Task:
Deploy new application from a secured container image repository.
Steps:
1-2: Set up container repository secret authentication.
3-4: Configure image streams by tag.
5-6: Deploy applications (containers).
1. Create the pull secret.
- If a credential already exists in .dockercfg or config.json, then perform:
  a. If using an existing .dockercfg file already containing the credential:
  $ oc create secret generic <pull_secret_name> --from-file=.dockercfg=<path/to/.dockercfg> --type=kubernetes.io/dockercfg
  or
  b. If using a $HOME/.docker/config.json file already containing the credential:
  $ oc create secret generic <pull_secret_name> --from-file=.dockerconfigjson=<path/to/.docker/config.json> --type=kubernetes.io/dockerconfigjson
- If no credential already exists:
  a. Create it with oc create secret docker-registry:
  $ oc create secret docker-registry <pull_secret_name> \
      --docker-server=<registry_server> \
      --docker-username=<user_id> \
      --docker-password=<password> \
      --docker-email=<email>
  <success returns: secret/<pull_secret_name> created>
2. Add the secret to the service account used by the project's pods:
Notes:
- Ensure the name of the service account matches the name of the service account the pod uses.
- The command oc policy add-role-to-user grants a role within one project; oc adm policy add-cluster-role-to-user assigns the role cluster-wide across all projects.
a. For pulling images, link the secret to the service account:
$ oc secrets link <service_account> <pull_secret_name> --for=pull
b. For pulling and pushing build images, link the secret to the builder service account so it is mountable inside the build pod:
$ oc secrets link builder <pull_secret_name>
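The following shell snippet is an added example and is not part of the original notes or of the oc tooling. It builds the same .dockerconfigjson payload that oc create secret docker-registry stores (the "auth" field is only base64 of user:password, so the secret is fully reversible and has to be protected by project RBAC rather than treated as opaque), and checks a ServiceAccount manifest, such as the output of oc get sa <name> -o yaml, for the pull secret that oc secrets link --for=pull adds. The registry, user, password and manifest values are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the original notes): build the .dockerconfigjson
# payload a kubernetes.io/dockerconfigjson pull secret stores, and check a
# ServiceAccount manifest for a linked pull secret. All values are constructed.

# docker_config_json REGISTRY USER PASSWORD EMAIL
# Prints the JSON written into the secret's .dockerconfigjson key.
# Note that username and password appear in clear and "auth" is just
# base64("user:password"): anyone who can read the secret has the credential.
docker_config_json() {
    _auth=$(printf '%s:%s' "$2" "$3" | base64 | tr -d '\n')
    printf '{"auths":{"%s":{"username":"%s","password":"%s","email":"%s","auth":"%s"}}}\n' \
        "$1" "$2" "$3" "$4" "$_auth"
}

# auth_from_config JSON REGISTRY
# Extracts the "auth" value stored for REGISTRY (used here to show that the
# stored value decodes straight back to user:password).
auth_from_config() {
    printf '%s' "$1" | sed -n "s/.*\"$2\":{[^}]*\"auth\":\"\([^\"]*\)\".*/\1/p"
}

# Constructed sample: what `oc get sa default -o yaml` might return after
# `oc secrets link default private-registry-pull --for=pull`.
SA_MANIFEST='apiVersion: v1
kind: ServiceAccount
metadata:
  name: default
  namespace: myproject
secrets:
- name: default-token-abcde
imagePullSecrets:
- name: private-registry-pull'

# sa_has_pull_secret MANIFEST SECRET_NAME
# Returns 0 if SECRET_NAME is listed under the top-level imagePullSecrets key
# (the list --for=pull populates), 1 otherwise. A secret listed only under
# "secrets:" (mountable) does not count: pods would still fail to pull.
sa_has_pull_secret() {
    printf '%s\n' "$1" | awk -v want="$2" '
        /^imagePullSecrets:/ { in_pull = 1; next }
        /^[^ -]/             { in_pull = 0 }
        in_pull && $1 == "-" && $2 == "name:" && $3 == want { found = 1 }
        END { exit found ? 0 : 1 }'
}

# Stand-alone run: show the payload and the link check for the sample values.
docker_config_json registry.example.test:5000 deployer s3cr3t deployer@example.test
if sa_has_pull_secret "$SA_MANIFEST" private-registry-pull; then
    echo "private-registry-pull is linked for pull"
fi
```

Run the link check against a live project with oc get sa <service_account> -o yaml -n <project_name> piped into sa_has_pull_secret; a missing entry there is the usual cause of ImagePullBackOff after the secret itself was created correctly.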
3. Import tag and image metadata from the image repository:
Method A: Using oc import-image --from:
- syntax: $ oc import-image <image_stream_name>[:<tag>] --from=<registry_server>/<namespace_or_user_id>/<image_name>[:<tag>] --confirm
<success returns: The import completed successfully.>
Note:
- Instead of adding a tag, e.g. :latest, you can add the flag --all to import all tags for the image.
Method B: Using a spec.dockerImageRepository YAML file:
$ vi ./dockerimagerepo.yaml
apiVersion: "v1"
kind: "ImageStream"
metadata:
  name: "<image_stream_name>"
spec:
  dockerImageRepository: "<repo_domain_name>/<namespace_or_user_id>/<image_name>"
<esc>:wq (to save)
$ oc create -f ./dockerimagerepo.yaml
Method C: Using an openshift.io/image.insecureRepository YAML file for self-signed-certificate or plain HTTP registries:
Notes & Requirements:
- Using image.insecureRepository: "true" is considered "dangerous" (it skips TLS certificate verification for every tag in the stream); if only a few images need it, make the exception per tag via istag instead.
- This import only handles the tag(s) and image metadata.
- To use with docker pull:
  - Configure each node's docker with the --insecure-registry flag if using insecureRepository: "true"; otherwise,
  - Configure each istag specification with referencePolicy.type: Local
Example with insecure registry/repo:
$ vi ./dockerimagerepoinsecure.yaml
kind: ImageStream
apiVersion: v1
metadata:
  name: <image_name>
  annotations:
    openshift.io/image.insecureRepository: "true"
spec:
  dockerImageRepository: <internalrepo.mindwatering.com>:<custom_port_number>/<image_name>
<esc>:wq (to save)
$ oc create -f ./dockerimagerepoinsecure.yaml
Example with istag:
$ vi ./dockerinsecuretag.yaml
kind: ImageStream
apiVersion: v1
metadata:
  name: <image_name>
spec:
  tags:
  - name: <image_tag>
    from:
      kind: DockerImage
      name: <internalrepo.mindwatering.com>:<custom_port_number>/<image_name>
    importPolicy:
      insecure: true
    referencePolicy:
      type: Local
<esc>:wq (to save)
$ oc create -f ./dockerinsecuretag.yaml
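The shell snippet below is an added example, not part of the original notes or of OpenShift, that applies the distinction above as a preflight check before oc create -f: an ImageStream manifest that sets openshift.io/image.insecureRepository: "true" turns verification off for the whole stream and is refused, while per-tag importPolicy.insecure: true exceptions are allowed with a warning that reports how many tags carry them. The three manifests are constructed samples; the registry names in them are placeholders.

```shell
#!/bin/sh
# Added example (not from the original notes): classify an ImageStream manifest
# by how much registry TLS verification it disables, and gate it accordingly.
# The manifests below are constructed samples for the three cases.

# imagestream_tls_posture MANIFEST
# Prints one of:
#   insecure-stream  openshift.io/image.insecureRepository: "true" (every tag)
#   insecure-tag     only individual spec.tags[].importPolicy.insecure: true
#   secure           neither
imagestream_tls_posture() {
    if printf '%s\n' "$1" | grep -Eq '^[[:space:]]*openshift\.io/image\.insecureRepository:[[:space:]]*"?true"?[[:space:]]*$'; then
        echo insecure-stream
    elif printf '%s\n' "$1" | grep -Eq '^[[:space:]]*insecure:[[:space:]]*true[[:space:]]*$'; then
        echo insecure-tag
    else
        echo secure
    fi
}

# insecure_tag_count MANIFEST
# Counts tags carrying importPolicy.insecure: true (grep -c prints 0 and
# exits 1 when there are none, hence the || true).
insecure_tag_count() {
    printf '%s\n' "$1" | grep -Ec '^[[:space:]]*insecure:[[:space:]]*true[[:space:]]*$' || true
}

# imagestream_preflight MANIFEST
# Returns 0 when the manifest may be applied (secure, or per-tag exceptions
# only), 1 when it disables verification for the whole stream.
imagestream_preflight() {
    case "$(imagestream_tls_posture "$1")" in
        insecure-stream)
            echo "refuse: whole-stream insecureRepository; scope the exception per tag" >&2
            return 1 ;;
        insecure-tag)
            echo "warn: $(insecure_tag_count "$1") tag(s) skip TLS verification" >&2
            return 0 ;;
        *)  return 0 ;;
    esac
}

# Constructed sample manifests.
IS_INSECURE_STREAM='kind: ImageStream
apiVersion: v1
metadata:
  name: sample-app
  annotations:
    openshift.io/image.insecureRepository: "true"
spec:
  dockerImageRepository: internalrepo.example.test:5000/sample-app'

IS_INSECURE_TAG='kind: ImageStream
apiVersion: v1
metadata:
  name: sample-app
spec:
  tags:
  - name: v1
    from:
      kind: DockerImage
      name: internalrepo.example.test:5000/sample-app
    importPolicy:
      insecure: true
    referencePolicy:
      type: Local
  - name: v2
    from:
      kind: DockerImage
      name: internalrepo.example.test:5000/sample-app
    importPolicy:
      insecure: true
    referencePolicy:
      type: Local'

IS_SECURE='kind: ImageStream
apiVersion: v1
metadata:
  name: sample-app
spec:
  dockerImageRepository: registry.example.test/team/sample-app'

# Stand-alone run: report the posture of each sample.
for m in "$IS_INSECURE_STREAM" "$IS_INSECURE_TAG" "$IS_SECURE"; do
    echo "posture: $(imagestream_tls_posture "$m")"
done
```

To gate a real file, call imagestream_preflight "$(cat ./dockerinsecuretag.yaml)" && oc create -f ./dockerinsecuretag.yaml; the check is line-based, so it works on the hand-written manifests above but is not a YAML parser.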
4. Import the tags from the new source repository:
$ oc tag <source_project>/<image_stream_name>:<tag> <new_image_stream>:<new_tag>
5. Deploy (rollout) a new deployment based on the new image stream:
- Confirm the image stream:
$ oc get imagestream <image_stream_name> --namespace <project_name>
<view output and tags>
- Create new-app deployment:
$ oc new-app --image-stream <image_stream_name> -n <project_name>
We can also create via the Web Console:
- OpenShift Web Console --> login --> Projects --> select <project_name> --> Deployments --> New Deployment
- Deploy image from an image stream tag: checked (enabled)
- Under Image Stream (heading), select <image_stream_name>
- Under Tag (heading), select <image_version>
Note:
- In some cases (e.g. python), we may not want latest, but instead want a specific tagged version.
- Syntax:
$ oc new-app --image-stream <image_stream_name>:<version_num_and_platform> --namespace <project_name>
6. Verify the deployment created:
$ oc get deployments -n <project_name>
<view pods, confirm ready and available>
---
OC New App Options:
| Option | Description |
|---|---|
| --image-stream, -i | The image stream to be used to deploy a container image |
| --strategy | Manually specifies the containerization strategy, such as docker or source |
| --code | The URL to a Git repository to be used as input for an S2I build |
| --image | The URL to a container image to be deployed |
| --dry-run | Set to true to show the result of the operation without performing it |
| --context-dir | The path to a directory inside the Git repository to be treated as the application root |
Pod spec.imagePullSecrets Property to Consume Secret:
apiVersion: v1
kind: Pod
metadata:
  name: example-pod
spec:
  containers:
  - name: <container_name>
    image: <registry_server>/<namespace_or_user_id>/<image_name>:<tag>
  imagePullSecrets:
  - name: <pull_secret_name>
Deployment spec.imagePullSecrets Property to Consume Secret:
apiVersion: apps/v1
kind: Deployment
metadata:
  name: <deployment_name>
spec:
  replicas: 2
  selector:
    matchLabels:
      app: <app_label>
  template:
    metadata:
      labels:
        app: <app_label>
    spec:
      containers:
      - name: <container_name>
        image: <registry_server>/<namespace_or_user_id>/<image_name>:<tag>
      imagePullSecrets:
      - name: <pull_secret_name>
Linking Registry Credential to Service Account:
- To avoid setting imagePullSecrets in every deployment's pod spec, attach the secret to a ServiceAccount in the namespace instead.
- A ServiceAccount's imagePullSecrets are only applied to pods at creation time; pods that already exist are not updated.
- Link to the ServiceAccount named default to apply the secret to all pods created in a specific namespace.
- Link with:
$ oc secrets link --for=pull <service-account-name> <secret-name> -n <namespace>
Adds to the ServiceAccount:
apiVersion: v1
kind: ServiceAccount
metadata:
  name: <service-account-name>
  namespace: <namespace>
imagePullSecrets:
- name: <secret-name>