Identify mechanism to allow 'offline container registry'
As part of #694 (closed) we identified that, when running our E2E suite, tests dependent on runners appear to need the ability to connect to registry.gitlab.com to download the runners.
In Extend airgap to use gitaly cluster for a broad... (!1092 - merged) we added an exception to allow connecting to this URL but as !1092 (comment 1209361513) suggests, longer term it would be better if we had the ability to run some type of containerized registry which could be connected to the Offline Environment allowing us to have a completely isolated test environment.
Proposed Solution
As @willmeek suggested in !1092 (comment 1209361513) it seems a good solution for this issue is to use https://docs.docker.com/registry/
With this we can
- run a local docker registry
docker run -d -p 5000:5000 --name registry registry:2
- pull the runner image from the existing registry
docker pull <registry>/<image>:<tag>
- retag the image to point at our local registry
docker tag <registry>/<image>:<tag> localhost:5000/<image>:<tag>
- push the runner image to our local registry
docker push localhost:5000/<image>:<tag>
- use the QA_DEV_REGISTRY environment variable for airgapped tests to point at this local container registry
- disconnect the registry image from the bridge network
docker network disconnect bridge registry
- connect the registry image to the internal airgapped network
docker network connect airgapped registry
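The steps above as one script, with a check that the registry ends up attached only to the airgapped network. This is an added example, not code from the issue or the project: the function names and the DOCKER and LOCAL_REGISTRY variables are hypothetical, and it assumes the registry container from the first step and the airgapped network already exist.

```shell
#!/usr/bin/env bash
# Added example, not the project's code. DOCKER=echo gives a dry run.
# Assumes the "registry" container and "airgapped" network already exist.
DOCKER="${DOCKER:-docker}"
LOCAL_REGISTRY="${LOCAL_REGISTRY:-localhost:5000}"

# Rewrite <registry>/<image>:<tag> to <local registry>/<image>:<tag>.
# The first path component counts as a registry host only if it contains
# "." or ":" or is "localhost"; otherwise it is part of the image name.
local_ref() (
  src="$1"
  first="${src%%/*}"
  if [ "$first" != "$src" ]; then
    case "$first" in
      *.*|*:*|localhost) src="${src#*/}" ;;
    esac
  fi
  printf '%s/%s\n' "$LOCAL_REGISTRY" "$src"
)

# Pull from the upstream registry, retag, and push to the local one.
mirror_image() {
  dst="$(local_ref "$1")"
  $DOCKER pull "$1" && $DOCKER tag "$1" "$dst" && $DOCKER push "$dst"
}

# Print the names of every network a container is attached to.
attached_networks() {
  $DOCKER inspect -f '{{range $k, $v := .NetworkSettings.Networks}}{{$k}} {{end}}' "$1"
}

# True only when the network list is exactly the one expected network.
is_isolated() {
  nets="$(echo $1)"   # unquoted on purpose: trims and collapses spaces
  [ "$nets" = "$2" ]
}

# Move the registry off bridge, then verify it really is offline.
isolate_registry() {
  $DOCKER network disconnect bridge registry &&
  $DOCKER network connect airgapped registry &&
  is_isolated "$(attached_networks registry)" airgapped
}

# Usage: ./mirror.sh <registry>/<image>:<tag>
if [ "$#" -gt 0 ]; then
  mirror_image "$1" && isolate_registry
fi
```

A non-zero exit from isolate_registry means the container is still reachable from another network, so the test environment is not yet fully offline.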
Additional points to consider
- We may need to consider how our existing reporting works. With the gitlab-qa container being airgapped with no connection to the bridge network, we should validate that reporting to Sentry/Allure/etc. that we do as part of the tests can still work.
If there are any issues with this, we may need the gitlab-qa container to remain connected to both airgapped and bridge networks to allow this traffic to flow.