
Private registry authentication - share a secret automatically across all projects.



Hello,

We have a functional OCP platform v3.5.
We need to replace the "Redhat" registry (registry.access.redhat.com) with a personal external registry.

My external registry uses "htpasswd" authentication:
```
docker run -d \
  -p 5000:5000 \
  --restart=always \
  --name registry \
  -v `pwd`/auth:/auth \
  -e "REGISTRY_AUTH=htpasswd" \
  -e "REGISTRY_AUTH_HTPASSWD_REALM=Registry Realm" \
  -e REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd \
  -v `pwd`/certs:/certs \
  -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/domain.crt \
  -e REGISTRY_HTTP_TLS_KEY=/certs/domain.key \
  -e REGISTRY_HTTP_ADDR=0.0.0.0:5000 \
  -e REGISTRY_HTTP_HOST=myregistry.example.com:5000 \
  -e REGISTRY_HTTP_SECRET=XXXX \
  -v /registry/:/var/lib/registry \
  registry:2
```
On each node I run docker login and then copy $HOME/.docker/config.json to /var/lib/origin (https://github.com/openshift/origin/issues/13918). It's OK.

But I have one last problem during the build: an authentication problem.

If I try to deploy a new nodejs application (with a git repository), I get the following error:

```
error: build error: unable to get myregistry.example.com:5000/rhscl/nodejs-4-rhel7 sha256:29b1732f719f4d577827662a8faeea211908657de345ddef4534e3a1eabe1621
```

Logs of the registry:
```
time="2017-10-02T07:36:26Z" level=error msg="error authenticating user \"\": authentication failure" go.version=go1.7.6 http.request.host="myregistry.example.com:5000" http.request.id=2bcfd069-ef71-469b-9b6b-399b350643b2 http.request.method=GET http.request.remoteaddr="XX.XX.XXX.XX:xxxxx" http.request.uri="/v2/rhscl/nodejs-4-rhel7/manifests/sha256:29b1732f719f4d577827662a8faeea211908657de345ddef4534e3a1eabe1621" http.request.useragent="docker/1.12.6 go/go1.8.3 kernel/3.10.0-693.2.2.el7.x86_64 os/linux arch/amd64 UpstreamClient(Go-http-client/1.1)" instance.id=581890a7-dcdc-4ef5-8540-c7d084b12ce6 vars.name="rhscl/nodejs-4-rhel7" vars.reference="sha256:29b1732f719f4d577827662a8faeea211908657de345ddef4534e3a1eabe1621" version=v2.6.2
time="2017-10-02T07:36:26Z" level=warning msg="error authorizing context: basic authentication challenge for realm \"Registry Realm\": authentication failure" go.version=go1.7.6 http.request.host="myregistry.example.com:5000" http.request.id=2bcfd069-ef71-469b-9b6b-399b350643b2 http.request.method=GET http.request.remoteaddr="XX.XX.XXX.XX:xxxxx" http.request.uri="/v2/rhscl/nodejs-4-rhel7/manifests/sha256:29b1732f719f4d577827662a8faeea211908657de345ddef4534e3a1eabe1621" http.request.useragent="docker/1.12.6 go/go1.8.3 kernel/3.10.0-693.2.2.el7.x86_64 os/linux arch/amd64 UpstreamClient(Go-http-client/1.1)" instance.id=581890a7-dcdc-4ef5-8540-c7d084b12ce6 vars.name="rhscl/nodejs-4-rhel7" vars.reference="sha256:29b1732f719f4d577827662a8faeea211908657de345ddef4534e3a1eabe1621" version=v2.6.2
```

The only solution that I found is to create a secret in the project and add this secret to the "Pull Secret" option of the project:
```
# oc secrets new-dockercfg external-registry \
>     --docker-server=myregistry.example.com:5000 --docker-username=AAAAA \
>     --docker-password=BBBB --docker-email=CCCC ee com

# oc secrets link default external-registry --for="">
```

Do you have any idea how to share this "external-registry" secret across all projects, and use this default secret to pull images for all builds?

I don't think I'm the only one to use an external registry. My registry uses "htpasswd" authentication. Is this the appropriate solution for OCP? Or is there another idea?

Thanks,
Best regards,
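
A triage script for registry logs like the ones quoted above, added here as an example and not part of the original post: it parses the registry's key=value log lines and counts failed logins per repository and username, so requests that arrive with an empty username (as in the error above) stand out from failures for a named user. The sample lines are constructed on the model of the post's log format; the `builder` username and the `req-N` request ids are assumptions.

```python
import re
from collections import Counter

# Constructed sample lines in the registry's key=value log format (not real logs).
# The "builder" username and req-N ids are made up for the example.
SAMPLE_LOG = r'''
time="2017-10-02T07:36:26Z" level=error msg="error authenticating user \"\": authentication failure" http.request.id=req-1 http.request.method=GET vars.name="rhscl/nodejs-4-rhel7"
time="2017-10-02T07:36:26Z" level=warning msg="error authorizing context: basic authentication challenge for realm \"Registry Realm\": authentication failure" http.request.id=req-1 vars.name="rhscl/nodejs-4-rhel7"
time="2017-10-02T07:40:02Z" level=error msg="error authenticating user \"builder\": authentication failure" http.request.id=req-2 http.request.method=GET vars.name="rhscl/nodejs-4-rhel7"
time="2017-10-02T07:41:10Z" level=info msg="response completed" http.request.id=req-3 vars.name="rhscl/nodejs-4-rhel7"
'''

# key=value pairs; values are bare tokens or double-quoted with \" escapes.
PAIR = re.compile(r'([\w.]+)=("(?:[^"\\]|\\.)*"|\S+)')
# The message the registry logs when a presented username fails to authenticate.
AUTH_FAIL = re.compile(r'^error authenticating user "(.*)": ')

def parse_line(line):
    """Return the fields of one log line as a dict, unescaping quoted values."""
    fields = {}
    for key, raw in PAIR.findall(line):
        if raw.startswith('"'):
            raw = re.sub(r'\\(.)', r'\1', raw[1:-1])
        fields[key] = raw
    return fields

def auth_failures(log_text):
    """Count failed logins per (repository, username); '' is an empty username."""
    counts = Counter()
    for line in log_text.splitlines():
        fields = parse_line(line)
        m = AUTH_FAIL.match(fields.get("msg", ""))
        if m:
            counts[(fields.get("vars.name", "?"), m.group(1))] += 1
    return counts

def empty_username_repos(log_text):
    """Repositories that were requested with an empty username."""
    return sorted({repo for (repo, user) in auth_failures(log_text) if user == ""})

if __name__ == "__main__":
    for (repo, user), n in auth_failures(SAMPLE_LOG).items():
        print(f"{repo}: user={user!r} failures={n}")
```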
