#🌱|help-and-getting-started
service account image pull secret

quick-answer-45507

02/13/2023, 1:49 PM
Am I missing something dumb? I cannot seem to find a way using local-kube to configure this for image pulling...
pullSecrets:
  nexus:
    registry: nexus-docker-out.build-tools.domain-production.com
    serviceAccounts:
      - default
That's how I was doing it via devkit, https://www.devspace.sh/docs/configuration/pullSecrets/?x0=2 but previously our config was pulling it from docker config

bright-policeman-43626

02/13/2023, 2:52 PM
Hey @quick-answer-45507 are you using GCR or docker hub? And I understand you are using the local-kubernetes provider, right? It's going to be the same as if you were using a normal kubernetes cluster.
1. You basically need a secret that contains the docker hub/registry configuration (something like https://github.com/garden-io/garden/tree/main/examples/gke#step-4---get-a-json-key-and-create-an-imagepullsecret)
2. Then you can reference that secret in your local-kube provider configuration using this syntax:
imagePullSecrets:
      - # The name of the Kubernetes secret.
        name: the-secret-you-created-above

        # The namespace where the secret is stored. If necessary, the secret may be copied to the appropriate
        # namespace before use.
        namespace: something
Please give that one a try, and feel free to come back if this doesn't work, and please attach any errors you encounter along the way!
This is the object I was referencing in the local-kubernetes provider and all the fields that you can add: https://docs.garden.io/reference/providers/local-kubernetes#providers-.imagepullsecrets

quick-answer-45507

02/13/2023, 2:56 PM
so this is the cancer that was existing... I did not write this so please don't burn me at the stake.
copyreg:
    desc: Copy the local docker registry config to the minikube node
    command:
      - |
          if [ ! -f ~/.docker/config.json ]; then
            echo "No Docker config file found. Run \"captain login-local\"."
            exit 0
          else
            # Take the user's Docker config as is...
            dockerJSONB64=$(base64 -i ~/.docker/config.json | tr -d '[:space:]')

            # But if keychain is used, it doesn't contain the auth we need, so rebuild the Docker config
            if grep osxkeychain ~/.docker/config.json; then
              servers=$(cat ~/.docker/config.json | jq -r '.auths | keys | join("\n")')

              echo 'Captain needs to access the macOS keychain in order to copy Docker credentials into Kubernetes.'
              echo 'Enter your system password if prompted, and select "Always Allow" to avoid further prompts.'

              dockerJSON='{"auths":{'
              firstAuth='indeed'
              while read -r server
              do
                user=$(security find-internet-password -s "$server" | grep '"acct"' | gsed -n "s/^.*\"acct\".*=\"\(.*\)\".*$/\1/p")
                pass=$(security find-internet-password -s "$server" -w)
                authStr=$(echo "$user:$pass" | tr -d '[:space:]' | base64)
                if [ -z "$firstAuth" ]; then
                  dockerJSON="${dockerJSON},"
                fi
                dockerJSON="${dockerJSON}\"${server}\":{\"auth\":\"$authStr\"}"
                firstAuth=''
              done <<< "$servers"
              dockerJSON="$dockerJSON}}"

              dockerJSONB64=$(echo "$dockerJSON" | base64 | tr -d '[:space:]')
            fi

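            # Use '|' as the sed delimiter: base64 output can contain '/', which would break an s/// expression
            sed "s|DOCKER_CONFIG_JSON|$dockerJSONB64|g" {{.Dir}}/kube/registry-secret.yaml \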
              | kubectl apply -f -

            kubectl patch serviceaccount default -p '{"imagePullSecrets": [{"name": "gitlab"}]}'
          fi

bright-policeman-43626

02/13/2023, 3:02 PM
So what I can see from that is that you guys are creating the secret dynamically, bringing it from people's computers. I'm guessing you guys already have your registry set up on your local computers, so you guys are extracting the config from it.
1. You could continue doing that or instead create the secret once (make this a prerequisite to use your private images).
kubectl --namespace default create secret docker-registry gitlab \
  --docker-server=address-of-the-registry \
  --docker-username="$REGISTRY_USERNAME" \
  --docker-password="$REGISTRY_PASSWORD"
2. And then reference it in your https://docs.garden.io/reference/providers/local-kubernetes#providers-.imagepullsecrets object.
Could you expand a little bit: are you trying to run this on-cloud or in a CI? Or is it purely for local development?

quick-answer-45507

02/14/2023, 12:00 AM
Purely local

bright-policeman-43626

02/14/2023, 2:38 AM
Does creating the secret like I showed you there and adding the secret reference to the imagePullSecrets not work?

quick-answer-45507

02/14/2023, 6:58 PM
yeah I actually ended up using passman to pull 'em from the keychain, thanks!

bright-policeman-43626

02/14/2023, 7:43 PM
fantastic! ❤️ could you please mark as resolved! @quaint-dress-831 ❤️