[英]IBM Cloud: Access container registry from Terraform
I am using IBM Cloud and its Terraform provider .我正在使用IBM Cloud 及其 Terraform provider 。 Now, I would like to deploy a container image off the IBM Cloud Container Registry and need to provide pull secrets .现在,我想从IBM Cloud Container Registry部署一个容器映像, 并且需要提供 pull secrets 。 How can I do that using Terraform?我如何使用 Terraform 做到这一点?
Creating pull secrets via Terraform and then using them to pull a container image off the IBM Cloud Container Registry is possible with some configuration.通过 Terraform 创建 pull secret,然后使用它们从 IBM Cloud Container Registry 中提取容器映像,可以通过一些配置。
First, I have a template file for the Docker configuration named docker_config.json :首先,我有一个名为docker_config.json的 Docker 配置模板文件:
{"auths":{"${docker-server}":{"username":"${docker-username}","password":"${docker-password}","email":"${docker-email}","auth":"${auth}"}}}
That file is referenced from the Terraform code:该文件是从 Terraform 代码中引用的:
# template for container registry secrets
data "template_file" "docker_config_script" {
template = file("${path.module}/docker_config.json")
vars = {
docker-username = "iamapikey"
docker-password = var.ibmcloud_api_key
docker-server = var.docker-server
docker-email = var.docker-email
auth = base64encode("iamapikey:${var.ibmcloud_api_key}")
}
}
# Create secrets to access IBM Container Registry to pull container image
resource "kubernetes_secret" "registry_secrets" {
metadata {
name = "my-docker-registry"
namespace = var.iks_namespace
}
data = {
".dockerconfigjson" = data.template_file.docker_config_script.rendered
}
type = "kubernetes.io/dockerconfigjson"
}
The above code first reads the template and fills it with values from environment variables or current state.上面的代码首先读取模板并用来自环境变量或当前状态的值填充它。 Thereafter, it creates a Kubernetes secret my-docker-registry of type Docker configuration.此后,它会创建一个 Docker 配置类型的 Kubernetes 机密my- docker -registry 。 Later on, that secret can be referenced as image_pull_secret in the deployment configuration.稍后,该机密可以在部署配置中作为image_pull_secret引用。
The above is a generic approach.以上是通用方法。 Depending on your account setup, individual user and service ID privileges in that account and how the Kubernetes cluster was created, you may be able to use a pre-created pull secret.根据您的帐户设置、该帐户中的个人用户和服务 ID 权限以及 Kubernetes 集群的创建方式,您可以使用预先创建的拉取密钥。 See this part in the IBM Cloud Kubernetes Service docs on how to authorize pulling images from private registries . 请参阅 IBM Cloud Kubernetes Service 文档中的这一部分,了解如何授权从私有注册表中提取映像。
Also bear in mind that your cluster may already have suitable image pull secrets.还要记住,您的集群可能已经有合适的镜像拉取机密。
By default, new IBM Cloud Kubernetes Service clusters get a secret ( all-icr-io
) containing credentials that will give read access to all images in IBM Cloud Container Registry namespaces owned by the same account as the cluster.默认情况下,新的 IBM Cloud Kubernetes Service 集群会获得一个包含凭证的机密 ( all-icr-io
),这些凭证将授予对与集群相同帐户拥有的 IBM Cloud Container Registry 名称空间中的所有映像的读取访问权限。 https://cloud.ibm.com/docs/containers?topic=containers-registry#cluster_registry_auth_default https://cloud.ibm.com/docs/containers?topic=containers-registry#cluster_registry_auth_default
Alternatively, you can also import an existing pull secret all-icr-io
that comes with an IKS cluster following the below steps或者,您也可以按照以下步骤导入 IKS 集群附带的现有 pull secret all-icr-io
main.tf主文件
resource "kubernetes_secret" "all_icr_io" {
# (resource arguments)
}
provider.tf提供者.tf
terraform {
required_providers {
kubernetes = {
source = "hashicorp/kubernetes"
version = "1.13.2"
}
}
}
provider "kubernetes" {
# Configuration options
}
On a terminal:在终端上:
terraform import kubernetes_secret.all_icr_io default/all-icr-io
To confirm,确认,
terraform show
Result:结果:
# kubernetes_secret.all_icr_io:
resource "kubernetes_secret" "all_icr_io" {
data = (sensitive value)
id = "default/all-icr-io"
type = "kubernetes.io/dockerconfigjson"
metadata {
annotations = {}
generation = 0
labels = {}
name = "all-icr-io"
namespace = "default"
resource_version = "267"
self_link = "/api/v1/namespaces/default/secrets/all-icr-io"
uid = "0dea7ee0-ab03-4fc1-a4e4-b2xxxxxxx"
}
}
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.