Configure password-free settings to pull images from Container Registry Enterprise Edition instances

Last Updated: Apr 01, 2021

When you pull images from Container Registry instances, you can configure password-free settings to simplify configurations and accelerate image pulling. This topic describes how to configure password-free settings to pull images from Container Registry Enterprise Edition instances.

Prerequisites

Before you start, make sure that the following requirements are met:

Background information

Container Registry provides Container Registry Enterprise Edition instances and default instances. Container Registry Enterprise Edition is an enterprise-level platform designed to manage the lifecycle of cloud native application artifacts, which include container images, Helm charts, and Open Container Initiative (OCI) artifacts. Container Registry Enterprise Edition can seamlessly connect to Container Service for Kubernetes (ACK) and is suitable for large-scale business deployment, simplifying the application delivery for enterprises. For more information, see What is Container Registry Enterprise Edition?

Whether you can pull an image without a password depends on where the image is hosted:

  • If a Container Registry image belongs to the same account as your elastic container instance, you can pull this image without a password.

  • If an image is a Docker image instead of a Container Registry image, you cannot pull the image without a password. When you call an API operation to create an elastic container instance, you can use the ImageRegistryCredential parameter to pass in the password.

Configure the password-free settings for a Container Registry Enterprise Edition instance

In the Container Registry Enterprise Edition console, find the instance to be configured and configure the following network access control:

  • Access over the Internet

    After you enable Internet access, you can access images from the Container Registry Enterprise Edition instance across regions by using fully qualified domain names. For more information, see Configure access over the Internet.

  • Access over VPCs

    You must grant the corresponding permissions before you can access the instance by using VPCs. For more information, see Configure access over VPCs.


After you configure the instance, you can record information such as the instance ID, name, and domain name for subsequent use.

Pull images from Container Registry Enterprise Edition instances without passwords (Kubernetes)

You can add annotations to specify a Container Registry instance from which you want to pull images.

Note

You can specify only one Container Registry instance when you use the Kubernetes method. If you have multiple Container Registry instances that contain different images, we recommend that you put the images into a single Container Registry instance. If you want to configure multiple Container Registry instances, we recommend that you use the API-operation method.

Example:

  1. Prepare the YAML file.

    The following code provides an example of test_cri.yaml:

    apiVersion: v1
    kind: Pod
    metadata:
      annotations:
        k8s.aliyun.com/acr-instance-id: cri-j36zhodptmyq****      # Specify the ID of the Container Registry Enterprise Edition instance.
      name: cri-test
    spec:
      containers:
      - image: test****-registry.cn-beijing.cr.aliyuncs.com/eci_test/nginx:1.0   # Pull images over the Internet.
        imagePullPolicy: Always
        name: nginx
      restartPolicy: Never
  2. Create a pod.

    kubectl apply -f test_cri.yaml

Pull images from Container Registry Enterprise Edition instances without passwords (API operation)

When you call the CreateContainerGroup operation to create an elastic container instance, you can use the AcrRegistryInfo-related parameters to configure the password-free settings. The following table describes the parameters. For more information, see CreateContainerGroup.

| Parameter | Type | Required | Example | Description |
| --- | --- | --- | --- | --- |
| AcrRegistryInfo.N.RegionId | String | No | cn-beijing | The region ID of the Container Registry Enterprise Edition instance. |
| AcrRegistryInfo.N.InstanceId | String | No | cri-nwj395hgf6f3**** | The ID of the Container Registry Enterprise Edition instance. |
| AcrRegistryInfo.N.Domain.N | RepeatList | No | test****-registry.cn-beijing.cr.aliyuncs.com | Domain name N of the Container Registry Enterprise Edition instance. The default value is all domain names of the instance. Separate multiple domain names with commas (,). You can also specify a specific domain name. |
| AcrRegistryInfo.N.InstanceName | String | No | test**** | The name of the Container Registry Enterprise Edition instance. |

You can set the AcrRegistryInfo-related parameters in the following ways:

  • Example 1: Specify the region ID, ID, name, and domain names of the Container Registry Enterprise Edition instance.

    'Container.1.Image': 'test****-registry.cn-beijing.cr.aliyuncs.com/eci_test/nginx:1.0',
    'Container.1.Name': 'c1',
    'Container.2.Image': 'test****-registry-vpc.cn-beijing.cr.aliyuncs.com/eci_test/nginx:1.0',
    'Container.2.Name': 'c2',
    
    #AcrRegistryInfo
    'AcrRegistryInfo.1.RegionId':'cn-beijing',
    'AcrRegistryInfo.1.InstanceId': 'cri-nwj395hg********',
    'AcrRegistryInfo.1.Domain.1': 'test****-registry-vpc.cn-beijing.cr.aliyuncs.com',
    'AcrRegistryInfo.1.Domain.2': 'test****-registry.cn-beijing.cr.aliyuncs.com'
  • Example 2: Specify the ID and name of the Container Registry Enterprise Edition instance.

    'Container.1.Image': 'test****-registry.cn-beijing.cr.aliyuncs.com/eci_test/nginx:1.0',
    'Container.1.Name': 'c1',
    'Container.2.Image': 'test****-registry-vpc.cn-beijing.cr.aliyuncs.com/eci_test/nginx:1.0',
    'Container.2.Name': 'c2',
    
    #AcrRegistryInfo
    'AcrRegistryInfo.1.InstanceId': 'cri-nwj395hg********',
    'AcrRegistryInfo.1.InstanceName': 'test****'
  • Example 3: Specify only the ID of the Container Registry Enterprise Edition instance.

    'Container.1.Image': 'test****-registry.cn-beijing.cr.aliyuncs.com/eci_test/nginx:1.0',
    'Container.1.Name': 'c1',
    'Container.2.Image': 'test****-registry-vpc.cn-beijing.cr.aliyuncs.com/eci_test/nginx:1.0',
    'Container.2.Name': 'c2',
    
    #AcrRegistryInfo
    'AcrRegistryInfo.1.InstanceId': 'cri-nwj395hg********'

You can also use SDKs to set the AcrRegistryInfo-related parameters. The SDK for Python is used in the following example:

#!/usr/bin/env python
#coding=utf-8

from aliyunsdkcore.client import AcsClient
from aliyunsdkcore.acs_exception.exceptions import ClientException
from aliyunsdkcore.acs_exception.exceptions import ServerException
from aliyunsdkeci.request.v20180808.CreateContainerGroupRequest import CreateContainerGroupRequest

client = AcsClient('<accessKeyId>', '<accessSecret>', 'cn-beijing')

request = CreateContainerGroupRequest()
request.set_accept_format('json')

request.set_SecurityGroupId("sg-2zeh4cev9y7ulbr*****")
request.set_VSwitchId("vsw-2zejlv7xjnw61w6z*****")
request.set_ContainerGroupName("test-cri")
request.set_Containers([
  {
    "Image": "test****-registry.cn-beijing.cr.aliyuncs.com/eci_test/nginx:1.0",
    "Name": "nginx"
  },
  {
    "Image": "test****-registry-vpc.cn-beijing.cr.aliyuncs.com/eci_test/nginx:1.0",
    "Name": "nginx2"
  }
])
request.set_AcrRegistryInfos([
  {
    "RegionId": "cn-beijing",
    "InstanceId": "cri-nwj395hgf6f*****",
    "Domains": [
      "test****-registry-vpc.cn-beijing.cr.aliyuncs.com",
      "test****-registry.cn-beijing.cr.aliyuncs.com"
    ]
  }
])

response = client.do_action_with_exception(request)
# python2:  print(response) 
print(str(response, encoding='utf-8'))
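
A pre-flight check for the AcrRegistryInfo settings described above, as an added example that is not part of the original documentation or the SDK. It flattens SDK-style entries into the `AcrRegistryInfo.N.*` keys from the parameter table and lists container images whose registry host is not in any explicit `Domains` list, which are the images that would need `ImageRegistryCredential` instead. The function names and the `docker.io` sample image are assumptions made for the illustration.

```python
# Added example (not from the original documentation). Sample values reuse the
# masked placeholders shown on this page; the docker.io image is constructed.
SAMPLE_CONTAINERS = [
    {"Name": "c1", "Image": "test****-registry.cn-beijing.cr.aliyuncs.com/eci_test/nginx:1.0"},
    {"Name": "c2", "Image": "test****-registry-vpc.cn-beijing.cr.aliyuncs.com/eci_test/nginx:1.0"},
    {"Name": "c3", "Image": "docker.io/library/nginx:1.0"},
]
SAMPLE_ACR = [{
    "RegionId": "cn-beijing",
    "InstanceId": "cri-nwj395hg********",
    "Domains": ["test****-registry-vpc.cn-beijing.cr.aliyuncs.com",
                "test****-registry.cn-beijing.cr.aliyuncs.com"],
}]

def registry_host(image):
    """Return the registry host of an image reference, or None for short names."""
    first, sep, _ = image.partition("/")
    # Docker convention: the first component is a host only if it looks like one.
    if sep and ("." in first or ":" in first or first == "localhost"):
        return first.lower()
    return None

def flatten_acr_infos(acr_infos):
    """Turn SDK-style entries into the AcrRegistryInfo.N.* request keys."""
    params = {}
    for i, info in enumerate(acr_infos, start=1):
        prefix = f"AcrRegistryInfo.{i}."
        for key in ("RegionId", "InstanceId", "InstanceName"):
            if info.get(key):
                params[prefix + key] = info[key]
        for j, domain in enumerate(info.get("Domains", []), start=1):
            params[f"{prefix}Domain.{j}"] = domain
    return params

def uncovered_images(containers, acr_infos):
    """List images whose registry host is in no explicit Domains list.

    An entry without Domains defaults to all domain names of the instance,
    which cannot be resolved offline, so the result is None (not checkable).
    """
    if any(not info.get("Domains") for info in acr_infos):
        return None
    allowed = {d.lower() for info in acr_infos for d in info["Domains"]}
    return [c["Image"] for c in containers if registry_host(c["Image"]) not in allowed]

if __name__ == "__main__":
    for key, value in sorted(flatten_acr_infos(SAMPLE_ACR).items()):
        print(f"{key} = {value}")
    print("not covered:", uncovered_images(SAMPLE_CONTAINERS, SAMPLE_ACR))
```

Listing `Domains` explicitly, as in Example 1, is what makes this check possible before the request is sent; with only an instance ID the covered domain names are resolved on the service side.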