Explanation
Pulling Images from Registry during Deployment
During the deployment of an application to a Kubernetes cluster, you'll typically want one or more images to be pulled from a Docker registry. In the application's manifest file you specify the images to pull, the registry to pull them from, and the credentials to use when pulling the images. The manifest file is commonly also referred to as a pod spec, or as a deployment.yaml file (although other filenames are allowed).
If you want the application to pull images that reside in Oracle Cloud Infrastructure Registry, you have to perform two steps:
- You have to use kubectl to create a Docker registry secret. The secret containsthe Oracle Cloud Infrastructure credentials to use when pulling the image. When creating secrets, Oracle strongly recommends you use the latest version of kubectl To create a Docker registry secret:
1- If you haven't already done so, follow the steps to set up the cluster's kubeconfig configuration file and (if necessary) set the KUBECONFIG environment variable to point to the file. Note that you must set up your own kubeconfig file. You cannot access a cluster using a kubeconfig file that a different userset up.
2- In a terminal window, enter:
$ kubectl create secret docker-registry <secret-name> --docker-server=<region-key>.ocir.io
--docker-username='<tenancy-namespace>/<oci-username>' --docker-password='<oci-auth-token>'
--docker-email='<email-address>'
where:
<secret-name> is a name of your choice, that you will use in the manifest file to refer to the secret . For example, ocirsecret
<region-key> is the key for the Oracle Cloud Infrastructure Registry region you're using. For example, iad.
See Availability by Region.
ocir.io is the Oracle Cloud Infrastructure Registry name.
<tenancy-namespace> is the auto-generated Object Storage namespace string of the tenancy containing the repository from which the application is to pull the image (as shown on the Tenancy Information page). For example, the namespace of the acme-dev tenancy might be ansh81vru1zp. Note that for some older tenancies, thenamespace string might be the same as the tenancy name in all lower-case letters (for example, acme-dev).
<oci-username> is the username to use when pulling the image. The username must have access to the tenancy specified by <tenancy-name>. For example, [email protected] . If your tenancy is federated with Oracle Identity Cloud Service, use the format oracleidentitycloudservice/<username>
<oci-auth-token> is the auth token of the user specified by <oci-username>. For example, k]j64r{1sJSSF-;)K8
<email-address> is an email address. An email address is required, but it doesn't matter what you specify. For example, [email protected]
- You have to specify the image to pull from Oracle Cloud Infrastructure Registry, including the repository location and the Dockerregistry secret to use, in the application's manifest file.
References:
https://docs.cloud.oracle.com/en-us/iaas/Content/Registry/Tasks/registrypullingimagesfromocir.htm