Creating image pull secret for google container registry that doesn't expire?
Question
I'm trying to get Kubernetes to download images from a Google Container Registry from another project. According to the docs you should create an image pull secret using:
$ kubectl create secret docker-registry myregistrykey --docker-server=DOCKER_REGISTRY_SERVER --docker-username=DOCKER_USER --docker-password=DOCKER_PASSWORD --docker-email=DOCKER_EMAIL
But I wonder what DOCKER_USER and DOCKER_PASSWORD I should use for authenticating with Google Container Registry? Looking at the GCR docs it says that the password is the access token that you can get by running:
$ gcloud auth print-access-token
This actually works... for a while. The problem seems to be that this access token expires after (what I believe to be) one hour. I need a password (or something) that doesn't expire when creating my image pull secret. Otherwise the Kubernetes cluster can't download the new images after an hour or so. What's the correct way to do this?
Answer
This is really tricky but after a lot of trial and error I think I've got it working.
- Go to the Google Developer Console > Api Manager > Credentials and click "Create credentials" and create a "service account key"
- Under "service account" select new and name the new key "gcr" (let the key type be json)
- Create the key and store the file on disk (from here on we assume that it was stored under ~/secret.json)
- Now login to GCR using Docker from command-line:
$ docker login -e your@email.se -u _json_key -p "$(cat ~/secret.json)" https://eu.gcr.io
# newer Docker releases have removed the -e/--email flag; omit it there
This will generate an entry for "https://eu.gcr.io" in your ~/.docker/config.json file.
- Copy the JSON structure under "https://eu.gcr.io" into a new file called "~/docker-config.json", remove newlines! For example:
{"https://eu.gcr.io": { "auth": "<key>","email": "your@email.se"}}
- Base64 encode this file:
$ base64 -w 0 ~/docker-config.json
# -w 0 disables the 76-column line wrapping of GNU base64; a wrapped value is not valid Secret data
- This will print a long base64 encoded string, copy this string and paste it into an image pull secret definition (called ~/pullsecret.yaml):
apiVersion: v1
kind: Secret
metadata:
  name: mykey
data:
  .dockercfg: <paste base64 encoded string here>
type: kubernetes.io/dockercfg
Now create the secret:
$ kubectl create -f ~/pullsecret.yaml
- Now you can use this pull secret from a pod, for example:
apiVersion: v1
kind: Pod
metadata:
  name: foo
  namespace: awesomeapps
spec:
  containers:
  - image: "janedoe/awesomeapp:v1"
    name: foo
  imagePullSecrets:
  - name: mykey
or add it to a service account.
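A scripted version of the procedure in the answer above, added here as an example and not part of the original answer: it builds the same long-lived pull secret straight from the service-account key file, without going through docker login or hand-editing ~/.docker/config.json, using the kubernetes.io/dockerconfigjson secret type (the successor of the .dockercfg type used above) and a base64 helper that never wraps lines. The secret name, namespace, registry host and key file path are parameters; the key file ~/secret.json in the usage comment is the one assumed above.

```shell
#!/usr/bin/env bash
# Build a long-lived GCR image pull secret from a service-account JSON key.
# Added example, not from the original answer. Assumes the key file is the
# JSON key downloaded from the Cloud Console and the registry host is the
# one the images live on (e.g. eu.gcr.io); both are passed as parameters.
set -eu

# b64: base64 without line wrapping. GNU base64 wraps at 76 columns, which
# silently corrupts the value once it is pasted into a Secret manifest.
b64() { base64 | tr -d '\n'; }

# docker_auth KEYFILE
# Prints what Docker stores under "auth": base64("_json_key:" + key JSON).
# The literal user name _json_key tells GCR that the password is the whole
# key file, which does not expire (unlike a gcloud access token).
docker_auth() {
  local keyfile="$1"
  # Cheap sanity check: a service-account key always carries a private_key.
  grep -q '"private_key"' "$keyfile" || {
    echo "docker_auth: $keyfile is not a service-account JSON key" >&2
    return 1
  }
  printf '_json_key:%s' "$(cat "$keyfile")" | b64
}

# docker_config REGISTRY KEYFILE
# Prints a ~/.docker/config.json-style document on a single line.
docker_config() {
  local registry="$1" keyfile="$2"
  printf '{"auths":{"https://%s":{"auth":"%s"}}}' \
    "$registry" "$(docker_auth "$keyfile")"
}

# pull_secret_manifest NAME NAMESPACE REGISTRY KEYFILE
# Prints a kubernetes.io/dockerconfigjson Secret manifest for kubectl apply.
pull_secret_manifest() {
  local name="$1" ns="$2" registry="$3" keyfile="$4"
  cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: ${name}
  namespace: ${ns}
type: kubernetes.io/dockerconfigjson
data:
  .dockerconfigjson: $(docker_config "$registry" "$keyfile" | b64)
EOF
}

# Usage (then: kubectl apply -f gcr-pull-secret.yaml and reference the
# secret from imagePullSecrets or the namespace's ServiceAccount):
#   pull_secret_manifest gcr-json-key awesomeapps eu.gcr.io ~/secret.json > gcr-pull-secret.yaml
```

The same secret can be produced in one command with kubectl create secret docker-registry NAME --docker-server=https://eu.gcr.io --docker-username=_json_key --docker-password="$(cat ~/secret.json)" --docker-email=your@email.se; the script is for the case where the manifest has to be generated offline or fed into an encryption step before it is committed. Either way the key is a credential that never expires, so grant the service account only the Storage Object Viewer role on the registry's storage bucket and rotate the key if it leaks.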