I am using IBM Cloud and its Terraform provider. Now, I would like to deploy a container image off the IBM Cloud Container Registry and need to provide pull secrets. How can I do that using Terraform?
Creating pull secrets via Terraform and then using them to pull a container image off the IBM Cloud Container Registry is possible with some configuration.
First, I have a template file for the Docker configuration named docker_config.json:
{"auths":{"${docker-server}":{"username":"${docker-username}","password":"${docker-password}","email":"${docker-email}","auth":"${auth}"}}}
That file is referenced from the Terraform code:
# template for container registry secrets
data "template_file" "docker_config_script" {
  template = file("${path.module}/docker_config.json")
  vars = {
    docker-username = "iamapikey"
    docker-password = var.ibmcloud_api_key
    docker-server   = var.docker-server
    docker-email    = var.docker-email
    auth            = base64encode("iamapikey:${var.ibmcloud_api_key}")
  }
}
# Create secrets to access IBM Container Registry to pull container image
resource "kubernetes_secret" "registry_secrets" {
  metadata {
    name      = "my-docker-registry"
    namespace = var.iks_namespace
  }
  data = {
    ".dockerconfigjson" = data.template_file.docker_config_script.rendered
  }
  type = "kubernetes.io/dockerconfigjson"
}
The above code first reads the template and fills it with values from environment variables or current state. Thereafter, it creates a Kubernetes secret my-docker-registry of type Docker configuration. Later on, that secret can be referenced as image_pull_secret in the deployment configuration.
The above is a generic approach. Depending on your account setup, individual user and service ID privileges in that account and how the Kubernetes cluster was created, you may be able to use a pre-created pull secret. See this part in the IBM Cloud Kubernetes Service docs on how to authorize pulling images from private registries.
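As an added illustration (not code from the answer above or from the IBM provider), the following Python builds the same `.dockerconfigjson` document the template renders and then validates a pull secret manifest the way a pre-apply check would: correct `type`, base64-wrapped JSON payload, and an `auth` field that actually equals base64 of `username:password`. Registry host, e-mail and API key values are constructed placeholders; the function names are this example's own.

```python
import base64
import json

# Added example (not from the answer above): builds the same .dockerconfigjson
# document the Terraform template renders, and validates a pull secret before
# it is applied. Server/email/key values used with it are constructed placeholders.

DOCKERCONFIGJSON_TYPE = "kubernetes.io/dockerconfigjson"


def encode_auth(username, password):
    """The 'auth' field is base64("username:password"), exactly what the
    template computes with base64encode("iamapikey:${var.ibmcloud_api_key}")."""
    return base64.b64encode(f"{username}:{password}".encode()).decode()


def decode_auth(auth):
    """Inverse of encode_auth; splits on the first ':' only, so a password
    that itself contains a colon survives the round trip."""
    username, _, password = base64.b64decode(auth).decode().partition(":")
    return username, password


def render_docker_config(server, username, password, email):
    """Equivalent of docker_config.json with its template vars filled in."""
    entry = {
        "username": username,
        "password": password,
        "email": email,
        "auth": encode_auth(username, password),
    }
    return json.dumps({"auths": {server: entry}}, separators=(",", ":"))


def encode_secret_data(rendered):
    """Kubernetes stores Secret .data values base64-encoded; the kubernetes
    provider performs this encoding for the `data` argument itself."""
    return base64.b64encode(rendered.encode()).decode()


def build_pull_secret(name, namespace, server, username, password, email):
    """Dict form of the kubernetes_secret resource from the answer."""
    rendered = render_docker_config(server, username, password, email)
    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "type": DOCKERCONFIGJSON_TYPE,
        "metadata": {"name": name, "namespace": namespace},
        "data": {".dockerconfigjson": encode_secret_data(rendered)},
    }


def validate_pull_secret(secret):
    """Return a list of problems; an empty list means the secret is usable as
    an imagePullSecret. Checks the type, that the payload decodes to JSON, and
    that each registry entry's 'auth' agrees with its username/password."""
    problems = []
    if secret.get("type") != DOCKERCONFIGJSON_TYPE:
        problems.append(f"type must be {DOCKERCONFIGJSON_TYPE}")
    raw = secret.get("data", {}).get(".dockerconfigjson")
    if raw is None:
        problems.append("data has no .dockerconfigjson key")
        return problems
    try:
        config = json.loads(base64.b64decode(raw, validate=True))
    except (ValueError, UnicodeDecodeError) as exc:
        problems.append(f".dockerconfigjson is not base64-encoded JSON: {exc}")
        return problems
    auths = config.get("auths")
    if not isinstance(auths, dict) or not auths:
        problems.append("config has no 'auths' entries")
        return problems
    for server, entry in auths.items():
        if not server:
            problems.append("empty registry server name")
        expected = encode_auth(entry.get("username", ""), entry.get("password", ""))
        if entry.get("auth") != expected:
            problems.append(f"{server}: 'auth' does not match username:password")
    return problems


if __name__ == "__main__":
    # Constructed sample values; a real key would come from var.ibmcloud_api_key.
    manifest = build_pull_secret("my-docker-registry", "default", "us.icr.io",
                                 "iamapikey", "EXAMPLE_KEY", "dev@example.com")
    print(json.dumps(manifest, indent=2))
    print("problems:", validate_pull_secret(manifest))
```

The mismatch check matters because kubelet reads `auth` rather than the separate `username`/`password` fields when both are present, so a template that fills them from different variables fails only at image pull time.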
Also bear in mind that your cluster may already have suitable image pull secrets.
By default, new IBM Cloud Kubernetes Service clusters get a secret (all-icr-io) containing credentials that will give read access to all images in IBM Cloud Container Registry namespaces owned by the same account as the cluster. https://cloud.ibm.com/docs/containers?topic=containers-registry#cluster_registry_auth_default
Alternatively, you can also import the existing pull secret all-icr-io that comes with an IKS cluster by following the steps below.
main.tf
resource "kubernetes_secret" "all_icr_io" {
  # (resource arguments)
}
provider.tf
terraform {
  required_providers {
    kubernetes = {
      source  = "hashicorp/kubernetes"
      version = "1.13.2"
    }
  }
}

provider "kubernetes" {
  # Configuration options
}
On a terminal:
terraform import kubernetes_secret.all_icr_io default/all-icr-io
To confirm:
terraform show
Result:
# kubernetes_secret.all_icr_io:
resource "kubernetes_secret" "all_icr_io" {
    data = (sensitive value)
    id   = "default/all-icr-io"
    type = "kubernetes.io/dockerconfigjson"

    metadata {
        annotations      = {}
        generation       = 0
        labels           = {}
        name             = "all-icr-io"
        namespace        = "default"
        resource_version = "267"
        self_link        = "/api/v1/namespaces/default/secrets/all-icr-io"
        uid              = "0dea7ee0-ab03-4fc1-a4e4-b2xxxxxxx"
    }
}