如何使用来自 Jenkins 管道的 fabric8 maven 插件将 docker 图像推送到 Google Container Registry:未经授权
How to push a docker image to Google Container Registry using fabric8 maven plugin from Jenkins pipeline: unauthorized
我一直在努力使用 Jenkins 管道上的 fabric8 maven 插件将 docker 图像推送到 Google Container Registry。我检查了 Whosebug 上的每个问题,但 none 解决了我的问题。
这是我的设置:
Kubernetes 集群 运行 在 Google Kubernetes 引擎上。我已经部署了一个带有 Jenkins 服务器的 pod,该服务器使用 Kubernetes CI 插件启动代理,基于这个自定义图像:
FROM openjdk:8
RUN apt-get update && \
apt-get -y install \
apt-transport-https \
ca-certificates \
curl \
software-properties-common
RUN curl -fsSL https://download.docker.com/linux/ubuntu/gpg | apt-key add -
RUN add-apt-repository "deb [arch=amd64] https://download.docker.com/linux/ubuntu xenial stable" && \
apt-get update && \
apt-get -y install docker-ce
RUN curl https://dl.google.com/dl/cloudsdk/release/google-cloud-sdk.tar.gz > /tmp/google-cloud-sdk.tar.gz
RUN mkdir -p /usr/local/gcloud \
&& tar -C /usr/local/gcloud -xvf /tmp/google-cloud-sdk.tar.gz \
&& /usr/local/gcloud/google-cloud-sdk/install.sh
ENV PATH $PATH:/usr/local/gcloud/google-cloud-sdk/bin
此代理有 Java 8 和 Docker。
我想使用 fabric8 maven 插件来执行 docker 镜像构建并推送到 Google Container Registry。关键是无论我做什么,我总是会遇到这个错误(未经授权):
Unable to push 'eu.gcr.io/myprojectid/gke-springboot-sample'
from registry 'eu.gcr.io' : unauthorized: You don't have the needed
permissions to perform this operation, and you may have invalid
credentials. To authenticate your request, follow the steps in:
https://cloud.google.com/container-registry/docs/advanced-authentication
-> [Help 1]
注意:
我已经创建了一个与我的 GC 项目相关联的服务帐户并授予它以下权限:项目编辑器和存储管理员。
我已经配置了与属于该服务帐户的 key.json 文件相关联的全局 Jenkins 机密(云注册表凭证)
到目前为止,我已经在我的管道中尝试了所有的东西:
1: oauth2accesstoken
stage("Build docker image") {
agent {
label 'jenkins-slave'
}
steps {
container('jenkins-slave'){
script {
sh "./mvnw clean build fabric8:build"
withCredentials([file(credentialsId: 'cloud-registry-credentials', variable: 'crc')]) {
sh "gcloud auth print-access-token | docker login -u oauth2accesstoken --password-stdin https://eu.gcr.io"
sh "./mvnw fabric8:push"
}
}
}
}
}
输出:
+ gcloud auth print-access-token
+ docker login -u oauth2accesstoken --password-stdin https://eu.gcr.io
WARNING! Your password will be stored unencrypted in /home/jenkins/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store
Login Succeeded
[Pipeline] sh
Running shell script
+ ./mvnw fabric8:push
[INFO] F8> The push refers to a repository [eu.gcr.io/myprojectid/gke-springboot-sample]
#
[ERROR] F8> Unable to push 'eu.gcr.io/projectid/gke-springboot-sample' from registry 'eu.gcr.io' : unauthorized: You don't have the needed permissions to perform this operation, and you may have invalid credentials. To authenticate your request, follow the steps in: https://cloud.google.com/container-registry/docs/advanced-authentication [unauthorized: You don't have the needed permissions to perform this operation, and you may have invalid credentials. To authenticate your request, follow the steps in: https://cloud.google.com/container-registry/docs/advanced-authentication ]
2: key.json
stage("Build docker image") {
agent {
label 'jenkins-slave'
}
steps {
container('jenkins-slave'){
script {
sh "./mvnw fabric8:build"
withCredentials([file(credentialsId: 'cloud-registry-credentials', variable: 'crc')]) {
sh "docker login -u _json_key --password-stdin https://eu.gcr.io < ${crc}"
sh "gcloud auth activate-service-account --key-file=${crc}"
sh "./mvnw fabric8:push"
}
}
}
}
}
输出:
+ docker login -u _json_key --password-stdin https://eu.gcr.io
WARNING! Your password will be stored unencrypted in /home/jenkins/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store
Login Succeeded
[Pipeline] sh
Running shell script
+ gcloud auth activate-service-account --key-file=****
Activated service account credentials for: [jenkins-cr@myprojectid.iam.gserviceaccount.com]
[Pipeline] sh
Running shell script
+ ./mvnw fabric8:push
[ERROR] F8> Unable to push 'eu.gcr.io/myprojectid/gke-springboot-sample' from registry 'eu.gcr.io' : unauthorized: You don't have the needed permissions to perform this operation, and you may have invalid credentials. To authenticate your request, follow the steps in: https://cloud.google.com/container-registry/docs/advanced-authentication [unauthorized: You don't have the needed permissions to perform this operation, and you may have invalid credentials. To authenticate your request, follow the steps in: https://cloud.google.com/container-registry/docs/advanced-authentication ]
您可能正在寻找 Jenkins Google Container Registry Auth Plugin。
另一个可能的原因可能是,用户 jenkins-cr 没有分配所需的角色 storage.admin,在 Cloud IAM 中...这是相关的 documentation。刚刚看到你已经分配了它;也许仔细检查一下。
如果这与 fabric8 插件相关,您也可以获得支持 there。
此外,因此它是一个桶,那个桶的 ACL 最终可能会干扰。
在 maven ./mvnw fabric8:push 命令中添加 -X 标志后,我发现了以下 DEBUG 行:AuthConfig: no credentials found.
我不得不深入研究 AuthConfigFactory class 的源代码,发现问题是它没有找到之前生成的 /home/jenkins/.docker/config.json 文件。
问题是这个容器的主目录是 /root,所以它在 /root/.docker/config.json 中寻找它,但它不在那里。作为解决方法,我添加了 sh "cp /home/jenkins/.docker/config.json /root/.docker/config.json",现在它就像一个魅力:
[DEBUG] F8> AuthConfig: credentials from ~.docker/config.json
[INFO] F8> myprojectid/gke-springboot-sample:0.0.1-SNAPSHOTsnapshot-180813-080943-0179 in 5 seconds
我一直在努力使用 Jenkins 管道上的 fabric8 maven 插件将 docker 图像推送到 Google Container Registry。我检查了 Whosebug 上的每个问题,但 none 解决了我的问题。
这是我的设置:
Kubernetes 集群 运行 在 Google Kubernetes 引擎上。我已经部署了一个带有 Jenkins 服务器的 pod,该服务器使用 Kubernetes CI 插件启动代理,基于这个自定义图像:
FROM openjdk:8
RUN apt-get update && \
apt-get -y install \
apt-transport-https \
ca-certificates \
curl \
software-properties-common
RUN curl -fsSL https://download.docker.com/linux/ubuntu/gpg | apt-key add -
RUN add-apt-repository "deb [arch=amd64] https://download.docker.com/linux/ubuntu xenial stable" && \
apt-get update && \
apt-get -y install docker-ce
RUN curl https://dl.google.com/dl/cloudsdk/release/google-cloud-sdk.tar.gz > /tmp/google-cloud-sdk.tar.gz
RUN mkdir -p /usr/local/gcloud \
&& tar -C /usr/local/gcloud -xvf /tmp/google-cloud-sdk.tar.gz \
&& /usr/local/gcloud/google-cloud-sdk/install.sh
ENV PATH $PATH:/usr/local/gcloud/google-cloud-sdk/bin
此代理有 Java 8 和 Docker。
我想使用 fabric8 maven 插件来执行 docker 镜像构建并推送到 Google Container Registry。关键是无论我做什么,我总是会遇到这个错误(未经授权):
Unable to push 'eu.gcr.io/myprojectid/gke-springboot-sample' from registry 'eu.gcr.io' : unauthorized: You don't have the needed permissions to perform this operation, and you may have invalid credentials. To authenticate your request, follow the steps in: https://cloud.google.com/container-registry/docs/advanced-authentication -> [Help 1]
注意:
我已经创建了一个与我的 GC 项目相关联的服务帐户并授予它以下权限:项目编辑器和存储管理员。
我已经配置了与属于该服务帐户的 key.json 文件相关联的全局 Jenkins 机密(云注册表凭证)
到目前为止,我已经在我的管道中尝试了所有的东西:
1: oauth2accesstoken
stage("Build docker image") {
agent {
label 'jenkins-slave'
}
steps {
container('jenkins-slave'){
script {
sh "./mvnw clean build fabric8:build"
withCredentials([file(credentialsId: 'cloud-registry-credentials', variable: 'crc')]) {
sh "gcloud auth print-access-token | docker login -u oauth2accesstoken --password-stdin https://eu.gcr.io"
sh "./mvnw fabric8:push"
}
}
}
}
}
输出:
+ gcloud auth print-access-token
+ docker login -u oauth2accesstoken --password-stdin https://eu.gcr.io
WARNING! Your password will be stored unencrypted in /home/jenkins/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store
Login Succeeded
[Pipeline] sh
Running shell script
+ ./mvnw fabric8:push
[INFO] F8> The push refers to a repository [eu.gcr.io/myprojectid/gke-springboot-sample]
#
[ERROR] F8> Unable to push 'eu.gcr.io/projectid/gke-springboot-sample' from registry 'eu.gcr.io' : unauthorized: You don't have the needed permissions to perform this operation, and you may have invalid credentials. To authenticate your request, follow the steps in: https://cloud.google.com/container-registry/docs/advanced-authentication [unauthorized: You don't have the needed permissions to perform this operation, and you may have invalid credentials. To authenticate your request, follow the steps in: https://cloud.google.com/container-registry/docs/advanced-authentication ]
2: key.json
stage("Build docker image") {
agent {
label 'jenkins-slave'
}
steps {
container('jenkins-slave'){
script {
sh "./mvnw fabric8:build"
withCredentials([file(credentialsId: 'cloud-registry-credentials', variable: 'crc')]) {
sh "docker login -u _json_key --password-stdin https://eu.gcr.io < ${crc}"
sh "gcloud auth activate-service-account --key-file=${crc}"
sh "./mvnw fabric8:push"
}
}
}
}
}
输出:
+ docker login -u _json_key --password-stdin https://eu.gcr.io
WARNING! Your password will be stored unencrypted in /home/jenkins/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store
Login Succeeded
[Pipeline] sh
Running shell script
+ gcloud auth activate-service-account --key-file=****
Activated service account credentials for: [jenkins-cr@myprojectid.iam.gserviceaccount.com]
[Pipeline] sh
Running shell script
+ ./mvnw fabric8:push
[ERROR] F8> Unable to push 'eu.gcr.io/myprojectid/gke-springboot-sample' from registry 'eu.gcr.io' : unauthorized: You don't have the needed permissions to perform this operation, and you may have invalid credentials. To authenticate your request, follow the steps in: https://cloud.google.com/container-registry/docs/advanced-authentication [unauthorized: You don't have the needed permissions to perform this operation, and you may have invalid credentials. To authenticate your request, follow the steps in: https://cloud.google.com/container-registry/docs/advanced-authentication ]
您可能正在寻找 Jenkins Google Container Registry Auth Plugin。
另一个可能的原因可能是,用户 jenkins-cr 没有分配所需的角色 storage.admin,在 Cloud IAM 中...这是相关的 documentation。刚刚看到你已经分配了它;也许仔细检查一下。
如果这与 fabric8 插件相关,您也可以获得支持 there。
此外,因此它是一个桶,那个桶的 ACL 最终可能会干扰。
在 maven ./mvnw fabric8:push 命令中添加 -X 标志后,我发现了以下 DEBUG 行:AuthConfig: no credentials found.
我不得不深入研究 AuthConfigFactory class 的源代码,发现问题是它没有找到之前生成的 /home/jenkins/.docker/config.json 文件。
问题是这个容器的主目录是 /root,所以它在 /root/.docker/config.json 中寻找它,但它不在那里。作为解决方法,我添加了 sh "cp /home/jenkins/.docker/config.json /root/.docker/config.json",现在它就像一个魅力:
[DEBUG] F8> AuthConfig: credentials from ~.docker/config.json
[INFO] F8> myprojectid/gke-springboot-sample:0.0.1-SNAPSHOTsnapshot-180813-080943-0179 in 5 seconds