Illumina Innovates with Rancher and Kubernetes
Registries are Kubernetes secrets containing credentials used to authenticate with private Docker registries.
The word “registry” can mean two things, depending on whether it is used to refer to a Docker or Kubernetes registry:
Deployments use the Kubernetes registry secret to authenticate with a private Docker registry and then pull a Docker image hosted on it.
Currently, deployments pull the private registry credentials automatically only if the workload is created in the Rancher UI and not when it is created via kubectl.
Prerequisites: You must have a private registry available to use.
From the Global view, select the project containing the namespace(s) where you want to add a registry.
From the main menu, select Resources > Registries. Click Add Registry.
Enter a Name for the registry.
Note: Kubernetes classifies secrets, certificates, ConfigMaps, and registries all as secrets, and no two secrets in a project or namespace can have duplicate names. Therefore, to prevent conflicts, your registry must have a unique name among all secrets within your workspace.
Select a Scope for the registry. You can either make the registry available for the entire project or a single namespace.
Select the website that hosts your private registry. Then enter credentials that authenticate with the registry. For example, if you use DockerHub, provide your DockerHub username and password.
Click Save.
Result:
You can deploy a workload with an image from a private registry through the Rancher UI, or with kubectl.
kubectl
To deploy a workload with an image from your private registry,
quay.io/<Quay profile name>/<Image name>
Result: Your deployment should launch, authenticate using the private registry credentials you added in the Rancher UI, and pull the Docker image that you specified.
When you create the workload using kubectl, you need to configure the pod so that its YAML has the path to the image in the private registry. You also have to create and reference the registry secret because the pod only automatically gets access to the private registry credentials if it is created in the Rancher UI.
The secret has to be created in the same namespace where the workload gets deployed.
Below is an example pod.yml for a workload that uses an image from a private registry. In this example, the pod uses an image from Quay.io, and the .yml specifies the path to the image. The pod authenticates with the registry using credentials stored in a Kubernetes secret called testquay, which is specified in spec.imagePullSecrets in the name field:
pod.yml
testquay
spec.imagePullSecrets
name
apiVersion: v1 kind: Pod metadata: name: private-reg spec: containers: - name: private-reg-container image: quay.io/<Quay profile name>/<image name> imagePullSecrets: - name: testquay
In this example, the secret named testquay is in the default namespace.
You can use kubectl to create the secret with the private registry credentials. This command creates the secret named testquay:
kubectl create secret docker-registry testquay \ --docker-server=quay.io \ --docker-username=<Profile name> \ --docker-password=<password>
To see how the secret is stored in Kubernetes, you can use this command:
kubectl get secret testquay --output="jsonpath={.data.\.dockerconfigjson}" | base64 --decode
The result looks like this:
{"auths":{"quay.io":{"username":"<Profile name>","password":"<password>","auth":"c291bXlhbGo6dGVzdGFiYzEyMw=="}}}
After the workload is deployed, you can check if the image was pulled successfully:
kubectl get events
The result should look like this:
14s Normal Scheduled Pod Successfully assigned default/private-reg2 to minikube 11s Normal Pulling Pod pulling image "quay.io/<Profile name>/<image name>" 10s Normal Pulled Pod Successfully pulled image "quay.io/<Profile name>/<image name>"
For more information, refer to the Kubernetes documentation on creating a pod that uses your secret.