Prepare the cache deployment

Following cache preparation, you will have the following file structure on your workstation:

├── dtrcache.yaml
├── config.yaml
└── certs
    ├── cache.cert.pem
    ├── cache.key.pem
    └── dtr.cert.pem
dtrcache.yaml

The YAML file that allows you to deploy the cache with a single command.

config.yaml

The cache configuration file.

certs

The certificates subdirectory.

cache.cert.pem

The cache public key certificate, including any intermediaries.

cache.key.pem

The cache private key.

dtr.cert.pem

The MSR CA certificate.

Create the MSR cache certificates

To deploy the MSR cache with a TLS endpoint you must generate a TLS ceritificate and key from a certificate authority.

The manner in which you expose the MSR cache changes the Storage Area Networks (SANs) that are required for the certificate. For example:

  • To deploy the MSR cache with an ingress object you must use an external MSR cache address that resolves to your ingress controller as part of your certificate.

  • To expose the MSR cache through a Kubernetes Cloud Provider, you must have the external Loadbalancer address as part of your certificate.

  • To expose the MSR cache through a Node port or a host port you must use a Node FQDN (Fully Qualified Domain Name) as a SAN in your certificate.

Create the MSR cache certficates:

  1. Create a cache certificate:

    ssh-keygen -t rsa -b 4096 -C "your_email@example.com" -m PEM
    
  2. Create a directory called certs.

  3. In the certs directory, place the newly created certificate cache.cert.pem and key cache.key.pem for your MSR cache.

  4. Place the certificate authority in the certs directory, including any intermedite certificate authorities of the certificate from your MSR deployment. If your MSR deployment uses cert-manager, use kebectl to source this from the main MSR deployment.

    kubectl get secret msr-nginx-ca-cert -o go-template='{{ index .data "ca.crt" | base64decode }}'
    

Note

If cert-manager is not in use, you must provide your custom nginx.webtls certificate.

Configure the MSR cache

The MSR cache takes its configuration from a configuration file that you mount into the container.

You can edit the following MSR cache configuration file for your environment, entering the relevant external MSR cache, worker node, or external loadbalancer FQDN. Once you have configured the cache it fetches image layers from MSR and maintains a local copy for 24 hours. If a user requests the image layer after that period, the cache fetches it again from MSR.

cat > config.yaml <<EOF
version: 0.1
log:
  level: info
storage:
  delete:
    enabled: true
  filesystem:
    rootdirectory: /var/lib/registry
http:
  addr: 0.0.0.0:443
  secret: generate-random-secret
  host: https://<external-fqdn-dtrcache> # Could be MSR Cache / Loadbalancer / Worker Node external FQDN
  tls:
    certificate: /certs/cache.cert.pem
    key: /certs/cache.key.pem
middleware:
  registry:
      - name: downstream
        options:
          blobttl: 24h
          upstreams:
            - https://<msr-url> # URL of the Main MSR Deployment
          cas:
            - /certs/msr.cert.pem
EOF

By default, the cache stores image data inside its container. Thus, if something goes wrong with the cache service and Kubernetes deploys a new Pod, cached data is not persisted. The data is not lost, however, as it persists in the primary MSR.

Note

Kubernetes persistent volumes or persistent volume claims must be in use to provide persistent backend storage capabilities for the cache.

Define Kubernetes resources

The Kubernetes manifest file you use to deploy the MSR cache is independent from how you choose to expose the MSR cache within your environment.

cat > dtrcache.yaml <<EOF
apiVersion: apps/v1
kind: Deployment
metadata:
  name: dtr-cache
  namespace: dtr
spec:
  replicas: 1
  selector:
    matchLabels:
      app: dtr-cache
  template:
    metadata:
      labels:
        app: dtr-cache
      annotations:
       seccomp.security.alpha.kubernetes.io/pod: docker/default
    spec:
      containers:
        - name: dtr-cache
          image: mirantis/{{ page.dtr_namespace }}/dtr-content-cache:2.9.16
          command: ["bin/sh"]
          args:
            - start.sh
            - /config/config.yaml
          ports:
          - name: https
            containerPort: 443
          volumeMounts:
          - name: dtr-certs
            readOnly: true
            mountPath: /certs/
          - name: dtr-cache-config
            readOnly: true
            mountPath: /config
      volumes:
      - name: dtr-certs
        secret:
          secretName: dtr-certs
      - name: dtr-cache-config
        configMap:
          defaultMode: 0666
          name: dtr-cache-config
EOF