K8s pull image from private Docker registry

Overview

This article shows several methods that use CloudTruth and KubeTruth to create a Kubernetes Secret of type kubernetes.io/dockerconfigjson, which pods reference through imagePullSecrets to pull an image from a private Docker registry or repository.

Resolution

Method 1: kubectl apply from a CloudTruth template

  1. Run docker login against the private registry.

  2. Base64 encode your existing Docker client config file (~/.docker/config.json, not a Dockerfile) as a single line. GNU base64 wraps its output at 76 characters by default, and a wrapped value breaks the YAML data field.

    1. base64 -w 0 /home/$USER/.docker/config.json (the -w 0 flag is GNU coreutils; BSD/macOS base64 does not wrap by default)

    Check that the file actually contains an auths entry with credentials: if docker login stored them in a credential helper (credsStore or credHelpers), config.json holds no secrets and the resulting Kubernetes Secret will not authenticate. Note also that the file carries the credentials for every registry you have logged in to, and all of them end up in the Secret.

  3. Add the base64-encoded string as a CloudTruth parameter of type secret, named configjson, in a CloudTruth project called K8s.

  4. Create a CloudTruth template named regcred with the YAML below and, if required, customize it for your namespace (add metadata.namespace, or pass -n to kubectl apply in step 5).

    1. apiVersion: v1
      kind: Secret
      metadata:
        name: myregistrykey
      data:
        .dockerconfigjson: {{configjson}}
      type: kubernetes.io/dockerconfigjson
  5. Run kubectl apply -f <(cloudtruth --project K8s template get regcred). Process substitution requires bash or zsh; it feeds the rendered manifest to kubectl without writing a file containing the credentials to disk.

  6. You can now inspect the Secret and reference it from pods through imagePullSecrets: kubectl get secret myregistrykey --output=yaml. The data value is base64-encoded, not encrypted, so anyone with permission to read Secrets in that namespace can recover the registry credentials.
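As an added example (not part of the CloudTruth article), the following POSIX shell script performs steps 2 through 5 locally: it encodes a constructed sample config.json as a single line, refuses a config that carries no credentials, renders the same Secret the regcred template produces, renders a Pod that references it through imagePullSecrets, and decodes the manifest back to confirm the value round-trips. Nothing here calls docker, cloudtruth or kubectl; WORKDIR, the file names, the image name and the demouser/demopass credentials are assumptions.

```shell
#!/bin/sh
# Added example, not CloudTruth's code: encode a Docker client config.json the way
# steps 2-4 expect, render the regcred Secret locally, and verify what Kubernetes
# will store after `kubectl apply`. WORKDIR, file names, image name and the
# sample credentials are assumptions; nothing here talks to a cluster or registry.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"

# Constructed sample of what `docker login` writes when no credential helper
# (credsStore) is configured. "ZGVtb3VzZXI6ZGVtb3Bhc3M=" is base64("demouser:demopass").
# A real file holds real tokens: treat it as a secret.
write_sample_config() {
  cat > "$WORKDIR/config.json" <<'EOF'
{"auths":{"https://index.docker.io/v1/":{"auth":"ZGVtb3VzZXI6ZGVtb3Bhc3M="}}}
EOF
  printf '%s\n' "$WORKDIR/config.json"
}

# Single-line base64. GNU base64 wraps at 76 columns by default, which would break
# the YAML `data:` value; stripping newlines is portable across GNU and BSD.
encode_config() {
  base64 < "$1" | tr -d '\n'
}

# Refuse a config that carries no credentials (credential helper in use), so the
# Secret is not silently useless.
check_config_has_auths() {
  grep -q '"auths"' "$1" && grep -q '"auth"' "$1"
}

# Render the Secret the CloudTruth template produces, with {{configjson}} filled in.
# Kubernetes only base64-encodes the value; it is not encrypted.
render_secret() {
  name="$1"; b64="$2"
  cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: $name
data:
  .dockerconfigjson: $b64
type: kubernetes.io/dockerconfigjson
EOF
}

# Pod that consumes the Secret via imagePullSecrets (the image is an assumed placeholder).
render_pod() {
  name="$1"
  cat <<EOF
apiVersion: v1
kind: Pod
metadata:
  name: private-image-demo
spec:
  containers:
  - name: app
    image: docker.io/example/private-app:1.0
  imagePullSecrets:
  - name: $name
EOF
}

# Decode a rendered manifest's .dockerconfigjson back to JSON. The same check works
# on the live object with: kubectl get secret <name> -o yaml
decode_from_manifest() {
  sed -n 's/^  \.dockerconfigjson: //p' "$1" | base64 -d
}

main() {
  cfg=$(write_sample_config)
  check_config_has_auths "$cfg"
  b64=$(encode_config "$cfg")
  render_secret myregistrykey "$b64" > "$WORKDIR/regcred.yaml"
  render_pod myregistrykey > "$WORKDIR/pod.yaml"
  decode_from_manifest "$WORKDIR/regcred.yaml" | grep -q '"auths"'
  echo "manifests written to $WORKDIR"
}

main
```

Apply the generated files with kubectl apply -f "$WORKDIR/regcred.yaml" -f "$WORKDIR/pod.yaml" once you have swapped in a real config.json and image; the decode step is the same check you would run against the cluster after step 6.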

Method 2: KubeTruth ProjectMapping override with a base64-encoded Docker config file

  1. Run docker login against the private registry.

  2. Base64 encode your existing Docker client config file (not a Dockerfile) as a single line, with the same credential-helper and multi-registry checks as in Method 1.

    1. base64 -w 0 /home/$USER/.docker/config.json

  3. Add the base64-encoded string as a CloudTruth parameter of type secret, named configjson, in a CloudTruth project called K8s.

  4. Create the KubeTruth ProjectMapping override below in the namespace where KubeTruth is operating. KubeTruth renders the resource template with the configjson secret and creates the kubernetes.io/dockerconfigjson Secret for you; key_selector limits the mapping to parameters whose names match config*.

    1. kubectl apply -n demokubetruth -f - <<EOF
      apiVersion: kubetruth.cloudtruth.com/v1
      kind: ProjectMapping
      metadata:
        name: docker-configure
      spec:
        resource_templates:
          docker: |
            apiVersion: v1
            kind: Secret
            metadata:
              name: docker-reg-cred
            type: kubernetes.io/dockerconfigjson
            data:
              .dockerconfigjson: {{secrets["configjson"]}}
        scope: override
        project_selector: K8s
        skip: false
        key_selector: config*
      EOF
  5. You can now inspect the Secret and reference it from pods through imagePullSecrets: kubectl get secret docker-reg-cred --output=yaml -n demokubetruth. The Secret is created in the ProjectMapping's namespace (demokubetruth here), and a pod can only reference imagePullSecrets that exist in its own namespace.

Method 3: KubeTruth ProjectMapping override built from Docker login parameters

  1. Create a dedicated CloudTruth project named dockerconfigure that contains the following Docker login keys and values, with password stored as a secret parameter.

    1. cloudtruth --project dockerconfigure p ls -v
      +----------+---------------------------------+---------+----------+--------+-------------+
      | Name     | Value                           | Source  | Type     | Secret | Description |
      +----------+---------------------------------+---------+----------+--------+-------------+
      | email    | darryl.diosomito@cloudtruth.com | default | internal | false  |             |
      | password | *****                           | default | internal | true   |             |
      | registry | https://index.docker.io/v2/     | default | internal | false  |             |
      | username | diosodtuono                     | default | internal | false  |             |
      +----------+---------------------------------+---------+----------+--------+-------------+
  2. Create the KubeTruth ProjectMapping override below in the namespace where KubeTruth is operating. The Liquid template builds the auth field (base64 of username:password), assembles the config.json around the registry, username, password and email values from the CloudTruth project, base64-encodes the result and creates the kubernetes.io/dockerconfigjson Secret. Docker itself keys Docker Hub as https://index.docker.io/v1/ in config.json; if pulls fail with an authentication error, first check that the registry value matches the key your registry expects.

    1. kubectl apply -n demokubetruth -f - <<EOF
      apiVersion: kubetruth.cloudtruth.com/v1
      kind: ProjectMapping
      metadata:
        name: docker-configure
      spec:
        resource_templates:
          docker: |
            apiVersion: v1
            kind: Secret
            metadata:
              name: docker-reg-cred
            type: kubernetes.io/dockerconfigjson
            data:
              .dockerconfigjson: |
                {% capture auth -%}
                {{parameters["username"] }}:{{secrets["password"]}}
                {%- endcapture -%}
                {% assign auth64 = auth | encode64  %}
                {%- capture dockerconfigjson -%}
                {"auths":{"{{ parameters["registry"] }}":{"username":"{{ parameters["username"] }}","password":"{{secrets["password"]}}","email":"{{ parameters["email"] }}","auth":"{{auth64}}"}}}
                {%- endcapture -%}
                {{ dockerconfigjson | encode64 }}
        scope: override
        project_selector: dockerconfigure
        skip: false
      EOF
  3. You can now inspect the Secret and reference it from pods through imagePullSecrets: kubectl get secret docker-reg-cred --output=yaml -n demokubetruth. To confirm the template rendered valid JSON, decode the stored value: kubectl get secret docker-reg-cred -n demokubetruth -o jsonpath='{.data.\.dockerconfigjson}' | base64 -d
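As an added example, not KubeTruth's code, this POSIX shell script reproduces what the Liquid template in step 2 computes from the four dockerconfigure parameters: the auth field as base64 of username:password, the config.json document, and the base64 value that lands in data[".dockerconfigjson"]. It also verifies a stored value against expected credentials, which is the check to run on the output of kubectl get secret. The registry, username, password and email values are constructed placeholders, and the script uses only base64, grep and printf.

```shell
#!/bin/sh
# Added example, not KubeTruth's code: rebuild the config.json that the Liquid
# template in the ProjectMapping renders, so the Secret it creates can be checked
# locally. All parameter values used here are constructed placeholders.
set -eu

# Mirrors `{% capture auth %}user:pass{% endcapture %}` followed by `encode64`.
# No trailing newline, matching the template's whitespace trimming.
build_auth() {
  printf '%s:%s' "$1" "$2" | base64 | tr -d '\n'
}

# Mirrors the captured JSON: the registry value becomes the key of the auths map,
# and `auth` duplicates username:password in base64 because Docker clients and
# the kubelet read that field. Arguments: registry user password email.
# Like the template, this interpolates raw values: a password containing `"` or
# `\` would need JSON escaping first.
build_dockerconfigjson() {
  registry="$1"; user="$2"; pass="$3"; email="$4"
  printf '{"auths":{"%s":{"username":"%s","password":"%s","email":"%s","auth":"%s"}}}' \
    "$registry" "$user" "$pass" "$email" "$(build_auth "$user" "$pass")"
}

# What ends up in data[".dockerconfigjson"]: the JSON, base64-encoded once more,
# on a single line so it is valid inside the Secret's data map.
encode_dockerconfigjson() {
  build_dockerconfigjson "$@" | base64 | tr -d '\n'
}

# Check a stored value, e.g. the output of
#   kubectl get secret docker-reg-cred -n demokubetruth -o jsonpath='{.data.\.dockerconfigjson}'
# decodes to JSON with an auths map whose auth field matches user:password.
verify_secret_value() {
  b64="$1"; user="$2"; pass="$3"
  json=$(printf '%s' "$b64" | base64 -d) || return 1
  printf '%s' "$json" | grep -qF '"auths"' || return 1
  printf '%s' "$json" | grep -qF "\"auth\":\"$(build_auth "$user" "$pass")\"" || return 1
}

main() {
  # Constructed placeholders standing in for the dockerconfigure project values.
  registry="https://index.docker.io/v1/"
  user="demouser"; pass="demopass"; email="demo@example.com"

  value=$(encode_dockerconfigjson "$registry" "$user" "$pass" "$email")
  echo "data[.dockerconfigjson] = $value"
  if verify_secret_value "$value" "$user" "$pass"; then
    echo "stored value matches $user's credentials"
  else
    echo "stored value does NOT match" >&2
    exit 1
  fi
}

main
```

To check the live object, pipe the jsonpath output shown in the comment into verify_secret_value together with the username and password from the CloudTruth project; a mismatch usually means the template was rendered from stale or wrong parameter values.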

Copyright© 2023 CloudTruth