# K8s pull image from private Docker registry

### Overview

This article shows several methods that use CloudTruth and [KubeTruth](/configuration-management/integrations/kubernetes.md#kubetruth) to create a Kubernetes Secret of [`type: kubernetes.io/dockerconfigjson`](https://kubernetes.io/docs/concepts/configuration/secret/#secret-types). Pods can then reference this Secret to [pull an image from a private Docker registry](https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/#registry-secret-existing-credentials) or repository.

### Resolution

* Method 1: [kubectl apply from a CloudTruth template.](#method-1-kubectl-apply-from-a-cloudtruth-template)
* Method 2: [KubeTruth project mapping override with a base64 encoded Docker configfile.](#method-2-kubetruth-project-mapping-override-with-a-base64-encoded-docker-configfile)
* Method 3: [KubeTruth project mapping override with Docker login.](#method-3-kubetruth-project-mapping-override-with-docker-login)

#### Method 1: kubectl apply from a CloudTruth template

1. Run `docker login`
2. Base64 encode your [existing Docker config file](https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/#registry-secret-existing-credentials)
   1. `base64 /home/$USER/.docker/config.json`
3. Add the config.json base64 encoded string as a CloudTruth parameter `type:secret` named `configjson` in a CloudTruth project called `K8s`.
4. Create a CloudTruth template `regcred` and, if required, [customize](https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/#registry-secret-existing-credentials) the YAML to your namespace.
   1. ```
      apiVersion: v1
      kind: Secret
      metadata:
        name: myregistrykey
      data:
        .dockerconfigjson: {{configjson}}
      type: kubernetes.io/dockerconfigjson
      ```
5. Run `kubectl apply -f <(cloudtruth --project K8s template get regcred)`
6. You can now [inspect the secret](https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/#inspecting-the-secret-regcred) and [use the created secret in pods](https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/#create-a-pod-that-uses-your-secret). `kubectl get secret myregistrykey --output=yaml`

#### Method 2: [KubeTruth](/configuration-management/integrations/kubernetes.md#kubetruth) project mapping override with a base64 encoded Docker configfile

1. Run `docker login`
2. Base64 encode your [existing Docker config file](https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/#registry-secret-existing-credentials)
   1. `base64 /home/$USER/.docker/config.json`
3. Add the config.json base64 encoded string as a CloudTruth parameter `type:secret` named `configjson` in a CloudTruth project called `K8s`.
4. Create a KubeTruth override in the namespace where KubeTruth is operating that will automatically create the K8s `kubernetes.io/dockerconfigjson` Secret.
   1. ```
      kubectl apply -n demokubetruth -f - <<EOF
      apiVersion: kubetruth.cloudtruth.com/v1
      kind: ProjectMapping
      metadata:
        name: docker-configure
      spec:
        resource_templates:
          docker: |
            apiVersion: v1
            kind: Secret
            metadata:
              name: docker-reg-cred
            type: kubernetes.io/dockerconfigjson
            data:
              .dockerconfigjson: {{secrets["configjson"]}}
        scope: override
        project_selector: K8s
        skip: false
        key_selector: config*
      EOF
      ```
5. You can now [inspect the secret](https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/#inspecting-the-secret-regcred) and [use the created secret in pods](https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/#create-a-pod-that-uses-your-secret). `kubectl get secret docker-reg-cred --output=yaml -n demokubetruth`

#### Method 3: [KubeTruth](/configuration-management/integrations/kubernetes.md#kubetruth) project mapping override with Docker login

1. Create a dedicated CloudTruth project named `dockerconfigure` that contains the following docker login keys and values.
   1. ```
      cloudtruth --project dockerconfigure p ls -v
      +----------+---------------------------------+---------+----------+--------+-------------+
      | Name     | Value                           | Source  | Type     | Secret | Description |
      +----------+---------------------------------+---------+----------+--------+-------------+
      | email    | darryl.diosomito@cloudtruth.com | default | internal | false  |             |
      | password | *****                           | default | internal | true   |             |
      | registry | https://index.docker.io/v2/     | default | internal | false  |             |
      | username | diosodtuono                     | default | internal | false  |             |
      +----------+---------------------------------+---------+----------+--------+-------------+
      ```
2. Create the KubeTruth override below in the namespace where KubeTruth is operating. This will automatically base64 encode and create the K8s `kubernetes.io/dockerconfigjson` Secret based on your docker login and registry information in the CloudTruth project.
   1. ```
      kubectl apply -n demokubetruth -f - <<EOF
      apiVersion: kubetruth.cloudtruth.com/v1
      kind: ProjectMapping
      metadata:
        name: docker-configure
      spec:
        resource_templates:
          docker: |
            apiVersion: v1
            kind: Secret
            metadata:
              name: docker-reg-cred
            type: kubernetes.io/dockerconfigjson
            data:
              .dockerconfigjson: |
                {% capture auth -%}
                {{parameters["username"] }}:{{secrets["password"]}}
                {%- endcapture -%}
                {% assign auth64 = auth | encode64  %}
                {%- capture dockerconfigjson -%} 
                {"auths":{"{{ parameters["registry"] }}":{"username":"{{ parameters["username"] }}","password":"{{secrets["password"]}}","email":"{{ parameters["email"] }}","auth":"{{auth64}}"}}}
                {%- endcapture -%}

                {{ dockerconfigjson | encode64 }}
        scope: override
        project_selector: dockerconfigure
        skip: false
      EOF
      ```
3. You can now [inspect the secret](https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/#inspecting-the-secret-regcred) and [use the created secret in pods](https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/#create-a-pod-that-uses-your-secret). `kubectl get secret docker-reg-cred --output=yaml -n demokubetruth`
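
All three methods end with the same base64 `.dockerconfigjson` value, so one check covers them. The following is an added example, not CloudTruth or KubeTruth code: the hypothetical function `check_dockerconfigjson` decodes that value and reports the usual reasons an image pull still fails: wrapped base64 from step 2 of Methods 1 and 2, a `config.json` that only points at a credential helper, JSON broken by an unescaped character in the Method 3 template, or an `auth` field that does not match the username and password. All sample values are constructed.

```python
import base64
import json


def check_dockerconfigjson(b64_value):
    """Return a list of problems; an empty list means the value looks usable."""
    problems = []
    parts = b64_value.split()
    if len(parts) > 1:
        problems.append("wrapped: base64 value contains line breaks or spaces")
    try:
        # binascii.Error, JSONDecodeError, UnicodeDecodeError are all ValueError.
        config = json.loads(base64.b64decode("".join(parts), validate=True))
    except ValueError as exc:
        return problems + ["undecodable: " + type(exc).__name__]
    auths = config.get("auths") if isinstance(config, dict) else None
    if not isinstance(auths, dict) or not auths:
        return problems + ["no-auths: no registry entries under 'auths'"]
    helper = config.get("credsStore")
    for registry, entry in auths.items():
        entry = entry if isinstance(entry, dict) else {}
        user, pwd, auth = (entry.get(k) for k in ("username", "password", "auth"))
        if not auth and not (user and pwd):
            hint = " (credentials live in credsStore '%s')" % helper if helper else ""
            problems.append("no-credential: " + registry + hint)
        elif auth and user:
            try:
                decoded = base64.b64decode(auth, validate=True).decode()
            except ValueError:
                decoded = None
            if decoded != "%s:%s" % (user, pwd or ""):
                problems.append("auth-mismatch: " + registry)
    return problems


def encode(text):
    return base64.b64encode(text.encode()).decode()


# Constructed sample inputs; none of these are real credentials.
REGISTRY = "https://index.docker.io/v2/"
GOOD = encode(json.dumps({"auths": {REGISTRY: {
    "username": "demo", "password": 'p"w', "auth": encode('demo:p"w')}}}))
# Shape of config.json after `docker login` when a credential helper is in use.
HELPER_ONLY = encode('{"auths":{"%s":{}},"credsStore":"desktop"}' % REGISTRY)
# Raw string interpolation of a password that contains a double quote.
UNESCAPED = encode('{"auths":{"%s":{"username":"demo","password":"p"w"}}}' % REGISTRY)
# GNU base64 wraps its output at 76 columns by default.
WRAPPED = GOOD[:76] + "\n" + GOOD[76:]
```

The value to check is either the `configjson` parameter or the output of `kubectl get secret docker-reg-cred -n demokubetruth --output="jsonpath={.data.\.dockerconfigjson}"`.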

