add docker login using service account tokens #2014
cc @v1k0d3n
cc @brianwcook
I fully support this awesome PR! :)
@@ -128,6 +131,16 @@ Restart the origin service to update the running configuration. | |||
$ sudo docker restart origin | |||
---- | |||
|
ahardin-rh
Jul 1, 2016
Contributor
Please add an anchor right before the heading to ensure that the link above works properly:
[[using-service-account-tokens-for-authentication]]
== Using Service Account Tokens for Authentication
|
||
Typically long-lived, token-based authentication is desired. As an alternative | ||
to using user session tokens that expire, users may use | ||
link:../../admin_guide/service_accounts.html[service account tokens] to |
ahardin-rh
Jul 1, 2016
Contributor
We now use xrefs instead of links. This should now be:
xref:../../admin_guide/service_accounts.adoc[service account tokens]
link:../../admin_guide/service_accounts.html[service account tokens] to | ||
authenticate with docker. This is particularly useful when integrating automation. | ||
See | ||
link:../developers.html#using-service-account-tokens-for-docker-login[quickstart developer guide] |
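Review bot: The opening sentence, "Typically long-lived, token-based authentication is desired", presents a non-expiring credential as the general preference, while the following sentence shows the actual motivation is automation. Suggest scoping the claim to automation, and adding one sentence that a service account token does not expire the way a user session token does, so it has to be stored as a secret and remains usable until it is revoked.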
ahardin-rh
Jul 1, 2016
Contributor
same here:
xref:../developers.adoc#using-service-account-tokens-for-docker-login[quickstart developer guide]
s/see/see the
|
||
=== Using Service Account Tokens for Docker Login | ||
|
||
For long-lived, token-based authentication users may create |
ahardin-rh
Jul 1, 2016
Contributor
comma after authentication
=== Using Service Account Tokens for Docker Login | ||
|
||
For long-lived, token-based authentication users may create | ||
link:../admin_guide/service_accounts.html[service account tokens] to |
ahardin-rh
Jul 1, 2016
Contributor
xref:../admin_guide/service_accounts.adoc#admin-guide-service-accounts[service account tokens]
|
||
For long-lived, token-based authentication users may create | ||
link:../admin_guide/service_accounts.html[service account tokens] to | ||
authenticate with docker. This is particularly useful when integrating automation. |
ahardin-rh
Jul 1, 2016
Contributor
s/docker/Docker
link:../admin_guide/service_accounts.html[service account tokens] to | ||
authenticate with docker. This is particularly useful when integrating automation. | ||
Service accounts must be configured using the CLI. See | ||
link:../cli_reference/get_started_cli.html[getting started with the CLI]. |
ahardin-rh
Jul 1, 2016
Contributor
xref:../cli_reference/get_started_cli.adoc#cli-reference-get-started-cli[getting started with the CLI]
Service accounts must be configured using the CLI. See | ||
link:../cli_reference/get_started_cli.html[getting started with the CLI]. | ||
|
||
. Create a service account in the current project named **push**. |
ahardin-rh
Jul 1, 2016
Contributor
We can keep push in single asterisks vs double. Same for the roles and project names discussed below.
$ oc create serviceaccount push | ||
---- | ||
|
||
. Add the registry role to the service account. In this example we grant the |
ahardin-rh
Jul 1, 2016
Contributor
comma after example
namespace: 8 bytes | ||
---- | ||
|
||
. Copy the token value and use as the value to the **--password** argument in the `docker login` |
ahardin-rh
Jul 1, 2016
Contributor
single asterisks vs. double asterisks around the argument name
---- | ||
|
||
. Copy the token value and use as the value to the **--password** argument in the `docker login` | ||
command. Notice the values for the username and email arguments are not used so |
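Review bot: In the step "Copy the token value and use as the value to the **--password** argument", the token is passed on the `docker login` command line, where it is recorded in shell history and visible in the process list while the command runs. Because this token is long-lived, suggest adding a sentence that warns readers about that exposure and recommends that automation read the token from a protected variable or file instead of embedding it literally in scripts.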
ahardin-rh
Jul 1, 2016
Contributor
s/Notice/Notice that
comma after used
---- | ||
|
||
Service accounts may be deleted, which disables further authentication attempts. | ||
For example, as soon as the service account is deleted `docker push` will no longer |
ahardin-rh
Jul 1, 2016
Contributor
comma after deleted
@ahardin-rh updated, rebased, commits squashed. Thanks!
[rev_history]
This addresses a common question since
docker login -p $(oc whoami -t) -u unused -e unused REGISTRY:5000
expires every 24 hours by default. I suspect we should incorporate some of this as a separate PR for users who do not want or cannot use openshift to perform docker build.