ImagePullSecrets are authorization tokens (Kubernetes secrets) that store Docker credentials used to access a private registry. The following describes how to create and use an imagePullSecret for pulling private container images with service account authentication (the service account must have the permissions required to pull images from the registry).
Although the below example uses Google Artifact Registry, this can be applied to any private container registry.
Service Account
AWS, GCP, Azure, etc. use service accounts to control access. Within the service account there is an option to create an access key. Create the key.json file and download it to a server or your local machine. Example file from GCP:
{
  "type": "service_account",
  "project_id": "<your-project-id>",
  "private_key_id": "fhrk45h89egh945h89hehg948",
  "private_key": "-----BEGIN PRIVATE KEY-----\n<your-private-key>\n-----END PRIVATE KEY-----\n",
  "client_email": "<your-service-account>@<your-project-id>.iam.gserviceaccount.com",
  "client_id": "348579836789347805460459",
  "auth_uri": "https://accounts.google.com/o/oauth2/auth",
  "token_uri": "https://oauth2.googleapis.com/token",
  "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
  "client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/your-service-account.iam.gserviceaccount.com",
  "universe_domain": "googleapis.com"
}
Create Secret
Use kubectl to create the secret. This uses the key.json file created in the previous step from the service account. This example creates a secret in the lilt namespace using the service account email:
NOTE: Google Artifact Registry is repository specific, not just region specific. Secrets are also namespace specific; a new secret must be created for each additional namespace.
kubectl -n lilt create secret docker-registry <your-secret-name> \
--docker-server="https://us-docker.pkg.dev/<your-repository>" \
--docker-username=_json_key \
--docker-password="$(cat key.json)" \
--docker-email="<your-service-account>@<your-project-id>.iam.gserviceaccount.com"
Optional: If you need to use the same secret in other namespaces, copy it with the following command:
kubectl get secret <your-secret-name> --namespace=lilt -oyaml | grep -v '^\s*namespace:\s' | kubectl apply --namespace=<other-name-space> -f -
Verify secrets:
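Beyond listing the secret, it helps to check what it actually contains. The following is an added example, not part of the original page: it rebuilds the kubernetes.io/dockerconfigjson payload the way kubectl create secret docker-registry does, then validates a secret (in the dict form of kubectl get secret <name> -o json) for a well-formed server URL, the _json_key username, and a service-account key.json as the password. The key.json contents are constructed placeholders.

```python
import base64
import json

# Constructed stand-in for key.json: placeholders only, not a real credential.
SAMPLE_KEY_JSON = json.dumps({
    "type": "service_account",
    "project_id": "<your-project-id>",
    "private_key": "-----BEGIN PRIVATE KEY-----\n<your-private-key>\n-----END PRIVATE KEY-----\n",
    "client_email": "<your-service-account>@<your-project-id>.iam.gserviceaccount.com",
})

def make_pull_secret(name, namespace, server, key_json):
    """Build what `kubectl create secret docker-registry` produces: one auths
    entry with username _json_key and the whole key.json as the password."""
    email = json.loads(key_json).get("client_email", "")
    auth = base64.b64encode(f"_json_key:{key_json}".encode()).decode()
    cfg = {"auths": {server: {"username": "_json_key", "password": key_json,
                               "email": email, "auth": auth}}}
    return {"apiVersion": "v1", "kind": "Secret",
            "metadata": {"name": name, "namespace": namespace},
            "type": "kubernetes.io/dockerconfigjson",
            "data": {".dockerconfigjson": base64.b64encode(json.dumps(cfg).encode()).decode()}}

def check_pull_secret(secret):
    """Return the problems found in a pull secret (empty list = looks usable).
    Takes the dict form of `kubectl get secret <name> -o json`."""
    problems = []
    if secret.get("type") != "kubernetes.io/dockerconfigjson":
        problems.append("type is not kubernetes.io/dockerconfigjson")
    raw = secret.get("data", {}).get(".dockerconfigjson")
    if raw is None:
        return problems + ["data/.dockerconfigjson is missing"]
    for server, entry in json.loads(base64.b64decode(raw)).get("auths", {}).items():
        # "https:host" without "//" is an easy typo that never matches the registry host.
        if server.startswith("https:") and not server.startswith("https://"):
            problems.append(f"malformed server {server!r}")
        if entry.get("username") != "_json_key":
            problems.append("username must be _json_key for key.json auth")
        try:
            key = json.loads(entry.get("password", ""))
        except ValueError:
            key = {}
        if not isinstance(key, dict) or key.get("type") != "service_account" or "client_email" not in key:
            problems.append("password is not a service_account key.json")
        expected = f"{entry.get('username')}:{entry.get('password')}".encode()
        if entry.get("auth") != base64.b64encode(expected).decode():
            problems.append("auth field does not match username:password")
    return problems
```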
Helm Chart, Manifest
Reference the imagePullSecret in a Helm chart values.yaml or manifest file:
global:
  imagePullSecrets:
    - <your-secret-name>