Private Registry is not accessible from Rancher Deployment using Helm chart

4/17/2019

I feel there is a big blocker in Rancher v2.2.2 where I can't define the private Azure registry containing the Docker images to be used to create a K8s deployment.

I can define the Azure registry credentials under Resources -> Registries and authenticate to create a workload (the workload accesses the private Azure registry and authenticates using the credentials set).

Now if I create a Helm chart that accesses the same private Azure registry to pull the image and create a pod, it fails saying the Docker image could not be pulled. I have researched this and I find that the K8s deployment can find the credentials set in the Rancher UI, but the kubelet has no access to these credentials.

The common suggestion people give is to use secrets in the Helm chart deployment file, and that works too, but it is a security concern as any person who can access the Helm chart can find the Azure credentials described in it. I feel it's still a common problem in Rancher v2.

The question: Helm chart deployment with a private Docker repository caters to the problem, but it has the security concern expressed above.

I am not sure if the Rancher community has the answer either, because the Helm repo also suggests the same solution. Please refer to (https://github.com/helm/helm/blob/master/docs/charts_tips_and_tricks.md#creating-image-pull-secrets)

I don't want to define image pull secrets in the deployment.yaml file of the Helm chart as mentioned below:

  name: credentials-name
  registry: private-docker-registry
  username: user
  password: pass
-- Shubhanshu Rastogi
kubernetes
kubernetes-helm
rancher

2 Answers

4/17/2019

When you configure a new set of registry credentials under Resources -> Registries in your current project, Rancher creates a Kubernetes secret resource for you that holds the specified credentials.

You can verify that the secret exists in all namespaces belonging to the project by running the following command:

$ kubectl get secrets -n <some-project-namespace>

Then - instead of persisting your plaintext account credentials in your deployment.yaml - you are going to reference the secret resource in the containers spec like so:

apiVersion: v1
kind: Pod
metadata:
  name: mypod                  # placeholder name
  namespace: <some-project-namespace>
spec:
  containers:
  - name: mycontainer
    image: myregistry.azurecr.io/org/myimage
  imagePullSecrets:            # pod-level field, a sibling of containers
  - name: project-azure-reg-creds

In the example above, project-azure-reg-creds matches the name of the registry credential you added in Rancher. Also note that your deployment must be created in a namespace assigned to the project.

-- DockrMeister
Source: StackOverflow
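The two conditions the answer above relies on (the secret must exist in the pod's own namespace, and it must hold credentials for the registry the image is pulled from) are exactly what the kubelet checks when it resolves a private image. The following added example, which is not code from the original page, from Rancher or from Helm, reproduces that lookup offline: it builds a kubernetes.io/dockerconfigjson Secret of the shape `kubectl create secret docker-registry` (and Rancher's Resources -> Registries) produces, builds a pod that references it by name only, and reports why a pull would fail. The secret name project-azure-reg-creds and the registry myregistry.azurecr.io come from the answer; the namespaces, pod names, usernames and passwords are constructed sample values.

```python
"""Added example (not from the original page): check that a pod's imagePullSecrets
can actually authenticate the registry its images come from.

Mirrors the kubelet's lookup for a private image: each spec.imagePullSecrets entry
is resolved in the pod's own namespace, its .dockerconfigjson payload is decoded,
and the image's registry host is matched against the "auths" keys.
All Secret and Pod objects below are constructed samples.
"""
import base64
import json


def make_dockerconfigjson_secret(name, namespace, registry, username, password):
    """Build the same kind of Secret that `kubectl create secret docker-registry`
    produces (assumed to match what Rancher creates for a registry credential)."""
    auth = base64.b64encode(f"{username}:{password}".encode()).decode()
    cfg = {"auths": {registry: {"username": username, "password": password, "auth": auth}}}
    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "type": "kubernetes.io/dockerconfigjson",
        "metadata": {"name": name, "namespace": namespace},
        "data": {".dockerconfigjson": base64.b64encode(json.dumps(cfg).encode()).decode()},
    }


def pod_with_pull_secret(name, namespace, image, secret_name):
    """Pod manifest that references the pull secret by name only, so no credential
    ends up in the manifest (or in a Helm chart that templates it)."""
    return {
        "apiVersion": "v1",
        "kind": "Pod",
        "metadata": {"name": name, "namespace": namespace},
        "spec": {
            "containers": [{"name": name, "image": image}],
            "imagePullSecrets": [{"name": secret_name}],
        },
    }


def registry_host(image):
    """Registry host of an image reference, per the Docker reference rules: the
    first path component is a host only if it contains '.' or ':' or is
    'localhost'; otherwise the image lives on Docker Hub."""
    first, sep, _ = image.partition("/")
    if sep and ("." in first or ":" in first or first == "localhost"):
        return first
    return "index.docker.io"


def normalize_host(auth_key):
    """auths keys may carry a scheme and path ("https://index.docker.io/v1/");
    reduce to the bare host (the kubelet additionally honours path prefixes)."""
    return auth_key.split("://", 1)[-1].split("/", 1)[0]


def auths_from_secret(secret):
    raw = secret.get("data", {}).get(".dockerconfigjson", "")
    return json.loads(base64.b64decode(raw)).get("auths", {}) if raw else {}


def check_pull_auth(pod, secrets):
    """Return a list of problems; an empty list means every container image has a
    usable pull secret in the pod's namespace."""
    ns = pod["metadata"]["namespace"]
    by_key = {(s["metadata"]["namespace"], s["metadata"]["name"]): s for s in secrets}
    covered = {}  # registry host -> names of secrets holding credentials for it
    problems = []
    for ref in pod["spec"].get("imagePullSecrets", []):
        secret = by_key.get((ns, ref["name"]))
        if secret is None:  # Secrets are namespaced: same name elsewhere does not count
            problems.append(f"imagePullSecret {ref['name']!r} not found in namespace {ns!r}")
            continue
        if secret.get("type") != "kubernetes.io/dockerconfigjson":
            problems.append(f"secret {ref['name']!r} is not of type kubernetes.io/dockerconfigjson")
            continue
        for key in auths_from_secret(secret):
            covered.setdefault(normalize_host(key), []).append(ref["name"])
    for c in pod["spec"]["containers"]:
        host = registry_host(c["image"])
        if host not in covered:
            problems.append(f"container {c['name']!r}: no pull secret covers registry {host!r}")
    return problems


# Constructed sample objects; the usernames and passwords are not real credentials.
SECRETS = [
    make_dockerconfigjson_secret("project-azure-reg-creds", "project-ns",
                                 "myregistry.azurecr.io", "acr-user", "acr-password"),
    make_dockerconfigjson_secret("hub-creds", "project-ns",
                                 "https://index.docker.io/v1/", "hub-user", "hub-password"),
]
IMAGE = "myregistry.azurecr.io/org/myimage:1.0"
POD_OK = pod_with_pull_secret("web", "project-ns", IMAGE, "project-azure-reg-creds")
POD_WRONG_NS = pod_with_pull_secret("web", "other-ns", IMAGE, "project-azure-reg-creds")
POD_WRONG_REGISTRY = pod_with_pull_secret("web", "project-ns", IMAGE, "hub-creds")

if __name__ == "__main__":
    for label, pod in [("ok", POD_OK), ("wrong namespace", POD_WRONG_NS),
                       ("wrong registry", POD_WRONG_REGISTRY)]:
        print(label, "->", check_pull_auth(pod, SECRETS) or "pull would succeed")
```

The three sample pods cover the cases that produce the "image could not be pulled" symptom from the question: the reference is correct, the pod lands in a namespace outside the project (so the secret Rancher created is not visible there), or the referenced secret holds credentials for a different registry than the image's host. In all three the manifest carries only the secret's name, which is the point of the answer: the chart can be shared without exposing the registry password.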

4/17/2019

Kubernetes is what it is. If you want to pull from a private repo you need an imagePullSecret. This is true in the Rancher UI too; it's just automatically associated for you so you don't have to explicitly define it yourself.

-- Vincent Fiduccia
Source: StackOverflow