Dom

Reputation: 1

Using Tokens from an Azure Container Registry as pull-secrets in Redhat Openshift

I don't seem to be able to generate a usable secret with Tokens in ACR. The method outlined here: https://learn.microsoft.com/en-us/azure/openshift/howto-use-acr-with-aro only mentions the Access keys, which doesn't allow me to scope permissions to just pull like the tokens allow.

When using this method to generate a secret with the token anyway, I get "unable to retrieve auth token: invalid username/password: unauthorized: authentication required, visit https://aka.ms/acr/authorization for more information" with an ImagePullBackOff.

Looking at the Microsoft article on access control for ACR, I see it mentions an authorized identity. Do I need to set up some sort of service principal in order for tokens to work? https://learn.microsoft.com/en-us/azure/container-registry/container-registry-roles?tabs=azure-cli

Pull image

The ability to docker pull a non-quarantined image, or pull another supported artifact such as a Helm chart, from a registry. Requires authentication with the registry using the authorized identity.

Does anyone know of any resources that outline this process?

Tried with (simplified):

echo '{"auths":{"registryname.azurecr.io":{"auth":"XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX="}}}' | base64

copied to

apiVersion: v1
data:
  .dockerconfigjson: xxxxxxxxxxxxxxxxxx
kind: Secret
metadata:
  name: scoped-acr-secret
type: kubernetes.io/dockerconfigjson

I thought maybe it needed more details, so I tried:

oc create secret docker-registry \
    --docker-server=registryname.azurecr.io \
    --docker-username=<registryname> \
    --docker-password=******** \
    --docker-email=unused \
    scoped-acr-secret

to no avail.

Upvotes: 0

Views: 215

Answers (1)

Arko

Reputation: 3721

To use ACR tokens as pull secrets in OpenShift, the process is slightly different from using access keys or service principals.

You need to create a scope map that defines the permissions, let's say pull only:

az acr scope-map create --registry <ACR NAME> --name <SCOPE NAME> --repository <REPO NAME> content/read


Now, create a token that uses the scope map created above:

az acr token create --name <TOKEN NAME> --registry <ACR NAME> --scope-map <SCOPE NAME>


Retrieve the username and password associated with the token:

az acr token credential generate --name <TOKEN_NAME> --registry <ACR_NAME>


Done. The token has been created and its credentials generated. Now, to use this token as a pull secret in OpenShift, use the username (which is pull-only-token) and one of the password values (let's use password1) to create the pull secret. You can follow the rest from the document you shared:

oc create secret docker-registry scoped-acr-secret \
    --docker-server=arkoregistry.azurecr.io \
    --docker-username=pull-only-token \
    --docker-password="fUdzMu9x2GDK/DhZAIKNsazZmi5x9uO7JLrIktADJB+ACRBiaXnW" \
    [email protected]

Link the secret to the default service account:

oc secrets link default scoped-acr-secret --for=pull

Upvotes: 0
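The following is an added example, not code from the question or the answer above. It picks up after `az acr token credential generate` and builds the `kubernetes.io/dockerconfigjson` Secret by hand, so the layout that `oc create secret docker-registry` produces is visible: the `auth` field must be base64 of `<token name>:<password>`, and the whole JSON document is then base64-encoded again into `.dockerconfigjson`. An `auth` value that is not the base64 of `token-name:password` (the password alone, or a registry access key) is rejected by ACR with the "unauthorized: authentication required" error seen in the question. The registry host, token name and password are constructed placeholders, and the `acr_*` function names are this example's own; applying to the cluster only happens when `ACR_APPLY=1` is set and `oc` is installed.

```shell
#!/bin/sh
# Added example, not from the original answer: build (and optionally apply)
# an OpenShift pull secret for an ACR token without `oc create secret
# docker-registry`, so the exact .dockerconfigjson layout is visible.
# Registry host, token name and password below are constructed placeholders.
set -eu

# base64 without line wrapping, portable across GNU and BSD base64 (no -w0).
b64() { base64 | tr -d '\n'; }

# The "auth" value in .dockerconfigjson is base64("<username>:<password>").
# For an ACR token the username is the token name (e.g. pull-only-token) and
# the password is password1 or password2 from `az acr token credential generate`.
# base64 of the password alone, or of the registry access key, will not work.
acr_auth() {
  # $1 = token name (username), $2 = token password
  printf '%s:%s' "$1" "$2" | b64
}

# The dockerconfigjson document for a single registry host.
# Assumes the password contains no '"' or '\' (ACR token passwords are
# base64-like: letters, digits, '/', '+', '='), so no JSON escaping is needed.
acr_dockerconfig() {
  # $1 = registry host (e.g. registryname.azurecr.io), $2 = username, $3 = password
  printf '{"auths":{"%s":{"username":"%s","password":"%s","auth":"%s"}}}' \
    "$1" "$2" "$3" "$(acr_auth "$2" "$3")"
}

# Pull the "auth" field back out of a dockerconfigjson and decode it, so a
# secret can be checked before it is applied. Prints "<username>:<password>".
acr_decode_auth() {
  # $1 = dockerconfigjson text
  printf '%s' "$1" | sed 's/.*"auth":"\([^"]*\)".*/\1/' | base64 -d
}

# A kubernetes.io/dockerconfigjson Secret manifest. The data value is the
# base64 of the whole JSON document, which is what `oc create secret
# docker-registry` produces under the hood.
acr_pull_secret_manifest() {
  # $1 = secret name, $2 = registry host, $3 = username, $4 = password
  cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: $1
type: kubernetes.io/dockerconfigjson
data:
  .dockerconfigjson: $(acr_dockerconfig "$2" "$3" "$4" | b64)
EOF
}

# Apply the manifest and link it to the default service account for pulls.
# Only invoked below when oc is installed and ACR_APPLY=1 is set.
acr_apply_pull_secret() {
  # $1 = secret name, $2 = registry host, $3 = username, $4 = password
  acr_pull_secret_manifest "$1" "$2" "$3" "$4" | oc apply -f -
  oc secrets link default "$1" --for=pull
}

# Constructed demo values (placeholders, not real credentials).
REGISTRY=registryname.azurecr.io
TOKEN_NAME=pull-only-token
TOKEN_PASSWORD='ExamplePassword1/constructed+ABC='

cfg=$(acr_dockerconfig "$REGISTRY" "$TOKEN_NAME" "$TOKEN_PASSWORD")
echo "decoded auth: $(acr_decode_auth "$cfg")"   # pull-only-token:<password>
echo
acr_pull_secret_manifest scoped-acr-secret "$REGISTRY" "$TOKEN_NAME" "$TOKEN_PASSWORD"

if [ "${ACR_APPLY:-0}" = 1 ] && command -v oc >/dev/null 2>&1; then
  acr_apply_pull_secret scoped-acr-secret "$REGISTRY" "$TOKEN_NAME" "$TOKEN_PASSWORD"
fi
```

Run it as-is to print the manifest and the decoded `auth` pair for inspection; run with `ACR_APPLY=1` in a logged-in `oc` session to create the secret and link it to the `default` service account. The decode step is the check worth keeping: if `acr_decode_auth` on an existing secret's `.dockerconfigjson` does not print `<token name>:<password>`, the pull will fail with the same authentication error regardless of how the scope map was set up.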
