When using a Google Cloud private registry (gcr.io) from project A in another project B in Google Cloud with Kubernetes, the access key is regenerated every X minutes. This results in a working pull secret to use the private registry in project B for about 15 minutes and then the key is rehashed, which invalidates my set private key, and the private registry is then not accessible anymore.
Process used to set the private key:
echo $(cat /root/.dockercfg) | base64 -w 0
Then the key is set in the secret.yaml file to be transported and used on other systems with kubernetes. This all works fine for X minutes.
Secret.yaml:
apiVersion: v1
kind: Secret
metadata:
  name: dockerpullsecret
data:
  .dockercfg: {the base64 key}
type: kubernetes.io/dockercfg
My current solution: The only way to compensate for this (rather annoying) behaviour I can think of is to set up a shell script generating the key file and loading it into the related Kubernetes environments every time the key is changed. This is a rather brute force approach.
Does anybody have a better (more elegant) solution than just scripting this?
What you want to be doing is using a Service Account JSON file for authentication, instead of the oauth2token. oauth2tokens are meant to be used where you have the gcloud binary available.
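Added example, not part of the original answer: one way to build the question's `dockerpullsecret` from a service account JSON key instead of the short-lived token, using GCR's `_json_key` username convention. The sample key, the email placeholder and the `build_pull_secret` helper are constructed for illustration, and the service account is assumed to have read access to project A's registry.

```python
import base64
import json

REGISTRY = "https://gcr.io"        # registry host from the question
SECRET_NAME = "dockerpullsecret"   # secret name from the question's Secret.yaml


def build_pull_secret(key_json: str, email: str = "user@example.com") -> dict:
    """Return a kubernetes.io/dockercfg Secret built from a service account key."""
    key = json.loads(key_json)
    # Reject anything that is not a long-lived service account key, such as a
    # copied short-lived OAuth2 access token (the credential that expires).
    if key.get("type") != "service_account" or "private_key" not in key:
        raise ValueError("not a service account JSON key")

    # GCR accepts the literal username "_json_key" with the whole key file
    # contents as the password.
    user = "_json_key"
    auth = base64.b64encode(f"{user}:{key_json}".encode()).decode()
    dockercfg = {REGISTRY: {"username": user, "password": key_json,
                            "email": email, "auth": auth}}
    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "metadata": {"name": SECRET_NAME},
        "type": "kubernetes.io/dockercfg",
        "data": {".dockercfg": base64.b64encode(
            json.dumps(dockercfg).encode()).decode()},
    }


# Constructed sample key: placeholder values only, not a real credential.
SAMPLE_KEY = json.dumps({
    "type": "service_account",
    "project_id": "project-a",
    "private_key": "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n",
    "client_email": "puller@project-a.iam.gserviceaccount.com",
})

if __name__ == "__main__":
    # JSON is valid YAML, so the output can be saved as secret.yaml.
    print(json.dumps(build_pull_secret(SAMPLE_KEY), indent=2))
```

The resulting manifest embeds the full private key, so it should be handled as a credential and not committed alongside other manifests.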