I am trying to understand the setup for DTR vis-a-vis multiple UCP clusters. I will have two UCP Clusters - one for Non-PROD and another for PROD.
I would ideally like to have only one DTR (makes sense to me with adequate RBAC roles configured; I don’t see a need for multiple DTRs).
Info from Docker Inc’s best practice:
Unlike the separate production and non-production UCP clusters, enterprises commonly have a single master DTR cluster. This allows enforcement of enterprise processes such as Security Scanning in a centralized place. If pulling images from globally distributed locations takes too long then you can use the DTR Content Cache feature to create local caches.
Note: Policy enforcement on image signing will not currently work if you have your DTR in a separate cluster from UCP.
End of Info from the website
I am unclear whether it states running DTR as a separate 3rd Cluster (with the other two being PROD and NON-PROD UCP Clusters) is the best practice. If yes, does this setup prevent us from using capabilities such as Image Signing? What are the trade-offs?
I am looking for clear recommendations in this space.
I have posted this query on Stack Overflow.