如何解决Jib-Google容器注册表:无法通过错误“无法解析json密钥”向注册表进行身份验证
我想将图片推送到Google的容器注册表中。
我正在使用的命令是(通过Gitlab Ci执行,变量正在工作,需要对其进行一个阶段的测试):
- mvn compile jib:build -Djib.to.image=$registry
-Djib.to.auth.username=_json_key -Djib.to.auth.password=$googleServiceAccount
服务帐户的权限为“存储对象管理”。
错误:(顺便说一句:Spring Boot应用程序正在运行-在舞台上进行测试)
Containerizing application to eu.gcr.io/(project-id),eu.gcr.io/(project-id):version...
[WARNING] Base image 'gcr.io/distroless/java:11' does not use a specific image digest - build may not be reproducible
[INFO] Using credentials from <to><auth> for eu.gcr.io/(project-id)
[INFO] Getting manifest for base image gcr.io/distroless/java:11...
[INFO] Building dependencies layer...
[INFO] Building resources layer...
[INFO] Building classes layer...
[INFO] Using base image with digest: sha256:7fc091e8686df11f7bf0b7f67fd7da9862b2b9a3e49978d1184f0ff62cb673cc
[INFO]
[INFO] ------------------------------------------------------------------------
[INFO] BUILD FAILURE
[INFO] ------------------------------------------------------------------------
[INFO] Total time: 17.432 s
[INFO] Finished at: 2020-09-08T17:20:30Z
[INFO] ------------------------------------------------------------------------
Failed to execute goal com.google.cloud.tools:jib-maven-plugin:2.5.2:build (default-cli) on project projektarbeit: Build image failed,perhaps you should make sure your credentials for 'eu.gcr.io/(project-id)' are set up correctly. See https://github.com/GoogleContainerTools/jib/blob/master/docs/faq.md#what-should-i-do-when-the-registry-responds-with-unauthorized for help: Unauthorized for eu.gcr.io/(project-id): 400 Bad Request
[ERROR] {"errors":[{"code":"UNKNOWN","message":"Unable to parse json key."}]}
作为密码,我尝试除了json文件之外还直接解析以'MIIEv ...'开头的密钥。 (没有\ n和--- BEGIN / END ----)
"private_key": "-----BEGIN PRIVATE KEY-----\nMIIEvQI
我真的希望有人可以帮助我解决这个问题。
解决方法
$googleServiceAccount
的值应为JSON密钥文件的内容(即,不是文件路径),例如
{
"type": "service_account","project_id": "...","private_key_id": "...","private_key": "-----BEGIN PRIVATE KEY-----\nMII...","client_email": "....iam.gserviceaccount.com","client_id": "...","auth_uri": "https://accounts.google.com/o/oauth2/auth","token_uri": "https://oauth2.googleapis.com/token","auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs","client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/....iam.gserviceaccount.com"
}
当然,如果在命令行上运行,则应正确引用/转义内容。
例如,与正式documented一样,如果您使用docker login
在本地登录,则应该是
docker login -u _json_key -p "$(cat keyfile.json)" https://[HOSTNAME]
Google容器注册表(GCR)服务器抱怨(400错误请求,表示您发送了无效/意外请求),因为它无法将$googleServiceAccount
的内容解析为JSON。
因此,我很确定您没有提供密钥文件的全部JSON内容,或者缺少或损坏了导致其无效的JSON结构的内容。仔细检查密钥文件和变量内容。
一个常见的错误是$googleServiceAccount
是密钥文件路径。在这种情况下,这可能会起作用:
mvn compile jib:build \
-Djib.to.image=$registry \
-Djib.to.auth.username=_json_key \
-Djib.to.auth.password="$( cat $googleServiceAccount )"
请注意"$( cat ... )"
,以获取文件中正确转义/引用的JSON内容。
我通过构建包括以下内容的自己的docker镜像解决了这个问题
- 行家
- JDK
- Google SDK。
The command:
- gcloud auth activate-service-account (service-account) --key-file=$googleServiceAccount
- gcloud auth configure-docker
- mvn compile jib:build -Djib.to.image=$registry
令牌是文件而不是密钥
版权声明:本文内容由互联网用户自发贡献,该文观点与技术仅代表作者本人。本站仅提供信息存储空间服务,不拥有所有权,不承担相关法律责任。如发现本站有涉嫌侵权/违法违规的内容, 请发送邮件至 dio@foxmail.com 举报,一经查实,本站将立刻删除。