imagePullSecrets
This section shows how to use the Template Driver for configuring cluster access to a private container image registry.
The example implements the standard Kubernetes mechanism to Pull an Image from a Private Registry. It creates a Kubernetes Secret of type `kubernetes.io/dockerconfigjson`, reading the credentials from a secret store. It then configures the Secret as the `imagePullSecret` for a Workload's Pod.
The example requires the Humanitec Operator to be configured on the cluster and connected to a secret store. The Resource Definition of type `config` will then read the credentials for the `imagePullSecret` from that secret store to populate the actual Kubernetes Secret.
To use this mechanism, install the Resource Definitions of this example into your Organization, replacing the placeholder values with the actual values of your setup. Add the appropriate matching criteria to the `workload` Definition to match the Workloads you want to have access to the private registry.
Note: `workload` is an implicit Resource Type, so it is automatically referenced for every Deployment.
config.yaml: Resource Definition of `type: config` that reads the credentials for the private registry from a secret store and creates the Kubernetes Secret
workload.yaml: Resource Definition of `type: workload` that adds the `imagePullSecrets` element to the Pod spec, referencing the `config` Resource
Resource Definitions
config.yaml (view on GitHub):
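# This Resource Definition pulls credentials for a container image registry from a secret store
# and creates a Kubernetes Secret of kubernetes.io/dockerconfigjson type
apiVersion: entity.humanitec.io/v1b1
kind: Definition
metadata:
  id: regcred-config
entity:
  driver_type: humanitec/template
  name: regcred-config
  type: config
  criteria:
    - class: default
      # This res_id must be used from a referencing Resource Definition to request this config Resource
      # (together with the class above it is addressed as config.default#regcred)
      res_id: regcred
  driver_inputs:
    # These secret references read the credentials from a secret store
    # Note: Resolving secret references requires the use of the Humanitec Operator
    # and a secret store configured for it on the target cluster
    secret_refs:
      password:
        # Replace this value with the name of the secret that's supplying the password
        ref: regcred-password
        # Replace this value with the secret store id that's supplying the password
        store: FIXME
      username:
        # Replace this value with the name of the secret that's supplying the username
        ref: regcred-username
        # Replace this value with the secret store id that's supplying the username
        store: FIXME
    values:
      # Name of the Kubernetes Secret that gets created; also exposed as the "secret_name" output
      secret_name: regcred
      # Replace this value with the servername of your image registry
      # Use the host as it appears in your image references (example: registry.example.com),
      # since it becomes the key under "auths" in the rendered docker config
      server: FIXME
      templates:
        # The init template is used to prepare the "dockerConfigJson" content
        # The server is passed through "quote" so a value containing ":" (a port) or other
        # YAML specials still parses as a single mapping key; the credentials are emitted
        # as JSON strings via toRawJson for the same reason
        init: |
          dockerConfigJson:
            auths:
              {{ .driver.values.server | quote }}:
                username: {{ .driver.secrets.username | toRawJson }}
                password: {{ .driver.secrets.password | toRawJson }}
        manifests:
          # The manifests template creates the Kubernetes Secret
          # which can then be used in the workload "imagePullSecrets"
          # b64enc only base64-encodes the JSON (no encryption): who can read the registry
          # credentials is governed by RBAC on Secrets in the target namespace
          regcred-secret.yaml:
            data: |
              apiVersion: v1
              kind: Secret
              metadata:
                name: {{ .driver.values.secret_name }}
              data:
                .dockerconfigjson: {{ .init.dockerConfigJson | toRawJson | b64enc }}
              type: kubernetes.io/dockerconfigjson
            # The Secret is created in the namespace the Workload deploys into; Kubernetes
            # requires imagePullSecrets to live in the same namespace as the Pod using them
            location: namespace
        # Expose the Secret name so a workload Definition can reference it as outputs.secret_name
        outputs: |
          secret_name: {{ .driver.values.secret_name }}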
workload.yaml (view on GitHub):
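# This workload Resource Definition adds an "imagePullSecrets" element to the Pod spec
# It references a "config" type Resource to obtain the secret name
apiVersion: entity.humanitec.io/v1b1
kind: Definition
metadata:
  id: custom-workload
entity:
  name: custom-workload
  type: workload
  driver_type: humanitec/template
  driver_inputs:
    values:
    templates:
      # The placeholder resolves to the "secret_name" output of the config Resource matched by
      # class "default" and res_id "regcred" (see config.yaml)
      # Note: a JSON-Patch-style "add" on a member that already exists replaces it, so any
      # imagePullSecrets already present in the Pod spec would be overwritten rather than
      # appended - confirm before combining this with other sources of pull secrets
      outputs: |
        update:
          - op: add
            path: /spec/imagePullSecrets
            value:
              - name: ${resources['config.default#regcred'].outputs.secret_name}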
config.tf (view on GitHub):
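# Terraform equivalent of config.yaml: a "config" Resource Definition that reads the registry
# credentials from a secret store and renders a kubernetes.io/dockerconfigjson Secret.
resource "humanitec_resource_definition" "regcred-config" {
  driver_type = "humanitec/template"
  id          = "regcred-config"
  name        = "regcred-config"
  type        = "config"
  driver_inputs = {
    values_string = jsonencode({
      # Name of the Kubernetes Secret that gets created; also exposed as the "secret_name" output
      "secret_name" = "regcred"
      # Replace with the hostname of your image registry as it appears in image references;
      # it becomes the key under "auths" in the rendered docker config
      "server" = "FIXME"
      "templates" = {
        # The init template prepares the "dockerConfigJson" content. The heredoc body is taken
        # verbatim, so its YAML indentation starts at column 0. "quote" keeps a server value with
        # ":" (a port) a single mapping key; the credentials are emitted as JSON strings.
        "init" = <<END_OF_TEXT
dockerConfigJson:
  auths:
    {{ .driver.values.server | quote }}:
      username: {{ .driver.secrets.username | toRawJson }}
      password: {{ .driver.secrets.password | toRawJson }}
END_OF_TEXT
        "manifests" = {
          # Renders the Secret consumed by the workload "imagePullSecrets". b64enc only
          # base64-encodes the JSON; RBAC on Secrets in the target namespace governs access.
          "regcred-secret.yaml" = {
            "data" = <<END_OF_TEXT
apiVersion: v1
kind: Secret
metadata:
  name: {{ .driver.values.secret_name }}
data:
  .dockerconfigjson: {{ .init.dockerConfigJson | toRawJson | b64enc }}
type: kubernetes.io/dockerconfigjson
END_OF_TEXT
            # Created in the namespace the Workload deploys into (imagePullSecrets must be
            # in the same namespace as the Pod)
            "location" = "namespace"
          }
        }
        # Exposes the Secret name for a workload Definition to reference as outputs.secret_name
        "outputs" = "secret_name: {{ .driver.values.secret_name }}"
      }
    })
    # Secret references are resolved by the Humanitec Operator against a secret store
    # configured on the target cluster. Replace "ref" with the secret name and "store"
    # with the secret store id supplying each value.
    secret_refs = jsonencode({
      "password" = {
        "ref"   = "regcred-password"
        "store" = "FIXME"
      }
      "username" = {
        "ref"   = "regcred-username"
        "store" = "FIXME"
      }
    })
  }
}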
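# Matching criteria for regcred-config: a referencing Definition requests this Resource with
# class "default" and res_id "regcred", i.e. as config.default#regcred (see workload.tf).
resource "humanitec_resource_definition_criteria" "regcred-config_criteria_0" {
  resource_definition_id = resource.humanitec_resource_definition.regcred-config.id
  class                  = "default"
  res_id                 = "regcred"
}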
workload.tf (view on GitHub):
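# Terraform equivalent of workload.yaml: a "workload" Resource Definition that adds an
# "imagePullSecrets" element to the Pod spec, taking the Secret name from the config Resource.
resource "humanitec_resource_definition" "custom-workload" {
  driver_type = "humanitec/template"
  id          = "custom-workload"
  name        = "custom-workload"
  type        = "workload"
  driver_inputs = {
    values_string = jsonencode({
      "templates" = {
        # "$$" is the HCL escape for a literal "${", so the placeholder reaches Humanitec
        # untouched instead of being interpolated by Terraform; it resolves to the
        # "secret_name" output of the config Resource matched by class "default"/res_id "regcred".
        # Note: a JSON-Patch-style "add" on a member that already exists replaces it, so any
        # imagePullSecrets already present in the Pod spec would be overwritten - confirm
        # before combining this with other sources of pull secrets.
        "outputs" = <<END_OF_TEXT
update:
  - op: add
    path: /spec/imagePullSecrets
    value:
      - name: $${resources['config.default#regcred'].outputs.secret_name}
END_OF_TEXT
      }
    })
  }
}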