
Harbor image pull credential configuration

2022-06-10 19:49:00 51CTO


Image pull credentials

Topic: when a Pod is created in k8s, its images are downloaded from the private Harbor image registry. To keep images secure, Harbor requires a Secret to be configured before images can be downloaded from it. Public repositories need no such configuration.

I have previously shared a series of Harbor articles in my column 《Harbor Treasure》.

This issue continues with how to pull private Harbor images for containers in k8s.


Public images in Harbor can be pulled directly, but private images cannot. We can use a Secret resource object to pull private images; the detailed steps follow.

Harbor address: https://192.168.2.250:443

Harbor user: admin

Harbor password: Harbor12345

The problems encountered and their solutions are recorded at the end of the article!


1、Log in to Harbor

After a successful login, the login information is recorded in the file ~/.docker/config.json. A Secret is then created from this information, and the Pod references that Secret through imagePullSecrets to authenticate and pull the private image.

If logging in to Harbor fails, see the troubleshooting articles in the column.

      
      
# docker login -u admin -p Harbor12345 192.168.2.250:443
WARNING! Using --password via the CLI is insecure. Use --password-stdin.
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store
Login Succeeded // Login successful


      
      
# cat ~/.docker/config.json
{
    "auths": {
        "192.168.2.250:443": {
            "auth": "YWRtaW46SGFyYm9yMTIzNDU="
        }
    },
    "HttpHeaders": {
        "User-Agent": "Docker-Client/19.03.8 (linux)"
    }
}


2、Encode the credential data with Base64

The encoded result is needed when creating the Secret. -w 0 means the generated output is not wrapped onto a new line; with the default line wrapping the format is incorrect and an error occurs.

      
      
# cat ~/.docker/config.json | base64 -w 0
ewoJImF1dGhzIjogewoJCSIxOTIuMTY4LjIuMjUwOjQ0MyI6IHsKCQkJImF1dGgiOiAiWVdSdGFXNDZTR0Z5WW05eU1USXpORFU9IgoJCX0KCX0sCgkiSHR0cEhlYWRlcnMiOiB7CgkJIlVzZXItQWdlbnQiOiAiRG9ja2VyLUNsaWVudC8xOS4wMy44IChsaW51eCkiCgl9Cn0=


3、Create the Secret image pull credential

The value of .dockerconfigjson is the encoded result from step 2 (copy the result from there).

      
      
# vim harbor-image-secret.yaml
apiVersion: v1
kind: Secret
metadata:
  name: harbor-pull
type: kubernetes.io/dockerconfigjson
data:
  .dockerconfigjson: ewoJImF1dGhzIjogewoJCSIxOTIuMTY4LjIuMjUwOjQ0MyI6IHsKCQkJImF1dGgiOiAiWVdSdGFXNDZTR0Z5WW05eU1USXpORFU9IgoJCX0KCX0sCgkiSHR0cEhlYWRlcnMiOiB7CgkJIlVzZXItQWdlbnQiOiAiRG9ja2VyLUNsaWVudC8xOS4wMy44IChsaW51eCkiCgl9Cn0=


      
      
# kubectl apply -f harbor-image-secret.yaml
secret/harbor-pull created
# kubectl get secret
NAME                  TYPE                                  DATA   AGE
default-token-qqjxn   kubernetes.io/service-account-token   3      13d
harbor-pull           kubernetes.io/dockerconfigjson        1      52s


A Secret can also be created from the command line; see kubectl create secret -h. We will not elaborate here.

4、Use the image pull credential in the container to pull the private image

Here the private image 192.168.2.250:443/muli/tomcat:8.5.34-jre8-alpine is used as an example.

      
      
# cat tomcat-pod1.yaml
kind: Pod
apiVersion: v1
metadata:
  name: tomcat-v2.3.1
  namespace: test
spec:
  imagePullSecrets:
  # Must name the Secret created in step 3; the Secret must exist in this Pod's namespace
  - name: harbor-pull
  containers:
  - name: tomcat-po
    image: 192.168.2.250:443/muli/tomcat:8.5.34-jre8-alpine
    imagePullPolicy: IfNotPresent
# kubectl apply -f tomcat-pod1.yaml
pod/tomcat-v2.3.1 created
# kubectl get pods
NAME            READY   STATUS    RESTARTS   AGE
tomcat-v2.3.1   1/1     Running   0          20h

