K8s pull image from private Docker registry
Overview
This article will show you how various methods utilizing CloudTruth and KubeTruth to create a Kubernetes Secret type: kubernetes.io/dockerconfigjson that allows you to create pods that use this Secret to pull an image from a private docker registry or repository.
Resolution
Method 1: kubectl apply from a CloudTruth template
run
docker loginbase64 encode your existing dockerfile
base64 /home/$USER/.docker/config.json
Add the config.json base64 encoded string as a CloudTruth parameter
type:secretnamedconfigjsonin a CloudTruth project called K8s.Create a CloudTruth template
regcredand if required customize the yaml to your namespace.apiVersion: v1 kind: Secret metadata: name: myregistrykey data: .dockerconfigjson: {{configjson}} type: kubernetes.io/dockerconfigjson
Run
kubectl apply -f <(cloudtruth --project K8s template get regcred)You can now inspect the secret and use the created secret in pods.
kubectl get secret myregistrykey --output=yaml
Method 2: KubeTruth project mapping override with a base64 encoded Docker configfile
run
docker loginbase64 encode your existing dockerfile
base64 /home/$USER/.docker/config.json
Add the config.json base64 encoded string as a CloudTruth parameter
type:secretnamedconfigjsonin a CloudTruth project calledK8s.Create a KubeTruth override in the namespace where KubeTruth is operating that will automatically create the K8s
kubernetes.io/dockerconfigjsonSecret.kubectl apply -n demokubetruth -f - <<EOF apiVersion: kubetruth.cloudtruth.com/v1 kind: ProjectMapping metadata: name: docker-configure spec: resource_templates: docker: | apiVersion: v1 kind: Secret metadata: name: docker-reg-cred type: kubernetes.io/dockerconfigjson data: .dockerconfigjson: {{secrets["configjson"]}} scope: override project_selector: K8s skip: false key_selector: config* EOF
You can now inspect the secret and use the created secret in pods.
kubectl get secret docker-reg-cred --output=yaml -n demokubetruth
Method 3: KubeTruth project mapping override with Docker login.
Create a dedicated CloudTruth project named
dockerconfigurethat contains the following docker login keys and values.cloudtruth --project dockerconfigure p ls -v +----------+---------------------------------+---------+----------+--------+-------------+ | Name | Value | Source | Type | Secret | Description | +----------+---------------------------------+---------+----------+--------+-------------+ | email | [email protected] | default | internal | false | | | password | ***** | default | internal | true | | | registry | https://index.docker.io/v2/ | default | internal | false | | | username | diosodtuono | default | internal | false | | +----------+---------------------------------+---------+----------+--------+-------------+
Create the KubeTruth override below in the namespace where KubeTruth is operating. This will automatically base64 encode and create the K8s
kubernetes.io/dockerconfigjsonSecret based on your docker login and registry information in the CloudTruth project.kubectl apply -n demokubetruth -f - <<EOF apiVersion: kubetruth.cloudtruth.com/v1 kind: ProjectMapping metadata: name: docker-configure spec: resource_templates: docker: | apiVersion: v1 kind: Secret metadata: name: docker-reg-cred type: kubernetes.io/dockerconfigjson data: .dockerconfigjson: | {% capture auth -%} {{parameters["username"] }}:{{secrets["password"]}} {%- endcapture -%} {% assign auth64 = auth | encode64 %} {%- capture dockerconfigjson -%} {"auths":{"{{ parameters["registry"] }}":{"username":"{{ parameters["username"] }}","password":"{{secrets["password"]}}","email":"{{ parameters["email"] }}","auth":"{{auth64}}"}}} {%- endcapture -%} {{ dockerconfigjson | encode64 }} scope: override project_selector: dockerconfigure skip: false EOFYou can now inspect the secret and use the created secret in pods.
kubectl get secret docker-reg-cred --output=yaml -n demokubetruth
Last updated
Was this helpful?