This adds support for private docker registries, by adding an optional `registryAuth` field in the CreateFunctionRequest. Auth must be passed as base64-encoded basic auth, similar to how it is done in the Docker file store credentials (~/.docker/config.json). Credentials are then passed to swarm at service creation.
Managing images
Using private Docker registries
FaaS supports running functions from Docker images in private Docker registries. The registry credentials can be passed on function deployment, and are then handled by Swarm for image polling.
Deploy functions with private registry credentials
A POST request on /system/functions allows you to specify private registry credentials, as a base64-encoded basic auth (user:password).
# $GATEWAY is a placeholder for the base URL of your FaaS gateway
curl -XPOST "$GATEWAY/system/functions" -d '{
  "service": "functionName",
  "image": "privateregistry.domain.com/user/function",
  "envProcess": "/usr/bin/myprocess",
  "network": "func_functions",
  "registryAuth": "dXNlcjpwYXNzd29yZA=="
}'
The base64-encoded basic auth value can be generated from your registry username and password:
echo -n "user:password" | base64
You can also find it in your ~/.docker/config.json Docker credentials store, as a result of the docker login command:
cat ~/.docker/config.json
{
  "auths": {
    "privateregistry.domain.com": {
      "auth": "dXNlcjpwYXNzd29yZA=="
    }
  }
}
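An added example, not part of the FaaS documentation or code base: it looks up the `auth` value for an image's registry in a parsed ~/.docker/config.json, checks that it decodes to user:password, and builds the request body with the field names shown above. The function names and the `helper.example.com` entry are hypothetical; the sample config is constructed.

```python
import base64
import binascii
import json

def registry_host(image):
    """Return the registry host of an image reference such as host/user/function."""
    first, sep, _ = image.partition("/")
    # Docker treats the first path component as a registry only if it looks like a host.
    if not sep or not ("." in first or ":" in first or first == "localhost"):
        raise ValueError(f"{image!r} does not name a private registry")
    return first

def registry_auth(config, image):
    """Return the base64 basic-auth value stored for the image's registry."""
    host = registry_host(image)
    entry = config.get("auths", {}).get(host)
    if entry is None:
        raise LookupError(f"no entry for {host}; run docker login {host} first")
    auth = entry.get("auth", "")
    if not auth:
        # With a credential helper configured, the entry exists but holds no secret.
        raise LookupError(f"{host} credentials are not stored in config.json")
    try:
        decoded = base64.b64decode(auth, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError) as exc:
        raise ValueError(f"auth for {host} is not valid base64 text") from exc
    user, sep, password = decoded.partition(":")  # a password may itself contain ':'
    if not (user and sep and password):
        raise ValueError(f"auth for {host} does not decode to user:password")
    return auth

def deploy_request(config, service, image, env_process, network):
    """Build the JSON body for POST /system/functions (field names as on this page)."""
    return json.dumps({
        "service": service,
        "image": image,
        "envProcess": env_process,
        "network": network,
        "registryAuth": registry_auth(config, image),
    })

# Constructed sample mirroring the config.json above, plus an empty helper-managed entry.
SAMPLE_CONFIG = {
    "auths": {
        "privateregistry.domain.com": {"auth": "dXNlcjpwYXNzd29yZA=="},
        "helper.example.com": {},
    }
}
```

The `registryAuth` value is only base64-encoded, so the request body and config.json need the same protection as the password itself.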
Deploy your own private Docker registry
If you wish to deploy your own private registry, you can follow the official Docker documentation.
A quick way to get started with a private registry with TLS and authentication is to create a VM with port 443 open to the world (for letsencrypt registration) and a registered DNS name ($YOURHOST). Then, create these two files in the current directory:
# docker-compose.yml
version: '2'
services:
  registry:
    restart: always
    image: registry:2
    ports:
      - 5000:5000
      - 443:5000
    environment:
      REGISTRY_AUTH: htpasswd
      REGISTRY_AUTH_HTPASSWD_PATH: /auth/htpasswd
      REGISTRY_AUTH_HTPASSWD_REALM: Registry Realm
      REGISTRY_HTTP_TLS_LETSENCRYPT_CACHEFILE: /letsencrypt/cache
      REGISTRY_HTTP_TLS_LETSENCRYPT_EMAIL: your@email.com
    volumes:
      - ./data:/var/lib/registry
      - ./auth:/auth
      - ./letsencrypt:/letsencrypt

# auth/htpasswd (generated with `docker run --entrypoint htpasswd registry:2 -Bbn testuser testpassword`)
testuser:$2y$05$Bl9siDMe7ieQHLM8e7ifaOklKrHmXymbMqfmqXs7zssj6MMGQW4le
Your registry is ready to be deployed by running docker-compose up -d.
On the client machine, you can now log in and use the newly set up registry:
docker pull ubuntu && docker tag ubuntu $YOURHOST/ubuntu
docker login $YOURHOST # will add encoded registry credentials to ~/.docker/config.json
Username: testuser
Password: testpassword
docker push $YOURHOST/ubuntu
Images pushed to this registry can be used as functions with FaaS, provided you pass the appropriate registryAuth parameter at deployment time.