In the previous step the nginx image was pulled from a public repository. Many customers want to deploy images only from internal (controlled) private registries. In this section we will download the nginx image and upload it to Azure Container Registry (ACR).
Note: ACR names are globally scoped, so check that the name is available before trying to create the registry.
RESOURCE_GROUP=my-k8s-cluster-$USER
ACR_NAME=myacr${USER}${RANDOM}
echo ACR_NAME = $ACR_NAME
az acr check-name --name $ACR_NAME
Results:
{
"message": null,
"nameAvailable": true,
"reason": null
}
The minimal parameters to create an ACR are a name, a resource group and a location. With these parameters a storage account is created and the registry's administrator user is not enabled.
Note: the command returns the resource id of the registry. That id is needed in subsequent steps if you want to create service principals that are scoped to this registry instance.
az acr create --name $ACR_NAME --resource-group $RESOURCE_GROUP --location eastus --sku Standard
ACR_REGISTRY_ID=$(az acr show --name $ACR_NAME --query id --output tsv)
Create two service principals, one with read-only and one with read/write access.
Note:
- Ensure that the password length is 8 or more characters
- The command returns an application id for each service principal. You'll need that id in subsequent steps.
- You should consider using the --scopes property to limit the service principal to a resource group or to a single registry
Create a reader Service Principal
READER_SP_NAME=my-acr-reader-$USER
READER_SP_PASSWD=$(az ad sp create-for-rbac --name $READER_SP_NAME --scopes $ACR_REGISTRY_ID --role reader --query password --output tsv)
echo Reader password = $READER_SP_PASSWD
READER_SP_APP_ID=$(az ad sp show --id http://$READER_SP_NAME --query appId --output tsv)
Create a contributor Service Principal
CONTRIBUTOR_SP_NAME=my-acr-contributor-$USER
CONTRIBUTOR_SP_PASSWD=$(az ad sp create-for-rbac --name $CONTRIBUTOR_SP_NAME --scopes $ACR_REGISTRY_ID --role contributor --query password --output tsv)
echo Contributor password = $CONTRIBUTOR_SP_PASSWD
CONTRIBUTOR_SP_APP_ID=$(az ad sp show --id http://$CONTRIBUTOR_SP_NAME --query appId --output tsv)
Pull the nginx image and list the local docker images. You should also see the images built in the initial steps when deploying the application locally.
docker pull nginx:latest
docker images nginx:latest
Tag the image to associate it with your private ACR instance.
docker tag nginx:latest $ACR_NAME.azurecr.io/workshop/my-nginx:latest
Using the Contributor Service Principal, log in to the ACR. The login command for a remote registry has the form:
docker login -u $CONTRIBUTOR_SP_APP_ID -p $CONTRIBUTOR_SP_PASSWD $ACR_NAME.azurecr.io
Results:
WARNING! Using --password via the CLI is insecure. Use --password-stdin.
Login Succeeded
docker push $ACR_NAME.azurecr.io/workshop/my-nginx
docker pull $ACR_NAME.azurecr.io/workshop/my-nginx
At this point the images are in ACR, but the cluster needs credentials to be able to pull and deploy them. Create a pull secret from the reader Service Principal, so the cluster can only pull, never push:
kubectl create secret docker-registry acr-reader --docker-server $ACR_NAME.azurecr.io --docker-username $READER_SP_APP_ID --docker-password $READER_SP_PASSWD --docker-email [email protected]
Results:
secret "acr-reader" created
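As an added example (not part of the workshop), a few POSIX shell helpers for the steps above: a local pre-check of the ACR name, a login that avoids the insecure -p flag the warning above points at, and a builder for the .dockerconfigjson that kubectl create secret docker-registry stores, which shows that the reader password sits in the secret only base64-encoded. The function names and the sample values are constructed for this example.

```shell
#!/bin/sh
# Constructed helpers; not from the workshop or the Azure CLI.

# ACR names must be 5 to 50 alphanumeric characters. $USER may contain
# characters (dots, hyphens) that make myacr${USER}${RANDOM} invalid.
acr_name_valid() {
  case "$1" in
    *[!a-zA-Z0-9]*) return 1 ;;   # any non-alphanumeric character
  esac
  [ "${#1}" -ge 5 ] && [ "${#1}" -le 50 ]
}

# Service principal passwords in this workshop must be at least 8 characters.
sp_password_ok() {
  [ "${#1}" -ge 8 ]
}

# Log in without putting the password on the command line (it would otherwise
# be visible in the process list and shell history). Usage: acr_login server app_id password
acr_login() {
  printf '%s' "$3" | docker login -u "$2" --password-stdin "$1"
}

# Reproduce the .dockerconfigjson that kubectl create secret docker-registry
# writes. "auth" is base64(user:password): encoding, not encryption, so the
# secret must be protected with RBAC like any other credential.
# Usage: build_docker_config server username password
build_docker_config() {
  auth_b64=$(printf '%s:%s' "$2" "$3" | base64 | tr -d '\n')
  printf '{"auths":{"%s":{"username":"%s","password":"%s","auth":"%s"}}}' \
    "$1" "$2" "$3" "$auth_b64"
}

# Decode the "auth" field back to user:password, e.g. when auditing an existing secret.
decode_docker_auth() {
  printf '%s' "$1" | base64 -d
}
```

Inspect a live pull secret with kubectl get secret acr-reader -o jsonpath='{.data.\.dockerconfigjson}' | base64 -d, and treat the result as a credential.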
helm install --set image.repository=$ACR_NAME.azurecr.io/workshop/my-nginx,image.tag=latest,image.imagePullSecrets=acr-reader ./yaml/acr-test
HELM_RELEASE=$(helm ls -qdr | head -1)
helm status $HELM_RELEASE
kubectl get all
When you are finished, remove the registry, the service principals, the pull secret and the release:
az acr delete -n $ACR_NAME
az ad sp delete --id=$READER_SP_APP_ID
az ad sp delete --id=$CONTRIBUTOR_SP_APP_ID
kubectl delete secret acr-reader
helm delete $HELM_RELEASE