Pulling Images from a Private Registry
In order to pull container images from a private registry, the container runtime needs credentials. Simply put, we need to do the following:
- Define a Kubernetes secret that contains the auth credential
- Update our Pod/Deployment specs to reference the Kubernetes secret
Let's get to it!
Defining the Registry Secret
While you could simply define the Kubernetes Secret directly, we strongly recommend against it, because the credential would then sit unencrypted in your manifest repo. See the Kubernetes best practices for Secrets. Instead, we support two methods to populate the Kubernetes Secret:
- Sync from Vault - if your team is using Vault for secrets management, you can use Vault as the source of truth
- Using Sealed Secrets - we can commit a manifest containing the encrypted secret details, which is decrypted in-cluster and converted into a Kubernetes Secret
When should you use which approach? If you're already using Vault to store your secrets, sync from Vault. Otherwise, use the Sealed Secrets approach.
Sync from Vault
Follow the directions from Sync Secrets from Vault.
Using Sealed Secrets
Follow the directions from the Image Registry section of Creating Sealed Secrets.
Updating the Pod/Deployment Spec
Once the Secret exists, all we have to do is update our Pod specification (or the Pod template of a Deployment) to reference the Secret by name in the `imagePullSecrets` field.
Note: if you are using the Helm chart to sync secrets from Vault, the Secret is named `registry-auth` by default. You can override this by setting the `secret.name` field in the HelmRelease values.

```yaml
apiVersion: v1
kind: Pod
metadata:
  name: example-pod
spec:
  imagePullSecrets:
    - name: registry-auth
  containers:
    - name: app
      image: code.vt.edu:5005/sample/image
```
Once you commit this change to your manifest repo, you should see your image get pulled and the Pod start running. Two things to keep in mind: the referenced Secret must live in the same namespace as the Pod (imagePullSecrets cannot reach across namespaces), and it must be of type `kubernetes.io/dockerconfigjson` (or the legacy `kubernetes.io/dockercfg`). If the pull still fails, `kubectl describe pod example-pod` will show an `ErrImagePull` or `ImagePullBackOff` event with the registry's response.
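The page describes the Secret and the Pod reference separately; the added example below (written for this page, not code from the project or its Helm chart) shows what a pull secret actually has to contain, regardless of whether Vault sync or a SealedSecret produces it, and checks a Pod manifest against a set of Secrets for the failure modes the kubelet would otherwise surface only as ImagePullBackOff: a missing Secret, a Secret in the wrong namespace, a Secret of the wrong type, and a registry the credentials do not cover. The namespace `apps`, the `deploy-token` credentials and the function names are constructed for the example; the registry host comes from the page.

```python
import base64
import binascii
import json

DOCKERCONFIGJSON = "kubernetes.io/dockerconfigjson"


def build_dockerconfigjson_secret(name, namespace, registry, username, password):
    """Build the Secret manifest that imagePullSecrets expects.

    The payload is the same {"auths": {...}} document that `docker login`
    writes to ~/.docker/config.json, base64-encoded under `.dockerconfigjson`.
    Whatever mechanism populates the Secret (Vault sync, SealedSecret) must
    end up producing exactly this shape.
    """
    auth = base64.b64encode(f"{username}:{password}".encode()).decode()
    dockerconfig = {"auths": {registry: {"username": username, "password": password, "auth": auth}}}
    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "metadata": {"name": name, "namespace": namespace},
        "type": DOCKERCONFIGJSON,
        "data": {".dockerconfigjson": base64.b64encode(json.dumps(dockerconfig).encode()).decode()},
    }


def decode_dockerconfigjson(secret):
    """Return the decoded auths document of a pull secret, or None if it is malformed."""
    if secret.get("type") != DOCKERCONFIGJSON:
        return None
    raw = secret.get("data", {}).get(".dockerconfigjson")
    if raw is None:
        return None
    try:
        cfg = json.loads(base64.b64decode(raw))
    except (binascii.Error, ValueError):
        return None
    return cfg if isinstance(cfg, dict) else None


def registry_host(image):
    """Registry host of an image reference, following Docker's rule: the first
    path component is a registry only if it looks like a host (has '.', ':' or
    is 'localhost'); otherwise the image lives on Docker Hub."""
    parts = image.split("/")
    if len(parts) > 1 and ("." in parts[0] or ":" in parts[0] or parts[0] == "localhost"):
        return parts[0]
    return "docker.io"


def check_pull_secrets(pod, secrets):
    """Return a list of problems that would make the kubelet fail to pull the pod's images.

    Each imagePullSecrets entry must name a Secret in the pod's own namespace,
    that Secret must be a valid kubernetes.io/dockerconfigjson secret, and the
    union of their auths must cover every registry the pod pulls from (every
    image is treated as private, which is the page's scenario).
    """
    problems = []
    ns = pod["metadata"].get("namespace", "default")
    by_key = {(s["metadata"].get("namespace", "default"), s["metadata"]["name"]): s for s in secrets}
    covered = set()
    for ref in pod["spec"].get("imagePullSecrets", []):
        secret = by_key.get((ns, ref["name"]))
        if secret is None:
            problems.append(f"no Secret {ref['name']!r} in namespace {ns!r}")
            continue
        cfg = decode_dockerconfigjson(secret)
        if cfg is None:
            problems.append(f"Secret {ref['name']!r} is not a valid {DOCKERCONFIGJSON} secret")
            continue
        covered.update(cfg.get("auths", {}))
    # Docker Hub credentials are conventionally keyed by its legacy index URL.
    if "https://index.docker.io/v1/" in covered:
        covered.add("docker.io")
    for c in pod["spec"].get("initContainers", []) + pod["spec"].get("containers", []):
        host = registry_host(c["image"])
        if host not in covered:
            problems.append(f"container {c['name']!r} pulls from {host!r} but no referenced Secret covers it")
    return problems


# Constructed sample input: the page's Pod placed in namespace "apps", plus a
# matching Secret built from made-up deploy-token credentials.
EXAMPLE_POD = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "example-pod", "namespace": "apps"},
    "spec": {
        "imagePullSecrets": [{"name": "registry-auth"}],
        "containers": [{"name": "app", "image": "code.vt.edu:5005/sample/image"}],
    },
}
EXAMPLE_SECRET = build_dockerconfigjson_secret(
    "registry-auth", "apps", "code.vt.edu:5005", "deploy-token", "s3cret-token-value"
)

if __name__ == "__main__":
    print(json.dumps(EXAMPLE_SECRET, indent=2))  # kubectl apply -f accepts JSON manifests too
    print("problems:", check_pull_secrets(EXAMPLE_POD, [EXAMPLE_SECRET]))
```

Running the script prints the Secret as JSON (which `kubectl apply -f` accepts) and an empty problem list; move the Secret to another namespace or change its `type` to `Opaque` and the checker reports the exact reason the pull would fail. The decoded `auths` document is also what you should expect to see in the Secret that the Vault sync or SealedSecrets controller creates, so it is a useful thing to compare against when debugging.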