# Docker Image Registry Secret

{% hint style="info" %}

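* <mark style="color:blue;">**When you deploy an application that uses a public image, no credentials are needed; the image is pulled straight to the host.**</mark>
* However, <mark style="color:orange;">**pulling an image from a private registry may require authentication first.**</mark> <mark style="color:blue;">**In that case, use the imagePullSecrets field to pass a Secret containing the Docker image registry password to the Kubelet, which can then pull the private image.**</mark>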
  {% endhint %}

First, create a Secret that holds the registry account information. The Secret type is <mark style="color:blue;">**docker-registry**</mark>:

```bash
# Registry address and the account used to pull images
DOCKER_REGISTRY_SERVER=registry.cn-hangzhou.aliyuncs.com
DOCKER_USER=zhang993632987
DOCKER_PASSWORD=zhang19931028
DOCKER_EMAIL=

# Create a Secret of type docker-registry named my-docker-secret
kubectl create secret docker-registry my-docker-secret \
  --docker-email="$DOCKER_EMAIL" \
  --docker-username="$DOCKER_USER" \
  --docker-password="$DOCKER_PASSWORD" \
  --docker-server="$DOCKER_REGISTRY_SERVER"
```

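* **docker-registry**: the Secret type.
* **my-docker-secret**: the name of the Secret.
* **DOCKER\_REGISTRY\_SERVER**: the image registry address.
* **DOCKER\_USER**: the registry username; it must have permission to pull images.
* **DOCKER\_PASSWORD**: the registry password.
* **DOCKER\_EMAIL**: the email address; it may be empty.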

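<mark style="color:blue;">**If you need to access multiple registries, create one Secret per image registry. When a Pod pulls images, the Kubelet merges the imagePullSecrets into .docker/config.json.**</mark> Note that a Secret, like a ConfigMap, must be in the same namespace as the Pod.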
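The following added example (not code from the original page) builds the payload that a docker-registry Secret stores, shows that the password is recoverable from it by plain base64 decoding, and models the per-registry merge described above in a simplified way. The registry hosts, Secret names and credentials are constructed sample values, and `merge_pull_secrets` is a hypothetical helper, not the Kubelet's own logic.

```python
import base64
import json


def dockerconfig(server, username, password, email=""):
    """Build the JSON document stored in a docker-registry Secret."""
    auth = base64.b64encode(f"{username}:{password}".encode()).decode()
    return {"auths": {server: {"username": username, "password": password,
                               "email": email, "auth": auth}}}


def secret_manifest(name, namespace, config):
    """Wrap the config in a Secret of type kubernetes.io/dockerconfigjson."""
    payload = base64.b64encode(json.dumps(config).encode()).decode()
    return {"apiVersion": "v1", "kind": "Secret",
            "metadata": {"name": name, "namespace": namespace},
            "type": "kubernetes.io/dockerconfigjson",
            "data": {".dockerconfigjson": payload}}


def decode_secret(manifest):
    """Recover the registry config; base64 is an encoding, not encryption."""
    if manifest.get("type") != "kubernetes.io/dockerconfigjson":
        raise ValueError("not a docker-registry Secret")
    return json.loads(base64.b64decode(manifest["data"][".dockerconfigjson"]))


def merge_pull_secrets(manifests, pod_namespace):
    """Simplified model of the merge: one credential set per registry."""
    merged = {"auths": {}}
    for m in manifests:
        if m["metadata"]["namespace"] != pod_namespace:
            continue  # a Pod can only reference Secrets in its own namespace
        merged["auths"].update(decode_secret(m)["auths"])
    return merged


# Constructed sample values, not real credentials.
SECRETS = [
    secret_manifest("regcred-a", "default",
                    dockerconfig("registry-a.example.com", "puller", "s3cr3t-a")),
    secret_manifest("regcred-b", "default",
                    dockerconfig("registry-b.example.com", "puller", "s3cr3t-b")),
    secret_manifest("regcred-c", "other",
                    dockerconfig("registry-c.example.com", "puller", "s3cr3t-c")),
]

if __name__ == "__main__":
    print(json.dumps(merge_pull_secrets(SECRETS, "default"), indent=2))
```

Because anyone who can read the Secret can decode the registry password this way, read access to Secrets in the namespace should be limited accordingly.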

After the Secret is created, reference it with the <mark style="color:blue;">**imagePullSecrets**</mark> field:

<details>

<summary>hello.yaml</summary>

```yaml
apiVersion: v1
kind: Pod
metadata:
  name: hello
  labels:
    app: helloworld
spec:
  imagePullSecrets:
  - name: my-docker-secret
  containers:
  - name: redis
    image: redis:7.0.12
    resources:
      limits:
        memory: "128Mi"
        cpu: "500m"
    ports:
      - containerPort: 6379
  - name: web
    image: registry.cn-hangzhou.aliyuncs.com/bohan838/web-redis:1.0
    env:
      - name: spring.redis.host
        value: localhost
    resources:
      limits:
        memory: "250Mi"
        cpu: "500m"
    ports:
      - containerPort: 8890
    livenessProbe:
      tcpSocket:
        port: 8890
      initialDelaySeconds: 30
      timeoutSeconds: 1
  restartPolicy: Always
---
apiVersion: v1
kind: Service
metadata:
  name: hello
spec:
  selector:
    app: helloworld
  ports:
  - port: 8890
    targetPort: 8890
    nodePort: 30001
  type: NodePort
```

</details>

