Alauda DevOps Connectors Docs
  • 简体中文

    • OCI ConnectorClass

    OCI ConnectorClass 是用于定义 OCI Connector 的连接器类。它允许用户在集群内轻松访问 OCI Registry(OCI 镜像仓库)。

    目录

    访问要求

    要访问的 OCI Registry 必须满足以下条件:

    1. 接口实现要求:

    2. 认证方式要求:

    快速开始

    apiVersion: connectors.alauda.io/v1alpha1
kind: Connector
metadata:
  name: dockerhub
spec:
  connectorClassName: oci
  address: https://index.docker.io
  auth:
    name: tokenAuth
    params:
    - name: repository
      value: library/ubuntu
    secretRef:
      name: dockerhub
---
apiVersion: v1
stringData:
  password: your-token
  username: your-username
kind: Secret
metadata:
  name: dockerhub
type: cpaas.io/distribution-registry-token

    Connector 参数约束

    spec.connectorClassName

    必须使用常量值 oci

    spec.address

    指定 OCI Registry 的访问地址,例如:http://harbor.example.com

    spec.auth.name

    OCI Connector 支持的认证类型:

    • tokenAuth:基于 Token 的认证(可选)

    示例:

    apiVersion: connectors.alauda.io/v1alpha1
kind: Connector
metadata:
  name: connector-oci
spec:
  connectorClassName: oci
  address: http://<registry.url>
  # . . .
  auth:
    name: tokenAuth
    secretRef:
      name: oci-secret
---
apiVersion: v1
data:
  password: YWRtaW4=
  username: YWRtaW4=
kind: Secret
metadata:
  name: oci-secret
type: cpaas.io/distribution-registry-token

    如果目标 OCI Registry 不需要认证,则可以省略认证信息。配置示例如下:

    apiVersion: connectors.alauda.io/v1alpha1
kind: Connector
metadata:
  name: connector-oci
spec:
  connectorClassName: oci
  address: http://<registry.url>
  auth:
    name: tokenAuth

    spec.auth.params[]

    健康检查配置:

    repository:指定用于健康检查的镜像仓库,例如:library/ubuntu

    apiVersion: connectors.alauda.io/v1alpha1
kind: Connector
metadata:
  name: connector-oci
spec:
  connectorClassName: oci
  address: http://<registry.url>
  auth:
    name: tokenAuth
    params:
    - name: repository
      value: library/ubuntu
    secretRef:
      name: oci-secret
---
apiVersion: v1
data:
  password: YWRtaW4=
  username: YWRtaW4=
kind: Secret
metadata:
  name: oci-secret
type: cpaas.io/distribution-registry-token

    功能说明

    健康检查

    创建 Connector 后,系统将执行以下操作:

    1. 使用 spec.auth.params[name=repository] 指定的镜像仓库进行健康检查。
    2. 将检查结果存储在 status.conditions[type=AuthReady] 字段中。

    配置信息

    OCI ConnectorClass 提供以下配置:

    • docker-config:Docker 配置信息。
      • 提供 config.json 配置文件。
      • 包含访问代理所需的认证信息。

    示例:

    // config.json

{
  "auths": {
      "<proxy address of the connector>": {
          "auth": "<authentication information required to access the connector>"
      }
  }
}
    • dockerd:Docker Daemon 的配置信息。会提供一个 daemon.json 配置文件,默认情况下,Docker daemon 配置会将当前连接器设置为 insecure-registries

    示例:

    {
  "insecure-registries": [
    "<proxy address of the connector>"
  ]
}
    • buildkitd:BuildKit Daemon 的配置信息。会提供一个 buildkitd.toml 配置文件,默认情况下,BuildKit daemon 配置会将当前连接器设置为 insecure-registries

    示例:

    insecure-entitlements = [ "network.host", "security.insecure" ]
[registry."<proxy address of the connector>"]
  http = true

    您可以通过 connectors-csi 将该配置信息挂载到 Pod 中,实现无密钥(Secretless)镜像推送或拉取。

    代理信息

    创建 Connector 后,系统将:

    1. 自动创建用于代理的 Service。
    2. status.proxy.httpAddress 字段记录代理地址。

    您可以使用该代理地址进行镜像的推送和拉取操作。

    示例:

    apiVersion: connectors.alauda.io/v1alpha1
kind: Connector
metadata:
  name: harbor
  namespace: default
spec:
  address: https://build.example.com
  auth:
    name: tokenAuth
    secretRef:
      name: harbor
  connectorClassName: oci
status:
  conditions:
  # . . .
  proxy:
    httpAddress:
      url: http://c-harbor.default.svc.cluster.local

    更多