Kubernetes and private registries and names: your registry credentials everywhere

Its 2018 so you have at least a few private container registries lurking about. And you are using Kubernetes to orchestrate your Highly Available Home Assistant (which you never make an acronym of since people would laugh at you) as well as other experiments.

You’ve read the book on namespaces and are all in on the strategy. But you are getting tired of having to create/push your credentials. Well, read on!

First, lets assume I have run ‘docker login’ once in my life. This creates ~/.docker/config.json with a base64 encoded user:token. Please use a token not your password for this (so you can revoke it).

Now, assume you want to periodically run something like this:

kubectl run dc --overrides='{ "apiVersion": "v1", "spec": { "imagePullSecrets": [{"name": "regcreds"}] } }' --rm --attach --restart=Never -i -t --image=cr.agilicus.com/corp-tools/docker-compose

If that seems like gibberish to you, never ask if you should do something, just try!.
What it means is:

  1. kubectl run dc — run a new container called ‘dc’
  2. –overrides= … — on the command line add some yaml to override some stuff, particularly, the imagePullSecrets, set them to ‘regcreds’
  3. –rm — clean up when done, its like turning the lights off when leaving a room
  4. –attach — you want a tty to snoop around in, right, so lets attach this shell
  5. -i -t — you want to be interactive and have a tty
  6. –restart=Never — this is a one-of experiment
  7. registry/image — the thing you want to play w/

Phew, tough reading there.

OK, but registry/image is private, lets introduce a little bit of bash to the problem (bash makes it good usually):

#!/bin/bash

AUTH=$(jq -r '.auths["cr.agilicus.com"].auth' < ~/.docker/config.json | base64 -d)
IFS=:
set -- $AUTH

kubectl get ns --no-headers -o=custom-columns=NAME:.metadata.name |grep -v ^kube- | while read ns
do
  echo "ns: $ns"
  kubectl create secret -n "$ns" docker-registry regcred --docker-server=cr.agilicus.com --docker-username="$1" --docker-password="$2" --docker-email=$(whoami)@agilicus.com 2> >(grep -v 'secrets "regcred" already exists')
done

OK, what does this magic do? Well, it first fetches the tocken from the docker/config.json and decodes it to user:token format. [Replace the registry w/ your name]. Then it splits it (IFS=: set –) so that $1=user, $2=token.

Then, for all non-system namespaces, it creates a secret called ‘regcred’ that you can use with your imagePullSecrets like from above.

 


Posted

in

by

Comments

Leave a Reply

Your email address will not be published. Required fields are marked *