CloudTruth Documentation
Copyright© 2023 CloudTruth

K8s pull image from private Docker registry

Last updated 3 years ago

Overview

This article shows various methods that use CloudTruth and KubeTruth to create a Kubernetes Secret of type: kubernetes.io/dockerconfigjson, which lets you create pods that use this Secret to pull an image from a private docker registry or repository.

Resolution

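  • Method 1: kubectl apply from a CloudTruth template.

  • Method 2: KubeTruth project mapping override with a base64 encoded Docker configfile.

  • Method 3: KubeTruth project mapping override with Docker login.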

Method 1: kubectl apply from a CloudTruth template

  1. Run docker login.

  2. base64 encode your existing Docker config file:

      base64 /home/$USER/.docker/config.json

  3. Add the base64 encoded config.json string as a CloudTruth parameter of type:secret named configjson in a CloudTruth project called K8s.

  4. Create a CloudTruth template named regcred and, if required, customize the YAML for your namespace.

      apiVersion: v1
      kind: Secret
      metadata:
        name: myregistrykey
      data:
        .dockerconfigjson: {{configjson}}
      type: kubernetes.io/dockerconfigjson

  5. Run kubectl apply -f <(cloudtruth --project K8s template get regcred)

  6. You can now inspect the secret and use the created secret in pods.

      kubectl get secret myregistrykey --output=yaml

Method 2: project mapping override with a base64 encoded Docker configfile

  1. Run docker login.

  2. base64 encode your existing Docker config file:

      base64 /home/$USER/.docker/config.json

  3. Add the base64 encoded config.json string as a CloudTruth parameter of type:secret named configjson in a CloudTruth project called K8s.

  4. Create a KubeTruth override in the namespace where KubeTruth is operating that will automatically create the K8s kubernetes.io/dockerconfigjson Secret.

      kubectl apply -n demokubetruth -f - <<EOF
      apiVersion: kubetruth.cloudtruth.com/v1
      kind: ProjectMapping
      metadata:
        name: docker-configure
      spec:
        resource_templates:
          docker: |
            apiVersion: v1
            kind: Secret
            metadata:
              name: docker-reg-cred
            type: kubernetes.io/dockerconfigjson
            data:
              .dockerconfigjson: {{secrets["configjson"]}}
        scope: override
        project_selector: K8s
        skip: false
        key_selector: config*
      EOF

  5. You can now inspect the secret and use the created secret in pods.

      kubectl get secret docker-reg-cred --output=yaml -n demokubetruth

Method 3: project mapping override with Docker login.

  1. Create a dedicated CloudTruth project named dockerconfigure that contains the following docker login keys and values.

      cloudtruth --project dockerconfigure p ls -v
      +----------+---------------------------------+---------+----------+--------+-------------+
      | Name     | Value                           | Source  | Type     | Secret | Description |
      +----------+---------------------------------+---------+----------+--------+-------------+
      | email    | darryl.diosomito@cloudtruth.com | default | internal | false  |             |
      | password | *****                           | default | internal | true   |             |
      | registry | https://index.docker.io/v2/     | default | internal | false  |             |
      | username | diosodtuono                     | default | internal | false  |             |
      +----------+---------------------------------+---------+----------+--------+-------------+

  2. Create the KubeTruth override below in the namespace where KubeTruth is operating. This will automatically base64 encode and create the K8s kubernetes.io/dockerconfigjson Secret based on your docker login and registry information in the CloudTruth project.

      kubectl apply -n demokubetruth -f - <<EOF
      apiVersion: kubetruth.cloudtruth.com/v1
      kind: ProjectMapping
      metadata:
        name: docker-configure
      spec:
        resource_templates:
          docker: |
            apiVersion: v1
            kind: Secret
            metadata:
              name: docker-reg-cred
            type: kubernetes.io/dockerconfigjson
            data:
              .dockerconfigjson: |
                {% capture auth -%}
                {{parameters["username"] }}:{{secrets["password"]}}
                {%- endcapture -%}
                {% assign auth64 = auth | encode64  %}
                {%- capture dockerconfigjson -%}
                {"auths":{"{{ parameters["registry"] }}":{"username":"{{ parameters["username"] }}","password":"{{secrets["password"]}}","email":"{{ parameters["email"] }}","auth":"{{auth64}}"}}}
                {%- endcapture -%}

                {{ dockerconfigjson | encode64 }}
        scope: override
        project_selector: dockerconfigure
        skip: false
      EOF

  3. You can now inspect the secret and use the created secret in pods.

      kubectl get secret docker-reg-cred --output=yaml -n demokubetruth
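
Added example (not from the original article, and not CloudTruth or KubeTruth code): a Python check for the base64 value stored as configjson in Methods 1 and 2, together with a builder that follows the same steps as the Method 3 template. The function names and the sample registry and credentials are constructed for illustration.

```python
import base64
import json


def build_dockerconfigjson(registry, username, password, email):
    """Same steps as the Method 3 template: auth64, JSON document, base64."""
    auth64 = base64.b64encode(f"{username}:{password}".encode()).decode()
    doc = {"auths": {registry: {"username": username, "password": password,
                                "email": email, "auth": auth64}}}
    return base64.b64encode(json.dumps(doc, separators=(",", ":")).encode()).decode()


def check_dockerconfigjson(value):
    """Return a list of problems in a base64 .dockerconfigjson value ([] if usable)."""
    problems = []
    # GNU base64 wraps at 76 columns unless -w 0 is given; the templates expect one line.
    if any(ch.isspace() for ch in value.strip()):
        problems.append("wrapped: value contains line breaks or spaces")
    try:
        doc = json.loads(base64.b64decode("".join(value.split()), validate=True))
    except ValueError:  # binascii.Error, bad UTF-8 and bad JSON are all ValueError
        return problems + ["invalid: not base64-encoded JSON"]
    if not isinstance(doc, dict):
        return problems + ["invalid: top level is not a JSON object"]
    # With a credential helper, docker login stores nothing usable in config.json.
    if "credsStore" in doc or "credHelpers" in doc:
        problems.append("helper: credentials are held by a Docker credential helper")
    auths = doc.get("auths")
    if not isinstance(auths, dict) or not auths:
        return problems + ["empty: no registries under 'auths'"]
    for registry, entry in auths.items():
        entry = entry if isinstance(entry, dict) else {}
        try:
            decoded = base64.b64decode(str(entry.get("auth") or ""), validate=True).decode()
        except ValueError:
            decoded = ""
        pair_ok = entry.get("username") and entry.get("password")
        if not (all(decoded.partition(":")) or pair_ok):
            problems.append(f"noauth: {registry} has no usable credentials")
    return problems


# Constructed sample values, not real credentials.
GOOD = build_dockerconfigjson("registry.example.test", "demo-user", "demo-pass", "demo@example.test")
HELPER = base64.b64encode(json.dumps(
    {"auths": {"registry.example.test": {}}, "credsStore": "desktop"}).encode()).decode()

if __name__ == "__main__":
    print({"good": check_dockerconfigjson(GOOD), "helper": check_dockerconfigjson(HELPER)})
```

Running the check before storing the parameter catches a config.json written by a credential helper, which would otherwise produce a Secret that cannot pull images.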