Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add spegel distributed registry mirror #8977

Merged
merged 7 commits into from
Jan 9, 2024
Merged

Add spegel distributed registry mirror #8977

merged 7 commits into from
Jan 9, 2024

Conversation

brandond
Copy link
Contributor

@brandond brandond commented Dec 1, 2023
edited
Loading

Proposed Changes

This embeds spegel, a distributed registry mirror, into the K3s supervisor. In addition to reducing traffic against upstream registries, this also allows airgap images preloaded onto one node to be transparently shared to other nodes as needed.

spegel consists of a registry API backed by the local containerd image store, and a distributed hash table that allows nodes to gossip about which images and blobs they have available.

The local registry mirror is injected into the containerd config as the first mirror endpoint, followed by the user-selected endpoints, and finally the default endpoint. If any node in the cluster has an image, it will be pulled from that node, instead of from the registry or registry mirror.

The embedded registry is enabled at a cluster level via a CLI flag. When enabled, all nodes will listen on port 5001 for P2P traffic, secured by a preshared key. Agents will have a new listener on port 6443 that hosts the registry endpoint. The registry API is served over HTTPS, and requires a valid client certificate for access.

This appears to add ~4.4MB to the size of the K3s release artifact.

Checklist:

  • Write up ADR supporting this new feature and get team+PM approval
  • Get spegel working embedded in supervisor endpoint
  • Add agents to spegel cluster, instead of just proxying back to servers
  • Remove hardcoded values and wire into node config
  • Add CLI flag to enable, instead of always being enabled
  • Require TLS auth for registry endpoint
  • Require private network with preshared key
  • Add tests.
  • Add ipv6 support and push upstream.
    Handled by upstream in Fix support for ipv6 spegel-org/spegel#284
  • Push embedding, https, and nonblocking containerd client support upstream
    spegel-org/spegel@main...k3s-io:spegel:k3s-main

Builds on:

Inspired by:

Resolves:

Use:

  1. Start servers with --embedded-registry
  2. In order to enable distributed mirroring of an upstream registry, reference it in the mirror section of registries.yaml on every node that you want to participate in the sharing of images. The registry does not need to have any endpoints, although it may. For example, this is a valid configuration: 
    mirrors:
  docker.io:
  registry.k8s.io:
  gcr.io:
  quay.io:
  ghcr.io:
  3. Nodes also may be started with --disable-default-registry-endpoint, in which case images will only be available via airgap tarball, distributed mirror, or user-configured mirror (in order of precendece)
  4. Check metrics:
    kubectl get --raw /api/v1/nodes/NODENAME/proxy/metrics | grep -F 'spegel_

Types of Changes

new feature

Verification

See above

Testing

E2e test added.

Linked Issues

  • TBD

User-Facing Change

Further Comments

@phillebaba phillebaba mentioned this pull request Dec 3, 2023
Merged
@onedr0p onedr0p mentioned this pull request Dec 3, 2023
Open
@phillebaba
Copy link
Contributor

We can check off ipv6 support as I have merged spegel-org/spegel#284.

@brandond brandond force-pushed the embed-spegel branch 3 times, most recently from 18656bf to 8611079 Compare December 6, 2023 10:32
@harsimranmaan
Copy link
Contributor

Thanks Brandon. I am really happy to see such good progress on this one. I can help test this. If you need support convincing the team or the PMs, you can count my vote (and perhaps @adrianmoye's too) :)

@brandond brandond changed the title [WIP] Add spegel distributed registry mirror Add spegel distributed registry mirror Dec 7, 2023
@brandond brandond marked this pull request as ready for review December 7, 2023 22:27
@brandond brandond requested a review from a team as a code owner December 7, 2023 22:27
@brandond brandond mentioned this pull request Dec 7, 2023
Closed
@onedr0p
Copy link
Contributor

onedr0p commented Dec 8, 2023
edited
Loading

It's truly amazing the work you put into integrating spegel @brandond and so quickly, can't wait to try it out. ❤️

@bk201 bk201 mentioned this pull request Dec 8, 2023
Closed
harsimranmaan
harsimranmaan reviewed Dec 8, 2023
View reviewed changes
pkg/spegel/spegel.go Outdated Show resolved Hide resolved
@adrianmoye
Copy link

Thanks @brandond for the great work! I really appreciate it. This looks like the perfect solution for me, with pinning images (a feature I wasn't aware of) being the final point for my requirements.
@harsimranmaan thanks for ping me on this.

@brandond brandond force-pushed the embed-spegel branch 4 times, most recently from 878f888 to a1a8fba Compare December 9, 2023 02:34
@twistedgrim
Copy link

I just learned about Spegel and tried out it out. Freaking amazing work! Looking forward to this!

@rlex
Copy link
Contributor

rlex commented Dec 10, 2023

spegel exposes some useful metrics, will they be exposed in case of running embedded spegel? Cannot find anything related in PR

@onedr0p
Copy link
Contributor

onedr0p commented Dec 10, 2023

It would be very helpful useful to have those metrics exposed, their grafana dashboard is quite nice for reviewing what's going on.

manuelbuil
manuelbuil previously approved these changes Jan 5, 2024
View reviewed changes
@brandond brandond requested review from dereknola, manuelbuil and a team January 5, 2024 20:45
@brandond
Pin images instead of locking layers with lease
d7d872a 
Layer leases never did what we wanted anyways, and this is the new approved interface for ensuring that images do not get GCd

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
@brandond
Move registries.yaml load into agent config
d24167a 
Moving it into config.Agent so that we can use or modify it outside the context of containerd setup

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
@brandond
Propagate errors up from config.Get
da52345 
Fixes crash when killing agent while waiting for config from server

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
@brandond
Add ADR for embedded registry
22337d2 
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
@brandond
Add server CLI flag and config fields for embedded registry
234a5f3 
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
@brandond
Add embedded registry implementation
17dfdb1 
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
@brandond
Add e2e test for embedded registry mirror
6533a91 
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
@brandond brandond merged commit 6072476 into k3s-io:master Jan 9, 2024
15 checks passed
This was referenced Jan 10, 2024
Merged
Merged
Merged
Closed
@fmunteanu fmunteanu mentioned this pull request Jan 28, 2024
Closed
@omnivagant omnivagant mentioned this pull request Jan 31, 2024
Open
@cguertin14 cguertin14 mentioned this pull request Feb 8, 2024
Merged
@brandond brandond deleted the embed-spegel branch June 6, 2024 21:14
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@galal-hussein galal-hussein galal-hussein approved these changes

@adrianmoye adrianmoye adrianmoye left review comments

@harsimranmaan harsimranmaan harsimranmaan approved these changes

@dereknola dereknola dereknola approved these changes

@manuelbuil manuelbuil manuelbuil approved these changes

@buroa buroa buroa approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.