#lax (2019-10)
A place for people in (and around!) Los Angeles
Archive: https://archive.sweetops.com/lax/
2019-10-14

Hear from @Jake Lundberg (HashiCorp) and his colleague next Thursday in Santa Monica!

Thu, Oct 24, 2019, 6:00 PM: WHEN: October 24, 2019, doors open at 6pm. WHERE: GumGum HQ, [masked]th St., 4th floor, Santa Monica, 90401. ORGANIZERS: Corey Gale (DevOps Manager @ GumGum), Brian Tai (DevOps Engineer @ Audi



@btai see this? https://www.meetup.com/lp/paymentchanges

oof I don’t like that @Erik Osterman (Cloud Posse)

I definitely don’t want our members to pay to RSVP. At the same time, I’d say our attendance rate is about 40~50% of the total RSVPs

Technically they could show up without RSVPing.
2019-10-25

@btai @Corey Gale good tip yesterday at the meetup about setting up a pass thru registry for Docker to mitigate the effects of a Docker Hub outage

I think mirroring the images to ECR is a PIA

But in researching this some more, I learned about the registry mirror option built into Docker

Pia?

(Pain in the ass)

I guess that makes it PITA


https://docs.docker.com/registry/recipes/mirror/
https://github.com/kubernetes/kops/blob/master/docs/cluster_spec.md#registrymirrors
Use-case If you have multiple instances of Docker running in your environment, such as multiple physical or virtual machines all running Docker, each daemon goes out to the internet and…
Kubernetes Operations (kops) - Production Grade K8s Installation, Upgrades, and Management - kubernetes/kops

Looks like this is natively supported by Kops

So it seems like it’s easy enough to deploy a pass thru registry in cluster and then configure the mirror to use it

Not sure what happens if the mirror is offline - I presume it attempts upstream

@Corey Gale has joined the channel

@Jeremy G (Cloud Posse) we should add this to next rollout

Maybe go all the way and use something like Artifactory to be the pull-through cache for everything, not just docker images. https://jfrog.com/artifactory/features/

Artifactory provides compelling features including HA, P2 repository, build server integration, NuGet support, repo replication, yum.

I just don’t know where the line is drawn between open source and enterprise. Artifactory is cool and all, but I know their pricing is insane.
2019-10-27
2019-10-28

@Erik Osterman (Cloud Posse) is there a big difference in registry mirroring vs just pushing to 2 different registries?

you could do them in parallel in a ci step (push to codefresh registry + push to ECR)

chances are you don’t rely on just your software

in our case: prometheus, grafana, keycloak, gatekeeper, kubecost, and 2 dozen other third-party vendors

sure you can take on the burden of pushing those to your own repos - that’s great (but a lot of work)

or you can just use a mirror that has a pull-through cache (as you describe) and address the immediate risk of being crippled by upstream outages.

I’d argue:

1) from a security perspective, you should explicitly replicate or produce an image in your own repo for every package you depend on. for a smaller team, this might be a lot of overhead. it will also shield you from upstream outages.

2) from an HA perspective, the registry mirror is sufficient.

80/20 rule

option (1) is 80% more work with 20% more benefit


great response erik