OCI ConnectorClass

The OCI ConnectorClass is the connector class used to define OCI Connectors. It lets users easily access an OCI registry (OCI image registry) from inside the cluster.

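Access Requirements

The OCI registry being accessed must meet the following conditions:

  1. API implementation requirements:

  2. Authentication method requirements: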

Quick Start

apiVersion: connectors.alauda.io/v1alpha1
kind: Connector
metadata:
  name: dockerhub
spec:
  connectorClassName: oci
  address: https://index.docker.io
  auth:
    name: tokenAuth
    params:
    - name: repository
      value: library/ubuntu
    secretRef:
      name: dockerhub
---
apiVersion: v1
stringData:
  password: your-token
  username: your-username
kind: Secret
metadata:
  name: dockerhub
type: cpaas.io/distribution-registry-token

Connector Parameter Constraints

spec.connectorClassName

Must be the constant value oci.

spec.address

Specifies the access address of the OCI registry, for example: http://harbor.example.com

spec.auth.name

Authentication types supported by the OCI Connector:

  • tokenAuth: token-based authentication (optional)

Example:

apiVersion: connectors.alauda.io/v1alpha1
kind: Connector
metadata:
  name: connector-oci
spec:
  connectorClassName: oci
  address: http://<registry.url>
  # . . .
  auth:
    name: tokenAuth
    secretRef:
      name: oci-secret
---
apiVersion: v1
data:
  password: YWRtaW4=
  username: YWRtaW4=
kind: Secret
metadata:
  name: oci-secret
type: cpaas.io/distribution-registry-token

If the target OCI registry does not require authentication, the authentication information can be omitted. A configuration example follows:

apiVersion: connectors.alauda.io/v1alpha1
kind: Connector
metadata:
  name: connector-oci
spec:
  connectorClassName: oci
  address: http://<registry.url>
  auth:
    name: tokenAuth

spec.auth.params[]

Health check configuration:

  • repository: specifies the image repository used for the health check.
    • Example: library/ubuntu

apiVersion: connectors.alauda.io/v1alpha1
kind: Connector
metadata:
  name: connector-oci
spec:
  connectorClassName: oci
  address: http://<registry.url>
  auth:
    name: tokenAuth
    params:
    - name: repository
      value: library/ubuntu
    secretRef:
      name: oci-secret
---
apiVersion: v1
data:
  password: YWRtaW4=
  username: YWRtaW4=
kind: Secret
metadata:
  name: oci-secret
type: cpaas.io/distribution-registry-token
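
A lint for the constraints in this section, added here as an example (it is not part of the original documentation or the project's code). It checks a Connector and the Secret it references, both in the dict form that `kubectl get -o json` returns. The function name, the sample host, and the plain-HTTP and password-equals-username findings are assumptions of this example.

```python
import base64

SECRET_TYPE = "cpaas.io/distribution-registry-token"  # Secret type used on this page

def lint_connector(connector, secrets):
    """Check one Connector (dict) against the constraints above.
    `secrets` maps Secret name -> Secret dict. Returns a list of findings."""
    findings = []
    spec = connector.get("spec", {})
    if spec.get("connectorClassName") != "oci":
        findings.append("spec.connectorClassName must be the constant 'oci'")
    if spec.get("address", "").startswith("http://"):
        findings.append("spec.address is plain HTTP: registry traffic is unencrypted")
    auth = spec.get("auth") or {}
    if auth and auth.get("name") != "tokenAuth":
        findings.append("spec.auth.name: tokenAuth is the only listed auth type")
    ref = (auth.get("secretRef") or {}).get("name")
    if ref is None:
        return findings  # registry without authentication: no Secret to check
    secret = secrets.get(ref)
    if secret is None:
        return findings + [f"secretRef '{ref}' does not resolve to a Secret"]
    if secret.get("type") != SECRET_TYPE:
        findings.append(f"Secret '{ref}' should have type {SECRET_TYPE}")
    creds = dict(secret.get("stringData") or {})
    for key, value in (secret.get("data") or {}).items():
        # `data` values are base64-encoded, not encrypted: anyone who can read
        # the Secret can decode them.
        creds.setdefault(key, base64.b64decode(value).decode())
    for key in ("username", "password"):
        if not creds.get(key):
            findings.append(f"Secret '{ref}' is missing '{key}'")
    if creds.get("username") and creds.get("username") == creds.get("password"):
        # Heuristic added by this example: catches placeholder credentials.
        findings.append(f"Secret '{ref}': password equals username (placeholder?)")
    return findings

# Constructed sample input, modelled on the manifests above (dict form).
SAMPLE_CONNECTOR = {
    "kind": "Connector", "metadata": {"name": "connector-oci"},
    "spec": {"connectorClassName": "oci", "address": "http://registry.example.com",
             "auth": {"name": "tokenAuth", "secretRef": {"name": "oci-secret"}}},
}
SAMPLE_SECRETS = {"oci-secret": {
    "kind": "Secret", "type": SECRET_TYPE,
    "data": {"username": "YWRtaW4=", "password": "YWRtaW4="},
}}

if __name__ == "__main__":
    for finding in lint_connector(SAMPLE_CONNECTOR, SAMPLE_SECRETS):
        print("-", finding)
```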

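Features

Health Check

After a Connector is created, the system does the following:

  1. Runs a health check against the image repository specified by spec.auth.params[name=repository].
  2. Stores the check result in the status.conditions[type=AuthReady] field.

Configuration

The OCI ConnectorClass provides the following configurations:

  • docker-config: Docker configuration.
    • Provides a config.json configuration file.
    • Contains the authentication information required to access the proxy.

Example: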

// config.json

{
  "auths": {
      "<proxy address of the connector>": {
          "auth": "<authentication information required to access the connector>"
      }
  }
}

  • dockerd: configuration for the Docker daemon. A daemon.json configuration file is provided; by default, the Docker daemon configuration lists the current connector under insecure-registries.

Example:

{
  "insecure-registries": [
    "<proxy address of the connector>"
  ]
}
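
  • buildkitd: configuration for the BuildKit daemon. A buildkitd.toml configuration file is provided; by default, the BuildKit daemon configuration sets the current connector as an insecure registry (insecure-registries).

Example: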

insecure-entitlements = [ "network.host", "security.insecure" ]
[registry."<proxy address of the connector>"]
  http = true

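You can mount this configuration into a Pod through connectors-csi to push or pull images without handling secrets (secretless).

Proxy Information

After a Connector is created, the system will:

  1. Automatically create a Service that acts as the proxy.
  2. Record the proxy address in the status.proxy.httpAddress field.

You can use this proxy address for image push and pull operations.

Example: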

apiVersion: connectors.alauda.io/v1alpha1
kind: Connector
metadata:
  name: harbor
  namespace: default
spec:
  address: https://build.example.com
  auth:
    name: tokenAuth
    secretRef:
      name: harbor
  connectorClassName: oci
status:
  conditions:
  # . . .
  proxy:
    httpAddress:
      url: http://c-harbor.default.svc.cluster.local
