# K8s pull image from private Docker registry

### Overview

This article shows several methods that use CloudTruth and [KubeTruth](https://docs.cloudtruth.com/configuration-management/integrations/kubernetes#kubetruth) to create a Kubernetes Secret of [`type: kubernetes.io/dockerconfigjson`](https://kubernetes.io/docs/concepts/configuration/secret/#secret-types). Pods can then reference this Secret to [pull an image from a private Docker registry](https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/#registry-secret-existing-credentials) or repository.

### Resolution

* Method 1: [kubectl apply from a CloudTruth template.](#method-1-kubectl-apply-from-a-cloudtruth-template)
* Method 2: [KubeTruth project mapping override with a base64 encoded Docker configfile.](#method-2-kubetruth-project-mapping-override-with-a-base64-encoded-docker-configfile)
* Method 3: [KubeTruth project mapping override with Docker login.](#method-3-kubetruth-project-mapping-override-with-docker-login)

#### Method 1: kubectl apply from a CloudTruth template

1. Run `docker login`.
2. Base64 encode your [existing Docker config file](https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/#registry-secret-existing-credentials).
   1. `base64 /home/$USER/.docker/config.json`
3. Add the config.json base64 encoded string as a CloudTruth parameter `type:secret` named `configjson` in a CloudTruth project called `K8s`.
4. Create a CloudTruth template `regcred` and, if required, [customize](https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/#registry-secret-existing-credentials) the YAML to your namespace.
   1. ```
      apiVersion: v1
      kind: Secret
      metadata:
        name: myregistrykey
      data:
        .dockerconfigjson: {{configjson}}
      type: kubernetes.io/dockerconfigjson
      ```
5. Run `kubectl apply -f <(cloudtruth --project K8s template get regcred)`
6. You can now [inspect the secret](https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/#inspecting-the-secret-regcred) with `kubectl get secret myregistrykey --output=yaml` and [use the created secret in pods](https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/#create-a-pod-that-uses-your-secret).

#### Method 2: [KubeTruth](https://docs.cloudtruth.com/configuration-management/integrations/kubernetes#kubetruth) project mapping override with a base64 encoded Docker configfile

1. Run `docker login`.
2. Base64 encode your [existing Docker config file](https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/#registry-secret-existing-credentials).
   1. `base64 /home/$USER/.docker/config.json`
3. Add the config.json base64 encoded string as a CloudTruth parameter `type:secret` named `configjson` in a CloudTruth project called `K8s`.
4. Create a KubeTruth override in the namespace where KubeTruth is operating that will automatically create the K8s `kubernetes.io/dockerconfigjson` Secret.
   1. ```
      kubectl apply -n demokubetruth -f - <<EOF
      apiVersion: kubetruth.cloudtruth.com/v1
      kind: ProjectMapping
      metadata:
        name: docker-configure
      spec:
        resource_templates:
          docker: |
            apiVersion: v1
            kind: Secret
            metadata:
              name: docker-reg-cred
            type: kubernetes.io/dockerconfigjson
            data:
              .dockerconfigjson: {{secrets["configjson"]}}
        scope: override
        project_selector: K8s
        skip: false
        key_selector: config*
      EOF
      ```
5. You can now [inspect the secret](https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/#inspecting-the-secret-regcred) with `kubectl get secret docker-reg-cred --output=yaml -n demokubetruth` and [use the created secret in pods](https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/#create-a-pod-that-uses-your-secret).

#### Method 3: [KubeTruth](https://docs.cloudtruth.com/configuration-management/integrations/kubernetes#kubetruth) project mapping override with Docker login

1. Create a dedicated CloudTruth project named `dockerconfigure` that contains the following docker login keys and values.
   1. ```
      cloudtruth --project dockerconfigure p ls -v
      +----------+---------------------------------+---------+----------+--------+-------------+
      | Name     | Value                           | Source  | Type     | Secret | Description |
      +----------+---------------------------------+---------+----------+--------+-------------+
      | email    | darryl.diosomito@cloudtruth.com | default | internal | false  |             |
      | password | *****                           | default | internal | true   |             |
      | registry | https://index.docker.io/v2/     | default | internal | false  |             |
      | username | diosodtuono                     | default | internal | false  |             |
      +----------+---------------------------------+---------+----------+--------+-------------+
      ```
2. Create the KubeTruth override below in the namespace where KubeTruth is operating. This will automatically base64 encode and create the K8s `kubernetes.io/dockerconfigjson` Secret based on your docker login and registry information in the CloudTruth project.
   1. ```
      kubectl apply -n demokubetruth -f - <<EOF
      apiVersion: kubetruth.cloudtruth.com/v1
      kind: ProjectMapping
      metadata:
        name: docker-configure
      spec:
        resource_templates:
          docker: |
            apiVersion: v1
            kind: Secret
            metadata:
              name: docker-reg-cred
            type: kubernetes.io/dockerconfigjson
            data:
              .dockerconfigjson: |
                
                {% capture auth -%}
                {{parameters["username"] }}:{{secrets["password"]}}
                {%- endcapture -%}
                {% assign auth64 = auth | encode64  %}
                {%- capture dockerconfigjson -%} 
                {"auths":{"{{ parameters["registry"] }}":{"username":"{{ parameters["username"] }}","password":"{{secrets["password"]}}","email":"{{ parameters["email"] }}","auth":"{{auth64}}"}}}
                {%- endcapture -%}

                {{ dockerconfigjson | encode64 }}
        scope: override
        project_selector: dockerconfigure
        skip: false
      EOF
      ```
3. You can now [inspect the secret](https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/#inspecting-the-secret-regcred) with `kubectl get secret docker-reg-cred --output=yaml -n demokubetruth` and [use the created secret in pods](https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/#create-a-pod-that-uses-your-secret).
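
The following Python sketch is an added example, not CloudTruth or KubeTruth code. It builds the value that Method 3's template is meant to render and checks a base64 `.dockerconfigjson` value before it is stored as the `configjson` parameter in Methods 1 and 2. The function names and sample values are assumptions made for illustration; the checks cover line-wrapped base64, a config that only names a `credsStore`, and an `auth` field that does not decode to `user:password`.

```python
import base64
import json

def build_dockerconfigjson(registry, username, password, email):
    """Build the base64 Secret value that Method 3's template aims to render."""
    auth = base64.b64encode(f"{username}:{password}".encode()).decode()
    doc = {"auths": {registry: {"username": username, "password": password,
                                "email": email, "auth": auth}}}
    # json.dumps escapes quotes and backslashes in the password; pasting the
    # raw value between quotes in a JSON literal does not.
    return base64.b64encode(json.dumps(doc).encode()).decode()

def check_dockerconfigjson(value):
    """Return a list of problems found in a base64 .dockerconfigjson value."""
    value = value.strip()
    if any(ch.isspace() for ch in value):
        return ["base64 is line-wrapped; GNU base64 needs -w 0 for one line"]
    try:  # binascii.Error and JSONDecodeError are both ValueError subclasses
        doc = json.loads(base64.b64decode(value, validate=True))
    except ValueError as exc:
        return [f"not base64-encoded JSON: {exc}"]
    if not isinstance(doc, dict):
        return ["top-level JSON value is not an object"]
    problems = []
    if "credsStore" in doc:
        problems.append("credsStore set: docker login kept the credentials in a helper")
    auths = doc.get("auths") or {}
    if not auths:
        problems.append("no registry entries under 'auths'")
    for registry, entry in auths.items():
        try:
            raw = base64.b64decode(entry.get("auth") or "", validate=True)
            user, sep, _ = raw.decode().partition(":")
        except ValueError:
            user = sep = ""
        if not (user and sep):
            problems.append(f"{registry}: 'auth' missing or not base64 of user:password")
        elif entry.get("username", user) != user:
            problems.append(f"{registry}: 'username' does not match 'auth'")
    return problems

if __name__ == "__main__":
    # Constructed sample values, not real credentials.
    good = build_dockerconfigjson("https://index.docker.io/v2/", "alice",
                                  'p"ss\\word', "alice@example.com")
    print(check_dockerconfigjson(good))
    helper = {"auths": {"https://index.docker.io/v2/": {}}, "credsStore": "desktop"}
    print(check_dockerconfigjson(base64.b64encode(json.dumps(helper).encode()).decode()))
```
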
