K
Q

Create kubernetes docker-registry secret from yaml file?

4/3/2018

I can run this command to create a docker registry secret for a kubernetes cluster:

kubectl create secret docker-registry regsecret \
--docker-server=docker.example.com \
--docker-username=kube \
--docker-password=PW_STRING \
--docker-email=my@email.com \
--namespace mynamespace

I would like to create the same secret from a YAML file. Does anyone know how this can be set in a YAML file?

I need this as a YAML file so that it can be used as a Helm template, which allows for a Helm install command such as this (simplified) one:

helm install ... --set docker.user=peter,docker.pw=foobar,docker.email=...
-- Rotareti
docker
docker-registry
kubernetes
kubernetes-secrets

Similar Questions

access k8s apis from outside
Corrupted file in ETCD causes kubernetes not to start
spec: selector "exists" does not find pod
Using Kubernetes as docker containers orchestration in PCF

5 Answers

4/3/2018

You can write that yaml by yourself, but it will be faster to create it in 2 steps using kubectl:

  1. Generate a 'yaml' file. You can use the same command but in dry-run mode and output mode yaml.

    Here is an example of a command that will save a secret into a 'docker-secret.yaml' file for kubectl version < 1.18 (check the version by kubectl version --short|grep Client):

    kubectl create secret docker-registry --dry-run=true $secret_name \
--docker-server=<DOCKER_REGISTRY_SERVER> \
--docker-username=<DOCKER_USER> \
--docker-password=<DOCKER_PASSWORD> \
--docker-email=<DOCKER_EMAIL> -o yaml > docker-secret.yaml

    For kubectl version >= 1.18:

    kubectl create secret docker-registry --dry-run=client $secret_name \
--docker-server=<DOCKER_REGISTRY_SERVER> \
--docker-username=<DOCKER_USER> \
--docker-password=<DOCKER_PASSWORD> \
--docker-email=<DOCKER_EMAIL> -o yaml > docker-secret.yaml

  2. You can apply the file like any other Kubernetes 'yaml':

    kubectl apply -f docker-secret.yaml

UPD, as a question has been updated.

If you are using Helm, here is an official documentation about how to create an ImagePullSecret.

From a doc:

  1. First, assume that the credentials are defined in the values.yaml file like so:

    imageCredentials:
  registry: quay.io
  username: someone
  password: sillyness

  2. We then define our helper template as follows:

    {{- define "imagePullSecret" }}
{{- printf "{\"auths\": {\"%s\": {\"auth\": \"%s\"}}}" .Values.imageCredentials.registry (printf "%s:%s" .Values.imageCredentials.username .Values.imageCredentials.password | b64enc) | b64enc }}
{{- end }}

  3. Finally, we use the helper template in a larger template to create the Secret manifest:

    apiVersion: v1
kind: Secret
metadata:
  name: myregistrykey
type: kubernetes.io/dockerconfigjson
data:
  .dockerconfigjson: {{ template "imagePullSecret" . }}
-- Anton Kostenko
Source: StackOverflow
1/18/2019

You can kubectl apply the output of an imperative command in one line:

kubectl create secret docker-registry --dry-run=true $secret_name \
  --docker-server=<DOCKER_REGISTRY_SERVER> \
  --docker-username=<DOCKER_USER> \
  --docker-password=<DOCKER_PASSWORD> \
  --docker-email=<DOCKER_EMAIL> -o yaml | kubectl apply -f -
-- Sébastien Dan
Source: StackOverflow
11/23/2019
cat <<EOF | kubectl apply -f -
---
apiVersion: v1
kind: Secret
metadata:
  name: regcred
data:
  .dockerconfigjson: $(echo "{\"auths\": {\"https://index.docker.io/v1/\": {\"auth\": \"$(echo "janedoe:xxxxxxxxxxx" | base64)\"}}}" | base64)
type: kubernetes.io/dockerconfigjson
EOF
-- Dudo
Source: StackOverflow
9/19/2018
apiVersion: v1
kind: Secret
metadata:
  name: <NAME>
  namespace: <NAMESPACE>
data:
  .dockercfg: eyJldXJvcGEubGFSfsdfsdfSFSDFsdfsdfSFSDFSDfjM2x1SDFSDFSDFSDFSDFSDFSFSDFSDFSDFSDFG9mZmVyLm5pY2tsYXNzb25AbGVuc3dheWdyb3VwLmNvbSIsImF1dGgiOiJWRTlMUlU0Nk1EZDBNM0JxTXpWak0yeDFNakEwZEdkbGRHVndjVzQ1YUdZPSJ9fQ==
type: kubernetes.io/dockercfg

This works in k8s 1.11.2. I haven't tested it on anything below 1.9. as they changed the type.

-- Coffe
Source: StackOverflow
6/28/2019

In case someone also just wants to have a mapping of kubectl command to yaml file:

kubectl create secret docker-registry --dry-run=true dockerhostsecretname \
  --docker-server=localhost \
  --docker-username=root \
  --docker-password=toor \
  --docker-email=root@toor.nl -o yaml

gives me

apiVersion: v1
data:
  .dockerconfigjson: eyJhdXRocyI6eyJsb2NhbGhvc3QiOnsidXNlcm5hbWUiOiJyb290IiwicGFzc3dvcmQiOiJ0b29yIiwiZW1haWwiOiJyb290QHRvb3IubmwiLCJhdXRoIjoiY205dmREcDBiMjl5In19fQ==
kind: Secret
metadata:
  creationTimestamp: null
  name: dockerhostsecretname
type: kubernetes.io/dockerconfigjson

The base64 string for the password:

eyJhdXRocyI6eyJsb2NhbGhvc3QiOnsidXNlcm5hbWUiOiJyb290IiwicGFzc3dvcmQiOiJ0b29yIiwiZW1haWwiOiJyb290QHRvb3IubmwiLCJhdXRoIjoiY205dmREcDBiMjl5In19fQ

decodes as:

{"auths":{"localhost":{"username":"root","password":"toor","email":"root@toor.nl","auth":"cm9vdDp0b29y"}}}
-- frbl
Source: StackOverflow