Password - Free Image Pulling

Overview

By installing the password-free pulling plug-in, cube-credential-helper, the CCSE cluster can pull private images from both the Enterprise and Personal editions of the Cloud Container Repository without requiring passwords. This simplifies the process of publishing workloads.

Install

Click Cluster in the left navigation pane

In the Cluster Management page, click the name of an existing cluster to access the Cluster Information page

In the left navigation pane, click Plug-in - Plug-in Market. Find the cube-credential-helper plug-in on the page and install it:

Usage Steps

Before You Begin

• A Cloud Container Repository instance has been created.

Configuration Parameters

The namespaces and serviceAccounts parameters are used to specify the namespace and serviceAccount where the plug-in takes effect.

#### Enable the password-free pulling plug-in for specified namespaces in the cluster
 
 
#### The default value is "default". When set as "*", it indicates that password-free pulling is expected to be enabled for all Namespaces. If you need to configure multiple Namespaces, separate them with a half-width comma (,).
 
 
namespaces: "default"
 
 
 
#### Enable the password-free pulling plug-in for specified ServiceAccount in the cluster
 
 
#### The default value is "default". When set as "*", it supports all ServiceAccount within the specified namespace. If you need to configure multiple ServiceAccounts, separate them with a half-width comma (,).
 
 
serviceAccounts: "default"

The credentials parameter specifies the image pull credentials. Please note, you need to fill in the actual Intranet address, username, and password of the CRS instance. Otherwise, the password-free pulling plug-in will not take effect.

#### Image pull credentials, supporting multiple configurations. Replace the Intranet address of the CRS instance, username, and password in the following example with actual values.
 
 
credentials:
 
  - registry: " registry-vpc-crs-huadong1.ctyun.cn" # Intranet address of the CRS instance
 
    username: "username" # Username of the CRS instance
 
    password: "password" # Password of the CRS instance

Verification of Password-Free Pulling

In the CCSE console, create a new workload using the namespace and serviceAccount specified by the plug-in (when not explicitly specified, the workload defaults to using the default serviceAccount).

When pulling private images from the image service instance specified by the plug-in, you can successfully pull the image and run it without needing image pulling credentials.

Note that when creating a new workload, you should not specify image pulling credentials, as this will override the configuration of the plug-in and may cause the image pulling to fail.

Modify Configuration

After the plug-in installation, if you need to modify the plug-in configuration, you can find the cube-credential-helper configuration item under the kube-system namespace in the Configuration Management - Configuration Items page:

Then modify the variable in appConfig. yaml:

After modifications are made, it takes approximately one minute for the changes to take effect. Ensure that the format of the configuration is correct; otherwise, the configuration will not take effect.