K8s pull image from private Docker registry

Overview

This article will show you how various methods utilizing CloudTruth and KubeTruth to create a Kubernetes Secret type: kubernetes.io/dockerconfigjson that allows you to create pods that use this Secret to pull an image from a private docker registry or repository.

Resolution

Method 1: kubectl apply from a CloudTruth template.
Method 2: KubeTruth project mapping override with a base64 encoded Docker configfile.
Method 3: KubeTruth project mapping override with Docker login.

Method 1: kubectl apply from a CloudTruth template

run docker login
base64 encode your existing dockerfile
1. base64 /home/$USER/.docker/config.json
Add the config.json base64 encoded string as a CloudTruth parameter type:secret named configjson in a CloudTruth project called K8s.

Create a CloudTruth template regcred and if required customize the yaml to your namespace.

apiVersion: v1
kind: Secret
metadata:
  name: myregistrykey
data:
  .dockerconfigjson: {{configjson}}
type: kubernetes.io/dockerconfigjson

Run kubectl apply -f <(cloudtruth --project K8s template get regcred)
You can now inspect the secret and use the created secret in pods. kubectl get secret myregistrykey --output=yaml

Method 2: KubeTruth project mapping override with a base64 encoded Docker configfile

run docker login
base64 encode your existing dockerfile
1. base64 /home/$USER/.docker/config.json
Add the config.json base64 encoded string as a CloudTruth parameter type:secret named configjson in a CloudTruth project called K8s.

Create a KubeTruth override in the namespace where KubeTruth is operating that will automatically create the K8s kubernetes.io/dockerconfigjson Secret.

kubectl apply -n demokubetruth -f - <<EOF
apiVersion: kubetruth.cloudtruth.com/v1
kind: ProjectMapping
metadata:
  name: docker-configure
spec:
  resource_templates:
    docker: |
      apiVersion: v1
      kind: Secret
      metadata:
        name: docker-reg-cred
      type: kubernetes.io/dockerconfigjson
      data:
        .dockerconfigjson: {{secrets["configjson"]}}
  scope: override
  project_selector: K8s
  skip: false
  key_selector: config*
EOF

You can now inspect the secret and use the created secret in pods. kubectl get secret docker-reg-cred --output=yaml -n demokubetruth

Create a dedicated CloudTruth project named dockerconfigure that contains the following docker login keys and values.

cloudtruth --project dockerconfigure p ls -v
+----------+---------------------------------+---------+----------+--------+-------------+
| Name     | Value                           | Source  | Type     | Secret | Description |
+----------+---------------------------------+---------+----------+--------+-------------+
| email    | [email protected] | default | internal | false  |             |
| password | *****                           | default | internal | true   |             |
| registry | https://index.docker.io/v2/     | default | internal | false  |             |
| username | diosodtuono                     | default | internal | false  |             |
+----------+---------------------------------+---------+----------+--------+-------------+

Create the KubeTruth override below in the namespace where KubeTruth is operating. This will automatically base64 encode and create the K8s kubernetes.io/dockerconfigjson Secret based on your docker login and registry information in the CloudTruth project.

kubectl apply -n demokubetruth -f - <<EOF
apiVersion: kubetruth.cloudtruth.com/v1
kind: ProjectMapping
metadata:
  name: docker-configure
spec:
  resource_templates:
    docker: |
      apiVersion: v1
      kind: Secret
      metadata:
        name: docker-reg-cred
      type: kubernetes.io/dockerconfigjson
      data:
        .dockerconfigjson: |
          
{% capture auth -%} 
          {{parameters["username"] }}:{{secrets["password"]}}
          {%- endcapture -%}
          {% assign auth64 = auth | encode64  %}
          {%- capture dockerconfigjson -%} 
          {"auths":{"{{ parameters["registry"] }}":{"username":"{{ parameters["username"] }}","password":"{{secrets["password"]}}","email":"{{ parameters["email"] }}","auth":"{{auth64}}"}}}
          {%- endcapture -%}

          {{ dockerconfigjson | encode64 }}
  scope: override
  project_selector: dockerconfigure
  skip: false
EOF

You can now inspect the secret and use the created secret in pods. kubectl get secret docker-reg-cred --output=yaml -n demokubetruth

PreviousAdvanced AWS IAM policy permissions NextS3 Region Selection

Last updated 3 years ago

Was this helpful?

Overview

Resolution

Method 1: kubectl apply from a CloudTruth template

Method 2: KubeTruth project mapping override with a base64 encoded Docker configfile

Method 3: KubeTruth project mapping override with Docker login.