我有一个托管在gitlab上的私有docker注册表,我想使用这个存储库为我的本地kubernetes集群提取图像:
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
service/kubernetes ClusterIP 10.96.0.1 <none> 443/TCP 68m
K8s位于v1.22.5
上,是Docker Desktop"开箱即用"的单节点集群。我已经构建并部署了一个镜像到gitlab容器注册表registry.gitlab.com
。我已经做了什么:
- 执行命令
docker login -u <username> -p <password> registry.gitlab.com
- 将
~/.docker/config.json
文件修改为以下内容:{ "auths": { "registry.gitlab.com": {} }, "credsStore": "osxkeychain" }
- 创建了一个机密并将其部署到具有以下文件的群集:
apiVersion: v1 kind: Secret metadata: name: registry-key data: .dockerconfigjson: <base-64-encoded-.config.json-file> type: kubernetes.io/dockerconfigjson
- 已部署具有以下文件的应用程序:
apiVersion: apps/v1 kind: Deployment metadata: name: test-deployment labels: app: test-app spec: replicas: 1 selector: matchLabels: app: test-app template: metadata: labels: app: test-app spec: imagePullSecrets: - name: registry-key containers: - name: test-app image: registry.gitlab.com/<image-name>:latest imagePullPolicy: Always ports: - containerPort: 80
部署创建成功,但在检查吊舱(kubectl describe pod
(时,我发现以下事件:
Events:
Type Reason Age From Message
---- ------ ---- ---- -------
Normal Scheduled 21s default-scheduler Successfully assigned default/test-deployment-87b5747b5-xdsl9 to docker-desktop
Normal BackOff 19s kubelet Back-off pulling image "registry.gitlab.com/<image-name>:latest"
Warning Failed 19s kubelet Error: ImagePullBackOff
Normal Pulling 7s (x2 over 20s) kubelet Pulling image "registry.gitlab.com/<image-name>:latest"
Warning Failed 7s (x2 over 19s) kubelet Failed to pull image "registry.gitlab.com/<image-name>:latest": rpc error: code = Unknown desc = Error response from daemon: Head "https://registry.gitlab.com/v2/<image-name>/manifests/latest": denied: access forbidden
Warning Failed 7s (x2 over 19s) kubelet Error: ErrImagePull
请提供可能导致这些错误的任何信息。
我通过编辑$ docker login
:生成的默认config.json
来解决问题
{
"auths": {
"registry.gitlab.com": {}
},
"credsStore": "osxkeychain"
}
成为
{
"auths": {
"registry.gitlab.com": {
"auth":"<access-token-in-plain-text>"
}
}
}
感谢巴拉在评论中提出这一点。我意识到在文件中以明文形式存储访问令牌可能不安全,但如果需要,可以更改为使用路径。
我还按照OzzieFZI的建议创建了这个秘密:
$ kubectl create secret docker-registry registry-key
--docker-server=registry.gitlab.com
--docker-username=<username>
--docker-password="$(cat /path/to/token.txt)"
您使用什么密码?
确认您是否正在使用对容器注册表具有读/写访问权限的个人访问令牌。您的用户名应该是gitlab用户名。我建议使用kubectl和一个以令牌为内容的txt文件来创建docker注册表秘密,这样就不必自己对dockerconfigjson进行编码。下面是一个例子。
$ kubectl create secret docker-registry registry-key
--docker-server=registry.gitlab.com
--docker-username=<username>
--docker-password="$(cat /path/to/token.txt)"
请参阅此处的命令文档
这里有一些更详细的内容,以防有人对此有问题。gitlab还引入了来自repository -> deploy tokens
选项卡的部署令牌,这意味着您不需要使用个人访问令牌。
创建身份验证以放入秘密资源
#!/bin/bash
if [ "$#" -ne 1 ]; then
printf "Invalid number of arguments" >&2
printf "./create_registry_secret.sh <GITLAB_DEPLOY_TOKEN>" >&2
exit 1;
fi
secret_gen_string='{"auths":{"https://registry.gitlab.com":{"username":"{{USER}}","password":"{{TOKEN}}","email":"{{EMAIL}}","auth":"{{SECRET}}"}}}'
gitlab_user=<YOUR_DEPLOY_TOKEN_USER>
gitlab_token=$1
gitlab_email=<YOUR_EMAIL_OR_WHATEVER>
gitlab_secret=$(echo -n "$gitlab_user:$gitlab_token" | base64 -w 0)
echo -n $secret_gen_string
| sed "s/{{USER}}/$gitlab_user/"
| sed "s/{{TOKEN}}/$gitlab_token/"
| sed "s/{{EMAIL}}/$gitlab_email/"
| sed "s/{{SECRET}}/$gitlab_secret/"
| base64 -w 0
使用秘密资源中的脚本输出
# A secret to pull container from gitlab registry
apiVersion: v1
kind: Secret
type: kubernetes.io/dockerconfigjson
metadata:
name: gitlab-pull-secret
data:
.dockerconfigjson: <GENERATED_SECRET>
引用容器定义中的机密
apiVersion: apps/v1
kind: Deployment
metadata:
name: gitlab-test-deployment
labels:
app.kubernetes.io/name: gitlab-test
spec:
selector:
matchLabels:
app.kubernetes.io/name: gitlab-test
replicas: 1
template:
metadata:
labels:
app.kubernetes.io/name: gitlab-test
spec:
containers:
- name: my-gitlab-container
image: registry.gitlab.com/group/project/image:tag
imagePullPolicy: Always
ports:
- containerPort: 3000
# Include the authentication for gitlab container registry
imagePullSecrets:
- name: gitlab-pull-secret
很抱歉这么晚才再次推出,但我一直在获得
Error: ErrImagePull
其中来自CCD_ 9的附加信息表示CCD_。
我尝试了上面的答案,但它们并没有导致工作状态(
构建完成后推送到GitLab注册表。我尝试了分配了不同权限的不同个人访问令牌,但我一直收到这个错误。。。