Registry via CDN or other solution

Hi all,

We’re using openBalena without the S3 container and set the S3 configurations to an S3 bucket of DigitalOcean (Spaces to be exact). This works fine, however, the registry gives the download URLs of that S3 bucket, with credentials, to download the container image.

In most cases, this isn’t a problem, unless you’re dealing with a strict firewall, which is the case in some locations of our clients. So we’d like to find a way to proxy this bucket to a domain of our own, like s3.<balena-domain>. We know out of the box there’s an S3 container which will fix this, but using an external S3 provider requires less maintenance and is less expensive.

DigitalOcean has the ability to make a CDN on a custom domain name, which proxies to the bucket. However, this is a CDN and thus not the bucket itself. So it’s only for getting data and not uploading data. In other words, we can’t use the URL of the CDN for our bucket endpoint, because it’ll fail.

I’ve checked, and the ‘open-balena-registry’ image uses the ‘docker-registry’ for its registry, which has the option to add a CDN via AWS CloudFront. We’re not using AWS CloudFront, so this isn’t possible for us, unfortunately.

So what we’d like is to still use the external S3 provider, but when a device downloads the container images, it should use something like s3.<balena-domain>. Is this possible? :slight_smile:


TL;DR Is it possible to use an external S3 provider, but devices can download the images from a pre-defined URL that’s proxied to that external S3 provider / use a CDN? :slight_smile:

Thanks in advance!

So I’m trying to create a reverse proxy via Haproxy, but I can’t get it to work quite yet.
If anyone has an idea, please help me out :slight_smile:

My case will be solved if the following issue is fixed: Add option to disable redirection to S3 bucket · Issue #114 · balena-io/open-balena-registry (github.com).

This will stream the S3 bucket files directly through the registry instead of redirecting :tada: (I’ll add this as an option once it’s fixed to the Kubernetes chart).
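For readers following this thread, here is what the "stream through the registry instead of redirecting" behaviour looks like at the configuration level of the upstream docker-registry (the distribution project) that open-balena-registry is built on. This is an added example, not code from the thread, from balena or from open-balena-registry; it assumes the registry reads a plain upstream config.yml, and whether the open-balena-registry image exposes these keys is exactly what the linked issue is about, so treat wiring it into openBalena as an assumption. Endpoint, region, bucket and credentials are placeholders.

```yaml
# Added example: upstream docker-registry (distribution) config.yml using the
# S3 storage driver against an S3-compatible bucket such as Spaces.
# Assumption: key names follow the upstream registry configuration reference;
# every <...> value is a placeholder to be replaced with your own.
version: 0.1
log:
  level: info
http:
  addr: :5000
storage:
  s3:
    accesskey: <S3_ACCESS_KEY>                     # placeholder
    secretkey: <S3_SECRET_KEY>                     # placeholder
    region: <REGION>                               # placeholder
    regionendpoint: https://<S3_COMPATIBLE_ENDPOINT> # placeholder, the provider's S3 API host
    bucket: <BUCKET_NAME>                          # placeholder
    secure: true
  # Default behaviour (disable: false): a blob GET is answered with a 307
  # redirect to a pre-signed bucket URL, so the device must be allowed to
  # reach the bucket host directly through its firewall.
  # With disable: true the registry fetches the blob from the bucket itself
  # and streams it to the device, so only the registry hostname has to be
  # reachable from the device network.
  redirect:
    disable: true
```

A quick way to confirm which mode a registry is in is to request a layer blob (`/v2/<repo>/blobs/<digest>` with a valid token): a redirecting registry answers 307 with a `Location` header pointing at the bucket, a non-redirecting one answers 200 and serves the bytes itself. The trade-off to plan for is that with redirection disabled all image bytes flow through the registry host, so its bandwidth and CPU become part of the capacity planning, and the registry host itself still needs outbound access to the bucket endpoint.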