Merge pull request #263 from jumppad-labs/f-image-cache

F image cache

.github/workflows/build_and_deploy.yaml

@@ -117,7 +117,7 @@ jobs:
             /usr/local/bin/dnsname
 
   functional_test_docker:
-    name: Functional Test Docker
+    name: Test Docker
     runs-on: ubuntu-latest
     needs: functional_test_build
 
@@ -136,6 +136,7 @@ jobs:
           './examples/remote_exec',
           './examples/certificates',
           './examples/terraform',
+          './examples/registries',
         ]
 
     steps:
@@ -171,7 +172,7 @@ jobs:
           description: "Functional tests for docker: ${{matrix.folder}}"
 
   functional_test_podman:
-    name: Functional Test Podman
+    name: Test Podman
     runs-on: ubuntu-latest
     needs: functional_test_build
 
@@ -181,11 +182,11 @@ jobs:
       matrix:
         folder: [
           './examples/container',
-         # './examples/build',
-         './examples/docs',
-         # './examples/single_k3s_cluster',
-         # './examples/nomad',
-         # './examples/local_exec',
+          './examples/build',
+          './examples/docs',
+          './examples/nomad',
+          './examples/single_k3s_cluster',
+          './examples/multiple_k3s_clusters',
         ]
 
     steps:
@@ -260,7 +261,7 @@ jobs:
     needs:
   #    - test
       - functional_test_docker
-  #    - functional_test_podman
+      - functional_test_podman
   #     - e2e_mac
       - e2e_linux
     if: ${{ github.ref != 'refs/heads/main' }}
@@ -377,7 +378,7 @@ jobs:
     needs:
       - test
       - functional_test_docker
-      #- functional_test_podman
+      - functional_test_podman
       #- e2e_mac
       - e2e_linux
     if: ${{ github.ref == 'refs/heads/main' }}

ChangeLog.md

@@ -1,5 +1,73 @@
 # Change Log
 
+## version v0.5.60
+* Add capability to add custom container registries to the image cache
+
+  Nomad and Kuberentes clusters are started in a Docker container that does not save any state to the local disk.
+  This state includes and Docker Image cache, thefore every time an image is pulled to a new cluster it is downloaded
+  from the internet. This can be slow and bandwidth intensive. To solve this problem Jumppad implemented a pull through
+  cache that is used by all clusters. By default this cache supported the following registires:
+    - k8s.gcr.io 
+    - gcr.io 
+    - asia.gcr.io
+    - eu.gcr.io
+    - us.gcr.io 
+    - quay.io
+    - ghcr.io
+    - docker.pkg.github.com 
+
+  To support custom registries Jumppad has added a new resource type `container_registry`. This resource type can be used
+  to define either a local or remote registry. When a registry is defined it is added to the pull through cache and
+  any authnetication details are added to the cache meaning you do not need to authenticate each pull on the Nomad or 
+  Kubernetes cluster. Any defined registry must be configured to use HTTPS, the image cache can not be used to pull
+  from insecure registries.
+
+```hcl
+# Define a custom registry that does not use authentication
+resource "container_registry" "noauth" {
+  hostname = "noauth-registry.demo.gs" // cache can not resolve local jumppad.dev dns for some reason, 
+  // using external dns mapped to the local ip address
+}
+
+# Define a custom registry that uses authentication
+resource "container_registry" "auth" {
+  hostname = "auth-registry.demo.gs"
+  auth {
+    username = "admin"
+    password = "password"
+  }
+}
+```
+
+* Add capability to add insecure registries and image cache bypass to Kubernetes and Nomad clusters.
+
+  All images pulled to Nomad and Kubernetes clusters are pulled through the image cache. This cache is a Docker
+  container that is automatically started by Jumppad. To disable the cache and pull images directly from the internet
+  you can add the `no_proxy` parameter to the new docker config stanza. This will cause the cache to be bypassed and
+  the image to be pulled direct from the internet.
+
+  To support insecure registries you can add the `insecure_registries` parameter to the docker config stanza. This
+  must be used in conjunction with the `no_proxy` parameter as the image cache does not support insecure registries. 
+
+```hcl
+resource "nomad_cluster" "dev" {
+  client_nodes = 1
+
+  datacenter = "dc1"
+
+  network {
+    id = variable.network_id
+  }
+
+  // add configuration to allow cache bypass and insecure registry
+  config {
+    docker {
+      no_proxy            = ["insecure.container.jumppad.dev"]
+      insecure_registries = ["insecure.container.jumppad.dev:5003"]
+    }
+  }
+}
+```
 ## version v0.5.47
 * Fix isuse where filepath.Walk does not respect symlinks
 * Add `ignore` parameter to `build` resource to allow ignoring of files and folders

Makefile

@@ -1,7 +1,7 @@
 git_commit = $(shell git log -1 --pretty=format:"%H")
 
 test_unit:
-	go test -v -race ./pkg/config/resources/container
+	go test -v -race ./...
 
 test_functional:
 	go run main.go purge
@@ -21,6 +21,21 @@ test_functional:
 
 	go run main.go purge
 	go run main.go test ./examples/multiple_k3s_clusters
+
+	go run main.go purge
+	go run main.go test ./examples/local_exec
+
+	go run main.go purge
+	go run main.go test ./examples/remote_exec
+
+	go run main.go purge
+	go run main.go test ./examples/certificates
+
+	go run main.go purge
+	go run main.go test ./examples/terraform
+
+	go run main.go purge
+	go run main.go test ./examples/registiries
 
 test_e2e_cmd: install_local
 	jumppad up --no-browser ./examples/single_k3s_cluster

daemon.json

@@ -0,0 +1,10 @@
+{
+  "proxies": {
+    "http-proxy": "http://default.image-cache.jumppad.dev:3128",
+    "https-proxy": "http://default.image-cache.jumppad.dev:3128",
+    "no-proxy": "insecure.container.jumppad.dev"
+  },
+  "insecure-registries": [
+    "insecure.container.jumppad.dev:5003"
+  ]
+}

examples/build/build.hcl

@@ -47,7 +47,7 @@ resource "network" "onprem" {
 
 module "container" {
   disabled = !variable.container_enabled
-  source   = "./container"
+  source   = "${dir()}/container"
 
   variables = {
     image        = resource.build.app.image
@@ -58,7 +58,7 @@ module "container" {
 
 module "nomad" {
   disabled = !variable.nomad_enabled
-  source   = "./nomad"
+  source   = "${dir()}/nomad"
 
   variables = {
     image        = resource.build.app.image
@@ -69,7 +69,7 @@ module "nomad" {
 
 module "kubernetes" {
   disabled = !variable.kubernetes_enabled
-  source   = "./kubernetes"
+  source   = "${dir()}/kubernetes"
 
   variables = {
     image          = resource.build.app.image

examples/container/container.hcl

@@ -7,7 +7,6 @@ variable "envoy_version" {
 }
 
 resource "template" "consul_config" {
-
   source = <<-EOF
   data_dir = "{{ data_dir }}"
   log_level = "DEBUG"
@@ -55,9 +54,11 @@ resource "container" "consul_capabilities" {
   }
 
   capabilities {
-    add = ["NET_ADMIN"]
+    add  = ["NET_ADMIN"]
     drop = ["ALL"]
   }
+
+  privileged = true
 }
 
 resource "container" "consul_labels" {

examples/container/test/container.feature

@@ -3,26 +3,30 @@ Feature: Docker Container
   I should apply a blueprint which defines a simple container setup
   and test the resources are created correctly
 
-Scenario: Single Container from Local Blueprint
+Scenario: Docker Containers from Local Blueprint
   Given I have a running blueprint
   Then the following resources should be running
     | name                                            |
     | resource.network.consul                         |
     | resource.container.consul                       |
+    | resource.container.consul_labels                |
+    | resource.container.consul_capabilities          |
     | resource.sidecar.envoy                          |
   And the info "{.NetworkSettings.Ports['8501/tcp']}" for the running container "resource.container.consul" should exist
   And the info "{.NetworkSettings.Ports['8500/tcp'][0].HostPort}" for the running container "resource.container.consul" should equal "8500"
   And the info "{.NetworkSettings.Ports['8500/tcp'][0].HostPort}" for the running container "resource.container.consul" should contain "85"
   And a HTTP call to "http://consul.container.shipyard.run:8500/v1/status/leader" should result in status 200
 
-Scenario: Single Container from Local Blueprint with multiple runs
+Scenario: Docker Containers from Local Blueprint with multiple runs
   Given the environment variable "CONSUL_VERSION" has a value "<consul>"
   And the environment variable "ENVOY_VERSION" has a value "<envoy>"
   And I have a running blueprint
   Then the following resources should be running
     | name                                            |
     | resource.network.consul                         |
     | resource.container.consul                       |
+    | resource.container.consul_labels                |
+    | resource.container.consul_capabilities          |
     | resource.sidecar.envoy                          |
   And a HTTP call to "http://consul.container.shipyard.run:8500/v1/status/leader" should result in status 200
   And the response body should contain "10.6.0.200"

examples/container/test/vars.feature

@@ -15,6 +15,8 @@ Scenario: Single Container with jumppad Variables
     | name                                       |
     | resource.network.consul                    |
     | resource.container.consul                  |
+    | resource.container.consul_capabilities     |
+    | resource.container.consul_labels           |
     | resource.sidecar.envoy                     |
   And the info "{.Config.Env}" for the running container "resource.container.consul" should contain "something=set by test"
   And the info "{.Config.Env}" for the running container "resource.container.consul" should contain "foo=bah"

examples/nomad/nomad.hcl

@@ -39,11 +39,6 @@ resource "nomad_cluster" "dev" {
   copy_image {
     name = "consul:1.10.1"
   }
-
-  volume {
-    source      = "/tmp"
-    destination = "/files"
-  }
 }
 
 resource "template" "example_2" {