[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: Private registry authentication - share a secret automatically across all projects.



Hello,

I continuous my research, I'm wondering whether I should play with ServiceAccount or edit "default" ServiceAccount for all namespaces (https://docs.openshift.com/container-platform/3.5/dev_guide/service_accounts.html).

We start with Openshift. I have doubts about the procedure to share the secret for all namespaces. I don't know what to do.

For information, the deployment of the nodejs application is just an example.

Thanks,
Best regards.




----------------------------------------------------------------------

Message: 1
Date: Mon, 2 Oct 2017 15:46:57 +0200
From: Inter Load <interload13 gmail com>
To: users lists openshift redhat com
Subject: Private registry authentication - share a secret
        automatically across    all projects.
Message-ID:
        <CAE61VYXxoj_rVXW2eyfCQ98pM7U4jVtF=vx_Kv7LqE9mLp8Jng mail gmail com>
Content-Type: text/plain; charset="utf-8"

Hello,

We have a functional OCP plaform v3.5.
We need to change the "Redhat" registry (registry.access.redhat.com) with a
personal external registry.

My external registry use "htpasswd" authentication :
*docker run -d \*
*  -p 5000:5000 \*
*  --restart=always \*
*  --name registry \*
*  -v `pwd`/auth:/auth \*
*  -e "REGISTRY_AUTH=htpasswd" \*
*  -e "REGISTRY_AUTH_HTPASSWD_REALM=Registry Realm" \*
*  -e REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd \*
*  -v `pwd`/certs:/certs \*
*  -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/domain.crt \*
*  -e REGISTRY_HTTP_TLS_KEY=/certs/domain.key \*
*  -e REGISTRY_HTTP_ADDR=0.0.0.0:5000 <http://0.0.0.0:5000> \*
*  -e REGISTRY_HTTP_HOST=myregistry.example.com:5000
<http://myregistry.example.com:5000> \*
*  -e REGISTRY_HTTP_SECRET=XXXX \*
*  -v /registry/:/var/lib/registry \*
*  registry:2*

On each node i run docker login and then copy $HOME/.docker/config.json to
/var/lib/origin (https://github.com/openshift/origin/issues/13918). It's OK.

But, i have a last problem during the build. An authentication problem.

If i tried to deploy a new nodejs application (with git repository), I have
the following error :

*```error: build error: unable to get
myregistry.example.com:5000/rhscl/nodejs-4-rhel7 sha256:29b1732f719f4d577827662a8faeea211908657de345ddef4534e3a1eabe1621```
<http://myregistry.example.com:5000/rhscl/nodejs-4-rhel7@sha256:29b1732f719f4d577827662a8faeea211908657de345ddef4534e3a1eabe1621```>*

Logs of the registry :
*```time="2017-10-02T07:36:26Z" level=error msg="error authenticating user
\"\": authentication failure" go.version=go1.7.6
http.request.host="myregistry.example.com:5000
<http://myregistry.example.com:5000>" http.request.id
<http://http.request.id>=2bcfd069-ef71-469b-9b6b-399b350643b2
http.request.method=GET http.request.remoteaddr="XX.XX.XXX.XX:xxxxx"
http.request.uri="/v2/rhscl/nodejs-4-rhel7/manifests/sha256:29b1732f719f4d577827662a8faeea211908657de345ddef4534e3a1eabe1621"
http.request.useragent="docker/1.12.6 go/go1.8.3
kernel/3.10.0-693.2.2.el7.x86_64 os/linux arch/amd64
UpstreamClient(Go-http-client/1.1)" instance.id
<http://instance.id>=581890a7-dcdc-4ef5-8540-c7d084b12ce6 vars.name
<http://vars.name>="rhscl/nodejs-4-rhel7"
vars.reference="sha256:29b1732f719f4d577827662a8faeea211908657de345ddef4534e3a1eabe1621"
version=v2.6.2*
*time="2017-10-02T07:36:26Z" level=warning msg="error authorizing context:
basic authentication challenge for realm \"Registry Realm\": authentication
failure" go.version=go1.7.6 http.request.host="myregistry.example.com:5000
<http://myregistry.example.com:5000>" http.request.id
<http://http.request.id>=2bcfd069-ef71-469b-9b6b-399b350643b2
http.request.method=GET http.request.remoteaddr="XX.XX.XXX.XX:xxxxx"
http.request.uri="/v2/rhscl/nodejs-4-rhel7/manifests/sha256:29b1732f719f4d577827662a8faeea211908657de345ddef4534e3a1eabe1621"
http.request.useragent="docker/1.12.6 go/go1.8.3
kernel/3.10.0-693.2.2.el7.x86_64 os/linux arch/amd64
UpstreamClient(Go-http-client/1.1)" instance.id
<http://instance.id>=581890a7-dcdc-4ef5-8540-c7d084b12ce6 vars.name
<http://vars.name>="rhscl/nodejs-4-rhel7"
vars.reference="sha256:29b1732f719f4d577827662a8faeea211908657de345ddef4534e3a1eabe1621"
version=v2.6.2```*

The only solution that i found is a create a secret in the project and add
this secret for "Pull Secret" option of the project :
*```# oc secrets new-dockercfg external-registry \*
*>     --docker-server=myregistry.example.com:5000
<http://myregistry.example.com:5000> --docker-username=AAAAA \*
*>     --docker-password=BBBB --docker-email=CCCC ee com <CCCC ee com>*

*# oc secrets link default external-registry --for="">
Have you any idea to share this "external-registry" secret for all project
? And use this default secret to pull image for all build ?

I don't think I'm the only one to user a external registry. My registry use
"htpasswd" authentication. Is the appropriate solution for OCP ? Or another
idea ?

Thanks,
Best regards,
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openshift.redhat.com/openshift-archives/users/attachments/20171002/a6acaea3/attachment.html>

------------------------------

_______________________________________________
users mailing list
users lists openshift redhat com
http://lists.openshift.redhat.com/openshiftmm/listinfo/users


End of users Digest, Vol 63, Issue 1
************************************


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]