Authentication

Create an access token or service account and start using the Application Collection

Most of the operations available in the Application Collection require authentication, such as: installing a Helm chart, running a container image or consuming the REST API. In this page, you will learn how to generate an access token and configure the most common tools to use the collection.

Creating an access token

Before reading this block, make sure you have an account with access to Application Collection.

An access token lets you authenticate to Application Collection through different non-graphical clients.

  1. Open the web application in your browser of choice and sign in
  2. In the upper-right corner you will see your profile picture. Click on it
  3. In the pop-up, click Settings and later, click Access tokens
  4. Insert a meaningful description for the new token in the input below Create token
  5. Click Create. This will show a green box, with the token contents on it

Token example

Creating a service account

Before reading this block, make sure you have an account with access to Application Collection.

With a service account, you can authenticate to Application Collection on behalf of an organization. This is different from access tokens, which are used to authenticate on behalf of yourself. Service accounts are useful for machine-to-machine communications, like CI pipelines, or service integrations that are company-wide.

To create a Service Account for a given Organization, you must be admin of that org.

  1. Open the webapp in your browser of choice and sign in
  2. In the upper-right corner you will see your profile picture. Click it
  3. In the pop-up, click Settings and later, click Service accounts
  4. Insert a meaningful description for the account in the input below Create service account, and select the target Organization
  5. Click Create. This will show a green box, with the service account contents on it

Service account example

Using CLI tools

At this point, you already created either an access token (AT) or a service account (SA), but you are not sure about how to use it. Below we will show you how to quickly use it with docker, podman, helm, kubectl and curl.

Every time an access token or service account is created, copy-pastable helper commands are shown for configuring the token inmediately.

Docker

To set up Docker, you will need to open a terminal and run:

docker login dp.apps.rancher.io/containers -u <your-suse-username-or-sa-username> -p <acces-token-or-sa-token>

After that, you can check the configuration by pulling an image. This is an example of the output you should get upon a successful pull:

$ docker pull dp.apps.rancher.io/containers/openjdk:17.0.10
17.0.10: Pulling from containers/openjdk
26cbacfd9b54: Pull complete 
d3e7d6906a04: Pull complete 
Digest: sha256:0f14a2a18e441da428b63e3854fe29fa6f9f20af5b99ba9780adb36bee65f5e4
Status: Downloaded newer image for dp.apps.rancher.io/containers/openjdk:17.0.10
dp.apps.rancher.io/containers/openjdk:17.0.10

Podman

You can also configure Podman to pull images from Application Collection. Execute the following command:

podman login dp.apps.rancher.io/containers -u <your-suse-username-or-sa-username> -p <acces-token-or-sa-token>

You can verify that the configuration is correct by pulling an image, for example:

$ podman pull dp.apps.rancher.io/containers/ruby:3.3.0
Trying to pull dp.apps.rancher.io/containers/ruby:3.3.0...
Getting image source signatures
Copying blob sha256:6911d8a6e0d680cdfa227956a00667fe6cd1e2c111fa3c588d1cccc0b621bfe2
Copying blob sha256:4191f2fe96e960b152f79a6b0dcb40ad599b834e72b79edc61e6a627fec776c7
Copying config sha256:c7b272c4b0b6d09b43a32cf3215d0c86c5f148c00d6d049755f292e1c018cfa6
Writing manifest to image destination
c7b272c4b0b6d09b43a32cf3215d0c86c5f148c00d6d049755f292e1c018cfa6

Helm

Configuring Helm to use Application Collection is a matter of running a single command:

helm registry login dp.apps.rancher.io/charts -u <your-suse-username-or-sa-username> -p <acces-token-or-sa-token>

You can check that it worked by pulling one of the Collection’s charts:

$ helm pull oci://dp.apps.rancher.io/charts/apache-apisix --version 2.4.0    
Pulled: dp.apps.rancher.io/charts/apache-apisix:2.4.0
Digest: sha256:533b7684559691782b42ee81bfde1a19ddfe81eb7cce108b01435ce7d25a7027

NOTE: If you want to install charts on a Kubernetes cluster, continue to the next section.

Kubernetes

To deploy images from Application Collection to k8s workloads, you will need to configure a Kubernetes pull secret:

kubectl create secret docker-registry application-collection --docker-server=dp.apps.rancher.io --docker-username=<your-suse-username-or-sa-username> --docker-password=<acces-token-or-sa-token>

After that, you should be able to run any workload using our images:

$ kubectl run nginx --image dp.apps.rancher.io/containers/nginx:1.24.0 --overrides='{"spec": {"imagePullSecrets":[{"name": "application-collection"}]}}'
$ kubectl get pod nginx
NAME    READY   STATUS    RESTARTS   AGE
nginx   1/1     Running   0          10s

There are other ways of passing the imagePullSecret that may fit your needs better. For that, you can check this article.

cURL

If you get to this point, you may want to start using the REST API.

This is an example of making a request with cURL, that uses basic authentication with the newly created token:

curl -u <your-suse-username-or-sa-username>:<acces-token-or-sa-token> https://api.apps.rancher.io/v1/applications

If you’re going to use the API intensively, we suggest using other tools such as Postman or the embedded Swagger UI. In any case, you will need to pick basic authentication, using your email as username and token as password.

Last modified September 12, 2024