I have a private Docker repo with a bunch of images. I am using Helm to deploy them to a Kubernetes cluster.
Helm values.yaml contains the repository credentials:
    image:
      repository: <repo>
      tag: <version tag>
      pullPolicy: IfNotPresent
      imageCredentials:
        registry: <repo>
        username: <username>
        password: <pw>
After doing the helm installation
    helm install myhelmchart --values values.yaml --version
the pod's status is Init:ErrImagePull. kubectl describe pods gives this error:
    Failed to pull image "image:tag": rpc error: code = Unknown desc = Error response from daemon: Get [image]/manifests/[version]: unauthorized: authentication required
It depends on the output of your Helm chart. You can use helm template to see the resulting Kubernetes resources without actually deploying it. Using an image from a private Docker registry comes down to two steps:
1. Make sure that you have a secret resource for the private repository. Note that the type here is kubernetes.io/dockerconfigjson or kubernetes.io/dockercfg. How to create this with templates from helm is described here.
2. Refer to that secret in the pod that uses the image from that private repository, as shown below:
Pod resource/template:
    spec:
      containers:
        - name: some-pod
          image: <image>
      imagePullSecrets:
        - name: <name-of your secret>
You can first build the resources by hand without helm. This helps to verify that the resources themselves are correct. Then you can adapt the helm templates to output the correct resources given your values.
imageCredentials needs to be at the root level, like so:
    image:
      repository: <repo>
      tag: <version tag>
      pullPolicy: IfNotPresent
    imageCredentials:
      registry: <repo>
      username: <username>
      password: <pw>
because
    {{- define "imagePullSecret" }}
    {{- printf "{\"auths\": {\"%s\": {\"auth\": \"%s\"}}}" .Values.imageCredentials.registry (printf "%s:%s" .Values.imageCredentials.username .Values.imageCredentials.password | b64enc) | b64enc }}
    {{- end }}
references .Values.imageCredentials.* and not .Values.image.imageCredentials.*.
Also, you need to add
    imagePullSecrets:
      - name: {{ .Values.imageCredentials.name }}
to the template (e.g. pod or deployment) that pulls the image from the private registry. And as that references .Values.imageCredentials.name, which isn't defined in your snippet, you need to add it, like so:
    image:
      repository: <repo>
      tag: <version tag>
      pullPolicy: IfNotPresent
    imageCredentials:
      # Secret names must be valid DNS subdomain names, so no underscores
      name: <registry-name>-credentials
      registry: <repo>
      username: <username>
      password: <pw>
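
The checks both answers describe (credentials at the root of the values, a kubernetes.io/dockerconfigjson secret, and a pod that references it) can be run against rendered resources before deploying. The following is an added example, not part of the original answers or of any chart: it mirrors the imagePullSecret helper in Python, and the function names, registry host and credentials are constructed for illustration.

```python
import base64
import json

def image_pull_secret(values):
    """Same value the chart's imagePullSecret helper emits (equivalent JSON)."""
    cred = values["imageCredentials"]  # root-level key, like .Values.imageCredentials
    auth = base64.b64encode(f"{cred['username']}:{cred['password']}".encode()).decode()
    config = json.dumps({"auths": {cred["registry"]: {"auth": auth}}})
    return base64.b64encode(config.encode()).decode()

def render_secret(values):
    """Secret manifest as a dict; the helper output goes under .dockerconfigjson."""
    return {"apiVersion": "v1", "kind": "Secret",
            "metadata": {"name": values["imageCredentials"]["name"]},
            "type": "kubernetes.io/dockerconfigjson",
            "data": {".dockerconfigjson": image_pull_secret(values)}}

def check_pull_setup(values, secret, pod_spec):
    """List the problems that leave the image pull unauthenticated."""
    cred = values.get("imageCredentials")
    if cred is None:
        nested = "imageCredentials" in values.get("image", {})
        return ["imageCredentials is nested under image" if nested
                else "imageCredentials is missing"]
    problems = []
    if not cred.get("name"):
        problems.append("imageCredentials.name is not set")
    if secret.get("type") != "kubernetes.io/dockerconfigjson":
        problems.append("secret type is not kubernetes.io/dockerconfigjson")
    else:
        config = json.loads(base64.b64decode(secret["data"][".dockerconfigjson"]))
        if cred.get("registry") not in config.get("auths", {}):
            problems.append("secret has no auth entry for the registry")
    refs = [ref.get("name") for ref in pod_spec.get("imagePullSecrets", [])]
    if secret.get("metadata", {}).get("name") not in refs:
        problems.append("pod spec does not list the secret in imagePullSecrets")
    return problems

# Constructed sample values (placeholder registry and credentials).
CREDS = {"name": "registry-credentials", "registry": "registry.example.com",
         "username": "deploy", "password": "example-password"}
IMAGE = {"repository": "registry.example.com/app", "tag": "1.0"}
GOOD_VALUES = {"image": IMAGE, "imageCredentials": CREDS}
NESTED_VALUES = {"image": {**IMAGE, "imageCredentials": CREDS}}
POD_SPEC = {"containers": [{"name": "some-pod", "image": "registry.example.com/app:1.0"}],
            "imagePullSecrets": [{"name": "registry-credentials"}]}

if __name__ == "__main__":
    print(check_pull_setup(GOOD_VALUES, render_secret(GOOD_VALUES), POD_SPEC))
    print(check_pull_setup(NESTED_VALUES, {}, POD_SPEC))
```

The decoded secret contains the registry password in recoverable form, so keep real credentials out of a committed values.yaml and pass them at install time instead.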