diff --git a/build/lib/release.sh b/build/lib/release.sh
index f02444d537..25a904cf4b 100644
--- a/build/lib/release.sh
+++ b/build/lib/release.sh
@@ -369,7 +369,6 @@ function kube::release::package_kube_manifests_tarball() {
 local dst_dir="${release_stage}/gci-trusty"
 mkdir -p "${dst_dir}"
- cp "${src_dir}/kube-registry-proxy.yaml" "${dst_dir}/"
 cp "${src_dir}/kube-proxy.manifest" "${dst_dir}/"
 cp "${src_dir}/cluster-autoscaler.manifest" "${dst_dir}/"
 cp "${src_dir}/etcd.manifest" "${dst_dir}"
diff --git a/cluster/addons/registry/README.md b/cluster/addons/registry/README.md
deleted file mode 100644
index 59542355ed..0000000000
--- a/cluster/addons/registry/README.md
+++ /dev/null
@@ -1,274 +0,0 @@ -# Private Docker Registry in Kubernetes - -Kubernetes offers an optional private Docker registry addon, which you can turn -on when you bring up a cluster or install later. This gives you a place to -store truly private Docker images for your cluster. - -## How it works - -The private registry runs as a `Pod` in your cluster. It does not currently -support SSL or authentication, which triggers Docker's "insecure registry" -logic. To work around this, we run a proxy on each node in the cluster, -exposing a port onto the node (via a hostPort), which Docker accepts as -"secure", since it is accessed by `localhost`. - -## Turning it on - -Some cluster installs (e.g. GCE) support this as a cluster-birth flag. The -`ENABLE_CLUSTER_REGISTRY` variable in `cluster/gce/config-default.sh` governs -whether the registry is run or not. To set this flag, you can specify -`KUBE_ENABLE_CLUSTER_REGISTRY=true` when running `kube-up.sh`. If your cluster -does not include this flag, the following steps should work. Note that some of -this is cloud-provider specific, so you may have to customize it a bit. - -### Make some storage - -The primary job of the registry is to store data. To do that we have to decide -where to store it. For cloud environments that have networked storage, we can -use Kubernetes's `PersistentVolume` abstraction. 
The following template is -expanded by `salt` in the GCE cluster turnup, but can easily be adapted to -other situations: - - -```yaml -kind: PersistentVolume -apiVersion: v1 -metadata: - name: kube-system-kube-registry-pv - labels: - kubernetes.io/cluster-service: "true" -spec: -{% if pillar.get('cluster_registry_disk_type', '') == 'gce' %} - capacity: - storage: {{ pillar['cluster_registry_disk_size'] }} - accessModes: - - ReadWriteOnce - gcePersistentDisk: - pdName: "{{ pillar['cluster_registry_disk_name'] }}" - fsType: "ext4" -{% endif %} -``` - - -If, for example, you wanted to use NFS you would just need to change the -`gcePersistentDisk` block to `nfs`. See -[here](https://kubernetes.io/docs/user-guide/volumes.md) for more details on volumes. - -Note that in any case, the storage (in the case the GCE PersistentDisk) must be -created independently - this is not something Kubernetes manages for you (yet). - -### I don't want or don't have persistent storage - -If you are running in a place that doesn't have networked storage, or if you -just want to kick the tires on this without committing to it, you can easily -adapt the `ReplicationController` specification below to use a simple -`emptyDir` volume instead of a `persistentVolumeClaim`. - -## Claim the storage - -Now that the Kubernetes cluster knows that some storage exists, you can put a -claim on that storage. As with the `PersistentVolume` above, you can start -with the `salt` template: - - -```yaml -kind: PersistentVolumeClaim -apiVersion: v1 -metadata: - name: kube-registry-pvc - namespace: kube-system - labels: - kubernetes.io/cluster-service: "true" -spec: - accessModes: - - ReadWriteOnce - resources: - requests: - storage: {{ pillar['cluster_registry_disk_size'] }} -``` - - -This tells Kubernetes that you want to use storage, and the `PersistentVolume` -you created before will be bound to this claim (unless you have other -`PersistentVolumes` in which case those might get bound instead). 
This claim -gives you the right to use this storage until you release the claim. - -## Run the registry - -Now we can run a Docker registry: - - -```yaml -apiVersion: v1 -kind: ReplicationController -metadata: - name: kube-registry-v0 - namespace: kube-system - labels: - k8s-app: kube-registry-upstream - version: v0 - kubernetes.io/cluster-service: "true" -spec: - replicas: 1 - selector: - k8s-app: kube-registry-upstream - version: v0 - template: - metadata: - labels: - k8s-app: kube-registry-upstream - version: v0 - kubernetes.io/cluster-service: "true" - spec: - containers: - - name: registry - image: registry:2 - resources: - limits: - cpu: 100m - memory: 100Mi - env: - - name: REGISTRY_HTTP_ADDR - value: :5000 - - name: REGISTRY_STORAGE_FILESYSTEM_ROOTDIRECTORY - value: /var/lib/registry - volumeMounts: - - name: image-store - mountPath: /var/lib/registry - ports: - - containerPort: 5000 - name: registry - protocol: TCP - volumes: - - name: image-store - persistentVolumeClaim: - claimName: kube-registry-pvc -``` - - -## Expose the registry in the cluster - -Now that we have a registry `Pod` running, we can expose it as a Service: - - -```yaml -apiVersion: v1 -kind: Service -metadata: - name: kube-registry - namespace: kube-system - labels: - k8s-app: kube-registry-upstream - kubernetes.io/cluster-service: "true" - kubernetes.io/name: "KubeRegistry" -spec: - selector: - k8s-app: kube-registry-upstream - ports: - - name: registry - port: 5000 - protocol: TCP -``` - - -## Expose the registry on each node - -Now that we have a running `Service`, we need to expose it onto each Kubernetes -`Node` so that Docker will see it as `localhost`. We can load a `Pod` on every -node by creating following daemonset. 
- - -```yaml -apiVersion: extensions/v1beta1 -kind: DaemonSet -metadata: - name: kube-registry-proxy - namespace: kube-system - labels: - k8s-app: kube-registry-proxy - kubernetes.io/cluster-service: "true" - version: v0.4 -spec: - template: - metadata: - labels: - k8s-app: kube-registry-proxy - kubernetes.io/name: "kube-registry-proxy" - kubernetes.io/cluster-service: "true" - version: v0.4 - spec: - containers: - - name: kube-registry-proxy - image: gcr.io/google_containers/kube-registry-proxy:0.4 - resources: - limits: - cpu: 100m - memory: 50Mi - env: - - name: REGISTRY_HOST - value: kube-registry.kube-system.svc.cluster.local - - name: REGISTRY_PORT - value: "5000" - ports: - - name: registry - containerPort: 80 - hostPort: 5000 -``` - - -When modifying replication-controller, service and daemon-set defintions, take -care to ensure _unique_ identifiers for the rc-svc couple and the daemon-set. -Failing to do so will have register the localhost proxy daemon-sets to the -upstream service. As a result they will then try to proxy themselves, which -will, for obvious reasons, not work. - -This ensures that port 5000 on each node is directed to the registry `Service`. -You should be able to verify that it is running by hitting port 5000 with a web -browser and getting a 404 error: - -```console -$ curl localhost:5000 -404 page not found -``` - -## Using the registry - -To use an image hosted by this registry, simply say this in your `Pod`'s -`spec.containers[].image` field: - -```yaml - image: localhost:5000/user/container -``` - -Before you can use the registry, you have to be able to get images into it, -though. If you are building an image on your Kubernetes `Node`, you can spell -out `localhost:5000` when you build and push. More likely, though, you are -building locally and want to push to your cluster. 
- -You can use `kubectl` to set up a port-forward from your local node to a -running Pod: - -```console -$ POD=$(kubectl get pods --namespace kube-system -l k8s-app=kube-registry-upstream \ - -o template --template '{{range .items}}{{.metadata.name}} {{.status.phase}}{{"\n"}}{{end}}' \ - | grep Running | head -1 | cut -f1 -d' ') - -$ kubectl port-forward --namespace kube-system $POD 5000:5000 & -``` - -Now you can build and push images on your local computer as -`localhost:5000/yourname/container` and those images will be available inside -your kubernetes cluster with the same name. - -# More Extensions - -- [Use GCS as storage backend](gcs/README.md) -- [Enable TLS/SSL](tls/README.md) -- [Enable Authentication](auth/README.md) - -## Future improvements - -* Allow port-forwarding to a Service rather than a pod (#15180) - - -[![Analytics](https://kubernetes-site.appspot.com/UA-36037335-10/GitHub/cluster/addons/registry/README.md?pixel)]() diff --git a/cluster/addons/registry/auth/README.md b/cluster/addons/registry/auth/README.md deleted file mode 100644 index 040c54bcb8..0000000000 --- a/cluster/addons/registry/auth/README.md +++ /dev/null 
@@ -1,92 +0,0 @@ -# Enable Authentication with Htpasswd for Kube-Registry - -Docker registry support a few authentication providers. Full list of supported provider can be found [here](https://docs.docker.com/registry/configuration/#auth). This document describes how to enable authentication with htpasswd for kube-registry. - -### Prepare Htpasswd Secret - -Please generate your own htpasswd file. Assuming the file you generated is `htpasswd`. -Creating secret to hold htpasswd... -```console -$ kubectl --namespace=kube-system create secret generic registry-auth-secret --from-file=htpasswd=htpasswd -``` - -### Run Registry - -Please be noted that this sample rc is using emptyDir as storage backend for simplicity. - - -```yaml -apiVersion: v1 -kind: ReplicationController -metadata: - name: kube-registry-v0 - namespace: kube-system - labels: - k8s-app: kube-registry - version: v0 -# kubernetes.io/cluster-service: "true" -spec: - replicas: 1 - selector: - k8s-app: kube-registry - version: v0 - template: - metadata: - labels: - k8s-app: kube-registry - version: v0 -# kubernetes.io/cluster-service: "true" - spec: - containers: - - name: registry - image: registry:2 - resources: - # keep request = limit to keep this container in guaranteed class - limits: - cpu: 100m - memory: 100Mi - requests: - cpu: 100m - memory: 100Mi - env: - - name: REGISTRY_HTTP_ADDR - value: :5000 - - name: REGISTRY_STORAGE_FILESYSTEM_ROOTDIRECTORY - value: /var/lib/registry - - name: REGISTRY_AUTH_HTPASSWD_REALM - value: basic_realm - - name: REGISTRY_AUTH_HTPASSWD_PATH - value: /auth/htpasswd - volumeMounts: - - name: image-store - mountPath: /var/lib/registry - - name: auth-dir - mountPath: /auth - ports: - - containerPort: 5000 - name: registry - protocol: TCP - volumes: - - name: image-store - emptyDir: {} - - name: auth-dir - secret: - secretName: registry-auth-secret -``` - - -No changes are needed for other components (kube-registry service and proxy). 
- -### To Verify - -Setup proxy or port-forwarding to the kube-registry. Image push/pull should fail without authentication. Then use `docker login` to authenticate with kube-registry and see if it works. - -### Configure Nodes to Authenticate with Kube-Registry - -By default, nodes assume no authentication is required by kube-registry. Without authentication, nodes cannot pull images from kube-registry. To solve this, more documentation can be found [Here](https://github.com/kubernetes/kubernetes.github.io/blob/master/docs/concepts/containers/images.md#configuring-nodes-to-authenticate-to-a-private-repository). - - - - - -[![Analytics](https://kubernetes-site.appspot.com/UA-36037335-10/GitHub/cluster/addons/registry/auth/README.md?pixel)]() diff --git a/cluster/addons/registry/auth/registry-auth-rc.yaml b/cluster/addons/registry/auth/registry-auth-rc.yaml deleted file mode 100644 index 1af623d090..0000000000 --- a/cluster/addons/registry/auth/registry-auth-rc.yaml +++ /dev/null 
@@ -1,56 +0,0 @@ -apiVersion: v1 -kind: ReplicationController -metadata: - name: kube-registry-v0 - namespace: kube-system - labels: - k8s-app: kube-registry - version: v0 -# kubernetes.io/cluster-service: "true" -spec: - replicas: 1 - selector: - k8s-app: kube-registry - version: v0 - template: - metadata: - labels: - k8s-app: kube-registry - version: v0 -# kubernetes.io/cluster-service: "true" - spec: - containers: - - name: registry - image: registry:2 - resources: - # keep request = limit to keep this container in guaranteed class - limits: - cpu: 100m - memory: 100Mi - requests: - cpu: 100m - memory: 100Mi - env: - - name: REGISTRY_HTTP_ADDR - value: :5000 - - name: REGISTRY_STORAGE_FILESYSTEM_ROOTDIRECTORY - value: /var/lib/registry - - name: REGISTRY_AUTH_HTPASSWD_REALM - value: basic_realm - - name: REGISTRY_AUTH_HTPASSWD_PATH - value: /auth/htpasswd - volumeMounts: - - name: image-store - mountPath: /var/lib/registry - - name: auth-dir - mountPath: /auth - ports: - - containerPort: 5000 - name: registry - protocol: TCP - volumes: - - name: image-store - emptyDir: {} - - name: auth-dir - secret: - secretName: registry-auth-secret \ No newline at end of file diff --git a/cluster/addons/registry/gcs/README.md b/cluster/addons/registry/gcs/README.md deleted file mode 100644 index 5706a848f8..0000000000 --- a/cluster/addons/registry/gcs/README.md +++ /dev/null 
@@ -1,81 +0,0 @@ -# Kube-Registry with GCS storage backend - -Besides local file system, docker registry also supports a number of cloud storage backends. Full list of supported backend can be found [here](https://docs.docker.com/registry/configuration/#storage). This document describes how to enable GCS for kube-registry as storage backend. - -A few preparation steps are needed. - 1. Create a bucket named kube-registry in GCS. - 1. Create a service account for GCS access and create key file in json format. Detail instruction can be found [here](https://cloud.google.com/storage/docs/authentication#service_accounts). - - -### Pack Keyfile into a Secret - -Assuming you have downloaded the keyfile as `keyfile.json`. Create secret with the `keyfile.json`... -```console -$ kubectl --namespace=kube-system create secret generic gcs-key-secret --from-file=keyfile=keyfile.json -``` - - -### Run Registry - - -```yaml -apiVersion: v1 -kind: ReplicationController -metadata: - name: kube-registry-v0 - namespace: kube-system - labels: - k8s-app: kube-registry - version: v0 -# kubernetes.io/cluster-service: "true" -spec: - replicas: 1 - selector: - k8s-app: kube-registry - version: v0 - template: - metadata: - labels: - k8s-app: kube-registry - version: v0 -# kubernetes.io/cluster-service: "true" - spec: - containers: - - name: registry - image: registry:2 - resources: - # keep request = limit to keep this container in guaranteed class - limits: - cpu: 100m - memory: 100Mi - requests: - cpu: 100m - memory: 100Mi - env: - - name: REGISTRY_HTTP_ADDR - value: :5000 - - name: REGISTRY_STORAGE - value: gcs - - name: REGISTRY_STORAGE_GCS_BUCKET - value: kube-registry - - name: REGISTRY_STORAGE_GCS_KEYFILE - value: /gcs/keyfile - ports: - - containerPort: 5000 - name: registry - protocol: TCP - volumeMounts: - - name: gcs-key - mountPath: /gcs - volumes: - - name: gcs-key - secret: - secretName: gcs-key-secret -``` - - - -No changes are needed for other components (kube-registry service 
and proxy). - - -[![Analytics](https://kubernetes-site.appspot.com/UA-36037335-10/GitHub/cluster/addons/registry/gcs/README.md?pixel)]() diff --git a/cluster/addons/registry/gcs/registry-gcs-rc.yaml b/cluster/addons/registry/gcs/registry-gcs-rc.yaml deleted file mode 100644 index e697403356..0000000000 --- a/cluster/addons/registry/gcs/registry-gcs-rc.yaml +++ /dev/null @@ -1,52 +0,0 @@ -apiVersion: v1 -kind: ReplicationController -metadata: - name: kube-registry-v0 - namespace: kube-system - labels: - k8s-app: kube-registry - version: v0 -# kubernetes.io/cluster-service: "true" -spec: - replicas: 1 - selector: - k8s-app: kube-registry - version: v0 - template: - metadata: - labels: - k8s-app: kube-registry - version: v0 -# kubernetes.io/cluster-service: "true" - spec: - containers: - - name: registry - image: registry:2 - resources: - # keep request = limit to keep this container in guaranteed class - limits: - cpu: 100m - memory: 100Mi - requests: - cpu: 100m - memory: 100Mi - env: - - name: REGISTRY_HTTP_ADDR - value: :5000 - - name: REGISTRY_STORAGE - value: gcs - - name: REGISTRY_STORAGE_GCS_BUCKET - value: kube-registry - - name: REGISTRY_STORAGE_GCS_KEYFILE - value: /gcs/keyfile - ports: - - containerPort: 5000 - name: registry - protocol: TCP - volumeMounts: - - name: gcs-key - mountPath: /gcs - volumes: - - name: gcs-key - secret: - secretName: gcs-key-secret diff --git a/cluster/addons/registry/images/Dockerfile b/cluster/addons/registry/images/Dockerfile deleted file mode 100644 index 51464fe72a..0000000000 --- a/cluster/addons/registry/images/Dockerfile +++ /dev/null 
@@ -1,26 +0,0 @@
-# Copyright 2016 The Kubernetes Authors.
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-FROM nginx:1.11
-
-RUN apt-get update \
- && apt-get install -y \
- curl \
- --no-install-recommends \
- && apt-get clean \
- && rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/* /usr/share/man /usr/share/doc
-
-COPY rootfs /
-
-CMD ["/bin/boot"]
diff --git a/cluster/addons/registry/images/Makefile b/cluster/addons/registry/images/Makefile
deleted file mode 100644
index c1b64de1c2..0000000000
--- a/cluster/addons/registry/images/Makefile
+++ /dev/null
@@ -1,24 +0,0 @@
-# Copyright 2016 The Kubernetes Authors.
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-.PHONY: build push vet test clean
-
-TAG = 0.4
-REPO = gcr.io/google_containers/kube-registry-proxy
-
-build:
- docker build --pull -t $(REPO):$(TAG) .
-
-push:
- gcloud docker -- push $(REPO):$(TAG)
diff --git a/cluster/addons/registry/images/rootfs/bin/boot b/cluster/addons/registry/images/rootfs/bin/boot
deleted file mode 100755
index 04262b4642..0000000000
--- a/cluster/addons/registry/images/rootfs/bin/boot
+++ /dev/null
@@ -1,23 +0,0 @@
-#!/usr/bin/env bash
-
-# fail if no hostname is provided
-REGISTRY_HOST=${REGISTRY_HOST:?no host}
-REGISTRY_PORT=${REGISTRY_PORT:-5000}
-
-# we are always listening on port 80
-# https://github.com/nginxinc/docker-nginx/blob/43c112100750cbd1e9f2160324c64988e7920ac9/stable/jessie/Dockerfile#L25
-PORT=80
-
-sed -e "s/%HOST%/$REGISTRY_HOST/g" \
- -e "s/%PORT%/$REGISTRY_PORT/g" \
- -e "s/%BIND_PORT%/$PORT/g" \
- /etc/nginx/conf.d/default.conf
-
-# wait for registry to come online
-while ! curl -sS "$REGISTRY_HOST:$REGISTRY_PORT" &>/dev/null; do
- printf "waiting for the registry (%s:%s) to come online...\n" "$REGISTRY_HOST" "$REGISTRY_PORT"
- sleep 1
-done
-
-printf "starting proxy...\n"
-exec nginx -g "daemon off;" "$@"
diff --git a/cluster/addons/registry/images/rootfs/etc/nginx/conf.d/default.conf.in b/cluster/addons/registry/images/rootfs/etc/nginx/conf.d/default.conf.in
deleted file mode 100644
index ecd95fd2fe..0000000000
--- a/cluster/addons/registry/images/rootfs/etc/nginx/conf.d/default.conf.in
+++ /dev/null
@@ -1,28 +0,0 @@ -# Docker registry proxy for api version 2 - -upstream docker-registry { - server %HOST%:%PORT%; -} - -# No client auth or TLS -# TODO(bacongobbler): experiment with authenticating the registry if it's using TLS -server { - listen %BIND_PORT%; - server_name localhost; - - # disable any limits to avoid HTTP 413 for large image uploads - client_max_body_size 0; - - # required to avoid HTTP 411: see Issue #1486 (https://github.com/docker/docker/issues/1486) - chunked_transfer_encoding on; - - location / { - # Do not allow connections from docker 1.5 and earlier - # docker pre-1.6.0 did not properly set the user agent on ping, catch "Go *" user agents - if ($http_user_agent ~ "^(docker\/1\.(3|4|5(?!\.[0-9]-dev))|Go ).*$" ) { - return 404; - } - - include docker-registry.conf; - } -} diff --git a/cluster/addons/registry/images/rootfs/etc/nginx/docker-registry.conf b/cluster/addons/registry/images/rootfs/etc/nginx/docker-registry.conf deleted file mode 100644 index 7dc8cfff26..0000000000 --- a/cluster/addons/registry/images/rootfs/etc/nginx/docker-registry.conf +++ /dev/null @@ -1,6 +0,0 @@ -proxy_pass http://docker-registry; -proxy_set_header Host $http_host; # required for docker client's sake -proxy_set_header X-Real-IP $remote_addr; # pass on real client's IP -proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; -proxy_set_header X-Forwarded-Proto $scheme; -proxy_read_timeout 900; diff --git a/cluster/addons/registry/images/rootfs/etc/nginx/nginx.conf b/cluster/addons/registry/images/rootfs/etc/nginx/nginx.conf deleted file mode 100644 index 54ecc888e5..0000000000 --- a/cluster/addons/registry/images/rootfs/etc/nginx/nginx.conf +++ /dev/null 
@@ -1,26 +0,0 @@ -user nginx; -worker_processes auto; - -error_log /var/log/nginx/error.log warn; -pid /var/run/nginx.pid; - -events { - worker_connections 1024; -} - -http { - include /etc/nginx/mime.types; - default_type application/octet-stream; - - log_format main '$remote_addr - $remote_user [$time_local] "$request" ' - '$status $body_bytes_sent "$http_referer" ' - '"$http_user_agent" "$http_x_forwarded_for"'; - - access_log /var/log/nginx/access.log main; - - sendfile on; - - keepalive_timeout 65; - - include /etc/nginx/conf.d/*.conf; -} diff --git a/cluster/addons/registry/registry-pv.yaml.in b/cluster/addons/registry/registry-pv.yaml.in deleted file mode 100644 index 196efa928d..0000000000 --- a/cluster/addons/registry/registry-pv.yaml.in +++ /dev/null @@ -1,17 +0,0 @@ -kind: PersistentVolume -apiVersion: v1 -metadata: - name: kube-system-kube-registry-pv - labels: - kubernetes.io/cluster-service: "true" - addonmanager.kubernetes.io/mode: Reconcile -spec: -{% if pillar.get('cluster_registry_disk_type', '') == 'gce' %} - capacity: - storage: {{ pillar['cluster_registry_disk_size'] }} - accessModes: - - ReadWriteOnce - gcePersistentDisk: - pdName: "{{ pillar['cluster_registry_disk_name'] }}" - fsType: "ext4" -{% endif %} diff --git a/cluster/addons/registry/registry-pvc.yaml.in b/cluster/addons/registry/registry-pvc.yaml.in deleted file mode 100644 index 35c7871771..0000000000 --- a/cluster/addons/registry/registry-pvc.yaml.in +++ /dev/null @@ -1,14 +0,0 @@ -kind: PersistentVolumeClaim -apiVersion: v1 -metadata: - name: kube-registry-pvc - namespace: kube-system - labels: - kubernetes.io/cluster-service: "true" - addonmanager.kubernetes.io/mode: Reconcile -spec: - accessModes: - - ReadWriteOnce - resources: - requests: - storage: {{ pillar['cluster_registry_disk_size'] }} diff --git a/cluster/addons/registry/registry-rc.yaml b/cluster/addons/registry/registry-rc.yaml deleted file mode 100644 index a6648c7851..0000000000 
--- a/cluster/addons/registry/registry-rc.yaml +++ /dev/null @@ -1,49 +0,0 @@ -apiVersion: v1 -kind: ReplicationController -metadata: - name: kube-registry-v0 - namespace: kube-system - labels: - k8s-app: kube-registry-upstream - version: v0 - kubernetes.io/cluster-service: "true" - addonmanager.kubernetes.io/mode: Reconcile -spec: - replicas: 1 - selector: - k8s-app: kube-registry-upstream - version: v0 - template: - metadata: - labels: - k8s-app: kube-registry-upstream - version: v0 - kubernetes.io/cluster-service: "true" - spec: - containers: - - name: registry - image: registry:2.5.1 - resources: - # keep request = limit to keep this container in guaranteed class - limits: - cpu: 100m - memory: 100Mi - requests: - cpu: 100m - memory: 100Mi - env: - - name: REGISTRY_HTTP_ADDR - value: :5000 - - name: REGISTRY_STORAGE_FILESYSTEM_ROOTDIRECTORY - value: /var/lib/registry - volumeMounts: - - name: image-store - mountPath: /var/lib/registry - ports: - - containerPort: 5000 - name: registry - protocol: TCP - volumes: - - name: image-store - persistentVolumeClaim: - claimName: kube-registry-pvc diff --git a/cluster/addons/registry/registry-svc.yaml b/cluster/addons/registry/registry-svc.yaml deleted file mode 100644 index 186e7559c6..0000000000 --- a/cluster/addons/registry/registry-svc.yaml +++ /dev/null @@ -1,17 +0,0 @@ -apiVersion: v1 -kind: Service -metadata: - name: kube-registry - namespace: kube-system - labels: - k8s-app: kube-registry-upstream - kubernetes.io/cluster-service: "true" - addonmanager.kubernetes.io/mode: Reconcile - kubernetes.io/name: "KubeRegistry" -spec: - selector: - k8s-app: kube-registry-upstream - ports: - - name: registry - port: 5000 - protocol: TCP diff --git a/cluster/addons/registry/tls/README.md b/cluster/addons/registry/tls/README.md deleted file mode 100644 index 7ba5cc628b..0000000000 --- a/cluster/addons/registry/tls/README.md +++ /dev/null 
@@ -1,116 +0,0 @@ -# Enable TLS for Kube-Registry - -This document describes how to enable TLS for kube-registry. Before you start, please check if you have all the prerequisite: - -- A domain for kube-registry. Assuming it is ` myregistrydomain.com`. -- Domain certificate and key. Assuming they are `domain.crt` and `domain.key` - -### Pack domain.crt and domain.key into a Secret - -```console -$ kubectl --namespace=kube-system create secret generic registry-tls-secret --from-file=domain.crt=domain.crt --from-file=domain.key=domain.key -``` - -### Run Registry - -Please be noted that this sample rc is using emptyDir as storage backend for simplicity. - - -```yaml -apiVersion: v1 -kind: ReplicationController -metadata: - name: kube-registry-v0 - namespace: kube-system - labels: - k8s-app: kube-registry - version: v0 -# kubernetes.io/cluster-service: "true" -spec: - replicas: 1 - selector: - k8s-app: kube-registry - version: v0 - template: - metadata: - labels: - k8s-app: kube-registry - version: v0 -# kubernetes.io/cluster-service: "true" - spec: - containers: - - name: registry - image: registry:2 - resources: - # keep request = limit to keep this container in guaranteed class - limits: - cpu: 100m - memory: 100Mi - requests: - cpu: 100m - memory: 100Mi - env: - - name: REGISTRY_HTTP_ADDR - value: :5000 - - name: REGISTRY_STORAGE_FILESYSTEM_ROOTDIRECTORY - value: /var/lib/registry - - name: REGISTRY_HTTP_TLS_CERTIFICATE - value: /certs/domain.crt - - name: REGISTRY_HTTP_TLS_KEY - value: /certs/domain.key - volumeMounts: - - name: image-store - mountPath: /var/lib/registry - - name: cert-dir - mountPath: /certs - ports: - - containerPort: 5000 - name: registry - protocol: TCP - volumes: - - name: image-store - emptyDir: {} - - name: cert-dir - secret: - secretName: registry-tls-secret -``` - - -### Expose External IP for Kube-Registry - -Modify the default kube-registry service to `LoadBalancer` type and point the DNS record of `myregistrydomain.com` to the service 
external ip. - - -```yaml -apiVersion: v1 -kind: Service -metadata: - name: kube-registry - namespace: kube-system - labels: - k8s-app: kube-registry -# kubernetes.io/cluster-service: "true" - kubernetes.io/name: "KubeRegistry" -spec: - selector: - k8s-app: kube-registry - type: LoadBalancer - ports: - - name: registry - port: 5000 - protocol: TCP -``` - - -### To Verify - -Now you should be able to access your kube-registry from another docker host. -```console -docker pull busybox -docker tag busybox myregistrydomain.com:5000/busybox -docker push myregistrydomain.com:5000/busybox -docker pull myregistrydomain.com:5000/busybox -``` - - -[![Analytics](https://kubernetes-site.appspot.com/UA-36037335-10/GitHub/cluster/addons/registry/tls/README.md?pixel)]() diff --git a/cluster/addons/registry/tls/registry-tls-rc.yaml b/cluster/addons/registry/tls/registry-tls-rc.yaml deleted file mode 100644 index c2411c0524..0000000000 --- a/cluster/addons/registry/tls/registry-tls-rc.yaml +++ /dev/null 
@@ -1,57 +0,0 @@ -apiVersion: v1 -kind: ReplicationController -metadata: - name: kube-registry-v0 - namespace: kube-system - labels: - k8s-app: kube-registry - version: v0 -# kubernetes.io/cluster-service: "true" -spec: - replicas: 1 - selector: - k8s-app: kube-registry - version: v0 - template: - metadata: - labels: - k8s-app: kube-registry - version: v0 -# kubernetes.io/cluster-service: "true" - spec: - containers: - - name: registry - image: registry:2 - resources: - # keep request = limit to keep this container in guaranteed class - limits: - cpu: 100m - memory: 100Mi - requests: - cpu: 100m - memory: 100Mi - env: - - name: REGISTRY_HTTP_ADDR - value: :5000 - - name: REGISTRY_STORAGE_FILESYSTEM_ROOTDIRECTORY - value: /var/lib/registry - - name: REGISTRY_HTTP_TLS_CERTIFICATE - value: /certs/domain.crt - - name: REGISTRY_HTTP_TLS_KEY - value: /certs/domain.key - volumeMounts: - - name: image-store - mountPath: /var/lib/registry - - name: cert-dir - mountPath: /certs - ports: - - containerPort: 5000 - name: registry - protocol: TCP - volumes: - - name: image-store - emptyDir: {} - - name: cert-dir - secret: - secretName: registry-tls-secret - diff --git a/cluster/addons/registry/tls/registry-tls-svc.yaml b/cluster/addons/registry/tls/registry-tls-svc.yaml deleted file mode 100644 index a9d59f117d..0000000000 --- a/cluster/addons/registry/tls/registry-tls-svc.yaml +++ /dev/null @@ -1,17 +0,0 @@ -apiVersion: v1 -kind: Service -metadata: - name: kube-registry - namespace: kube-system - labels: - k8s-app: kube-registry -# kubernetes.io/cluster-service: "true" - kubernetes.io/name: "KubeRegistry" -spec: - selector: - k8s-app: kube-registry - type: LoadBalancer - ports: - - name: registry - port: 5000 - protocol: TCP diff --git a/cluster/common.sh b/cluster/common.sh index 8d7f5479d7..7e5f35b526 100755 --- a/cluster/common.sh +++ b/cluster/common.sh 
@@ -518,9 +518,6 @@ LOGGING_DESTINATION: $(yaml-quote ${LOGGING_DESTINATION:-})
 ELASTICSEARCH_LOGGING_REPLICAS: $(yaml-quote ${ELASTICSEARCH_LOGGING_REPLICAS:-})
 ENABLE_CLUSTER_DNS: $(yaml-quote ${ENABLE_CLUSTER_DNS:-false})
 CLUSTER_DNS_CORE_DNS: $(yaml-quote ${CLUSTER_DNS_CORE_DNS:-false})
-ENABLE_CLUSTER_REGISTRY: $(yaml-quote ${ENABLE_CLUSTER_REGISTRY:-false})
-CLUSTER_REGISTRY_DISK: $(yaml-quote ${CLUSTER_REGISTRY_DISK:-})
-CLUSTER_REGISTRY_DISK_SIZE: $(yaml-quote ${CLUSTER_REGISTRY_DISK_SIZE:-})
 DNS_SERVER_IP: $(yaml-quote ${DNS_SERVER_IP:-})
 DNS_DOMAIN: $(yaml-quote ${DNS_DOMAIN:-})
 ENABLE_DNS_HORIZONTAL_AUTOSCALER: $(yaml-quote ${ENABLE_DNS_HORIZONTAL_AUTOSCALER:-false})
diff --git a/cluster/gce/config-default.sh b/cluster/gce/config-default.sh
index 0ec9dd9d02..aed552d6c0 100755
--- a/cluster/gce/config-default.sh
+++ b/cluster/gce/config-default.sh
@@ -225,12 +225,6 @@ DNS_DOMAIN="${KUBE_DNS_DOMAIN:-cluster.local}"
 # Optional: Enable DNS horizontal autoscaler
 ENABLE_DNS_HORIZONTAL_AUTOSCALER="${KUBE_ENABLE_DNS_HORIZONTAL_AUTOSCALER:-true}"
-# Optional: Install cluster docker registry.
-ENABLE_CLUSTER_REGISTRY="${KUBE_ENABLE_CLUSTER_REGISTRY:-false}"
-CLUSTER_REGISTRY_DISK="${CLUSTER_REGISTRY_PD:-${INSTANCE_PREFIX}-kube-system-kube-registry}"
-CLUSTER_REGISTRY_DISK_SIZE="${CLUSTER_REGISTRY_DISK_SIZE:-200GB}"
-CLUSTER_REGISTRY_DISK_TYPE_GCE="${CLUSTER_REGISTRY_DISK_TYPE_GCE:-pd-standard}"
-
 # Optional: Install Kubernetes UI
 ENABLE_CLUSTER_UI="${KUBE_ENABLE_CLUSTER_UI:-true}"
diff --git a/cluster/gce/config-test.sh b/cluster/gce/config-test.sh
index 662344b997..63b9403737 100755
--- a/cluster/gce/config-test.sh
+++ b/cluster/gce/config-test.sh
@@ -249,12 +249,6 @@ DNS_DOMAIN="cluster.local" # Optional: Enable DNS horizontal autoscaler ENABLE_DNS_HORIZONTAL_AUTOSCALER="${KUBE_ENABLE_DNS_HORIZONTAL_AUTOSCALER:-true}" -# Optional: Install cluster docker registry. -ENABLE_CLUSTER_REGISTRY="${KUBE_ENABLE_CLUSTER_REGISTRY:-false}" -CLUSTER_REGISTRY_DISK="${CLUSTER_REGISTRY_DISK:-${INSTANCE_PREFIX}-kube-system-kube-registry}" -CLUSTER_REGISTRY_DISK_SIZE="${CLUSTER_REGISTRY_DISK_SIZE:-200GB}" -CLUSTER_REGISTRY_DISK_TYPE_GCE="${CLUSTER_REGISTRY_DISK_TYPE_GCE:-pd-standard}" - # Optional: Install Kubernetes UI ENABLE_CLUSTER_UI="${KUBE_ENABLE_CLUSTER_UI:-true}" diff --git a/cluster/gce/gci/configure-helper.sh b/cluster/gce/gci/configure-helper.sh index e23c137bd2..88029dad58 100644 --- a/cluster/gce/gci/configure-helper.sh +++ b/cluster/gce/gci/configure-helper.sh @@ -2193,18 +2193,6 @@ EOF setup-kube-dns-manifest fi fi - if [[ "${ENABLE_CLUSTER_REGISTRY:-}" == "true" ]]; then - setup-addon-manifests "addons" "registry" - local -r registry_pv_file="${dst_dir}/registry/registry-pv.yaml" - local -r registry_pvc_file="${dst_dir}/registry/registry-pvc.yaml" - mv "${dst_dir}/registry/registry-pv.yaml.in" "${registry_pv_file}" - mv "${dst_dir}/registry/registry-pvc.yaml.in" "${registry_pvc_file}" - # Replace the salt configurations with variable values. - remove-salt-config-comments "${controller_yaml}" - sed -i -e "s@{{ *pillar\['cluster_registry_disk_size'\] *}}@${CLUSTER_REGISTRY_DISK_SIZE}@g" "${registry_pv_file}" - sed -i -e "s@{{ *pillar\['cluster_registry_disk_size'\] *}}@${CLUSTER_REGISTRY_DISK_SIZE}@g" "${registry_pvc_file}" - sed -i -e "s@{{ *pillar\['cluster_registry_disk_name'\] *}}@${CLUSTER_REGISTRY_DISK}@g" "${registry_pvc_file}" - fi if [[ "${ENABLE_NODE_LOGGING:-}" == "true" ]] && \ [[ "${LOGGING_DESTINATION:-}" == "elasticsearch" ]] && \ [[ "${ENABLE_CLUSTER_LOGGING:-}" == "true" ]]; then 
@@ -2262,12 +2250,6 @@ function start-image-puller { /etc/kubernetes/manifests/ } -# Starts kube-registry proxy -function start-kube-registry-proxy { - echo "Start kube-registry-proxy" - cp "${KUBE_HOME}/kube-manifests/kubernetes/gci-trusty/kube-registry-proxy.yaml" /etc/kubernetes/manifests -} - # Starts a l7 loadbalancing controller for ingress. function start-lb-controller { if [[ "${ENABLE_L7_LOADBALANCING:-}" == "glbc" ]]; then @@ -2451,10 +2433,6 @@ else if [[ "${KUBE_PROXY_DAEMONSET:-}" != "true" ]]; then start-kube-proxy fi - # Kube-registry-proxy. - if [[ "${ENABLE_CLUSTER_REGISTRY:-}" == "true" ]]; then - start-kube-registry-proxy - fi if [[ "${PREPULL_E2E_IMAGES:-}" == "true" ]]; then start-image-puller fi diff --git a/cluster/gce/manifests/kube-registry-proxy.yaml b/cluster/gce/manifests/kube-registry-proxy.yaml deleted file mode 100644 index f00142ad65..0000000000 --- a/cluster/gce/manifests/kube-registry-proxy.yaml +++ /dev/null @@ -1,35 +0,0 @@ -apiVersion: extensions/v1beta1 -kind: DaemonSet -metadata: - name: kube-registry-proxy - namespace: kube-system - labels: - k8s-app: kube-registry - kubernetes.io/cluster-service: "true" - version: v0.4 -spec: - template: - metadata: - labels: - k8s-app: kube-registry - kubernetes.io/name: "kube-registry-proxy" - kubernetes.io/cluster-service: "true" - version: v0.4 - spec: - containers: - - name: kube-registry-proxy - image: gcr.io/google_containers/kube-registry-proxy:0.4 - resources: - limits: - cpu: 100m - memory: 50Mi - env: - - name: REGISTRY_HOST - value: kube-registry.kube-system.svc.cluster.local - - name: REGISTRY_PORT - value: "5000" - ports: - - name: registry - containerPort: 80 - hostPort: 5000 - diff --git a/cluster/gce/util.sh b/cluster/gce/util.sh index aba04a7246..795904ed9a 100755 --- a/cluster/gce/util.sh +++ b/cluster/gce/util.sh 
@@ -1014,15 +1014,6 @@ function create-master() { --type "${MASTER_DISK_TYPE}" \ --size "${MASTER_DISK_SIZE}" - # Create disk for cluster registry if enabled - if [[ "${ENABLE_CLUSTER_REGISTRY}" == true && -n "${CLUSTER_REGISTRY_DISK}" ]]; then - gcloud compute disks create "${CLUSTER_REGISTRY_DISK}" \ - --project "${PROJECT}" \ - --zone "${ZONE}" \ - --type "${CLUSTER_REGISTRY_DISK_TYPE_GCE}" \ - --size "${CLUSTER_REGISTRY_DISK_SIZE}" & - fi - # Create rule for accessing and securing etcd servers. if ! gcloud compute firewall-rules --project "${NETWORK_PROJECT}" describe "${MASTER_NAME}-etcd" &>/dev/null; then gcloud compute firewall-rules create "${MASTER_NAME}-etcd" \ @@ -1621,17 +1612,6 @@ function kube-down() { "${replica_pd}" fi - # Delete disk for cluster registry if enabled - if [[ "${ENABLE_CLUSTER_REGISTRY}" == true && -n "${CLUSTER_REGISTRY_DISK}" ]]; then - if gcloud compute disks describe "${CLUSTER_REGISTRY_DISK}" --zone "${ZONE}" --project "${PROJECT}" &>/dev/null; then - gcloud compute disks delete \ - --project "${PROJECT}" \ - --quiet \ - --zone "${ZONE}" \ - "${CLUSTER_REGISTRY_DISK}" - fi - fi - # Check if this are any remaining master replicas. local REMAINING_MASTER_COUNT=$(gcloud compute instances list \ --project "${PROJECT}" \ @@ -1880,11 +1860,6 @@ function check-resources() { return 1 fi - if gcloud compute disks describe --project "${PROJECT}" "${CLUSTER_REGISTRY_DISK}" --zone "${ZONE}" &>/dev/null; then - KUBE_RESOURCE_FOUND="Persistent disk ${CLUSTER_REGISTRY_DISK}" - return 1 - fi - # Find out what minions are running. local -a minions minions=( $(gcloud compute instances list \