K8s pull image from private Docker registry
This article shows several methods that use CloudTruth and KubeTruth to create a Kubernetes Secret of type kubernetes.io/dockerconfigjson, which lets you create pods that use the Secret to pull an image from a private Docker registry or repository.

- 1. Run
    docker login
- 2.
    base64 /home/$USER/.docker/config.json
- 3. Add the base64-encoded config.json string as a CloudTruth parameter (type: secret) named configjson in a CloudTruth project called K8s.
- 4.
    apiVersion: v1
    kind: Secret
    metadata:
      name: myregistrykey
    data:
      .dockerconfigjson: {{configjson}}
    type: kubernetes.io/dockerconfigjson
- 5. Run
    kubectl apply -f <(cloudtruth --project K8s template get regcred)
- 6. You can now inspect the secret and use the created secret in pods.
    kubectl get secret myregistrykey --output=yaml

- 1. Run
    docker login
- 2.
    base64 /home/$USER/.docker/config.json
- 3. Add the base64-encoded config.json string as a CloudTruth parameter (type: secret) named configjson in a CloudTruth project called K8s.
- 4. Create a KubeTruth override in the namespace where KubeTruth is operating that will automatically create the K8s kubernetes.io/dockerconfigjson Secret.
    kubectl apply -n demokubetruth -f - <<EOF
    apiVersion: kubetruth.cloudtruth.com/v1
    kind: ProjectMapping
    metadata:
      name: docker-configure
    spec:
      resource_templates:
        docker: |
          apiVersion: v1
          kind: Secret
          metadata:
            name: docker-reg-cred
          type: kubernetes.io/dockerconfigjson
          data:
            .dockerconfigjson: {{secrets["configjson"]}}
      scope: override
      project_selector: K8s
      skip: false
      key_selector: config*
    EOF
- 5. You can now inspect the secret and use the created secret in pods.
    kubectl get secret docker-reg-cred --output=yaml -n demokubetruth

- 1. Create a dedicated CloudTruth project named dockerconfigure that contains the following docker login keys and values.
    cloudtruth --project dockerconfigure p ls -v
    +----------+---------------------------------+---------+----------+--------+-------------+
    | Name     | Value                           | Source  | Type     | Secret | Description |
    +----------+---------------------------------+---------+----------+--------+-------------+
    | email    | darryl.diosom[email protected]  | default | internal | false  |             |
    | password | *****                           | default | internal | true   |             |
    | registry | https://index.docker.io/v2/     | default | internal | false  |             |
    | username | diosodtuono                     | default | internal | false  |             |
    +----------+---------------------------------+---------+----------+--------+-------------+
- 2. Create the KubeTruth override below in the namespace where KubeTruth is operating. This will automatically base64 encode and create the K8s kubernetes.io/dockerconfigjson Secret based on your docker login and registry information in the CloudTruth project.
    kubectl apply -n demokubetruth -f - <<EOF
    apiVersion: kubetruth.cloudtruth.com/v1
    kind: ProjectMapping
    metadata:
      name: docker-configure
    spec:
      resource_templates:
        docker: |
          apiVersion: v1
          kind: Secret
          metadata:
            name: docker-reg-cred
          type: kubernetes.io/dockerconfigjson
          data:
            .dockerconfigjson: |
              {% capture auth -%}{{parameters["username"] }}:{{secrets["password"]}}{%- endcapture -%}
              {% assign auth64 = auth | encode64 %}
              {%- capture dockerconfigjson -%}
              {"auths":{"{{ parameters["registry"] }}":{"username":"{{ parameters["username"] }}","password":"{{secrets["password"]}}","email":"{{ parameters["email"] }}","auth":"{{auth64}}"}}}
              {%- endcapture -%}
              {{ dockerconfigjson | encode64 }}
      scope: override
      project_selector: dockerconfigure
      skip: false
    EOF
- 3. You can now inspect the secret and use the created secret in pods.
    kubectl get secret docker-reg-cred --output=yaml -n demokubetruth
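
As an added example (not code from CloudTruth or KubeTruth), the Python below builds the same .dockerconfigjson value that the template above assembles from the four project parameters, and checks a base64 value before it is stored as the configjson parameter. The function names and the sample registry and credentials are constructed for illustration.

```python
import base64
import json


def build_dockerconfigjson(registry, username, password, email):
    """Base64 .dockerconfigjson value built from the four project parameters."""
    auth = base64.b64encode(f"{username}:{password}".encode()).decode()
    doc = {"auths": {registry: {"username": username, "password": password,
                                "email": email, "auth": auth}}}
    # json.dumps escapes quotes and backslashes in the values; the template
    # on this page interpolates them as-is.
    return base64.b64encode(json.dumps(doc).encode()).decode()


def check_dockerconfigjson(value):
    """Return a list of problems found in a base64 .dockerconfigjson value."""
    if any(ch.isspace() for ch in value.strip()):
        return ["value is split by whitespace; store it as one unbroken line"]
    try:
        doc = json.loads(base64.b64decode(value.strip(), validate=True))
    except ValueError as exc:  # covers binascii.Error and JSON/UTF-8 errors
        return [f"not base64-encoded JSON: {exc}"]
    auths = doc.get("auths") if isinstance(doc, dict) else None
    if not isinstance(auths, dict) or not auths:
        return ["no 'auths' object with at least one registry"]
    problems = []
    for registry, entry in auths.items():
        auth = entry.get("auth") if isinstance(entry, dict) else None
        if not auth:  # typical when docker login used a credential helper
            problems.append(f"{registry}: no 'auth' (credsStore={doc.get('credsStore')!r})")
            continue
        try:
            user, sep, _ = base64.b64decode(auth, validate=True).decode().partition(":")
        except ValueError:
            problems.append(f"{registry}: 'auth' is not valid base64 text")
            continue
        if not sep or not user:
            problems.append(f"{registry}: 'auth' is not 'username:password'")
    return problems


# Constructed sample inputs (not real credentials).
GOOD = build_dockerconfigjson("https://registry.example.test/v2/", "alice",
                              'p"ss\\word', "alice@example.test")
HELPER_ONLY = base64.b64encode(json.dumps(
    {"auths": {"https://registry.example.test/v2/": {}},
     "credsStore": "desktop"}).encode()).decode()

print(check_dockerconfigjson(GOOD) or "ok", check_dockerconfigjson(HELPER_ONLY))
```

An empty list means the value has the shape the kubelet expects; the second sample shows the result when config.json holds only a credential-helper reference and no inline credential.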