Kubernetes in practice: creating a secret so images are pulled from a private registry automatically

Series index

Earlier we explained how to set up a Nexus server and how to build a private Docker image registry on it. In those examples we ran docker login against the registry by hand, then pulled the image, then ran the container. That approach is not workable in a Kubernetes cluster. First, projects differ in size and produce a different number of images every day; if a large number of images has to be pulled by hand with docker pull each day, that is tedious and error-prone. Second, clusters differ in node count, from three or five nodes to hundreds, thousands or more, and logging in and pulling on each node one by one is clearly impractical. Even running the commands in batch with a script or Ansible has a problem: containers are scheduled across different nodes, so pulling every image onto every server with a batch script wastes a lot of resources, and every time the cluster scales up or down the script has to change, which again invites mistakes. Here we would rather rely on the management capabilities of Kubernetes itself. In fact, the Docker login information can be stored in a Kubernetes secret; when that secret is referenced explicitly in the pod specification, Kubernetes logs in to the specified private registry automatically when it pulls the image for the pod. This makes the automated workflow much easier. This article explains how to create a secret for pulling from a private Docker registry and how to use it when pulling images.

When pulling from a public registry no username or password is needed, but a private registry usually requires you to log in before images can be pulled from it. When we set up the Nexus Docker registry earlier, we noted that all operations assume you have first logged in to the registry with docker login -u <username> -p <password> <server>. After the first successful login, later logins do not actually need the username and password; for example, I can log in directly with the following command:

[root@k8s-node1 ~]# docker login 192.168.124.43:8002
Authenticating with existing credentials...
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store

Login Succeeded
[root@k8s-node1 ~]#

As you can see, we logged in without specifying a username or password. After the first successful login, Docker saves the login information in ~/.docker/config.json; let us take a look at that file:

[root@k8s-node1 ~]# cat ~/.docker/config.json
{
        "auths": {
                "192.168.124.43:8002": {
                        "auth": "YWRtaW46YWRtaW4xMjM="
                }
        },
        "HttpHeaders": {
                "User-Agent": "Docker-Client/18.09.4 (linux)"
        }
}[root@k8s-node1 ~]#

Creating a Kubernetes secret from existing Docker login information

Run the following command:

kubectl create secret generic regcred \
    --from-file=.dockerconfigjson=$HOME/.docker/config.json \
    --type=kubernetes.io/dockerconfigjson

Apart from its input, this is no different from creating any other Kubernetes secret; the key point is that it reads the config.json file from the .docker directory in the home directory.

If you want more control over the generated secret, for example to specify its namespace, you can instead create it declaratively from a YAML file. The steps differ slightly from the command above:

  • The key in the data field must be .dockerconfigjson

  • Base64-encode the config.json file and paste the encoded content into the .dockerconfigjson field

  • Set type to kubernetes.io/dockerconfigjson

Example:

apiVersion: v1
kind: Secret
metadata:
  name: myregistrykey
  namespace: awesomeapps
data:
  .dockerconfigjson: UmVhbGx5IHJlYWxseSByZWVlZWVlZWVlZWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWxsbGxsbGxsbGxsbGxsbGxsbGxsbGxsbGxsbGxsbGx5eXl5eXl5eXl5eXl5eXl5eXl5eSBsbGxsbGxsbGxsbGxsbG9vb29vb29vb29vb29vb29vb29vb29vb29vb25ubm5ubm5ubm5ubm5ubm5ubm5ubm5ubmdnZ2dnZ2dnZ2dnZ2dnZ2dnZ2cgYXV0aCBrZXlzCg==
type: kubernetes.io/dockerconfigjson

Common errors:

  • error: no objects passed to create. This means the base64-encoded data is invalid.

  • Secret "myregistrykey" is invalid: data[.dockerconfigjson]: invalid value ... This means the base64 encoding is valid, but it does not decode to a valid .docker/config.json file.
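As an added example (not code from the original article), the following Python script carries out the three steps of the declarative route above and reproduces the two checks behind the common errors just listed: it builds the config.json document that docker login writes, wraps it in a kubernetes.io/dockerconfigjson Secret, and validates the result before it ever reaches kubectl. The registry address and the admin account are the article's sample values; the function names are my own.

```python
import base64
import binascii
import json

# Constructed sample values for this example (the article's Nexus registry
# address and demo account); they are not real credentials.
REGISTRY = "192.168.124.43:8002"
USERNAME = "admin"
PASSWORD = "admin123"


def docker_config_json(server, username, password):
    """Build the document that docker login writes to ~/.docker/config.json.

    Docker keeps "username:password" base64-encoded in the "auth" field. Base64
    is an encoding, not encryption, which is why docker login warns that the
    password is stored unencrypted.
    """
    auth = base64.b64encode(f"{username}:{password}".encode()).decode()
    return {"auths": {server: {"auth": auth}}}


def dockerconfigjson_secret(name, namespace, config):
    """Wrap a config.json document in a kubernetes.io/dockerconfigjson Secret.

    The three rules from the article: the data key is .dockerconfigjson, its
    value is the base64 of the whole file, and the type is fixed.
    """
    encoded = base64.b64encode(json.dumps(config).encode()).decode()
    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "metadata": {"name": name, "namespace": namespace},
        "type": "kubernetes.io/dockerconfigjson",
        "data": {".dockerconfigjson": encoded},
    }


def validate_secret(manifest):
    """Check a manifest for the two mistakes behind the article's common errors.

    Returns "ok", "invalid-base64" (the data is not valid base64) or
    "not-docker-config" (valid base64 that does not decode to a config.json
    with an "auths" object).
    """
    value = manifest.get("data", {}).get(".dockerconfigjson", "")
    try:
        raw = base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return "invalid-base64"
    try:
        config = json.loads(raw)
    except ValueError:
        return "not-docker-config"
    if not isinstance(config, dict) or not isinstance(config.get("auths"), dict):
        return "not-docker-config"
    return "ok"


if __name__ == "__main__":
    manifest = dockerconfigjson_secret(
        "myregistrykey", "awesomeapps",
        docker_config_json(REGISTRY, USERNAME, PASSWORD))
    print(validate_secret(manifest))
    # kubectl accepts JSON manifests, so this output can be piped to kubectl apply -f -
    print(json.dumps(manifest, indent=2))
```

Running the script prints "ok" followed by the manifest; feeding it a hand-edited manifest whose data was pasted incorrectly returns one of the two error labels instead, which is cheaper than discovering the problem from the kubectl error message.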

Creating the secret directly from the command line

The secret above was created from credentials saved by an earlier docker login. If you have not logged in with docker, you can also create the secret directly from the command line; the command has the following form:

kubectl create secret docker-registry regcred --docker-server=<your-registry-server> --docker-username=<your-name> --docker-password=<your-pword> --docker-email=<your-email>

The fields are, briefly:

  • --docker-server: the address of the Docker registry

  • --docker-username: the login name

  • --docker-password: the login password

  • --docker-email: e-mail address; this field is optional

Using the Nexus Docker private registry built earlier as the example again:

kubectl create secret docker-registry regcred --docker-server=192.168.124.43:8002 --docker-username=admin --docker-password=admin123

This creates the secret.

Viewing the secret

You can view the secret you just created with the following command:

kubectl get secret regcred --output=yaml
[centos@k8s-master trackingapi]$ kubectl get secret regcred --output=yaml
apiVersion: v1
data:
  .dockerconfigjson: eyJhdXRocyI6eyIxOTIuMTY4LjEyNC40Mzo4MDAyIjp7IlVzZXJuYW1lIjoiYWRtaW4iLCJQYXNzd29yZCI6ImFkbWluMTIzIiwiRW1haWwiOiIifX19
kind: Secret
metadata:
  creationTimestamp: "2019-04-12T05:53:19Z"
  name: regcred
  namespace: default
  resourceVersion: "3763835"
  selfLink: /api/v1/namespaces/default/secrets/regcred
  uid: 46028dd4-5ce7-11e9-bc12-0050568417a2
type: kubernetes.io/dockerconfigjson
[centos@k8s-master trackingapi]$

The .dockerconfigjson field holds the Docker login information; we can read it by decoding the base64:

kubectl get secret regcred --output="jsonpath={.data.\.dockerconfigjson}" | base64 --decode
[centos@k8s-master trackingapi]$ kubectl get secret regcred --output="jsonpath={.data.\.dockerconfigjson}" | base64 --decode
{"auths":{"192.168.124.43:8002":{"Username":"admin","Password":"admin123","Email":""}}}[centos@k8s-master trackingapi]$

You can see that the output matches the username and password we entered when creating the secret.

Note that the secret above was generated from the command line. If the secret was generated from config.json, the decoded information looks slightly different: the decoded config.json contains an auth field whose value is itself still base64-encoded, so we have to decode it once more to read the information, for example:

[centos@k8s-master trackingapi]$ echo "YWRtaW46YWRtaW4xMjM="|base64 --decode
admin:admin123
[centos@k8s-master trackingapi]$
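As an added example (not the article's code), this Python snippet decodes a .dockerconfigjson value in either of the two shapes shown above: the Username/Password fields written by kubectl create secret docker-registry, and the auth field written by docker login, which needs the second base64 decode that the echo ... | base64 --decode step performs by hand. The sample data is constructed here from the article's values; the function names are mine, and accepting lowercase username/password keys as well is an assumption beyond what the article shows.

```python
import base64
import json

# Constructed sample config.json documents, built from the two shapes the
# article shows (not copied from a live cluster; not real credentials).
# 1. What `kubectl create secret docker-registry` stored: plain fields.
CLI_CONFIG = {"auths": {"192.168.124.43:8002": {
    "Username": "admin", "Password": "admin123", "Email": ""}}}
# 2. What `docker login` writes: one base64("username:password") "auth" field.
LOGIN_CONFIG = {"auths": {"192.168.124.43:8002": {"auth": "YWRtaW46YWRtaW4xMjM="}}}


def encode_secret_data(config):
    """Base64 of the JSON document, i.e. the value kubectl get secret -o yaml shows."""
    compact = json.dumps(config, separators=(",", ":"))
    return base64.b64encode(compact.encode()).decode()


def extract_credentials(dockerconfigjson_b64):
    """Decode a .dockerconfigjson value into {server: (username, password)}.

    Handles both shapes: explicit Username/Password fields, and the "auth"
    field, which holds "username:password" base64-encoded a second time.
    Lowercase field names are accepted too (assumption, not from the article).
    """
    config = json.loads(base64.b64decode(dockerconfigjson_b64))
    creds = {}
    for server, entry in config.get("auths", {}).items():
        if "auth" in entry:
            decoded = base64.b64decode(entry["auth"]).decode()
            user, _, password = decoded.partition(":")
        else:
            user = entry.get("Username") or entry.get("username", "")
            password = entry.get("Password") or entry.get("password", "")
        creds[server] = (user, password)
    return creds


if __name__ == "__main__":
    for label, cfg in (("kubectl create", CLI_CONFIG), ("docker login", LOGIN_CONFIG)):
        print(label, extract_credentials(encode_secret_data(cfg)))
```

Both shapes yield the same admin/admin123 pair. Either way the password is only base64-encoded, so anyone who can read the secret object, or the config.json on a node, can recover it; access to these secrets should be restricted as if it were access to the registry password itself.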

Creating a pod that pulls an image using the private registry secret

Example manifest:

apiVersion: v1
kind: Pod
metadata:
  name: ubuntu-demo
spec:
  restartPolicy: Never
  containers:
  - name: u-demo
    image: 192.168.124.43:8002/ubuntu
    imagePullPolicy: IfNotPresent
    command: ["printenv"]
    args: ["HOSTNAME"]
  imagePullSecrets:
  - name: regcred

The example above creates a pod from the ubuntu image we uploaded to the registry earlier. Because a plain ubuntu container exits almost as soon as it is created, we have it print an environment variable and then use the logs command to view the output, which proves that the pull and the run succeeded.

After the pod is created, check its state:

[centos@k8s-master trackingapi]$ kubectl get po
NAME                          READY   STATUS      RESTARTS   AGE
busybox                       1/1     Running     552        23d
consul-0                      1/1     Running     2          28h
consul-1                      1/1     Running     3          28h
consul-2                      1/1     Running     2          28h
helloworld-7fdc8d9855-ncfdz   1/1     Running     3          30d
hostaliases-pod               1/1     Running     0          3h42m
ubuntu-demo                   0/1     Completed   0          50m

You can see the pod is in the Completed state; we use kubectl logs to check whether it printed the information:

[centos@k8s-master trackingapi]$ kubectl logs ubuntu-demo
ubuntu-demo

As we can see, the host name was printed.


Source: www.cnblogs.com/tylerzhou/p/11112086.html