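Pulling a private-project image from a Pod: the Secret example
Pulling a private image succeeds only when a Secret holding the registry credentials is configured.
1. Create the Harbor credentials imperatively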
kubectl create secret docker-registry baimei-harbor --docker-username=admin --docker-password=1 --docker-email=admin@baimei.com --docker-server=harbor.baimei.com
2. Create the Harbor credentials declaratively
Method 1:
Export the YAML of the imperatively created Secret and edit it.
kubectl get secrets baimei-harbor -o yaml > 02-secret-harbor.yaml
cat 02-secret-harbor.yaml # keep only the following fields
apiVersion: v1
data:
  .dockerconfigjson: eyJhdXRocyI6eyJoYXJib3Iub2xkYm95ZWR1LmNvbSI6eyJ1c2VybmFtZSI6ImFkbWluIiwicGFzc3dvcmQiOiIxIiwiZW1haWwiOiJhZG1pbkBvbGRib3llZHUuY29tIiwiYXV0aCI6IllXUnRhVzQ2TVE9PSJ9fX0=
kind: Secret
metadata:
  name: baimei-harbor
  namespace: default
type: kubernetes.io/dockerconfigjson
Method 2: (working backwards)
1. Decode the data to recover the original content.
echo eyJhdXRocyI6eyJoYXJib3Iub2xkYm95ZWR1LmNvbSI6eyJ1c2VybmFtZSI6ImFkbWluIiwicGFzc3dvcmQiOiIxIiwiZW1haWwiOiJhZG1pbkBvbGRib3llZHUuY29tIiwiYXV0aCI6IllXUnRhVzQ2TVE9PSJ9fX0= | base64 -d | more
This yields the data below, which contains one more layer that is still encoded.
2. Decode the auth field from the previous step
echo YWRtaW46MQ== | base64 -d | more
3. The final data is:
{"auths":{"harbor.baimei.com":{"username":"admin","password":"1","email":"admin@baimei.com","auth":"admin:1"}}}
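In summary, running the steps above in reverse lets us write the resource manifest by hand, as follows:
1. Write the JSON string, using the baimei user as an example.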
{"auths":{"harbor.baimei.com":{"username":"baimei","password":"Linux@2023","email":"baimei@baimei.com","auth":"baimei:Linux@2023"}}}
2. Base64-encode the auth field
echo -n baimei:Linux@2023 | base64
This gives the following data:
{"auths":{"harbor.baimei.com":{"username":"baimei","password":"Linux@2023","email":"baimei@baimei.com","auth":"amFzb255aW46TGludXhAMjAyMw=="}}}
3. Base64-encode the whole string once more (note: wrap the data after echo in single quotes, otherwise later steps may fail!)
echo -n '{"auths":{"harbor.baimei.com":{"username":"baimei","password":"Linux@2023","email":"baimei@baimei.com","auth":"amFzb255aW46TGludXhAMjAyMw=="}}}' | base64
4. Write the resource manifest
cat 03-secrets-baimei.yaml
apiVersion: v1
kind: Secret
metadata:
  name: baimei-harbor-baimei
type: kubernetes.io/dockerconfigjson
data:
  .dockerconfigjson: eyJhdXRocyI6eyJoYXJib3Iub2xkYm95ZWR1LmNvbSI6eyJ1c2VybmFtZSI6Imphc29ueWluIiwicGFzc3dvcmQiOiJMaW51eEAyMDIzIiwiZW1haWwiOiJqYXNvbnlpbkBvbGRib3llZHUuY29tIiwiYXV0aCI6ImFtRnpiMjU1YVc0NlRHbHVkWGhBTWpBeU13PT0ifX19
5. Verify
(Note: make sure the user you created has access to the relevant project in Harbor!)
cat 32-pods-harbor-secrets.yaml
apiVersion: v1
kind: Pod
metadata:
  name: linux86-secrets-harbor-001
spec:
  # Harbor Secret(s) used to authenticate image pulls; more than one may be listed.
  imagePullSecrets:
  # - name: baimei-harbor
  - name: baimei-harbor-baimei
  containers:
  - name: web
    image: harbor.baimei.com/baimei-apps/apps:v1
    # Image pull policy. If unset, the default is Always when the tag is latest and IfNotPresent for any other tag.
    imagePullPolicy: Always
    # imagePullPolicy: IfNotPresent
kubectl apply -f 32-pods-harbor-secrets.yaml
If the image is pulled, the configuration works.
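
Steps 1 to 4 of method 2, plus a check to run on a Secret before it is applied, as an added Python example (not part of the original tutorial). The function names build_secret and audit_secret are hypothetical; the sample account values are the ones used in the steps above, and the check confirms that the decoded payload names the registry you expect and that auth matches username:password.

```python
import base64
import json

SECRET_TYPE = "kubernetes.io/dockerconfigjson"

def b64(text):
    # b64encode returns one unwrapped line; GNU `base64` wraps at 76 columns unless given -w0.
    return base64.b64encode(text.encode()).decode()

def build_secret(name, server, username, password, email, namespace="default"):
    """Steps 1-4: inner auth value, JSON document, outer encoding, manifest."""
    entry = {"username": username, "password": password, "email": email,
             "auth": b64(f"{username}:{password}")}
    # json.dumps escapes quotes and backslashes that a hand-written string would not.
    config = json.dumps({"auths": {server: entry}}, separators=(",", ":"))
    return {"apiVersion": "v1", "kind": "Secret",
            "metadata": {"name": name, "namespace": namespace},
            "type": SECRET_TYPE,
            "data": {".dockerconfigjson": b64(config)}}

def audit_secret(secret, expected_server):
    """Decode both layers and return a list of problems (empty means consistent)."""
    if secret.get("type") != SECRET_TYPE:
        return [f"type is {secret.get('type')!r}, expected {SECRET_TYPE!r}"]
    try:
        raw = base64.b64decode(secret["data"][".dockerconfigjson"], validate=True)
        auths = dict(json.loads(raw)["auths"])
    except (KeyError, ValueError, TypeError) as exc:
        return [f"payload is not base64-encoded docker config JSON: {exc}"]
    problems = []
    if expected_server not in auths:
        problems.append(f"no credentials for {expected_server}; found {sorted(auths)}")
    for host, entry in auths.items():
        try:
            decoded = base64.b64decode(entry.get("auth", ""), validate=True).decode()
        except ValueError:
            problems.append(f"{host}: auth is not valid base64")
            continue
        if decoded != f"{entry.get('username')}:{entry.get('password')}":
            problems.append(f"{host}: auth does not match username:password")
    return problems

if __name__ == "__main__":
    # Constructed sample input, using the tutorial's example account.
    secret = build_secret("baimei-harbor-baimei", "harbor.baimei.com",
                          "baimei", "Linux@2023", "baimei@baimei.com")
    print(json.dumps(secret, indent=2))  # kubectl apply -f accepts JSON as well as YAML
    print(audit_secret(secret, "harbor.baimei.com"))
```

The same audit can be run on the output of kubectl get secret <name> -o json after loading it with json.load.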