Skip to content

Latest commit

 

History

History
74 lines (50 loc) · 2.85 KB

0111-support-insecure-registries.md

File metadata and controls

74 lines (50 loc) · 2.85 KB

Meta

  • Name: Support for pull images from or push images to insecure image registries.
  • Start Date: 2022-08-17
  • Author(s): wanjunlei
  • Status: Approved
  • RFC Pull Request: rfcs#229
  • CNB Pull Request: (leave blank)
  • CNB Issue: N/A
  • Supersedes: N/A

Summary

This RFC describes how to pull images from or push images to insecure image registries when building images using buildpacks.

Definitions

Insecure image registry - The insecure image registry mentioned in this RFC refers to the image registry using the http protocol, and with a non-internal ip or a domain name. Because currently buildpacks can access insecure image registries using internal ip.

Motivation

To fix issue Support insecure registries in non-daemon case.

To pull images from insecure image registries when building images using buildpacks, and push target images to insecure image registries after the build is complete.

What it is

With this RFC, user can use images in insecure image registries to build image, and push the compiled image to the insecure image registries like this.

creator --run-image=develoment-registry.com/run-java:v16 --insecure-registry=develoment-registry.com --insecure-registry=testing-registry.com testing-registry.com/java-sample:latest

The flag --insecure-registry will be added to analyzer, export, restorer, rebaser and image tool too.

How it Works

With this PR, the component that buildpacks used to operate images, already supports pulling images from or pushing images to insecure registries. We should create a image with insecure registry by calling NewImage like this

remote.NewImage(imageName, authn.DefaultKeychain, withRegistrySetting("mydomain.registry.com:1080", true, false)

The second parameter specify whether the registry is insecure. The third parameter can be always false.

It is necessary to judge whether the registry where this image is located is insecure. If so, it needs to set the insecure registry through WithRegistrySetting.

The NewImage can set base image and prev image using FromBaseImage and WithPreviousImage, so it may need to call WithRegistrySetting multiple times to set up multiple insecure registries.

Drawbacks

N/A

Alternatives

N/A

Unresolved Questions

N/A

Spec. Changes (OPTIONAL)

A new flag --insecure-registry will add to analyzer, creator, export, restorer, rebaser and image tool.