saferwall/saferwall

Support custom image from `hub.docker.com/u/saferwall`

Closed this issue · 4 comments

I want to pull an image from https://hub.docker.com/u/saferwall, then customize the image and upload it to gcr.io.

I have uploaded it to the GCP Container Registry but can't find the config value to change the default image pull flow from hub.docker.com to gcr.io.

So how can I change that config?

Have you tried enabling privateRegistryServer in values.yaml?

```yaml
global:
  # email used to generate let's encrypt ssl cert.
  email: admin@mysaferwall.com
  # set to true when using a private docker registry.
  privateRegistryServer:
    enabled: false  # << set this one to true, and set token to the token used to authenticate to gcr.io
    token: ""
```

When the private registry is enabled, secret.yaml creates a secret named regcred of type kubernetes.io/dockerconfigjson that contains the token:

```yaml
{{ if eq .Values.global.privateRegistryServer.enabled true }}
apiVersion: v1
kind: Secret
metadata:
  name: regcred
data:
  .dockerconfigjson: {{ include "saferwall.private-registry.token" . | b64enc }}
type: kubernetes.io/dockerconfigjson
{{- end }}
```

And this is later used in every deployment to pull images from private registries:

```yaml
      {{ if eq $root.Values.global.privateRegistryServer.enabled true }}
      imagePullSecrets:
        - name: regcred
      {{- end }}
```

And Google has a different JSON key schema:

```json
{
  "type": "service_account",
  "project_id": "lian-empty-project",
  "private_key_id": "abcd1234efgh",
  "private_key": "-----BEGIN PRIVATE KEY-----\nPRIVATEKEY\n-----END PRIVATE KEY-----\n",
  "client_email": "pull-images-from-registry@lian-empty-project.iam.gserviceaccount.com",
  "client_id": "1234567",
  "auth_uri": "https://accounts.google.com/o/oauth3/auth",
  "token_uri": "https://accounts.google.com/o/oauth3/token",
  "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth3/v1/certs",
  "client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/pull-images-from-registry%40lian-empty-project.iam.gserviceaccount.com"
}
```

```yaml
{{/*
Create the docker private registry server token.
*/}}
{{- define "saferwall.private-registry.token" -}}
{{- if .Values.global.privateRegistryServer.enabled -}}
{{- /* << you should edit this one according to the key schema */ -}}
{{ printf "{\"auths\":{\"https://index.docker.io/v1/\":{\"auth\":\"%s\"}}}" .Values.global.privateRegistryServer.token }}
{{- end -}}
{{- end -}}
```

Let's say you want to use a custom image for the multi-av avast:

```yaml
multiav:
  enabled: true
  name: multiav
  vendors:
    avast:
      enabled: false
      replicas: 1
      containerPort: 50051
      image:
        repository: saferwall/goavast  # << <org/repo>
        tag: latest
        pullPolicy: Always
```

Yep, I will try it. I have a question about the password for downloading a file sample on the UI. I read saferwall/saferwall-api and found the password for the downloaded file in /saferwall-api/internal/file/service.go.

It is hardcoded. I want to change it to my own secret when deploying the saferwall-api repo. Can I do it?
Please support me!

You can't right now, but I can easily change that. I will externalize the password so that it can be configured.

This has been fixed now to easily use any private docker registry container.

In the global helm values.yaml:

```yaml
global:
  # set to true when using a private docker registry.
  privateRegistryServer:
    enabled: true
    imageCredentials:
      registry: quay.io
      username: mr-robot
      password: its-not-real
```
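
An added example, not part of the thread or the saferwall chart: a Python sketch of how the `registry`, `username` and `password` values above map to the `.dockerconfigjson` payload of the `regcred` secret, plus a check that the secret has an entry for the registry an image is pulled from. It assumes the `_json_key` username that gcr.io uses for service-account key logins; the image name and key contents are constructed, and the host matching is a simplification of what the kubelet does.

```python
import base64
import json

DOCKER_HUB_KEY = "https://index.docker.io/v1/"  # key hardcoded in the template quoted above


def registry_of(image: str) -> str:
    """Return the registry host an image reference is pulled from."""
    first, _, rest = image.partition("/")
    # Docker's rule: the first path component is a host only if it looks like one.
    if rest and ("." in first or ":" in first or first == "localhost"):
        return first
    return "docker.io"


def dockerconfigjson(registry: str, username: str, password: str) -> str:
    """Build the .dockerconfigjson document for one registry."""
    auth = base64.b64encode(f"{username}:{password}".encode()).decode()
    # json.dumps escapes the quotes and newlines of a JSON key used as the
    # password; a printf-style "%s" substitution would emit invalid JSON.
    return json.dumps({"auths": {registry: {
        "username": username, "password": password, "auth": auth}}})


def secret_covers(config: str, image: str) -> bool:
    """True if the pull secret has an entry for the image's registry (simplified match)."""
    want = registry_of(image)
    for key in json.loads(config)["auths"]:
        host = key.split("://", 1)[-1].split("/", 1)[0]
        if host == want or (want == "docker.io" and host == "index.docker.io"):
            return True
    return False


# Constructed sample values, not real credentials.
SAMPLE_KEY = json.dumps({
    "type": "service_account",
    "private_key": "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n",
})
GCR_IMAGE = "gcr.io/example-project/goavast:latest"  # hypothetical custom image

if __name__ == "__main__":
    hub_only = json.dumps({"auths": {DOCKER_HUB_KEY: {"auth": "placeholder"}}})
    print("hub-only secret covers gcr image:", secret_covers(hub_only, GCR_IMAGE))
    gcr = dockerconfigjson("gcr.io", "_json_key", SAMPLE_KEY)
    print("gcr secret covers gcr image:", secret_covers(gcr, GCR_IMAGE))
```

Because the payload embeds the registry password in recoverable form (base64 is encoding, not encryption), a values file carrying `imageCredentials` needs the same handling as the key itself.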