on the machine for use in TLS with "well-known websites" (e.g. GitHub). If this also fails, it will attempt to connect without TLS: if this last resort fails, it will return an error to the user.

{{% alert title="Note" color="primary" %}}
It is vital that the user has pre-configured the Kubernetes node which the function runner is operating on with the same TLS certificate information as is used in the *<TLS_SECRET_NAME>* secret. If this is not configured correctly, then even if the certificate is correctly configured in the function runner, the kpt function will not run - the function runner will be able to pull the image, but the KRM function pod created to run the function will fail with the error *x509 certificate signed by unknown authority*.
This pre-configuration setup is heavily cluster/implementation-dependent - consult your cluster's specific documentation about adding self-signed certificates or private/internal CA certs to your cluster.
{{% /alert %}}
Loading