Elastic Container Instance: Pull images from a Container Registry Enterprise Edition instance without using a secret

Last Updated: Jan 17, 2023

By default, an elastic container instance can pull images without using a secret from a Container Registry Personal Edition instance, or from a Container Registry Enterprise Edition instance that uses a standard domain name, if the Container Registry instance is in the same Alibaba Cloud account as the elastic container instance. For a Container Registry Enterprise Edition instance that uses a custom domain name, secret-free image pulling works only if you explicitly specify the Container Registry instance. This topic describes how to pull images without using a secret from a Container Registry Enterprise Edition instance that uses a custom domain name.

Prerequisites

The following requirements are met:

Background information

Container Registry provides Container Registry Personal Edition instances and Container Registry Enterprise Edition instances. Container Registry Enterprise Edition is an enterprise-grade platform used to manage the lifecycle of cloud native application artifacts. These artifacts include container images, Helm charts, and Open Container Initiative (OCI) artifacts. Container Registry Enterprise Edition can be seamlessly integrated with Container Service for Kubernetes (ACK) in large-scale business deployment scenarios to simplify application delivery for enterprises. For more information, see What is Container Registry?

Whether Container Registry images can be pulled without using a secret depends on the following situations:

  • For images in a Container Registry Personal Edition instance that belongs to the same account as the elastic container instance, you can pull the images without using a secret.

  • For images in a Container Registry Enterprise Edition instance that uses a standard domain name in the ****-registry.[Region].cr.aliyuncs.com format and is in the same account as the elastic container instance, you can pull the images without using a secret.

  • For images in a Container Registry Enterprise Edition instance that uses a custom domain name and is in the same account as the elastic container instance, by default you cannot pull the images without using a secret. To use the secret-free image pulling feature, you must explicitly specify the Container Registry instance.

  • For images in a Container Registry Enterprise Edition instance that is not in the same account as the elastic container instance, you cannot pull the images without using a secret. You must use an authentication key of an image repository to pull the images.

Note

Images that are not Container Registry images, such as Docker images, cannot be pulled without using a secret.

This topic describes how to configure secret-free access to Container Registry Enterprise Edition instances that use custom domain names.

Configure secret-free access to a Container Registry Enterprise Edition instance

By default, a newly created Container Registry Enterprise Edition instance is disconnected from all networks. You must configure access control lists (ACLs) to allow access to the Container Registry Enterprise Edition instance over the Internet or virtual private clouds (VPCs).

  • Over the Internet

    After you enable Internet access, you can access images in the Container Registry Enterprise Edition instance across regions by using public endpoints. For more information, see Configure access over the Internet.

  • Over a VPC

    To access a Container Registry Enterprise Edition instance over a VPC, you must grant relevant permissions to the elastic container instance. For more information, see Configure access over VPCs.


After an ACL is configured, if the Container Registry Enterprise Edition instance uses a standard domain name, you can pull images from the instance without any further configuration. If the Container Registry instance uses a custom domain name, you must also explicitly specify the Container Registry instance to use the secret-free image pulling feature.

Specify a Container Registry instance to configure secret-free access

For a Container Registry Enterprise Edition instance that uses a custom domain name, the secret-free image pulling feature works only if you specify the Container Registry instance when you create the elastic container instance.

Call an API operation

When you call the CreateContainerGroup API operation to create an elastic container instance, you can use AcrRegistryInfo-related parameters to specify Container Registry Enterprise Edition instances. The following table describes these parameters. For more information, see CreateContainerGroup.

Note

When you use AcrRegistryInfo-related parameters, you must specify the AcrRegistryInfo.N.InstanceId parameter.

| Parameter | Type | Example | Description |
| --- | --- | --- | --- |
| AcrRegistryInfo.N.RegionId | String | cn-beijing | The region ID of Container Registry Enterprise Edition instance N. |
| AcrRegistryInfo.N.InstanceId | String | cri-nwj395hgf6f3**** | The ID of Container Registry Enterprise Edition instance N. |
| AcrRegistryInfo.N.Domain.N | RepeatList | test****-registry.example.com | Endpoint N of Container Registry Enterprise Edition instance N. |
| AcrRegistryInfo.N.InstanceName | String | test**** | The name of Container Registry Enterprise Edition instance N. |

You can call an API operation to pass in AcrRegistryInfo-related parameters when you create an elastic container instance:

  • Example 1: Specify the region ID, ID, and endpoint of the Container Registry Enterprise Edition instance.

    'Container.1.Image': 'test****-registry.example.com/eci_test/nginx:1.0',
    'Container.1.Name': 'c1',
    'Container.2.Image': 'test****-registry.example.com/eci_test/busybox:1.0',
    'Container.2.Name': 'c2',
    
    #AcrRegistryInfo
    'AcrRegistryInfo.1.RegionId': 'cn-beijing',
    'AcrRegistryInfo.1.InstanceId': 'cri-nwj395hg********',
    'AcrRegistryInfo.1.Domain.1': 'test****-registry.example.com',
  • Example 2: Specify only the ID of the Container Registry Enterprise Edition instance.

    'Container.1.Image': 'test****-registry.example.com/eci_test/nginx:1.0',
    'Container.1.Name': 'c1',
    #AcrRegistryInfo
    'AcrRegistryInfo.1.InstanceId': 'cri-nwj395hg********'
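
The following pre-flight check is an added example, not part of the original page or of the Alibaba Cloud SDK. It parses flat CreateContainerGroup parameters in the style shown above and reports two conditions described in this topic: an AcrRegistryInfo.N entry without the required InstanceId, and a container image on a non-standard domain when no AcrRegistryInfo entry is specified. The helper names and the sample values are constructed, and hosts are classified only against the standard Enterprise Edition domain format quoted in this topic.

```python
import re
from collections import defaultdict

# Standard Enterprise Edition format quoted in this topic: ****-registry.[Region].cr.aliyuncs.com
STANDARD_EE = re.compile(r"^[^./]+-registry\.[a-z0-9-]+\.cr\.aliyuncs\.com$")


def registry_host(image):
    """Return the registry host (a first component with a dot or a port), or None."""
    first, sep, _ = image.partition("/")
    if sep and ("." in first or ":" in first):
        return first.lower()
    return None


def check_params(params):
    """Return findings for flat CreateContainerGroup parameters (hypothetical helper)."""
    images, entries = {}, defaultdict(dict)
    for key, value in params.items():
        m = re.fullmatch(r"Container\.(\d+)\.Image", key)
        if m:
            images[int(m.group(1))] = value
        m = re.fullmatch(r"AcrRegistryInfo\.(\d+)\.(\w+)(?:\.\d+)?", key)
        if m:
            entries[int(m.group(1))].setdefault(m.group(2), []).append(value)

    findings = []
    for n, fields in sorted(entries.items()):
        # AcrRegistryInfo.N.InstanceId is mandatory whenever AcrRegistryInfo is used.
        if not any(fields.get("InstanceId", [])):
            findings.append(f"AcrRegistryInfo.{n}: InstanceId is required")
    for n, image in sorted(images.items()):
        host = registry_host(image)
        if host is None:
            findings.append(f"Container.{n}.Image: no registry host, not a Container Registry image")
        elif not STANDARD_EE.match(host) and not entries:
            findings.append(f"Container.{n}.Image: {host} is a non-standard domain "
                            "and no AcrRegistryInfo entry is specified")
    return findings


# Constructed sample: custom domain, no AcrRegistryInfo entry.
SAMPLE = {
    "Container.1.Image": "demo-registry.example.com/eci_test/nginx:1.0",
    "Container.1.Name": "c1",
}

if __name__ == "__main__":
    print(check_params(SAMPLE))
```

An empty result means only that these two conditions hold; it does not confirm that the ACL, the account, or the instance ID is correct.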

You can also use SDKs to specify AcrRegistryInfo-related parameters. The following sample code shows how to use SDK for Python to specify AcrRegistryInfo-related parameters.

#!/usr/bin/env python
# coding=utf-8

from aliyunsdkcore.client import AcsClient
from aliyunsdkcore.acs_exception.exceptions import ClientException
from aliyunsdkcore.acs_exception.exceptions import ServerException
from aliyunsdkeci.request.v20180808.CreateContainerGroupRequest import CreateContainerGroupRequest

# Replace the placeholders with your AccessKey pair. Load the values at run time
# rather than committing them to source control.
client = AcsClient('<accessKeyId>', '<accessSecret>', 'cn-beijing')

request = CreateContainerGroupRequest()
request.set_accept_format('json')

request.set_SecurityGroupId("sg-2zeh4cev9y7ulbr*****")
request.set_VSwitchId("vsw-2zejlv7xjnw61w6z*****")
request.set_ContainerGroupName("test-cri")

# Both containers use images hosted on the custom domain name of the
# Container Registry Enterprise Edition instance.
request.set_Containers([
  {
    "Image": "test****-registry.example.com/eci_test/nginx:1.0",
    "Name": "nginx"
  },
  {
    "Image": "test****-registry.example.com/eci_test/nginx:1.2",
    "Name": "nginx2"
  }
])

# Specify the Container Registry Enterprise Edition instance so that the images
# can be pulled without a secret. InstanceId is required.
request.set_AcrRegistryInfos([
  {
    "RegionId": "cn-beijing",
    "InstanceId": "cri-nwj395hgf6f*****",
    "Domains": [
      "test****-registry.example.com"
    ]
  }
])

response = client.do_action_with_exception(request)
# Python 2: print(response)
print(str(response, encoding='utf-8'))

Use the console

When you create an elastic container instance on the buy page, you can select an image for each container in the Container configurations section. On the Container Registry Enterprise Edition image tab, you can specify an image in the Container Registry Enterprise Edition instance.
