
IBM Cloud: Access container registry from Terraform

I am using IBM Cloud and its Terraform provider. Now, I would like to deploy a container image off the IBM Cloud Container Registry and need to provide pull secrets. How can I do that using Terraform?

Creating pull secrets via Terraform and then using them to pull a container image off the IBM Cloud Container Registry is possible with some configuration.

First, I have a template file for the Docker configuration named docker_config.json:

{"auths":{"${docker-server}":{"username":"${docker-username}","password":"${docker-password}","email":"${docker-email}","auth":"${auth}"}}}

That file is referenced from the Terraform code:

# template for container registry secrets
data "template_file" "docker_config_script" {
  template = file("${path.module}/docker_config.json")
  vars = {
    docker-username = "iamapikey"
    docker-password = var.ibmcloud_api_key
    docker-server   = var.docker-server
    docker-email    = var.docker-email
    auth            = base64encode("iamapikey:${var.ibmcloud_api_key}")
  }
}

# Create secrets to access IBM Container Registry to pull container image
resource "kubernetes_secret" "registry_secrets" {
  metadata {
    name      = "my-docker-registry"
    namespace = var.iks_namespace
  }

  data = {
    ".dockerconfigjson" = data.template_file.docker_config_script.rendered
  }

  type = "kubernetes.io/dockerconfigjson"
}

The above code first reads the template and fills it with values from environment variables or current state. Thereafter, it creates a Kubernetes secret my-docker-registry of type Docker configuration. Later on, that secret can be referenced as image_pull_secret in the deployment configuration.

The above is a generic approach. Depending on your account setup, individual user and service ID privileges in that account and how the Kubernetes cluster was created, you may be able to use a pre-created pull secret. See this part in the IBM Cloud Kubernetes Service docs on how to authorize pulling images from private registries.

Also bear in mind that your cluster may already have suitable image pull secrets.

By default, new IBM Cloud Kubernetes Service clusters get a secret (all-icr-io) containing credentials that will give read access to all images in IBM Cloud Container Registry namespaces owned by the same account as the cluster. https://cloud.ibm.com/docs/containers?topic=containers-registry#cluster_registry_auth_default

Alternatively, you can also import an existing pull secret all-icr-io that comes with an IKS cluster by following the steps below.

main.tf

resource "kubernetes_secret" "all_icr_io" {
  # (resource arguments)
}

provider.tf

terraform {
  required_providers {
    kubernetes = {
      source = "hashicorp/kubernetes"
      version = "1.13.2"
    }
  }
}

provider "kubernetes" {
  # Configuration options
}

On a terminal:

terraform import kubernetes_secret.all_icr_io default/all-icr-io

To confirm:

terraform show

Result:

# kubernetes_secret.all_icr_io:
resource "kubernetes_secret" "all_icr_io" {
    data = (sensitive value)
    id   = "default/all-icr-io"
    type = "kubernetes.io/dockerconfigjson"

    metadata {
        annotations      = {}
        generation       = 0
        labels           = {}
        name             = "all-icr-io"
        namespace        = "default"
        resource_version = "267"
        self_link        = "/api/v1/namespaces/default/secrets/all-icr-io"
        uid              = "0dea7ee0-ab03-4fc1-a4e4-b2xxxxxxx"
    }
}
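As an added check that is not part of the question or any answer above: this Python script builds the same .dockerconfigjson the template in the first answer renders, and validates a pull secret read back from the cluster, whether it is the Terraform-created my-docker-registry secret or the imported all-icr-io secret, as printed by `kubectl get secret NAME -n NAMESPACE -o json`. The registry host us.icr.io and the API key used in the sample are constructed values, not taken from the page.

```python
import base64
import json

# Same JSON the page's docker_config.json template renders: auth is
# base64("username:password"); for an IBM Cloud API key the username is "iamapikey".
def build_docker_config(server, username, password, email):
    auth = base64.b64encode(f"{username}:{password}".encode()).decode()
    entry = {"username": username, "password": password, "email": email, "auth": auth}
    return json.dumps({"auths": {server: entry}}, separators=(",", ":"))

# Shape the config the way kubectl prints a Secret (data values are base64-encoded).
def as_secret_object(name, namespace, config_json):
    return {"apiVersion": "v1", "kind": "Secret", "type": "kubernetes.io/dockerconfigjson",
            "metadata": {"name": name, "namespace": namespace},
            "data": {".dockerconfigjson": base64.b64encode(config_json.encode()).decode()}}

# Validate a Secret object from `kubectl get secret NAME -n NAMESPACE -o json`.
# Returns a list of problems; an empty list means the pull secret looks usable.
def check_pull_secret(secret, allowed_servers):
    problems = []
    if secret.get("type") != "kubernetes.io/dockerconfigjson":
        problems.append(f"unexpected secret type {secret.get('type')!r}")
    raw = secret.get("data", {}).get(".dockerconfigjson")
    if raw is None:
        return problems + ["data has no .dockerconfigjson key"]
    try:  # binascii.Error and JSONDecodeError are both ValueError subclasses
        cfg = json.loads(base64.b64decode(raw))
    except ValueError as exc:
        return problems + [f".dockerconfigjson is not base64-encoded JSON: {exc}"]
    auths = cfg.get("auths", {}) if isinstance(cfg, dict) else {}
    if not auths:
        problems.append("no registry entries under auths")
    for server, entry in auths.items():
        if server not in allowed_servers:
            problems.append(f"{server}: not an expected registry host")
        if "auth" not in entry:
            problems.append(f"{server}: missing auth field")
            continue
        try:
            user, _, password = base64.b64decode(entry["auth"]).decode().partition(":")
        except ValueError as exc:
            problems.append(f"{server}: auth is not base64 user:password ({exc})")
            continue
        if not password:
            problems.append(f"{server}: empty password in auth")
        if entry.get("username", user) != user:
            problems.append(f"{server}: username field disagrees with auth")
        if entry.get("password", password) != password:
            problems.append(f"{server}: password field disagrees with auth")
    return problems
```

Feed it the JSON of the secret from `kubectl get secret all-icr-io -n default -o json` (or of my-docker-registry in your namespace) together with the registry hosts you expect; any entry pointing at another host, or carrying an empty or inconsistent credential, is reported before a deployment fails with an image pull error.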
