Generating credentials for Kubernetes cluster image pulls
To facilitate image pulls from a container registry by Kubernetes cluster nodes, you typically need to create a secret that holds the credentials for the container registry. This secret is then used to authenticate with the registry when Kubernetes nodes pull images for deploying Pods.
In Pulumi, you can create a Kubernetes `Secret` manifest for this purpose. The `Secret` will hold the necessary credentials, such as a Docker configuration file with your registry's access token or username and password, encoded in base64. Let's go through the process of generating a Kubernetes Secret Pulumi program that could be used to pull images from a Docker registry.
- Define the Docker Registry Credentials: You should have a Docker configuration file (either `$HOME/.docker/config.json` or a file that you've created manually) that contains the necessary credentials. This file is generally created automatically when you use the `docker login` command to authenticate to a registry.
- Create a Base64-encoded Version of Docker Config: Kubernetes expects the `.dockerconfigjson` field of the Secret to be base64-encoded. You can use a tool like `base64` on Unix-like systems to create an encoded string from your Docker config: `base64 -w 0 ~/.docker/config.json`
- Write a Pulumi Program: You'll use Pulumi's Kubernetes provider to create a Secret resource containing this base64-encoded Docker config.
- Use the Secret in a PodSpec: When you define a `Pod` or any resource that creates a Pod (like a `Deployment`, `StatefulSet`, etc.), you'd reference the secret in the `imagePullSecrets` section of the `spec`.
Here's a Pulumi TypeScript program that creates a Kubernetes `Secret` for Docker registry credentials:

```typescript
import * as pulumi from "@pulumi/pulumi";
import * as kubernetes from "@pulumi/kubernetes";

// The encoded Docker configuration file contents; replace this with your own base64-encoded Docker config
const dockerConfigJson = pulumi.secret(
    "ewogICAgImF1dGhzIjogewogICAgICAgIC..." /* base64-encoded `~/.docker/config.json` contents, truncated for brevity */
);

// Create a Kubernetes Secret with the Docker registry credentials
const registrySecret = new kubernetes.core.v1.Secret("registrySecret", {
    metadata: {
        name: "registry-credentials",
    },
    type: "kubernetes.io/dockerconfigjson",
    data: {
        ".dockerconfigjson": dockerConfigJson,
    },
});

// Export the name of the secret
export const secretName = registrySecret.metadata.name;

// In your Kubernetes deployment/spec, you will refer to this using `imagePullSecrets`:
/*
const appLabels = { app: "my-app" };
const deployment = new kubernetes.apps.v1.Deployment("app-deploy", {
    spec: {
        // apps/v1 requires a selector that matches the Pod template's labels
        selector: { matchLabels: appLabels },
        template: {
            metadata: { labels: appLabels },
            spec: {
                containers: [{
                    name: "app-container",
                    image: "my-private-registry/my-app-image:v1.0.0",
                }],
                imagePullSecrets: [{
                    name: secretName, // to utilize the created Docker credentials secret
                }],
            },
        },
    },
});
*/

// Note: Ensure your Pulumi project is correctly configured to connect to the desired Kubernetes cluster.
```
Explanation of the Program
- Imports: The program begins by importing the required Pulumi libraries for the Kubernetes provider.
- Docker Config: Replace the placeholder string in `dockerConfigJson` with your own base64-encoded Docker configuration file contents.
- Secret Creation: Next, it creates a Kubernetes `Secret` manifest where the secret data is populated with the Docker config.
- Export: The program then exports the name of the secret for potential use in other Pulumi stacks or for referencing within the same stack.
- Usage: The commented-out section illustrates how you use the secret in a Kubernetes deployment, specifically within the `imagePullSecrets` field, which instructs Kubernetes to use these credentials when pulling images for your Pods.
Important Considerations
- The `.docker/config.json` should be treated as sensitive data as it contains credentials. Avoid hardcoding it in the script or committing it to version control. Instead, use Pulumi's `pulumi.secret` to keep it encrypted in the state.
- Run `pulumi up` to deploy the resources to your Kubernetes cluster. Ensure you have the necessary access permissions and that your context is correctly set to point to your Kubernetes cluster.
- You have to ensure your Pulumi program is running in an environment with the appropriate configuration and context to access your Kubernetes cluster.
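Copying the whole `~/.docker/config.json` into the Secret ships every registry login on that machine to the cluster, and if Docker is using a credential helper (`credsStore`) the file holds no tokens at all, so the pull secret silently fails. The following added example (not code from the Pulumi page; the registry and user names are made up) builds a `.dockerconfigjson` value scoped to one registry and checks an existing encoded config for those two problems before it is handed to `pulumi.secret`:

```typescript
// Added example, not from the Pulumi page: build a .dockerconfigjson holding
// only the one registry credential the cluster needs, and check a config
// before it goes into a Secret. Registry and user names are constructed.

interface DockerAuthEntry { auth?: string; username?: string; password?: string }
interface DockerConfig {
  auths?: Record<string, DockerAuthEntry>;
  credsStore?: string;                 // credential helper: no inline tokens
  credHelpers?: Record<string, string>;
}

// Produce the base64 value for Secret.data[".dockerconfigjson"] from a single
// registry credential (ideally a read-only pull token), so nothing else from
// ~/.docker/config.json is copied into the cluster.
function buildDockerConfigJson(registry: string, username: string, password: string): string {
  const auth = Buffer.from(`${username}:${password}`, "utf8").toString("base64");
  const cfg: DockerConfig = { auths: { [registry]: { auth } } };
  return Buffer.from(JSON.stringify(cfg), "utf8").toString("base64");
}

// Decode a base64 .dockerconfigjson and report why kubelet could fail to use it
// (credential helper, missing token) or why it carries more than it should.
function checkDockerConfigJson(encoded: string, wantRegistry: string): string[] {
  let cfg: DockerConfig;
  try {
    cfg = JSON.parse(Buffer.from(encoded, "base64").toString("utf8"));
  } catch {
    return ["not base64-encoded JSON"];
  }
  const problems: string[] = [];
  if (cfg.credsStore || Object.keys(cfg.credHelpers ?? {}).length > 0) {
    problems.push("uses a credential helper: tokens live in the helper, not in this file");
  }
  const auths = cfg.auths ?? {};
  if (!(wantRegistry in auths)) {
    problems.push(`no auths entry for ${wantRegistry}`);
  }
  for (const [registry, entry] of Object.entries(auths)) {
    if (registry !== wantRegistry) {
      problems.push(`unrelated credential for ${registry} would be copied into the cluster`);
    } else if (!entry.auth) {
      problems.push(`entry for ${registry} has no auth token`);
    }
  }
  return problems;
}

// Constructed sample of a whole ~/.docker/config.json copied verbatim.
const copiedWholeConfig = Buffer.from(JSON.stringify({
  credsStore: "desktop",
  auths: { "https://index.docker.io/v1/": {}, "registry.example.com": { auth: "..." } },
}), "utf8").toString("base64");
```

Pass the string returned by `buildDockerConfigJson` to `pulumi.secret(...)` as the `.dockerconfigjson` value; `checkDockerConfigJson` on a base64 file produced by `base64 -w 0` tells you whether that file is safe and usable before you run `pulumi up`.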