2020-11-27 01:13:50 UTC - Ning yougang: Ok, thanks! https://openwhisk-team.slack.com/archives/C3TPCAQG1/p1606439630351100?thread_ts=1606359548.346200&cid=C3TPCAQG1 ---- 2020-11-27 02:41:40 UTC - Ning yougang: Have someone meet below problem when build runtime python image? <https://github.com/apache/openwhisk-runtime-python/issues/94> https://openwhisk-team.slack.com/archives/C3TPCAQG1/p1606444900351800 ---- 2020-11-27 13:47:32 UTC - Joshua Dunham: Hey Everyone, If I want to be able to use a private registry using helm deployment can someone say how to add in the docker credentials after deployment? I don't want to add to helm b/c it will force *all* containers to come from local reg. I've manually added in the secret that the helm chart creates (dev-docker.registry.auth) but that's not enough. https://openwhisk-team.slack.com/archives/C3TPCAQG1/p1606484852354900?thread_ts=1606484852.354900&cid=C3TPCAQG1 ---- 2020-11-27 14:25:14 UTC - Dominic Kim: So you already deployed ow with a registry, then in which case do you need another private registry? Is that for blackbox actions? https://openwhisk-team.slack.com/archives/C3TPCAQG1/p1606487114356600?thread_ts=1606484852.354900&cid=C3TPCAQG1 ---- 2020-11-27 14:32:47 UTC - Dominic Kim: JFYI, we create a service account for invokers and add `ImagePullSecret` to that account for a private registry. https://openwhisk-team.slack.com/archives/C3TPCAQG1/p1606487567356900?thread_ts=1606484852.354900&cid=C3TPCAQG1 ---- 2020-11-27 14:33:32 UTC - Dominic Kim: But even if you don't create a service account, I think you can anyway add the ImagePullSecret. https://openwhisk-team.slack.com/archives/C3TPCAQG1/p1606487612357100?thread_ts=1606484852.354900&cid=C3TPCAQG1 ---- 2020-11-27 14:34:08 UTC - Dominic Kim: For blackbox invocations, I think currently, it's not possible to invoke them without proper permission for images. https://openwhisk-team.slack.com/archives/C3TPCAQG1/p1606487648357300?thread_ts=1606484852.354900&cid=C3TPCAQG1 ---- 2020-11-27 14:34:39 UTC - Dominic Kim: For example, if a userA use a namespaceA in a registry, and userB use a namespaceB in the registry, Invokers should be able to access both namespaces. https://openwhisk-team.slack.com/archives/C3TPCAQG1/p1606487679357500?thread_ts=1606484852.354900&cid=C3TPCAQG1 ---- 2020-11-27 14:35:16 UTC - Dominic Kim: We(Naver) internally implemented a feature for users to setup their own secret in actions to pull their images. https://openwhisk-team.slack.com/archives/C3TPCAQG1/p1606487716357700?thread_ts=1606484852.354900&cid=C3TPCAQG1 ---- 2020-11-27 14:48:49 UTC - Joshua Dunham: My setup is that I have Gitlab + Gitlab Reg and I have setup some containers (one to start) that is a py wrapper around external app. https://openwhisk-team.slack.com/archives/C3TPCAQG1/p1606488529358000?thread_ts=1606484852.354900&cid=C3TPCAQG1 ---- 2020-11-27 14:50:45 UTC - Dominic Kim: So you want to deploy ow with the Gitlab reg or use it for actions? https://openwhisk-team.slack.com/archives/C3TPCAQG1/p1606488645358200?thread_ts=1606484852.354900&cid=C3TPCAQG1 ---- 2020-11-27 14:51:22 UTC - Joshua Dunham: Actually, sorry, I started with a more basic use. I also have a repo that I've extended the py3 image with some modules that would be common around any team deployment here. https://openwhisk-team.slack.com/archives/C3TPCAQG1/p1606488682358400?thread_ts=1606484852.354900&cid=C3TPCAQG1 ---- 2020-11-27 14:51:33 UTC - Joshua Dunham: Some cloud type services we are running etc. https://openwhisk-team.slack.com/archives/C3TPCAQG1/p1606488693358600?thread_ts=1606484852.354900&cid=C3TPCAQG1 ---- 2020-11-27 14:51:56 UTC - Joshua Dunham: I want to provide this as a base image (but with a specific name using --docker). https://openwhisk-team.slack.com/archives/C3TPCAQG1/p1606488716358800?thread_ts=1606484852.354900&cid=C3TPCAQG1 ---- 2020-11-27 14:52:11 UTC - Joshua Dunham: Next on my list it to deploy a C app with py3 wrapper. https://openwhisk-team.slack.com/archives/C3TPCAQG1/p1606488731359000?thread_ts=1606484852.354900&cid=C3TPCAQG1 ---- 2020-11-27 14:53:02 UTC - Joshua Dunham: To answer your Q, I want to have gitlab reg (docker reg) be an alternate source to pull in images from. https://openwhisk-team.slack.com/archives/C3TPCAQG1/p1606488782359200?thread_ts=1606484852.354900&cid=C3TPCAQG1 ---- 2020-11-27 14:59:30 UTC - Dominic Kim: So the image is for the custom docker(blackbox) action and the reg is different from the one you used to deploy ow. Would the image be used by multiple users from different reg namespaces? https://openwhisk-team.slack.com/archives/C3TPCAQG1/p1606489170361700?thread_ts=1606484852.354900&cid=C3TPCAQG1 ---- 2020-11-27 15:11:00 UTC - Joshua Dunham: Yes https://openwhisk-team.slack.com/archives/C3TPCAQG1/p1606489860361900?thread_ts=1606484852.354900&cid=C3TPCAQG1 ---- 2020-11-27 15:35:29 UTC - Joshua Dunham: I can start at the easy case though. https://openwhisk-team.slack.com/archives/C3TPCAQG1/p1606491329362100?thread_ts=1606484852.354900&cid=C3TPCAQG1 ---- 2020-11-27 18:49:14 UTC - Dominic Kim: I believe ow should have a kind of “super” secret(at least read permission) to access all reg namespaces in this case. If this is not possible and arbitrary users will invoke the action with arbitrary reg namespaces, I think you need the same feature that we(naver) implemented which is not in the current upstream code base. https://openwhisk-team.slack.com/archives/C3TPCAQG1/p1606502954368400?thread_ts=1606484852.354900&cid=C3TPCAQG1 ---- 2020-11-27 19:10:26 UTC - Joshua Dunham: I'm not sure of the topology here. https://openwhisk-team.slack.com/archives/C3TPCAQG1/p1606504226368600?thread_ts=1606484852.354900&cid=C3TPCAQG1 ---- 2020-11-27 19:10:49 UTC - Joshua Dunham: When I create an action using the --docker dlag it gets created. https://openwhisk-team.slack.com/archives/C3TPCAQG1/p1606504249368800?thread_ts=1606484852.354900&cid=C3TPCAQG1 ---- 2020-11-27 19:11:35 UTC - Joshua Dunham: When I attempt to trigger it, k8s shows the container attempting to instantiate itself but then I get a 4xx errror access denied. https://openwhisk-team.slack.com/archives/C3TPCAQG1/p1606504295369000?thread_ts=1606484852.354900&cid=C3TPCAQG1 ---- 2020-11-27 19:11:45 UTC - Joshua Dunham: Starting any other container in the provate reg works. https://openwhisk-team.slack.com/archives/C3TPCAQG1/p1606504305369200?thread_ts=1606484852.354900&cid=C3TPCAQG1 ---- 2020-11-27 19:11:57 UTC - Joshua Dunham: proivate* https://openwhisk-team.slack.com/archives/C3TPCAQG1/p1606504317369400?thread_ts=1606484852.354900&cid=C3TPCAQG1 ---- 2020-11-27 19:12:02 UTC - Joshua Dunham: Private* https://openwhisk-team.slack.com/archives/C3TPCAQG1/p1606504322369600?thread_ts=1606484852.354900&cid=C3TPCAQG1 ---- 2020-11-27 19:12:03 UTC - Joshua Dunham: heh https://openwhisk-team.slack.com/archives/C3TPCAQG1/p1606504323369800?thread_ts=1606484852.354900&cid=C3TPCAQG1 ---- 2020-11-27 19:12:50 UTC - Joshua Dunham: I'm confused how the base k8s system is trying to start a container in a registry it has access to but can't. https://openwhisk-team.slack.com/archives/C3TPCAQG1/p1606504370370000?thread_ts=1606484852.354900&cid=C3TPCAQG1 ---- 2020-11-27 19:14:36 UTC - Joshua Dunham: For your question : "So the image is for the custom docker(blackbox) action and the reg is different from the one you used to deploy ow." I didn't provide any registry creds at start. If I do that I need to have all containers in my provate registry. I'm using it bare so it pulls from dockerhub. https://openwhisk-team.slack.com/archives/C3TPCAQG1/p1606504476370200?thread_ts=1606484852.354900&cid=C3TPCAQG1 ---- 2020-11-27 19:15:29 UTC - Joshua Dunham: For other question : "Would the image be used by multiple users from different reg namespaces?" I don't know what you mean by registry namespaces. I would say no since it's not compartmentalized like that at all. Same K8s namespace, same gitlab registry access. https://openwhisk-team.slack.com/archives/C3TPCAQG1/p1606504529370400?thread_ts=1606484852.354900&cid=C3TPCAQG1 ----
