Skip to content

Using a Docker Registry with Credentials

Why?

Some Docker images are stored in private docker registries. In order for the researcher to access the images, we will need to provide credentials for the registry.

How?

For each private registry you must perform the following (The example below uses Docker Hub):

kubectl create secret docker-registry <secret_name> -n runai \ 
--docker-server=https://index.docker.io/v1/ \
--docker-username=<user_name> --docker-password=<password>

Then:

kubectl label secret <secret_name> runai/cluster-wide="true" -n runai
  • secret_name may be any arbitrary string
  • user_name and password are the repository user and password

Note: the secret may take up to a minute to update in the system.

Google Cloud Registry

Follow the steps below to access private images in the Google Container Registry (GCR):

  • Create a service-account in GCP. Provide it Viewer permissions and download a JSON key.
  • Under GCR, go to image and locate the domain name. Example GCR domains can be gcr.io, eu.gcr.io etc.
  • On your local machine, login to docker with the new credentials:
    docker login -u _json_key -p "$(cat <config.json>)" <gcr-domain>
    

Where <gcr-domain> is the GCR domain we have located, <config.json> is the GCP configuration file. This will generate an entry for the GCR domain in your ~/.docker/config.json file.

  • Open the ~/.docker/config.json file. Copy the JSON structure under the GCR domain into a new file called ~/docker-config.json. When doing so, take care to remove all newlines. For example:

    {"https://eu.gcr.io": { "auth": "<key>"}}
    
  • Convert the file into base64:

    cat ~/docker-config.json | base64
    
  • Create a new file called secret.yaml:

    apiVersion: v1
    kind: Secret
    metadata:
        name: gcr-secret
        namespace: runai
        labels:
            runai/cluster-wide: "true"
    data:
       .dockerconfigjson: << PASTE_HERE_THE_LONG_BASE64_ENCODED_STRING >>
    type: kubernetes.io/dockerconfigjson
    
  • Apply to Kubernetes by running the command:

    kubectl create -f ~/secret.yaml
    
  • Test your settings by submitting a which references an image from the GCR repository


Last update: August 31, 2020