Documentation for version v0.35.0 is no longer actively maintained. The version you are currently viewing is a static snapshot. For up-to-date documentation, see the latest version.
Authentication
Via Docker config ¶
Even though kbld
commands use registry APIs directly, by default it uses credentials stored in ~/.docker/config.json
which are typically generated via docker login
command.
Example generated ~/.docker/config.json
:
{
"auths": {
"https://index.docker.io/v1/": {
"auth": "dXNlcjpwYXNzd29yZA=="
},
},
"HttpHeaders": {
"User-Agent": "Docker-Client/18.09.6 (darwin)"
}
}
where dXNlcjpwYXNzd29yZA==
is base64("username:password")
.
Via Environment Variables ¶
As of v0.23.0+, kbld can also use following environment variables:
KBLD_REGISTRY_HOSTNAME
to specify registry hostname (e.g. gcr.io, docker.io)KBLD_REGISTRY_USERNAME
to specify registry usernameKBLD_REGISTRY_PASSWORD
to specify registry password
Since you may need to provide multiple registry credentials, above environment variables multiple times with a suffix like so KBLD_REGISTRY_HOSTNAME_0
(suffix can be 1+ alphanumeric characters). Use same suffix for hostname, username and password.
Currently credentials provided via environment variables do not apply when building images with Docker. Continue using docker login
to authenticate Docker daemon.
gcr.io ¶
- Create service account with “Storage Admin” for push access
- Download JSON service account key and place it somewhere on filesystem (e.g.
/tmp/key
) - Run
cat /tmp/key | docker login -u _json_key --password-stdin https://gcr.io
to authenticate
AWS ECR ¶
- Create ECR repository
- Create IAM user with ECR policy that allows to read/write
- Run
aws configure
and specify access key ID, secret access key and region- To install on Ubuntu, run
apt-get install pip3
andpip3 install awscli
- To install on Ubuntu, run
- Run
eval $(aws ecr get-login --no-include-email)
to authenticate
Example ECR policy from https://docs.aws.amazon.com/AmazonECR/latest/userguide/ecr_managed_policies.html
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ecr:GetAuthorizationToken",
"ecr:BatchCheckLayerAvailability",
"ecr:GetDownloadUrlForLayer",
"ecr:GetRepositoryPolicy",
"ecr:DescribeRepositories",
"ecr:ListImages",
"ecr:DescribeImages",
"ecr:BatchGetImage",
"ecr:InitiateLayerUpload",
"ecr:UploadLayerPart",
"ecr:CompleteLayerUpload",
"ecr:PutImage"
],
"Resource": "*"
}
]
}
Harbor ¶
You may have to provide --registry-ca-cert-path
flag with a path to a CA certificate file for Harbor Registry API.
(Help improve our docs: edit this page on GitHub)