- Notifications
You must be signed in to change notification settings - Fork26
mutating webhook which rewrites container images to use a Harbor proxy cache
License
indeedeng/harbor-container-webhook
Folders and files
| Name | Name | Last commit message | Last commit date | |
|---|---|---|---|---|
Repository files navigation
A kubernetes mutating webhook which rewrites container images to use a Harbor proxy cache.This is typically useful for mirroring public registries that have low rate limits, such as dockerhub, or limitingpublic bandwidth usage, by mirroring images in a local Harbor registry.
harbor-container-webhook inspects pod requests in a kubernetes cluster and rewrites the container image registry ofmatching images.
Requires kubernetes 1.17+ and can either be installed via helm or bare manifests.
Option 1: Install from chart repository
helm repo add harbor-container-webhook https://indeedeng.github.io/harbor-container-webhook/helm install harbor-container-webhook harbor-container-webhook/harbor-container-webhook -n harbor-container-webhook --create-namespace
Option 2: Install chart from local build
Build and install the Helm chart locally after cloning the repository.
make helm.buildhelm install harbor-container-webhook ./bin/chart/harbor-container-webhook.tgz -n harbor-container-webhook --create-namespace
The harbor-container-webhook rewrites are managed by configuration rules. Each rule contains a list of regularexpressions to match on, as well as an optional list of regular expressions to exclude. For each container imagereference which matches at least one match rule and none of the exclusion rules, then the registry is replacedby thereplace contents of the rule. IfcheckUpstream is enabled, the webhook will first fetch the manifestthe rewritten container image reference and verify it exists before rewriting the image.
Example configuration:
port:9443certDir:"./hack/certs"healthAddr:":8080"metricsAddr:":8081"rules: -name:'docker.io rewrite rule'# image refs must match at least one of the rules, and not match any excludesmatches: -'^docker.io'excludes:# for example, exclude ubuntu from harbor's proxy cache -'^docker.io/(library/)?ubuntu:.*$'replace:'harbor.example.com/dockerhub-proxy'checkUpstream:false -name:'docker.io ubuntu rewrite rule'# image refs must match at least one of the rules, and not match any excludesmatches: -'^docker.io/(library/)?ubuntu:.*$'replace:'harbor.example.com/ubuntu-proxy'checkUpstream:true# tests if the manifest for the rewritten image existsauthSecretName:harbor-example-image-pull-secret# optional, defaults to "" - secret in the webhook namespace for authenticating to harbor.example.com
make help prints out the help info for local development:
build Build binary for the specified archdocker.build Build the docker imagefmt ensure consistent code stylegenerate Generate codehack-test curl the admission and no-op json bodies to the webhookhack build and run the webhook w/hack confighelm.build Build helm charthelm.docs Generate helm docshelp displays this help messagelint run golangci-linttest Run testsEnsure tests and linters pass withmake lint test.
The webhook can be run locally withmake hack and thenmake hack-test to submit sample responses to the webhook.
We welcome contributions! Feel free to help make the harbor-container-webhook better.
harbor-container-webhook is governed by theContributer Covenant v1.4.1
For more information please contactopensource@indeed.com.
The harbor-container-webhook is open source under theApache 2 license.
About
mutating webhook which rewrites container images to use a Harbor proxy cache
Topics
Resources
License
Code of conduct
Uh oh!
There was an error while loading.Please reload this page.
Stars
Watchers
Forks
Contributors10
Uh oh!
There was an error while loading.Please reload this page.