kubectl从gitlab提取图像未经授权: HTTP Basic:访问被拒绝

Question

我正在尝试配置gitlab ci，以便将应用程序部署到google计算引擎。我成功地将映像推送到gitlab存储库，但是在应用kubernetes部署配置之后，我看到kubectl中的以下错误描述荚：

Failed to pull image "registry.gitlab.com/proj/subproj/api:v1": rpc error: code = 2 
desc = Error response from daemon: {"message":"Get https://registry.gitlab.com/v2/proj/subproj/api/manifests/v1: unauthorized: HTTP Basic: Access denied"}

这是我的部署gitlab-ci的工作：

docker:
  stage: docker_images
  image: docker:latest
  services:
    - docker:dind
  script:
    - docker login -u "$CI_REGISTRY_USER" -p "$CI_REGISTRY_PASSWORD" $CI_REGISTRY
    - docker build -t registry.gitlab.com/proj/subproj/api:v1 -f Dockerfile .
    - docker push registry.gitlab.com/proj/subproj/api:v1
  only:
    - master
  dependencies:
  - build_java

k8s-deploy:
  image: google/cloud-sdk
  stage: deploy
  script:
    - echo "$GOOGLE_KEY" > key.json # Google Cloud service account key
    - gcloud auth activate-service-account --key-file key.json
    - gcloud config set compute/zone us-central1-c
    - gcloud config set project proj
    - gcloud config set container/use_client_certificate True
    - gcloud container clusters get-credentials proj-cluster
    - kubectl delete secret registry.gitlab.com  --ignore-not-found
    - kubectl create secret docker-registry registry.gitlab.com --docker-server=https://registry.gitlab.com/v1/ --docker-username="$CI_REGISTRY_USER" --docker-password="$CI_REGISTRY_PASSWORD" --docker-email=some@gmail.com
    - kubectl apply -f  cloud-kubernetes.yml

下面是云-kubernetes.yml：

apiVersion: v1
kind: Service
metadata:
  annotations:
    service.alpha.kubernetes.io/tolerate-unready-endpoints: "true"
  name: proj
  labels:
    app: proj
spec:
  type: LoadBalancer 
  ports:
  - port: 8082
    name: proj
    targetPort: 8082
    nodePort: 32756
  selector:
    app: proj
---    
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: projdeployment
spec:
  replicas: 1
  template:
    metadata:
      labels:
        app: proj
    spec:
      containers:
      - name: projcontainer
        image: registry.gitlab.com/proj/subproj/api:v1
        imagePullPolicy: Always
        env:
          - name: SPRING_PROFILES_ACTIVE
            value: "cloud"
        ports:
        - containerPort: 8082
      imagePullSecrets:
        - name: registry.gitlab.com

我跟踪了这篇文章

Answer 1

解决办法是，图像可以被推送到google容器注册中心，然后在没有安全性的情况下从gcr中提取出来。我们可以使用json令牌文件将图像推送到gcr，而不需要gcloud cli。因此，.gitlab-ci.yaml看起来可能是：

docker:
  stage: docker_images
  image: docker:latest
  services:
    - docker:dind
  script:
    - docker login -u "$CI_REGISTRY_USER" -p "$CI_REGISTRY_PASSWORD" $CI_REGISTRY
    - docker build -t registry.gitlab.com/proj/subproj/api:v1 -f Dockerfile .
    - docker push registry.gitlab.com/proj/subproj/api:v1
    - docker tag registry.gitlab.com/proj/subproj/api:v1 gcr.io/proj/api:v1
    - docker login -u _json_key -p "$GOOGLE_KEY" https://gcr.io
    - docker push gcr.io/proj/api:v1
  only:
    - master
  dependencies:
  - build_java

k8s-deploy:
  image: google/cloud-sdk
  stage: deploy
  script:
    - echo "$GOOGLE_KEY" > key.json # Google Cloud service account key
    - gcloud auth activate-service-account --key-file key.json
    - gcloud config set compute/zone us-central1-c
    - gcloud config set project proj
    - gcloud config set container/use_client_certificate True
    - gcloud container clusters get-credentials proj-cluster
    - kubectl apply -f cloud-kubernetes.yml

云-kubernet.yaml应该是：

gcr.io/proj/api:v1

Answer 2

您必须使用--docker-server=CI_REGISTRY。就像你起诉docker login -u "$CI_REGISTRY_USER" -p "$CI_REGISTRY_PASSWORD" $CI_REGISTRY一样。

还请注意，您的停靠库机密必须在与Deployment/ReplicaSet/DaemonSet/StatefullSet/Job.相同的命名空间中。