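Quick Start

This document helps you quickly understand how to create an NPM connector that connects to an NPM registry and performs download and publish operations securely, without handling credentials directly.

We will create an NPM connector and use it to run npm install and npm publish, without handling credentials directly on the client.

Estimated reading time

15 minutes

Prerequisites

  • A Kubernetes cluster with the Connectors system installed (the Operator, ConnectorsCore and ConnectorsNPM components). For details on installing these components, see the installation guide.
  • The NPM registry address and credentials
  • Basic knowledge of Kubernetes and NPM
  • The NPM registry should support publishing and downloading packages.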

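Process overview

Step   Operation                                          Description
1      Create Namespace                                   Set up a dedicated namespace for the demo
2      Configure NPM Registry credentials and Connector   Create the authentication Secret and the NPM connector resource
3      Create an NPM Job that runs npm install            Create a Job that runs npm install through the connector
4      Create an NPM Job that runs npm publish            Create a Job that runs npm publish through the connector

Procedure

Step 1: Create the Namespace

Create a dedicated namespace for this demo: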

kubectl create ns connectors-npm-demo

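Step 2: Create the NPM Registry Credentials and Connector

Create the Secret containing the NPM registry credentials and the NPM connector resource. Your NPM registry should be a repository.

For details on creating and configuring a connector, see the Connectors Quick Start guide.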

cat <<EOF | kubectl apply -n connectors-npm-demo -f -
kind: Secret
apiVersion: v1
metadata:
  name: npm-registry-secret
type: kubernetes.io/basic-auth
stringData:
  username: your-registry-username # Replace with your NPM registry username
  password: your-registry-password # Replace with your NPM registry password
---
apiVersion: connectors.alauda.io/v1alpha1
kind: Connector
metadata:
  name: npm-connector
spec:
  connectorClassName: npm
  address: https://nexus.example.com/repository/npm # Replace with your NPM repository address; packages will be deployed to this repository.
  auth:
    name: basicAuth
    secretRef:
      name: npm-registry-secret
EOF

Confirm that the connector status is "Ready":

kubectl get connector npm-connector -n connectors-npm-demo

The output should show:

NAME            CLASS   ADDRESS                                    READY   REASON   AGE
npm-connector   npm     https://nexus.example.com/repository/npm   True             10s

Step 3: Create a Job That Runs npm install

Create a Job that uses the connector to perform NPM operations:

cat <<'EOF' | kubectl apply -n connectors-npm-demo -f -
apiVersion: batch/v1
kind: Job
metadata:
  name: npm-install
spec:
  backoffLimit: 0
  template:
    spec:
      restartPolicy: Never
      containers:
      - name: npm-demo
        image: node:latest
        imagePullPolicy: IfNotPresent
        command:
        - "sh"
        - "-c"
        - |
          set -ex
          git clone --depth 1 https://github.com/kycheng/demo-npm-publish-slack-notifier.git npmdemo
          cd npmdemo
          npm install --verbose
        volumeMounts:
        - name: npmrc
          mountPath: /root/.npmrc
          subPath: .npmrc
      volumes:
      - name: npmrc
        csi:
          readOnly: true
          driver: connectors-csi
          volumeAttributes:
            connector.name: "npm-connector"
            configuration.names: "npmrc"
EOF

The output should show:

+ npm install --verbose
npm verbose cli /usr/local/bin/node /usr/local/bin/npm
npm info using npm@11.6.2
npm info using node@v22.21.0
npm verbose title npm install
...
npm http fetch GET 200 https://nexus.example.com/repository/npm/@slack/webhook/-/webhook-5.0.3.tgz 14142ms (cache miss)
npm http fetch GET 200 https://nexus.example.com/repository/npm/@types/node/-/node-14.14.2.tgz 14682ms (cache miss)
npm info run dtrace-provider@0.8.8 install node_modules/dtrace-provider node-gyp rebuild || node suppress-error.js
npm info run dtrace-provider@0.8.8 install { code: 0, signal: null }

added 87 packages in 1m
npm verbose cwd /npmdemo/standalone/npmdemo
npm verbose os Linux 3.10.0-1160.el7.x86_64
npm verbose node v22.21.0
npm verbose npm  v11.6.2
npm verbose exit 0
npm info ok

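Key settings:

volumes[].volumeAttributes

  • connector.name: the name of your npm connector
  • configuration.names: set to "npmrc", which references a specific configuration template defined in the npm connectorClass. The template is used to generate the "npmrc" file with the appropriate authentication settings.

Step 4: Create an NPM Job That Runs npm publish

Create a Job that uses the connector to perform NPM operations: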

cat <<'EOF' | kubectl apply -n connectors-npm-demo -f -
apiVersion: batch/v1
kind: Job
metadata:
  name: npm-publish
spec:
  backoffLimit: 0
  template:
    spec:
      restartPolicy: Never
      containers:
      - name: npm-publish
        image: node:latest
        imagePullPolicy: IfNotPresent
        command:
        - "sh"
        - "-c"
        - |
          set -ex
          git clone --depth 1 https://github.com/kycheng/demo-npm-publish-slack-notifier.git npmdemo
          cd npmdemo
          npm publish --verbose
        volumeMounts:
        - name: npmrc
          mountPath: /root/.npmrc
          subPath: .npmrc
      volumes:
      - name: npmrc
        csi:
          readOnly: true
          driver: connectors-csi
          volumeAttributes:
            connector.name: "npm-connector"
            configuration.names: "npmrc"
EOF

The output should show:

+ npm publish --verbose
npm verbose cli /usr/local/bin/node /usr/local/bin/npm
npm info using npm@10.9.4
npm info using node@v22.21.0
npm verbose title npm publish
...
npm notice
npm notice Publishing to https://nexus.example.com/repository/npm with tag latest and default access
npm http fetch PUT 200 https://nexus.example.com/repository/npm/npm-slack-notifier 659ms
+ npm-slack-notifier@0.1.0
npm verbose cwd /npmdemo
npm verbose os Linux 3.10.0-1160.el7.x86_64
npm verbose node v22.21.0
npm verbose npm  v10.9.4
npm verbose exit 0
npm info ok

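How It Works

The NPM connector works as follows:

  1. It creates a proxy service that sits between your NPM client and the target NPM registry
  2. It injects authentication information as requests pass through the proxy
  3. It provides a .npmrc file that the client uses to perform NPM operations through the proxy

To demonstrate this mechanism, let's look at the generated .npmrc file: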

cat <<EOF | kubectl apply -n connectors-npm-demo -f -
apiVersion: v1
kind: Pod
metadata:
  name: inspect-npm-deploy
spec:
  restartPolicy: Never
  containers:
  - name: npm-demo
    image: node:lts-bookworm # Replace with an image that contains node
    command: ["sleep", "3600"]
    volumeMounts:
    - name: npmrc
      mountPath: /root/.npmrc
      subPath: .npmrc
    - name: yarnrc
      mountPath: /root/.yarnrc.yml
      subPath: .yarnrc.yml
    - name: yarnrc
      mountPath: /root/ca.cert
      subPath: ca.cert
  volumes:
    - name: npmrc
      csi:
        readOnly: true
        driver: connectors-csi
        volumeAttributes:
          connector.name: "npm-connector"
          configuration.names: "npmrc"
    - name: yarnrc
      csi:
        readOnly: true
        driver: connectors-csi
        volumeAttributes:
          connector.name: "npm-connector"
          configuration.names: "yarnrc"
EOF

List the generated files at /root/.npmrc and /root/.yarnrc.yml:

$ kubectl exec -it inspect-npm-deploy -n connectors-npm-demo -- ls -l /root/.npmrc /root/.yarnrc.yml /root/ca.cert
-r--r--r-- 1 root root 1276 Oct  6 04:07 /root/.npmrc
-r--r--r-- 1 root root 1276 Oct  6 04:07 /root/.yarnrc.yml
-r--r--r-- 1 root root 1276 Oct  6 04:07 /root/ca.cert

View the contents of the generated .npmrc and .yarnrc.yml files:

$ kubectl exec -it inspect-npm-deploy -n connectors-npm-demo -- cat /root/.npmrc
# NPM Registry Configuration
registry=https://nexus.example.com/repository/npm

# Configure authentication for private registry access
//nexus.example.com/repository/npm/:_auth=fAd326jYkI123456789xxx

# Set the connector proxy URL for npm registry access
https-proxy=http://connectors-npm-demo%2Fnpm-connector:fAd326jYkI123456789xxx@c-npm-connector.connectors-npm-demo.svc.cluster.local/
proxy=http://connectors-npm-demo%2Fnpm-connector:fAd326jYkI123456789xxx@c-npm-connector.connectors-npm-demo.svc.cluster.local/

# Disable strict SSL verification for internal registries
strict-ssl=false

# Disable npm audit to avoid security warnings during CI/CD
audit=false

# Disable funding messages to reduce output noise
fund=false

$ kubectl exec -it inspect-npm-deploy -n connectors-npm-demo -- cat /root/.yarnrc.yml
# Set the NPM registry server URL for package resolution
npmRegistryServer: "https://nexus.example.com/repository/npm"

# Authentication token for registry access
# This token is automatically generated by the connector
npmAuthIdent: "fAd326jYkI123456789xxx"

# Set the connector proxy URL for npm registry access
httpsProxy: http://connectors-npm-demo%2Fnpm-connector:fAd326jYkI123456789xxx@c-npm-connector.connectors-npm-demo.svc.cluster.local/
httpProxy: http://connectors-npm-demo%2Fnpm-connector:fAd326jYkI123456789xxx@c-npm-connector.connectors-npm-demo.svc.cluster.local/

# Always authenticate to the registry
# This is required for the connector to work correctly, if the npmAlwaysAuth is not set to true, the metadata request will not be authenticated.
npmAlwaysAuth: true

unsafeHttpWhitelist:
- nexus.example.com

# Disable strict SSL verification for internal registries
enableStrictSsl: false

# Set the registry URL for package publishing
# Ensures packages are published to the correct registry
npmPublishRegistry: "https://nexus.example.com/repository/npm"

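Authentication Flow

The inspect-npm-deploy Pod does not contain any of the original cluster tokens. When npm makes HTTPS requests to the npm registry, the proxy server intercepts them, injects the authentication credentials from npm-connector, and forwards the authenticated requests to the backend npm registry server.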
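
One way to check this against a mounted file, as an added example that is not part of the Connectors project: the script confirms that the upstream registry credential from the Secret is absent from the generated .npmrc, that both proxy settings point at the connector's in-cluster service, and reports strict-ssl=false. The function names, the proxy host pattern c-<connector>.<namespace>.svc.cluster.local and the expectation that _auth equals the proxy token are assumptions taken from the sample file shown on this page.

```shell
#!/bin/sh
# Added example, not Connectors project code. Assumes (from the sample above):
# proxy user "<namespace>%2F<connector>", proxy host
# "c-<connector>.<namespace>.svc.cluster.local", _auth equal to the proxy token.

# audit_npmrc FILE NAMESPACE CONNECTOR UPSTREAM_USER UPSTREAM_PASS
# Prints one finding per line; returns non-zero if any finding is FAIL.
audit_npmrc() {
  f=$1 ns=$2 conn=$3 user=$4 pass=$5 rc=0
  # A hand-written .npmrc would carry base64("user:password") in _auth.
  direct=$(printf '%s:%s' "$user" "$pass" | base64 | tr -d '\n')
  for needle in "$pass" "$direct"; do
    if grep -qF -- "$needle" "$f"; then
      echo "FAIL upstream credential present in $f"; rc=1
    fi
  done
  # Both proxy settings must point at the connector's in-cluster service.
  want="http://$ns%2F$conn:" host="@c-$conn.$ns.svc.cluster.local/"
  for key in proxy https-proxy; do
    url=$(sed -n "s|^$key=||p" "$f" | head -n 1)
    case $url in
      "$want"*"$host") echo "OK $key targets the connector proxy" ;;
      *) echo "FAIL $key is not the connector proxy (${url%%:*}://...)"; rc=1 ;;
    esac
  done
  # _auth should hold the connector token, i.e. the proxy password.
  token=${url#"$want"}; token=${token%"$host"}
  auth=$(sed -n 's|^//.*:_auth=||p' "$f" | head -n 1)
  if [ -z "$auth" ] || [ "$auth" != "$token" ]; then
    echo "FAIL _auth is not the connector token"; rc=1
  fi
  # Surface the disabled TLS verification so it is a reviewed decision.
  if grep -q '^strict-ssl=false' "$f"; then
    echo "WARN strict-ssl=false: registry certificate is not verified"
  fi
  return "$rc"
}

# Constructed sample mirroring the generated file shown above.
write_sample() {
  p='http://connectors-npm-demo%2Fnpm-connector:fAd326jYkI123456789xxx@c-npm-connector.connectors-npm-demo.svc.cluster.local/'
  printf '%s\n' 'registry=https://nexus.example.com/repository/npm' \
    '//nexus.example.com/repository/npm/:_auth=fAd326jYkI123456789xxx' \
    "https-proxy=$p" "proxy=$p" 'strict-ssl=false' > "$1"
}

sample=$(mktemp) && write_sample "$sample"
audit_npmrc "$sample" connectors-npm-demo npm-connector \
  your-registry-username your-registry-password
```

To audit a real Pod, copy /root/.npmrc out with kubectl exec and pass the namespace, connector name and the upstream credential stored in npm-registry-secret.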

Setting Up the Volumes

The .npmrc and .yarnrc files are mounted into the Pod through the Connectors CSI Driver.

  volumes:
  - name: npmrc
    csi:
      readOnly: true
      driver: connectors-csi
      volumeAttributes:
        connector.name: "npm-connector"
        configuration.names: "npmrc"
  - name: yarnrc
    csi:
      readOnly: true
      driver: connectors-csi
      volumeAttributes:
        connector.name: "npm-connector"
        configuration.names: "yarnrc"

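In the example above, the .npmrc and .yarnrc files are mounted into the Pod through the Connectors CSI Driver.

  • The .npmrc and .yarnrc files use the connector proxy as the NPM registry. When an NPM/Yarn client requests that address, the proxy forwards the request to the backend npm registry and injects the authentication information as the request passes through the proxy.

For details on the volumes parameters, see "Mounting .npmrc and .yarnrc files with the Connectors CSI Driver" in the NPM Connector concepts documentation.

Further Reading

After successfully using the npm connector to perform npm install and npm publish operations, you can:

References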