Pet*_*ter 10 google-artifact-registry
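We have a Google Artifact Registry for Python packages. Authentication works like this. Locally it works well.
However, when I want to build a Docker image that needs to install packages from our private registry, how do I pass the credentials to the Docker build?
I'd like to keep the Dockerfile the same when building with a user account or a service account.
This works, but I'm not sure it's best practice: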
FROM python:3.9
RUN pip install keyring keyrings.google-artifactregistry-auth
COPY requirements.txt .
RUN --mount=type=secret,id=creds,target=/root/.config/gcloud/application_default_credentials.json \
pip install -r requirements.txt
Then build:
docker build --secret="id=creds,src=$HOME/.config/gcloud/application_default_credentials.json" .
Lon*_*Dev 11
Using keyring is great when working locally, but in my opinion it's not the best solution for a Dockerfile. This is because your only options are to mount volumes at build time (which I feel is messy) or to copy your credentials into the Dockerfile (which I feel is insecure).
Instead, I got this working by doing the following in Dockerfile:
FROM python:3.10
ARG AUTHED_ARTIFACT_REG_URL
COPY ./requirements.txt /requirements.txt
RUN pip install --extra-index-url ${AUTHED_ARTIFACT_REG_URL} -r /requirements.txt
Then, to build your Dockerfile you can run:
Although it doesn't seem to be in the official docs for Artifact Registry, this works as an alternative to using keychain. Note that the token generated by gcloud auth print-access-token is valid for 1 hour.
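
A check that applies to both approaches above, as an added example (not code from the question or the answer): Docker records the build-arg values available to a RUN step in the image history, while the contents of a BuildKit secret mount are not recorded, so scanning `docker history --no-trunc` output for URLs with embedded credentials shows whether a token ended up in image metadata. The history lines, host, project, repository and token below are constructed; `oauth2accesstoken` is the basic-auth username Artifact Registry accepts for access tokens.

```shell
#!/usr/bin/env bash
# Added example: detect registry credentials baked into image history.
# On a real image (IMAGE is a placeholder):
#   docker history --no-trunc --format '{{.CreatedBy}}' IMAGE | history_is_clean

# Constructed history for an image built with the token passed as a build arg.
HISTORY_BUILD_ARG='COPY ./requirements.txt /requirements.txt # buildkit
RUN |1 AUTHED_ARTIFACT_REG_URL=https://oauth2accesstoken:ya29.CONSTRUCTED-TOKEN@us-python.pkg.dev/example-project/example-repo/simple/ /bin/sh -c pip install --extra-index-url ${AUTHED_ARTIFACT_REG_URL} -r /requirements.txt # buildkit'

# Constructed history for an image built with a BuildKit secret mount.
HISTORY_SECRET_MOUNT='RUN /bin/sh -c pip install keyring keyrings.google-artifactregistry-auth # buildkit
COPY requirements.txt . # buildkit
RUN /bin/sh -c pip install -r requirements.txt # buildkit'

# Print every URL on stdin that embeds userinfo (user:password@host), with the
# password masked so the report does not repeat the token.
find_url_credentials() {
  grep -oE 'https?://[^/:@[:space:]]+:[^@/[:space:]]+@[^[:space:]]+' \
    | sed -E 's#(https?://[^:]+:)[^@]+@#\1****@#'
}

# Return 0 when no credentialed URL appears on stdin, 1 otherwise.
history_is_clean() {
  leaked=$(find_url_credentials || true)
  if [ -n "$leaked" ]; then
    printf 'credential in image history: %s\n' "$leaked" >&2
    return 1
  fi
  return 0
}

# Run the check over both constructed samples.
for name in HISTORY_BUILD_ARG HISTORY_SECRET_MOUNT; do
  eval "sample=\$$name"
  if printf '%s\n' "$sample" | history_is_clean; then
    echo "$name: clean"
  else
    echo "$name: token exposed"
  fi
done
```

An access token found this way stays usable until it expires, so the check is most useful as a gate before an image is pushed or shared.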