Creating image pull secret for google container registry that doesn't expire?


Problem description


I'm trying to get Kubernetes to download images from a Google Container Registry from another project. According to the docs you should create an image pull secret using:

$ kubectl create secret docker-registry myregistrykey --docker-server=DOCKER_REGISTRY_SERVER --docker-username=DOCKER_USER --docker-password=DOCKER_PASSWORD --docker-email=DOCKER_EMAIL

But I wonder what DOCKER_USER and DOCKER_PASSWORD I should use for authenticating with Google Container Registry? Looking at the GCR docs it says that the password is the access token that you can get by running:

$ gcloud auth print-access-token

This actually works... for a while. The problem seems to be that this access token expires after (what I believe to be) one hour. I need a password (or something) that doesn't expire when creating my image pull secret. Otherwise the Kubernetes cluster can't download the new images after an hour or so. What's the correct way to do this?

Solution

This is really tricky but after a lot of trial and error I think I've got it working.

  1. Go to the Google Developer Console > Api Manager > Credentials and click "Create credentials" and create a "service account key"
  2. Under "service account" select new and name the new key "gcr" (let the key type be json)
  3. Create the key and store the file on disk (from here on we assume that it was stored under ~/secret.json)
  4. Now log in to GCR using Docker from command-line:

    $ docker login -e your@email.se -u _json_key -p "$(cat ~/secret.json)" https://eu.gcr.io

    This will generate an entry for "https://eu.gcr.io" in your ~/.docker/config.json file.

  5. Copy the JSON structure under "https://eu.gcr.io" into a new file called "~/docker-config.json", remove newlines! For example:

    {"https://eu.gcr.io": { "auth": "<key>","email": "your@email.se"}}

  6. Base64 encode this file:

    $ cat ~/docker-config.json | base64

  7. This will print a long base64 encoded string, copy this string and paste it into an image pull secret definition (called ~/pullsecret.yaml):

    apiVersion: v1
    kind: Secret
    metadata:
      name: mykey
    data:
      .dockercfg: <paste base64 encoded string here>
    type: kubernetes.io/dockercfg

  8. Now create the secret:

    $ kubectl create -f ~/pullsecret.yaml

  9. Now you can use this pull secret from a pod, for example:

    apiVersion: v1
    kind: Pod
    metadata:
      name: foo
      namespace: awesomeapps
    spec:
      containers:
        - image: "janedoe/awesomeapp:v1"
          name: foo
      imagePullSecrets:
        - name: mykey

or add it to a service account.
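
The steps above, scripted as an added example (not part of the original answer): it builds the same `.dockercfg` Secret directly from the key file and decodes it again to show which service account key a pull secret embeds, which is what you need to know when rotating it. The function names and the sample key are constructed for illustration; the manifest is written as JSON, which `kubectl create -f` also accepts.

```python
import base64
import json

REGISTRY = "https://eu.gcr.io"  # registry host used in the answer


def build_dockercfg(key_json, email, registry=REGISTRY):
    """Steps 4-5: the one-line config entry that `docker login` would write."""
    if json.loads(key_json).get("type") != "service_account":
        raise ValueError("not a service account JSON key")
    # Docker stores credentials as base64("username:password").
    auth = base64.b64encode(f"_json_key:{key_json}".encode()).decode()
    return json.dumps({registry: {"auth": auth, "email": email}})


def build_secret_manifest(name, dockercfg):
    """Steps 6-7: base64 the config and wrap it in a Secret manifest."""
    # b64encode emits no line breaks; GNU base64 wraps at 76 columns by default.
    data = base64.b64encode(dockercfg.encode()).decode()
    manifest = {"apiVersion": "v1", "kind": "Secret", "metadata": {"name": name},
                "type": "kubernetes.io/dockercfg", "data": {".dockercfg": data}}
    return json.dumps(manifest, indent=2)  # kubectl accepts JSON manifests


def describe_secret(manifest_json):
    """Decode a dockercfg Secret and report the key it embeds, per registry."""
    manifest = json.loads(manifest_json)
    cfg = json.loads(base64.b64decode(manifest["data"][".dockercfg"]))
    report = {}
    for registry, entry in cfg.items():
        user, _, password = base64.b64decode(entry["auth"]).decode().partition(":")
        key = json.loads(password)
        report[registry] = {"user": user, "client_email": key["client_email"],
                            "private_key_id": key["private_key_id"]}
    return report


# Constructed sample key: field names of a real key file, dummy values.
SAMPLE_KEY = json.dumps({
    "type": "service_account",
    "private_key_id": "0000example",
    "private_key": "-----BEGIN PRIVATE KEY-----\nCONSTRUCTED\n-----END PRIVATE KEY-----\n",
    "client_email": "gcr@example-project.iam.gserviceaccount.com",
}, indent=2)

if __name__ == "__main__":
    manifest = build_secret_manifest("mykey", build_dockercfg(SAMPLE_KEY, "your@email.se"))
    print(manifest)
    print(describe_secret(manifest))
```

The decoded output makes it visible that the Secret carries the full private key, so anyone who can read Secrets in the namespace can read the key.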
