Write it down while it’s hot for your future self

Preface

Recently I have been building my team's DevOps platform. One step packages the code into a Docker image in a GitLab Runner job and pushes it to a Harbor registry; the K8S cluster then pulls the image from Harbor.

For the security of the Docker images, the Harbor project that stores them should be private. Pushing and pulling images then requires Harbor credentials, so this article records how to push to and pull from a private Docker image repository.

Harbor Account preparation

Harbor offers two types of accounts: regular users and robot accounts. A robot account authenticates with a token, has an expiry time, and gets fine-grained permissions on image resources: pull, push, view, delete, and so on. Given how CI/CD works, a robot account is used here. Create a robot account named robot$push_pull with permission to push and pull images.

Image push

Before pushing a Docker image to the private Harbor registry, you need to log in to it if you have not done so before:

docker login -u "${harbor_account}" -p "${harbor_passwd}" "${harbor_ip}"

Note that docker login takes the registry address as its positional argument. Docker also warns that passing the token with -p leaves it in the shell history; reading it from stdin with --password-stdin avoids that.

Here:

  • harbor_account: the robot account we created, robot$push_pull
  • harbor_passwd: the token of the robot account
  • harbor_ip: the address of the private Harbor registry

After a successful login a ~/.docker/config.json file is generated. It stores the robot account's credentials (base64-encoded, not encrypted), so treat the file like a password.

The docker login can be written as a command in .gitlab-ci.yml, with ${harbor_account}, ${harbor_passwd} and ${harbor_ip} configured as variables in GitLab (masked CI/CD variables) or on the gitlab-runner host. Alternatively, distribute ~/.docker/config.json to each gitlab-runner host so that docker login is not needed on every run.

Image pull

To pull a private image in K8S, create a Secret holding the registry credentials and reference it from the Pod's imagePullSecrets. There are two ways to create the Secret:

Method 1: via the kubectl create secret docker-registry command:

kubectl create secret docker-registry harbor-pullpush-key --docker-server=10.1.32.6:28080 --docker-username='robot$push_pull' --docker-password='#{robot$push_pull token}' -n #{namespace}

  • harbor-pullpush-key: name of the k8s Secret
  • docker-server: Harbor address
  • docker-username: robot account name (single-quoted, otherwise the shell expands $push_pull)
  • docker-password: robot token
  • namespace: must be the same namespace as the service that uses the Secret, so this is mandatory

Method 2: manually create harbor-pullpush-secret.yml

The idea is to base64-encode the config.json file and put the result in harbor-pullpush-secret.yml.

base64-encode config.json (-w 0 disables line wrapping so the output is a single line):

base64 -w 0 ~/.docker/config.json

Create a harbor-pullpush-secret.yml file with the following contents (.dockerconfigjson is the output above):

apiVersion: v1
kind: Secret
metadata:
  name: harbor-pullpush-key
  namespace: ${specify your namespace}
type: kubernetes.io/dockerconfigjson
data:
  .dockerconfigjson: ${base64-encoded config.json string}

Create the Secret resource:

kubectl apply -f harbor-pullpush-secret.yml

Using the image in K8S

apiVersion: apps/v1
kind: Deployment
metadata:
  name: my-app
spec:
  replicas: 1
  selector:
    matchLabels:
      app: my-app
  template:
    metadata:
      labels:
        app: my-app
    spec:
      containers:
        - name: my-app
          image: 10.1.32.6:28080/my-app:latest
          # imagePullPolicy: Always
          ports:
            - containerPort: 8080
      imagePullSecrets:
        - name: harbor-pullpush-key  # the Harbor Secret created above
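The two methods above produce the same object: config.json is just a map of registry host to base64("user:token"), and the Secret is that file base64-encoded once more under .dockerconfigjson. The following Python is an added example (not from the original post or from Harbor/Kubernetes) that builds the Secret the same way and then performs the check that saves the most debugging time: the image's registry host, port included, must appear as a key in auths, or the kubelet never presents the credentials and the Pod sits in ImagePullBackOff. The registry address, robot name and token are constructed sample values.

```python
"""Build a kubernetes.io/dockerconfigjson Secret from registry credentials and
check that it covers the registry an image will be pulled from."""
import base64
import json
from typing import Dict, Optional, Tuple

# Constructed sample values; the token is not a real credential.
REGISTRY = "10.1.32.6:28080"
ROBOT_USER = "robot$push_pull"
ROBOT_TOKEN = "example-robot-token"


def docker_config_json(server: str, username: str, password: str) -> Dict:
    """Shape of ~/.docker/config.json after `docker login` with the file-based
    credential store: `auth` is base64("username:password"), keyed by host."""
    auth = base64.b64encode(f"{username}:{password}".encode()).decode()
    return {"auths": {server: {"auth": auth}}}


def pull_secret_manifest(name: str, namespace: str, config: Dict) -> Dict:
    """Equivalent of harbor-pullpush-secret.yml: the whole config.json,
    base64-encoded on a single line (what `base64 -w 0` prints), stored under
    data[".dockerconfigjson"]. kubectl apply accepts this JSON as a manifest."""
    encoded = base64.b64encode(json.dumps(config).encode()).decode()
    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "metadata": {"name": name, "namespace": namespace},
        "type": "kubernetes.io/dockerconfigjson",
        "data": {".dockerconfigjson": encoded},
    }


def registry_of(image: str) -> str:
    """Registry host of an image reference. The first path component is a
    registry only if it contains '.' or ':' or is 'localhost'; otherwise the
    image lives on Docker Hub."""
    first = image.split("/", 1)[0]
    if "/" in image and ("." in first or ":" in first or first == "localhost"):
        return first
    return "docker.io"


def secret_covers_image(secret: Dict, image: str) -> bool:
    """True if the Secret has an auths entry for the image's registry host.
    '10.1.32.6' and '10.1.32.6:28080' are different keys, so a port mismatch
    between the Secret and the image reference is a silent failure."""
    if secret.get("type") != "kubernetes.io/dockerconfigjson":
        return False
    raw = base64.b64decode(secret["data"][".dockerconfigjson"])
    auths = json.loads(raw).get("auths", {})
    return registry_of(image) in auths


def credentials_for(secret: Dict, image: str) -> Optional[Tuple[str, str]]:
    """Recover (user, token) from the Secret. Both layers are plain base64,
    which is why `get secret` rights in the namespace are equivalent to
    holding the robot token: restrict them with RBAC."""
    raw = base64.b64decode(secret["data"][".dockerconfigjson"])
    entry = json.loads(raw).get("auths", {}).get(registry_of(image))
    if entry is None:
        return None
    user, _, token = base64.b64decode(entry["auth"]).decode().partition(":")
    return user, token


if __name__ == "__main__":
    cfg = docker_config_json(REGISTRY, ROBOT_USER, ROBOT_TOKEN)
    secret = pull_secret_manifest("harbor-pullpush-key", "default", cfg)
    print(json.dumps(secret, indent=2))
    for ref in ("10.1.32.6:28080/my-app:latest", "10.1.32.6/my-app:latest"):
        print(ref, "covered" if secret_covers_image(secret, ref) else "NOT covered")
```

Run it before `kubectl apply` when a pull fails with "unauthorized": if the image reference in the Deployment says `10.1.32.6/my-app` but the Secret was created for `10.1.32.6:28080`, the check reports the mismatch immediately.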