
Pulling Images from a Private Registry

In order to pull container images from a private registry, the container runtime needs credentials for that registry. Simply put, we need to do the following:

  1. Define a Kubernetes Secret that contains the registry credentials
  2. Update our Pod/Deployment specs to reference that Secret

Let's get to it!

Defining the Registry Secret

While you could simply define the Kubernetes Secret directly in your manifests, we strongly recommend against it: the secret would sit in your manifest repo unencrypted. See the Kubernetes best practices for secrets. Instead, we support two methods to populate the Kubernetes Secret:

  • Sync from Vault - if your team uses Vault for secrets management, Vault can be the source of truth
  • Using Sealed Secrets - we create a manifest containing the encrypted secret, which the cluster decrypts and converts into a normal Kubernetes Secret

When do you want to use which approach? Basically, if you're using Vault to store your secrets, sync from Vault. Otherwise, use the Sealed Secrets approach.

Sync from Vault

Follow the directions from Sync Secrets from Vault.

Using Sealed Secrets

The Platform Dashboard provides a tool to create "Sealed Secrets". These secrets are encrypted with a public key and can only be decrypted by the private key held within the cluster, so the sealed manifest can be committed to a git repo without exposing the plaintext secret.

To create a Sealed Secret holding registry pull credentials:

  1. Open the Platform Dashboard and navigate to the namespace the secret will live in. This is important as the secret can only be decrypted in the namespace it was encrypted for.

  2. Click on the Sealed Secrets Tool in the top navigation menu.

  3. Specify a Secret Name.

  4. In Secret Type, change the option to Image Registry.

  5. For the Registry URL, enter the domain name of the registry (e.g., code.vt.edu:5005).

  6. Enter the Username and Password. For GitLab, this can be a project Access Token or Deploy Key.

    [Screenshot: sample Sealed Secrets tool form]

  7. Click Generate Manifest and add the manifest to your manifest repo. Once synced, the SealedSecret will be decrypted and stored as a normal Kubernetes secret.

Updating the Pod/Deployment Spec

Once the Secret exists in the cluster, all that remains is to reference its name from the pod specification. The only field you need to define is imagePullSecrets.

Note

If using the Helm chart to sync secrets from Vault, the default secret name is registry-auth. You can override it by specifying the secret.name field in the HelmRelease values.

apiVersion: v1
kind: Pod
metadata:
  name: example-pod
spec:
  imagePullSecrets:
    - name: registry-auth   # name of the Secret in this Pod's namespace
  containers:
    - name: app
      image: code.vt.edu:5005/sample/image   # registry host must be one the Secret holds credentials for

Once you commit this change to your manifest repo, you should now see your image get pulled and start running! That's all there is to it!