K8s pull image from private Docker registry

Overview

This article shows several methods that use CloudTruth and KubeTruth to create a Kubernetes Secret of type kubernetes.io/dockerconfigjson, so that pods using this Secret can pull an image from a private Docker registry or repository.

Resolution

Method 1: kubectl apply from a CloudTruth template

  1. Run docker login.
  2. Base64-encode your existing Docker config file (config.json):

       base64 /home/$USER/.docker/config.json

     GNU coreutils base64 wraps its output at 76 columns by default; pass -w 0 so the encoded value is a single line that fits the YAML value below.
  3. Add the base64-encoded config.json string as a CloudTruth parameter of type secret, named configjson, in a CloudTruth project called K8s.
  4. Create a CloudTruth template named regcred and, if required, customize the YAML for your namespace:

       apiVersion: v1
       kind: Secret
       metadata:
         name: myregistrykey
       data:
         .dockerconfigjson: {{configjson}}
       type: kubernetes.io/dockerconfigjson

  5. Run kubectl apply -f <(cloudtruth --project K8s template get regcred)
  6. You can now inspect the secret and use it in pods: kubectl get secret myregistrykey --output=yaml

Method 2: KubeTruth project mapping override with a base64 encoded Docker configfile

  1. Run docker login.
  2. Base64-encode your existing Docker config file (config.json); on GNU coreutils add -w 0 so the output is a single line:

       base64 /home/$USER/.docker/config.json

  3. Add the base64-encoded config.json string as a CloudTruth parameter of type secret, named configjson, in a CloudTruth project called K8s.
  4. Create a KubeTruth override in the namespace where KubeTruth is operating; it will automatically create the Kubernetes Secret of type kubernetes.io/dockerconfigjson:

       kubectl apply -n demokubetruth -f - <<EOF
       apiVersion: kubetruth.cloudtruth.com/v1
       kind: ProjectMapping
       metadata:
         name: docker-configure
       spec:
         resource_templates:
           docker: |
             apiVersion: v1
             kind: Secret
             metadata:
               name: docker-reg-cred
             type: kubernetes.io/dockerconfigjson
             data:
               .dockerconfigjson: {{secrets["configjson"]}}
         scope: override
         project_selector: K8s
         skip: false
         key_selector: config*
       EOF

  5. You can now inspect the secret and use it in pods: kubectl get secret docker-reg-cred --output=yaml -n demokubetruth

Method 3: KubeTruth project mapping override with Docker login

  1. Create a dedicated CloudTruth project named dockerconfigure that contains the following docker login keys and values:

       cloudtruth --project dockerconfigure p ls -v
       +----------+---------------------------------+---------+----------+--------+-------------+
       | Name     | Value                           | Source  | Type     | Secret | Description |
       +----------+---------------------------------+---------+----------+--------+-------------+
       | email    | [email protected]                 | default | internal | false  |             |
       | password | *****                           | default | internal | true   |             |
       | registry | https://index.docker.io/v2/     | default | internal | false  |             |
       | username | diosodtuono                     | default | internal | false  |             |
       +----------+---------------------------------+---------+----------+--------+-------------+

  2. Create the KubeTruth override below in the namespace where KubeTruth is operating. It will automatically base64-encode and create the Kubernetes Secret of type kubernetes.io/dockerconfigjson from the docker login and registry values in the CloudTruth project:

       kubectl apply -n demokubetruth -f - <<EOF
       apiVersion: kubetruth.cloudtruth.com/v1
       kind: ProjectMapping
       metadata:
         name: docker-configure
       spec:
         resource_templates:
           docker: |
             apiVersion: v1
             kind: Secret
             metadata:
               name: docker-reg-cred
             type: kubernetes.io/dockerconfigjson
             data:
               .dockerconfigjson: |
                 {% capture auth -%}
                 {{parameters["username"] }}:{{secrets["password"]}}
                 {%- endcapture -%}
                 {% assign auth64 = auth | encode64 %}
                 {%- capture dockerconfigjson -%}
                 {"auths":{"{{ parameters["registry"] }}":{"username":"{{ parameters["username"] }}","password":"{{secrets["password"]}}","email":"{{ parameters["email"] }}","auth":"{{auth64}}"}}}
                 {%- endcapture -%}

                 {{ dockerconfigjson | encode64 }}
         scope: override
         project_selector: dockerconfigure
         skip: false
       EOF

  3. You can now inspect the secret and use it in pods: kubectl get secret docker-reg-cred --output=yaml -n demokubetruth
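As an added example (not code from this article, CloudTruth or KubeTruth), the following Python builds the same .dockerconfigjson value that the Method 3 Liquid template renders, and checks a value read back from a Secret created by any of the three methods for the mistakes that later show up as ImagePullBackOff (line-wrapped base64, an "auth" field that disagrees with username:password). The registry, username, password and email are constructed sample values.

```python
import base64
import json

# Constructed sample login (not values from the article).
SAMPLE_REGISTRY = "https://index.docker.io/v2/"
SAMPLE_USERNAME = "example-user"
SAMPLE_PASSWORD = "example-password"
SAMPLE_EMAIL = "user@example.com"


def build_dockerconfigjson(registry, username, password, email):
    """Return the base64 value for Secret.data[".dockerconfigjson"].

    Same layout as ~/.docker/config.json after `docker login` and as the
    Method 3 Liquid template: "auth" is base64("username:password") and the
    whole JSON document is base64-encoded once more.
    """
    auth = base64.b64encode(f"{username}:{password}".encode()).decode()
    entry = {"username": username, "password": password, "email": email, "auth": auth}
    config = {"auths": {registry: entry}}
    return base64.b64encode(json.dumps(config).encode()).decode()


def verify_dockerconfigjson(data_value):
    """Validate a .dockerconfigjson data value; return the registries it covers.

    Raises ValueError for: line-wrapped base64 (GNU base64 without -w 0),
    a value that is not base64-encoded JSON, a missing "auths" map, or an
    "auth" field that disagrees with the username/password beside it.
    """
    if any(ch.isspace() for ch in data_value):
        raise ValueError("base64 value contains whitespace; re-encode it on a single line")
    try:
        config = json.loads(base64.b64decode(data_value, validate=True))
    except ValueError as exc:  # binascii.Error and JSONDecodeError are ValueErrors
        raise ValueError(f"value is not base64-encoded JSON: {exc}") from exc
    auths = config.get("auths") if isinstance(config, dict) else None
    if not isinstance(auths, dict) or not auths:
        raise ValueError('decoded document has no "auths" map')
    for registry, entry in auths.items():
        if isinstance(entry, dict) and {"auth", "username", "password"} <= set(entry):
            expected = f"{entry['username']}:{entry['password']}".encode()
            if base64.b64decode(entry["auth"]) != expected:
                raise ValueError(f'"auth" for {registry} does not match username:password')
    return sorted(auths)
```

To check a live Secret, feed verify_dockerconfigjson the output of kubectl get secret docker-reg-cred -n demokubetruth -o jsonpath='{.data.\.dockerconfigjson}'.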