K8s pull image from private Docker registry

Overview

This article shows several methods that use CloudTruth and KubeTruth to create a Kubernetes Secret of type kubernetes.io/dockerconfigjson. Pods can reference that Secret as an imagePullSecret to pull images from a private Docker registry or repository.

Resolution

Method 1: kubectl apply from a CloudTruth template

  1. Run docker login.
  2. base64 encode your existing Docker config file (the config.json that docker login writes, not a Dockerfile):

       base64 -w 0 /home/$USER/.docker/config.json

     The -w 0 option (GNU coreutils) disables the 76-column line wrapping that would otherwise split the value over several lines and break the single-line data entry in the Secret. On a base64 that lacks -w, pipe the output through tr -d '\n' instead.
  3. Add the base64 encoded config.json string as a CloudTruth parameter of type secret named configjson in a CloudTruth project called K8s.
  4. Create a CloudTruth template named regcred and, if required, customize the YAML to your namespace:

       apiVersion: v1
       kind: Secret
       metadata:
         name: myregistrykey
       data:
         .dockerconfigjson: {{configjson}}
       type: kubernetes.io/dockerconfigjson

  5. Render the template and apply it:

       kubectl apply -f <(cloudtruth --project K8s template get regcred)

  6. You can now inspect the secret and use the created secret in pods:

       kubectl get secret myregistrykey --output=yaml

Method 2: KubeTruth project mapping override with a base64 encoded Docker config file

  1. Run docker login.
  2. base64 encode your existing Docker config file (the config.json that docker login writes, not a Dockerfile):

       base64 -w 0 /home/$USER/.docker/config.json

     As in Method 1, -w 0 keeps the encoded value on a single line; on a base64 without -w, pipe the output through tr -d '\n'.
  3. Add the base64 encoded config.json string as a CloudTruth parameter of type secret named configjson in a CloudTruth project called K8s.
  4. Create a KubeTruth override in the namespace where KubeTruth is operating. KubeTruth will then automatically create the kubernetes.io/dockerconfigjson Secret:

       kubectl apply -n demokubetruth -f - <<EOF
       apiVersion: kubetruth.cloudtruth.com/v1
       kind: ProjectMapping
       metadata:
         name: docker-configure
       spec:
         resource_templates:
           docker: |
             apiVersion: v1
             kind: Secret
             metadata:
               name: docker-reg-cred
             type: kubernetes.io/dockerconfigjson
             data:
               .dockerconfigjson: {{secrets["configjson"]}}
         scope: override
         project_selector: K8s
         skip: false
         key_selector: config*
       EOF

  5. You can now inspect the secret and use the created secret in pods:

       kubectl get secret docker-reg-cred --output=yaml -n demokubetruth

Method 3: KubeTruth project mapping override with Docker login

  1. Create a dedicated CloudTruth project named dockerconfigure that contains the following docker login keys and values (password stored as a secret):

       cloudtruth --project dockerconfigure p ls -v
       +----------+---------------------------------+---------+----------+--------+-------------+
       | Name     | Value                           | Source  | Type     | Secret | Description |
       +----------+---------------------------------+---------+----------+--------+-------------+
       | email    | darryl.diosom[email protected]  | default | internal | false  |             |
       | password | *****                           | default | internal | true   |             |
       | registry | https://index.docker.io/v2/     | default | internal | false  |             |
       | username | diosodtuono                     | default | internal | false  |             |
       +----------+---------------------------------+---------+----------+--------+-------------+

  2. Create the KubeTruth override below in the namespace where KubeTruth is operating. The Liquid template builds the auth field as base64("username:password"), assembles the config.json document from the registry, username, password and email parameters, base64 encodes the whole document, and creates the kubernetes.io/dockerconfigjson Secret from it:

       kubectl apply -n demokubetruth -f - <<EOF
       apiVersion: kubetruth.cloudtruth.com/v1
       kind: ProjectMapping
       metadata:
         name: docker-configure
       spec:
         resource_templates:
           docker: |
             apiVersion: v1
             kind: Secret
             metadata:
               name: docker-reg-cred
             type: kubernetes.io/dockerconfigjson
             data:
               .dockerconfigjson: |
                 {% capture auth -%}
                 {{parameters["username"] }}:{{secrets["password"]}}
                 {%- endcapture -%}
                 {% assign auth64 = auth | encode64 %}
                 {%- capture dockerconfigjson -%}
                 {"auths":{"{{ parameters["registry"] }}":{"username":"{{ parameters["username"] }}","password":"{{secrets["password"]}}","email":"{{ parameters["email"] }}","auth":"{{auth64}}"}}}
                 {%- endcapture -%}
                 {{ dockerconfigjson | encode64 }}
         scope: override
         project_selector: dockerconfigure
         skip: false
       EOF

  3. You can now inspect the secret and use the created secret in pods:

       kubectl get secret docker-reg-cred --output=yaml -n demokubetruth
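The following shell script is an added example, not CloudTruth or KubeTruth code. It reproduces in plain POSIX shell what the Method 3 Liquid template renders (the same auth = base64("username:password") field and the same single-registry config.json document), emits a Secret manifest in the shape Method 1 and Method 2 produce, and adds the check a practitioner wants before or after applying any of the three methods: decode the .dockerconfigjson value and confirm it is valid base64 whose auths map contains the expected registry. All function names and credential values below are constructed placeholders; base64 output is passed through tr -d '\n' so it works on both GNU and BSD base64 without relying on -w.

```shell
#!/bin/sh
# Added example (not CloudTruth/KubeTruth code). Builds and checks a
# kubernetes.io/dockerconfigjson payload. Credentials are constructed
# placeholders for illustration only.

# Base64-encode stdin with no line wrapping, the form a Secret's data:
# field needs (GNU base64 wraps at 76 columns by default).
b64_nowrap() {
  base64 | tr -d '\n'
}

# Render the JSON body of ~/.docker/config.json for one registry.
# Mirrors the Method 3 template: auth = base64("username:password").
# Usage: make_dockerconfigjson <registry> <username> <password> <email>
make_dockerconfigjson() {
  registry=$1; username=$2; password=$3; email=$4
  auth=$(printf '%s:%s' "$username" "$password" | b64_nowrap)
  printf '{"auths":{"%s":{"username":"%s","password":"%s","email":"%s","auth":"%s"}}}' \
    "$registry" "$username" "$password" "$email" "$auth"
}

# Emit a Secret manifest equivalent to the ones the templates produce.
# Usage: render_secret <name> <namespace> <dockerconfigjson-string>
render_secret() {
  name=$1; namespace=$2; payload=$3
  encoded=$(printf '%s' "$payload" | b64_nowrap)
  cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: $name
  namespace: $namespace
type: kubernetes.io/dockerconfigjson
data:
  .dockerconfigjson: $encoded
EOF
}

# Check an encoded .dockerconfigjson value: it must decode as base64 and
# the decoded JSON must carry an "auths" entry for the expected registry.
# Returns 0 when the check passes, 1 otherwise.
# Usage: verify_payload <encoded-dockerconfigjson> <registry>
verify_payload() {
  encoded=$1; registry=$2
  decoded=$(printf '%s' "$encoded" | base64 -d 2>/dev/null) || return 1
  case $decoded in
    *'"auths"'*"\"$registry\""*) return 0 ;;
    *) return 1 ;;
  esac
}

# Stand-alone demo: build a manifest, then verify what it would store.
# To check a Secret already in the cluster, feed the stored value instead:
#   kubectl get secret docker-reg-cred -n demokubetruth \
#     -o jsonpath='{.data.\.dockerconfigjson}'
if [ "${1:-}" = "demo" ]; then
  payload=$(make_dockerconfigjson https://index.docker.io/v2/ alice s3cret alice@example.com)
  render_secret docker-reg-cred demokubetruth "$payload"
  encoded=$(printf '%s' "$payload" | b64_nowrap)
  verify_payload "$encoded" https://index.docker.io/v2/ && echo "verify: ok"
fi
```

Run it with the argument demo to print a manifest for the constructed credentials. The decode-and-inspect check is the useful part in practice: a value that was wrapped by base64 or pasted with a stray newline fails the base64 -d step, and a Secret generated for the wrong project or registry fails the auths lookup, both before any pod reports an ImagePullBackOff.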
Copyright © 2023 CloudTruth