Protect well know registry from accidental push during tilt up

kubernetes-sigs · Jun 28, 2023 · d382fb0 · d382fb0
1 parent 9a6b99b
commit d382fb0
Show file tree

Hide file tree

Showing 2 changed files with 17 additions and 3 deletions.
diff --git a/Tiltfile b/Tiltfile
@@ -42,8 +42,17 @@ os_arch = str(local("go env GOARCH")).rstrip("\n")
 if settings.get("trigger_mode") == "manual":
     trigger_mode(TRIGGER_MODE_MANUAL)
 
-if settings.get("default_registry") != "":
-    default_registry(settings.get("default_registry"))
+usingLocalRegistry = str(local("kubectl get cm -n kube-public local-registry-hosting || true", quiet = True))
+if not usingLocalRegistry:
+    if settings.get("default_registry") == "":
+        fail("default_registry is required when not using a local registry, please add it to your tilt-settings.yaml/json")
+
+    protectedRegistries = ["gcr.io/k8s-staging-cluster-api"]
+    if settings.get("default_registry") in protectedRegistries:
+        if settings.get("default_registry") not in settings.get("allowed_registries", []):
+            fail("current default_registry is protected, tilt cannot push images to it. Please select another default_registry or add '{}' to the allowed_registries list in your tilt-settings.yaml/json".format(settings.get("default_registry")))
+
+default_registry(settings.get("default_registry"))
 
 always_enable_providers = ["core"]
 

diff --git a/docs/book/src/developer/tilt.md b/docs/book/src/developer/tilt.md
@@ -69,8 +69,13 @@ If you prefer JSON, you can create a `tilt-settings.json` file instead. YAML wil
 **allowed_contexts** (Array, default=[]): A list of kubeconfig contexts Tilt is allowed to use. See the Tilt documentation on
 [allow_k8s_contexts](https://docs.tilt.dev/api.html#api.allow_k8s_contexts) for more details.
 
-**default_registry** (String, default=""): The image registry to use if you need to push images. See the [Tilt
+**allowed_registries** (Array, default=[]): A list of registry names that can be used as a default_registry; setting this
+value is required only if using a protected repo in `default_registry`.
+
+**default_registry** (String, default=[]): The image registry to use if you need to push images. See the [Tilt
 documentation](https://docs.tilt.dev/api.html#api.default_registry) for more details.
+Please note that, in case you are not using a local registry, this value is required; additionally, the Cluster API
+Tiltfile protects you from accidental push on `gcr.io/k8s-staging-cluster-api`.
 
 **build_engine** (String, default="docker"): The engine used to build images. Can either be `docker` or `podman`.
 NB: the default is dynamic and will be "podman" if the string "Podman Engine" is found in `docker version` (or in `podman version` if the command fails).