Hello,

I am continuing my research. I'm wondering whether I should play with ServiceAccount or edit the "default" ServiceAccount for all namespaces (https://docs.openshift.com/container-platform/3.5/dev_guide/service_accounts.html).
We start with OpenShift. I have doubts about the procedure to share the secret for all namespaces. I don't know what to do. For information, the deployment of the nodejs application is just an example.

Thanks,
Best regards.

> ----------------------------------------------------------------------
>
> Message: 1
> Date: Mon, 2 Oct 2017 15:46:57 +0200
> From: Inter Load <[email protected]>
> To: [email protected]
> Subject: Private registry authentication - share a secret
>         automatically across all projects.
> Message-ID:
>         <CAE61VYXxoj_rVXW2eyfCQ98pM7U4jVtF=vx_
>         [email protected]>
> Content-Type: text/plain; charset="utf-8"
>
> Hello,
>
> We have a functional OCP platform v3.5.
> We need to change the "Redhat" registry (registry.access.redhat.com) with a
> personal external registry.
>
> My external registry uses "htpasswd" authentication:
>
> ```
> docker run -d \
>   -p 5000:5000 \
>   --restart=always \
>   --name registry \
>   -v `pwd`/auth:/auth \
>   -e "REGISTRY_AUTH=htpasswd" \
>   -e "REGISTRY_AUTH_HTPASSWD_REALM=Registry Realm" \
>   -e REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd \
>   -v `pwd`/certs:/certs \
>   -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/domain.crt \
>   -e REGISTRY_HTTP_TLS_KEY=/certs/domain.key \
>   -e REGISTRY_HTTP_ADDR=0.0.0.0:5000 \
>   -e REGISTRY_HTTP_HOST=myregistry.example.com:5000 \
>   -e REGISTRY_HTTP_SECRET=XXXX \
>   -v /registry/:/var/lib/registry \
>   registry:2
> ```
>
> On each node I run docker login and then copy $HOME/.docker/config.json to
> /var/lib/origin (https://github.com/openshift/origin/issues/13918). It's OK.
>
> But I have a last problem during the build. An authentication problem.
>
> If I try to deploy a new nodejs application (with a git repository), I have
> the following error:
>
> ```
> error: build error: unable to get myregistry.example.com:5000/rhscl/nodejs-4-rhel7@sha256:29b1732f719f4d577827662a8faeea211908657de345ddef4534e3a1eabe1621
> ```
>
> Logs of the registry:
>
> ```
> time="2017-10-02T07:36:26Z" level=error msg="error authenticating user \"\": authentication failure" go.version=go1.7.6 http.request.host="myregistry.example.com:5000" http.request.id=2bcfd069-ef71-469b-9b6b-399b350643b2 http.request.method=GET http.request.remoteaddr="XX.XX.XXX.XX:xxxxx" http.request.uri="/v2/rhscl/nodejs-4-rhel7/manifests/sha256:29b1732f719f4d577827662a8faeea211908657de345ddef4534e3a1eabe1621" http.request.useragent="docker/1.12.6 go/go1.8.3 kernel/3.10.0-693.2.2.el7.x86_64 os/linux arch/amd64 UpstreamClient(Go-http-client/1.1)" instance.id=581890a7-dcdc-4ef5-8540-c7d084b12ce6 vars.name="rhscl/nodejs-4-rhel7" vars.reference="sha256:29b1732f719f4d577827662a8faeea211908657de345ddef4534e3a1eabe1621" version=v2.6.2
> time="2017-10-02T07:36:26Z" level=warning msg="error authorizing context: basic authentication challenge for realm \"Registry Realm\": authentication failure" go.version=go1.7.6 http.request.host="myregistry.example.com:5000" http.request.id=2bcfd069-ef71-469b-9b6b-399b350643b2 http.request.method=GET http.request.remoteaddr="XX.XX.XXX.XX:xxxxx" http.request.uri="/v2/rhscl/nodejs-4-rhel7/manifests/sha256:29b1732f719f4d577827662a8faeea211908657de345ddef4534e3a1eabe1621" http.request.useragent="docker/1.12.6 go/go1.8.3 kernel/3.10.0-693.2.2.el7.x86_64 os/linux arch/amd64 UpstreamClient(Go-http-client/1.1)" instance.id=581890a7-dcdc-4ef5-8540-c7d084b12ce6 vars.name="rhscl/nodejs-4-rhel7" vars.reference="sha256:29b1732f719f4d577827662a8faeea211908657de345ddef4534e3a1eabe1621" version=v2.6.2
> ```
>
> The only solution that I found is to create a secret in the project and add
> this secret for the "Pull Secret" option of the project:
>
> ```
> # oc secrets new-dockercfg external-registry \
>     --docker-server=myregistry.example.com:5000 --docker-username=AAAAA \
>     --docker-password=BBBB [email protected]
>
> # oc secrets link default external-registry --for=pull
> ```
>
> Have you any idea how to share this "external-registry" secret for all
> projects? And use this default secret to pull images for all builds?
>
> I don't think I'm the only one to use an external registry. My registry uses
> "htpasswd" authentication. Is it the appropriate solution for OCP? Or another
> idea?
>
> Thanks,
> Best regards,
>
> ------------------------------
>
> End of users Digest, Vol 63, Issue 1
> ************************************
_______________________________________________
users mailing list
[email protected]
http://lists.openshift.redhat.com/openshiftmm/listinfo/users
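
Added example, not part of the original message or of OpenShift: one way to repeat the two `oc secrets` steps quoted above for every project, and also link the `builder` service account, which OpenShift 3.x builds use when pulling images. The function name `plan_pull_secret` and the `REGISTRY_USER`, `REGISTRY_PASSWORD` and `REGISTRY_EMAIL` variables are assumptions; the function only prints the commands so they can be reviewed first.

```shell
#!/bin/sh
# Added example (not from the original post). Reads project names on stdin,
# one per line, and prints the oc commands from the post for each of them.
# Hypothetical names: plan_pull_secret, REGISTRY_USER, REGISTRY_PASSWORD,
# REGISTRY_EMAIL.

SECRET_NAME="external-registry"          # secret name used in the post
REGISTRY="myregistry.example.com:5000"   # registry host used in the post

plan_pull_secret() {
    while IFS= read -r project; do
        # Accept "oc get projects -o name" output by dropping the type prefix.
        project=${project##*/}
        [ -n "$project" ] || continue
        # The plan is meant to be piped to sh, so refuse anything that is
        # not a plain lowercase DNS-label project name.
        case $project in
            *[!a-z0-9-]*|-*|*-)
                echo "skipping invalid project name: $project" >&2
                continue ;;
        esac
        # Credentials stay as unexpanded variable references, so the printed
        # plan never contains the registry password.
        printf '%s\n' \
            "oc secrets new-dockercfg $SECRET_NAME -n $project --docker-server=$REGISTRY --docker-username=\"\$REGISTRY_USER\" --docker-password=\"\$REGISTRY_PASSWORD\" --docker-email=\"\$REGISTRY_EMAIL\"" \
            "oc secrets link default $SECRET_NAME --for=pull -n $project" \
            "oc secrets link builder $SECRET_NAME -n $project"
    done
}

# Typical use, with the three REGISTRY_* variables exported beforehand:
#   oc get projects -o name | plan_pull_secret          # review the plan
#   oc get projects -o name | plan_pull_secret | sh     # apply it
```

Projects created after the run do not receive the secret, so the plan has to be applied again for them.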
