我想将我的镜像推送到google的容器注册表。
我使用的命令是(通过 Gitlab Ci 执行,变量正在工作,提前一级测试):
- mvn compile jib:build -Djib.to.image=$registry
-Djib.to.auth.username=_json_key -Djib.to.auth.password=$googleServiceAccount
服务帐户的权限是“存储对象管理”。
错误:(顺便说一句:Spring Boot 应用程序正在运行 - 在前面的阶段进行测试)
Containerizing application to eu.gcr.io/(project-id), eu.gcr.io/(project-id):version...
[WARNING] Base image 'gcr.io/distroless/java:11' does not use a specific image digest - build may not be reproducible
[INFO] Using credentials from <to><auth> for eu.gcr.io/(project-id)
[INFO] Getting manifest for base image gcr.io/distroless/java:11...
[INFO] Building dependencies layer...
[INFO] Building resources layer...
[INFO] Building classes layer...
[INFO] Using base image with digest: sha256:7fc091e8686df11f7bf0b7f67fd7da9862b2b9a3e49978d1184f0ff62cb673cc
[INFO]
[INFO] ------------------------------------------------------------------------
[INFO] BUILD FAILURE
[INFO] ------------------------------------------------------------------------
[INFO] Total time: 17.432 s
[INFO] Finished at: 2020-09-08T17:20:30Z
[INFO] ------------------------------------------------------------------------
Failed to execute goal com.google.cloud.tools:jib-maven-plugin:2.5.2:build (default-cli) on project projektarbeit: Build image failed, perhaps you should make sure your credentials for 'eu.gcr.io/(project-id)' are set up correctly. See https://github.com/GoogleContainerTools/jib/blob/master/docs/faq.md#what-should-i-do-when-the-registry-responds-with-unauthorized for help: Unauthorized for eu.gcr.io/(project-id): 400 Bad Request
[ERROR] {"errors":[{"code":"UNKNOWN","message":"Unable to parse json key."}]}
作为密码,除了 json 文件之外,我还尝试直接解析以“MIIEv...”开头的 key 。 (没有\n 和 ---BEGIN/END----)
"private_key": "-----BEGIN PRIVATE KEY-----\nMIIEvQI
我真的希望有人能帮助我解决这个问题。
最佳答案
$googleServiceAccount 的值应该是 JSON key 文件的内容(即不是文件路径),例如
{
"type": "service_account",
"project_id": "...",
"private_key_id": "...",
"private_key": "-----BEGIN PRIVATE KEY-----\nMII...",
"client_email": "....iam.gserviceaccount.com",
"client_id": "...",
"auth_uri": "https://accounts.google.com/o/oauth2/auth",
"token_uri": "https://oauth2.googleapis.com/token",
"auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
"client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/....iam.gserviceaccount.com"
}
当然,如果在命令行上运行,则应正确引用/转义内容。
官方documented ,例如,如果您使用 docker login 在本地登录,则为
docker login -u _json_key -p "$(cat keyfile.json)" https://[HOSTNAME]
Google 容器注册表 (GCR) 服务器正在提示(400 错误请求,意味着您发送了无效/意外的请求),因为它无法将 $googleServiceAccount 的内容解析为 JSON。
因此,我非常确定您没有提供 key 文件的完整 JSON 内容,或者某些内容丢失或损坏,导致其成为无效的 JSON 结构。仔细检查 key 文件和变量内容。
一个常见的错误是 $googleServiceAccount 是关键文件路径。在这种情况下,这可能有效:
mvn compile jib:build \
-Djib.to.image=$registry \
-Djib.to.auth.username=_json_key \
-Djib.to.auth.password="$( cat $googleServiceAccount )"
注意 "$( cat ... )" 以获取文件的正确转义/引用的 JSON 内容。
关于google-cloud-platform - Jib - Google 容器注册表 : can't authenticate to the registry with error "Unable to parse json key",我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/63799168/