K8s pull image from private Docker registry

Overview

This article will show you how various methods utilizing CloudTruth and KubeTruth to create a Kubernetes Secret type: kubernetes.io/dockerconfigjson that allows you to create pods that use this Secret to pull an image from a private docker registry or repository.

Resolution

• Method 1: kubectl apply from a CloudTruth template.

• Method 2: KubeTruth project mapping override with a base64 encoded Docker configfile.

• Method 3: KubeTruth project mapping override with Docker login.

Method 1: kubectl apply from a CloudTruth template

1. run docker login

2. base64 encode your existing dockerfile

   1. base64 /home/$USER/.docker/config.json

3. Add the config.json base64 encoded string as a CloudTruth parameter type:secret named configjson in a CloudTruth project called K8s.

4. Create a CloudTruth template regcred and if required customize the yaml to your namespace.

   1. Copy

      apiVersion: v1
      kind: Secret
      metadata:
        name: myregistrykey
      data:
        .dockerconfigjson: {{configjson}}
      type: kubernetes.io/dockerconfigjson

5. Run kubectl apply -f <(cloudtruth --project K8s template get regcred)

6. You can now inspect the secret and use the created secret in pods. kubectl get secret myregistrykey --output=yaml

Method 2: KubeTruth project mapping override with a base64 encoded Docker configfile

1. run docker login

2. base64 encode your existing dockerfile

   1. base64 /home/$USER/.docker/config.json

3. Add the config.json base64 encoded string as a CloudTruth parameter type:secret named configjson in a CloudTruth project called K8s.

4. Create a KubeTruth override in the namespace where KubeTruth is operating that will automatically create the K8s kubernetes.io/dockerconfigjson Secret.

   1. Copy

      kubectl apply -n demokubetruth -f - <<EOF
      apiVersion: kubetruth.cloudtruth.com/v1
      kind: ProjectMapping
      metadata:
        name: docker-configure
      spec:
        resource_templates:
          docker: |
            apiVersion: v1
            kind: Secret
            metadata:
              name: docker-reg-cred
            type: kubernetes.io/dockerconfigjson
            data:
              .dockerconfigjson: {{secrets["configjson"]}}
        scope: override
        project_selector: K8s
        skip: false
        key_selector: config*
      EOF

5. You can now inspect the secret and use the created secret in pods. kubectl get secret docker-reg-cred --output=yaml -n demokubetruth

Method 3: KubeTruth project mapping override with Docker login.

1. Create a dedicated CloudTruth project named dockerconfigure that contains the following docker login keys and values.

   1. Copy

      cloudtruth --project dockerconfigure p ls -v
      +----------+---------------------------------+---------+----------+--------+-------------+
      | Name     | Value                           | Source  | Type     | Secret | Description |
      +----------+---------------------------------+---------+----------+--------+-------------+
      | email    | darryl.diosomito@cloudtruth.com | default | internal | false  |             |
      | password | *****                           | default | internal | true   |             |
      | registry | https://index.docker.io/v2/     | default | internal | false  |             |
      | username | diosodtuono                     | default | internal | false  |             |
      +----------+---------------------------------+---------+----------+--------+-------------+

2. Create the KubeTruth override below in the namespace where KubeTruth is operating. This will automatically base64 encode and create the K8s kubernetes.io/dockerconfigjson Secret based on your docker login and registry information in the CloudTruth project.

   1. Copy

      kubectl apply -n demokubetruth -f - <<EOF
      apiVersion: kubetruth.cloudtruth.com/v1
      kind: ProjectMapping
      metadata:
        name: docker-configure
      spec:
        resource_templates:
          docker: |
            apiVersion: v1
            kind: Secret
            metadata:
              name: docker-reg-cred
            type: kubernetes.io/dockerconfigjson
            data:
              .dockerconfigjson: |
                
      {% capture auth -%} 
                {{parameters["username"] }}:{{secrets["password"]}}
                {%- endcapture -%}
                {% assign auth64 = auth | encode64  %}
                {%- capture dockerconfigjson -%} 
                {"auths":{"{{ parameters["registry"] }}":{"username":"{{ parameters["username"] }}","password":"{{secrets["password"]}}","email":"{{ parameters["email"] }}","auth":"{{auth64}}"}}}
                {%- endcapture -%}
      
                {{ dockerconfigjson | encode64 }}
        scope: override
        project_selector: dockerconfigure
        skip: false
      EOF

   2. You can now inspect the secret and use the created secret in pods. kubectl get secret docker-reg-cred --output=yaml -n demokubetruth