Skip to content

Commit c7f25cb

Browse files
mikebrowmikebrow
authored
Merge pull request #1490 from mikebrow/document-gcr-json-key-auth
add a registry auth tutorial
2 parents 83b115a + a7ad3bc commit c7f25cb

1 file changed

Lines changed: 56 additions & 0 deletions

File tree

docs/registry.md

Lines changed: 56 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -86,3 +86,59 @@ The registry credential in this config will only be used when auth config is
8686
not specified by Kubernetes via CRI.
8787

8888
After modify this config, you need restart the `containerd` service.
89+
90+
### Configure Registry Credentials Example - GCR with _json_key Authentication
91+
92+
Create a gcp account with gcr, do all the steps to enable receiving a
93+
pushed image for a gcr instance, including the generation and download of a
94+
new _json_key (for a new service account user.) To make sure your
95+
gcr registry is working with _json_key authentication let's login and
96+
push an image to your gcr instance: *This step is not necessary if you have
97+
already pushed an image to your gcr instance.*
98+
99+
```bash
100+
$ docker login -u _json_key -p "$(cat key.json)" gcr.io
101+
$ docker push gcr.io/your-gcr-instance-id/busybox
102+
$ docker logout gcr.io
103+
```
104+
105+
Generate a single line for the _json_key file that you downloaded:
106+
107+
```bash
108+
jq -c . key.json
109+
```
110+
111+
Edit the containerd config (default location is at /etc/containerd/config.toml)
112+
to add your _json_key authentication for gcr.io domain image pull
113+
requests:
114+
115+
```
116+
[plugins."io.containerd.grpc.v1.cri".registry]
117+
[plugins."io.containerd.grpc.v1.cri".registry.mirrors]
118+
[plugins."io.containerd.grpc.v1.cri".registry.mirrors."docker.io"]
119+
endpoint = ["https://registry-1.docker.io"]
120+
[plugins.cri.registry.mirrors."gcr.io"]
121+
endpoint = ["https://gcr.io"]
122+
[plugins."io.containerd.grpc.v1.cri".registry.configs]
123+
[plugins."io.containerd.grpc.v1.cri".registry.configs."gcr.io".auth]
124+
username = "_json_key"
125+
password = 'paste output from jq'
126+
```
127+
128+
Restart containerd
129+
130+
```bash
131+
$ service containerd restart
132+
```
133+
134+
Pull an image from your gcr instance with crictl:
135+
136+
```bash
137+
$ sudo crictl pull gcr.io/your-gcr-instance-id/busybox
138+
DEBU[0000] get image connection
139+
DEBU[0000] connect using endpoint 'unix:///run/containerd/containerd.sock' with '3s' timeout
140+
DEBU[0000] connected successfully using endpoint: unix:///run/containerd/containerd.sock
141+
DEBU[0000] PullImageRequest: &PullImageRequest{Image:&ImageSpec{Image:gcr.io/your-gcr-instance-id/busybox,},Auth:nil,SandboxConfig:nil,}
142+
DEBU[0001] PullImageResponse: &PullImageResponse{ImageRef:sha256:78096d0a54788961ca68393e5f8038704b97d8af374249dc5c8faec1b8045e42,}
143+
Image is up to date for sha256:78096d0a54788961ca68393e5f8038704b97d8af374249dc5c8faec1b8045e42
144+
```

0 commit comments

Comments
 (0)