Kubernetes pod spec requires imagePullSecrets that does NOT match referenced secret?

11/17/2021

Trying to following the use-case examples given in the official Kubernetes documentation for using secrets as environment variables (referenced here ), I made both my secret and my deployment yaml (which includes a pod spec) as follows:

Secret yaml:

apiVersion: v1
kind: Secret
metadata:
  name: my-secret
type: Opaque
data:
  LOCAL_UID: dsdgvreRBRBBsdd=
  LOCAL_PWD: MmSDkfKDODbOU4NCg==

which is written to the namespace by doing: kubectl apply -f my-secret.yaml

Likewise, here is the deployment Yaml:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: my-app
  labels:
    app: my-app
spec:
  replicas: 3
  selector:
    matchLabels:
      app: my-app
  template:
    metadata:
      labels:
        app: my-app
    spec:
      terminationGracePeriodSeconds: 30
      containers:
        - name: my-app
          env:
            - name: REPO_APP_URL
              value: https://repo.myco.com/project.tar.gz
          envFrom:
            - secretRef:
                name: my-secret
          image: repo.myco.com/images/node-alpine:0.1.6
          imagePullPolicy: Always
          ports:
            - containerPort: 8080
          readinessProbe:
            httpGet:
              path: /
              port: 8080
            initialDelaySeconds: 15
            periodSeconds: 15
          securityContext:
            runAsUser: 1000
      imagePullSecrets:
        - name: regcredepg
  • note shown above (but is in the deployment yaml) are the Service and Ingress specs.

This is run by doing the following

kubectl apply -f my-app.yaml

This actually works great given:

  1. the imagePullSecrets directive is included in the deployment YAML.

  2. that the name value given in the imagePullSecrets section is not the actual secret used in the envFrom: - secretRef: section.

If I try to set the name of the imagePullSecrets name field to my-secret, the pod fails to load (saying Error from server (BadRequest): container "my-app" in pod "my-app-597bb6c9b4-lh8rg" is waiting to start: image can't be pulled).

Also, it won't allow me to simply remove the imagePullSecrets section of the YAML in the pod spec, even though the documentation claims it its optional.

So, the only way this will work is if I include the imagePullSecrets reference to a valid secrets that I am not using in my envFrom: - secretRef: section. I am sure I am missing some logical obvious issue here. Can anyone shed light on this??

-- Kim Gentes
kubernetes
kubernetes-secrets
yaml

1 Answer

11/18/2021

imagePullSecrets has a different format than just the ID and password. You need to specify the registry FQDN and the username and password. You can find more information in Pull an Image from a Private Registry.

-- Reza Nasiri
Source: StackOverflow