How to use private quay.io images with fleet and CoreOS - docker-registry

I've been trying to deploy containers with fleet on a CoreOS cluster. However, some of the docker images are privately stored on quay.io requiring a login.
Now I could add a docker login as a precondition to every relevant unit file, but that doesn't seem right. I'm sure there must be a way to store the respective registry credentials somewhere docker can find it when trying to download the image.
Any ideas?

The best way to do this is with a Quay "robot account", which is a separate set of credentials from your regular account. This is helpful for two reasons:
they can be revoked if needed
they can be limited to a subset of your repositories
When you make a new robot account, if you click "view credentials", you will get the credentials pre-formatted for common use-cases, such as Docker and Kubernetes.
In this case, you want "Docker Configuration", which is placed at ~/.docker/config.json on the server(s). Docker will automatically use this to authenticate with Quay.io.
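As an added illustration (not part of the original answer, and not Quay's or Docker's own code), the block below builds the ~/.docker/config.json that the answer refers to, and shows how Docker chooses which stored credential applies to a given image reference, so a fleet unit pulling quay.io/... picks up the robot account without any docker login step. The robot account name, token and image names are constructed placeholders.

```python
"""Build ~/.docker/config.json for a quay.io robot account and resolve which
credential Docker would use for an image reference."""
import base64
import json

# Constructed placeholder values. A real Quay robot account is named
# "<org>+<robotname>" and its token is shown under "view credentials".
ROBOT_USER = "myorg+deploybot"        # hypothetical robot account
ROBOT_TOKEN = "EXAMPLE_ROBOT_TOKEN"   # placeholder, not a real token


def auth_entry(user: str, secret: str) -> dict:
    """Encode credentials the way docker login stores them:
    "auth" is base64 of 'user:secret'."""
    raw = f"{user}:{secret}".encode()
    return {"auth": base64.b64encode(raw).decode()}


def build_docker_config(registry: str, user: str, secret: str) -> dict:
    """Return the dict form of ~/.docker/config.json with one registry entry."""
    return {"auths": {registry: auth_entry(user, secret)}}


def registry_for(image_ref: str) -> str:
    """Return the registry host Docker would contact for an image reference.

    The first path component counts as a registry only if it contains a '.'
    or ':' or is 'localhost'; otherwise the image lives on Docker Hub.
    """
    first = image_ref.split("/", 1)[0]
    if "/" in image_ref and ("." in first or ":" in first or first == "localhost"):
        return first
    return "docker.io"


def credential_for(image_ref: str, config: dict):
    """Return (user, secret) stored for the image's registry, or None.

    Docker Hub credentials live under the legacy key
    'https://index.docker.io/v1/' rather than 'docker.io'.
    """
    host = registry_for(image_ref)
    keys = [host]
    if host == "docker.io":
        keys.append("https://index.docker.io/v1/")
    for key in keys:
        entry = config.get("auths", {}).get(key)
        if entry and "auth" in entry:
            user, _, secret = base64.b64decode(entry["auth"]).decode().partition(":")
            return user, secret
    return None


if __name__ == "__main__":
    config = build_docker_config("quay.io", ROBOT_USER, ROBOT_TOKEN)
    # Write this out as ~/.docker/config.json for the user the docker daemon
    # (and therefore fleet's unit) runs as, with mode 0600.
    print(json.dumps(config, indent=2))
    print(credential_for("quay.io/myorg/api:1.0", config))  # robot account is used
    print(credential_for("nginx:1.25", config))              # None: no Docker Hub entry
```

Because the file is keyed by registry host, one config.json can hold the quay.io robot account alongside other registries' credentials, and revoking the robot account in Quay invalidates it everywhere the file was copied.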

Related

eclipse che docker desktop installation is unable to pull images from private docker registry

Aim is to have a default workspace created for each new user.
User will visit the link https://che-eclipse-che.192.168.0.1.nip.io/#https://github.com/test/eclipse-che
It has the devfile to create the workspace.
First user registration will happen via keycloak and then the workspace will be created. This means a new kubernetes namespace will also be created for the user.
The problem is that I need to use an image from a private docker registry but I'm unable to specify the authentication credentials in the devfile. Is there any way to achieve this?
I cannot use a Kubernetes secret because secrets are confined to a namespace.
Within Che, you can't configure your credentials to be used for every user.
Each is supposed to configure their credentials, if they need access to private docker repos. Check https://www.eclipse.org/che/docs/che-7/end-user-guide/using-private-container-registries/
What I can propose to look into:
configure nodes to pull private image https://kubernetes.io/docs/concepts/containers/images/#configuring-nodes-to-authenticate-to-a-private-registry;
push your images to cluster internal docker registry;

Docker registry: Limit access by account to subset of images

Maybe a simple-to-answer question: How can I set up a private docker repository and limit the access to only a subset of the images there that one can pull? E.g. I have Image1 and Image2 pushed, but want to allow only Image2 to be pullable by account USER1?
This tends to get into the commercial offerings of docker (DTR). The spec itself for the registry includes all of the capabilities for auth, and you can configure a simple htpasswd based login on the standalone registry. However for the next step up, you get into a token server which docker doesn't have an open source implementation of themselves. You could work around this limitation by deploying multiple registry servers, each with a different set of users in an htpasswd file.
There are various third party implementations of the docker registry that may include these features. In the open source space, there's a project called cesanta/docker_auth that works with docker's stand alone registry and does exactly what you're looking for. The next step up is the harbor project that should be all most organizations need from a registry, but may be more complicated and have more overhead for a small project.
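As an added example (not from the answer above and not cesanta/docker_auth's own code), here is the per-account, per-repository decision a registry token server makes when the client requests a scoped token. The standalone registry's htpasswd auth is all-or-nothing, which is why this step needs a token server; the ACL below is constructed, and the repository names are lowercased because registry repository names must be lowercase.

```python
"""Toy ACL evaluation of the kind a docker registry token server performs."""
from fnmatch import fnmatch

# Constructed ACL (hypothetical accounts and repositories). Each rule names
# which account pattern may perform which actions on which repository pattern.
ACL = [
    {"account": "admin", "name": "*",        "actions": ["pull", "push"]},
    {"account": "USER1", "name": "image2",   "actions": ["pull"]},
    {"account": "ci-*",  "name": "team/*",   "actions": ["pull", "push"]},
    {"account": "*",     "name": "public/*", "actions": ["pull"]},
]


def parse_scope(scope: str):
    """Parse a token scope such as 'repository:image2:pull,push'.

    Returns (type, repository name, set of requested actions). Tags are not
    part of a scope, so the repository name never contains ':' here.
    """
    parts = scope.split(":")
    if len(parts) != 3 or parts[0] != "repository":
        raise ValueError(f"unsupported scope: {scope!r}")
    _, name, actions = parts
    return "repository", name, {a for a in actions.split(",") if a}


def allowed_actions(account: str, scope: str, acl=ACL) -> set:
    """Return the subset of requested actions the ACL grants this account.

    The token server puts only these actions into the issued token: a client
    asking for 'pull,push' on a repository it may only pull gets a pull-only
    token, and an empty set means the request is refused outright.
    """
    _, name, requested = parse_scope(scope)
    granted = set()
    for rule in acl:
        if fnmatch(account, rule["account"]) and fnmatch(name, rule["name"]):
            granted |= set(rule["actions"])
    return requested & granted


if __name__ == "__main__":
    print(allowed_actions("USER1", "repository:image2:pull"))   # {'pull'}
    print(allowed_actions("USER1", "repository:image1:pull"))   # set()
    print(allowed_actions("ci-build", "repository:team/api:pull,push"))
```

With the registry configured to trust that token server, an image push or pull is only accepted when the presented token lists the repository and action, so USER1 can pull image2 but sees image1 as if it did not exist.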

Sharing docker registry images among gcloud projects

We're hoping to use a google project to share docker images containing microservices across projects.
I was thinking I could do it using the kubernetes run command and pull an image from a project other than the current one:
kubectl run gdrive-service --image=us.gcr.io/foo/gdrive-service
My user credentials have access to both projects. However, it seems like the run command can only pull images from the current project.
Is there an approach for doing this? It seems like an obvious use case.
There are a few options here.
Use _json_key auth described here with Kubernetes pull secrets.
This describes how to add robots across projects as well, still without needing pull secrets.
In my answer here I describe a way to do this by granting the GKE service account user Storage Object Viewer permission under the project that contains the registry.
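To make the _json_key option concrete, the following is an added example (not part of the answer and not Google's or Kubernetes' own tooling) that turns a service-account key file from the project owning the registry into a kubernetes.io/dockerconfigjson pull secret for us.gcr.io. The key file contents are a constructed stand-in; the secret and service-account names are hypothetical.

```python
"""Build a kubernetes.io/dockerconfigjson pull secret for GCR using _json_key auth."""
import base64
import json

# Constructed stand-in for a downloaded service-account key. A real key file
# has more fields and a real private key; it is a credential and must be
# handled as such (never committed to source control).
FAKE_SA_KEY = {
    "type": "service_account",
    "project_id": "foo",  # project that owns us.gcr.io/foo
    "client_email": "gcr-puller@foo.iam.gserviceaccount.com",  # hypothetical
    "private_key": "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n",
}


def docker_config_for_gcr(registry: str, sa_key: dict) -> dict:
    """GCR accepts the username '_json_key' with the whole key file JSON as password."""
    password = json.dumps(sa_key)
    auth = base64.b64encode(f"_json_key:{password}".encode()).decode()
    return {"auths": {registry: {"username": "_json_key", "password": password, "auth": auth}}}


def pull_secret_manifest(name: str, namespace: str, registry: str, sa_key: dict) -> dict:
    """Return a Secret manifest that pods reference via spec.imagePullSecrets."""
    config = docker_config_for_gcr(registry, sa_key)
    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "metadata": {"name": name, "namespace": namespace},
        "type": "kubernetes.io/dockerconfigjson",
        "data": {
            ".dockerconfigjson": base64.b64encode(json.dumps(config).encode()).decode()
        },
    }


def decode_secret_auth(manifest: dict, registry: str) -> tuple:
    """Round-trip check: recover the (username, password) the kubelet would present."""
    raw = base64.b64decode(manifest["data"][".dockerconfigjson"])
    entry = json.loads(raw)["auths"][registry]
    user, _, password = base64.b64decode(entry["auth"]).decode().partition(":")
    return user, password


if __name__ == "__main__":
    secret = pull_secret_manifest("gcr-foo-pull", "default", "us.gcr.io", FAKE_SA_KEY)
    # Apply with `kubectl apply -f`, then add
    #   imagePullSecrets: [{name: gcr-foo-pull}]
    # to the pod spec that pulls us.gcr.io/foo/gdrive-service.
    print(json.dumps(secret, indent=2))
    print(decode_secret_auth(secret, "us.gcr.io")[0])  # _json_key
```

The service account only needs read access to the registry's storage bucket in the owning project (the Storage Object Viewer grant mentioned above); scoping it that narrowly limits what a leaked secret could do.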

Docker Registry vs Docker "Trusted" Registry

I just read the entire docs on securing a private Docker Registry. In addition to this, there seems to be a "Docker Trusted Registry", which is described as:
Docker Trusted Registry (DTR) lets you run and manage your own Docker image storage service, securely on your own infrastructure behind your company firewall.
Furthermore, the doc goes on to list DTR's features:
An image registry to store, manage, and collaborate on Docker images
Pluggable storage drivers
Configuration options to let you run DTR in your particular enterprise environment.
Easy, transparent upgrades
Logging, usage and system health metrics
But doesn't the "normal" Docker Registry give me these as well?!?
Are these two things really the same, or is DTR some sort of commercialized offering of a Docker Registry? Or something else? I'm so confused!
New features in Docker Trusted Registry are:
Control access and permissions by user or organisation
Web UI to search and browse repos, manage users and settings
Integrate to CI and CD systems to automate workflows
LDAP/AD integration
Flexible storage
Support for user audit logs
Soft Delete image tags
Garbage collection
DTR is the paid support service for the registry - see https://hub.docker.com/enterprise/
Basically, they help you set up and will give you support down the road. It might have some niceties, otherwise you are left to your own to figure out how to run the registry.

How to have login and access settings with a docker image registry

I am not new to lxc or docker. But I do not have much knowledge on the image registry.
So I decided to get started and followed up tutorials and installation instructions.
And things are working fine in terms of pushing and pulling from my custom registry.
My questions:
The registry does not seem to come with a login/access management system.
1st - What are the overall steps to follow to implement a login (and possibly access) management to a custom registry?
2nd - If this mechanism is implemented, is there a way to use docker login to use that mechanism instead of https://hub.docker.com 's?
To 2nd: By using docker login /yourregistry, you can use the login mechanism of docker to log in to a specific registry. The credentials are saved as well;
dockerhub is just the default. Unfortunately I don't know how to set up my own registry; personally I'm just using it in my company to pull from our artifactory.