08/17/2022, 2:33 AM
All of our service images are created and hosed in (GitHub Container Registry)… I cannot figure out how to use Pulumi to create the registry secret to enable the download of these images (currently EKS, but plans for Digital Ocean and Google Cloud)… Any help is appreciated. 1. I have the code code create the EKS cluster… 2. I have the code to install the NGinX proxy 3. I have the code to apply the ‘services’ YAML files… Between 1 and 2, I need to install this registry secret so that the YAML files will pull from successfully.


08/17/2022, 3:30 AM
I set a reminder for this tomorrow. Will get back to you then
@calm-iron-40008 do you have existing code you can share?


08/17/2022, 5:45 PM
I have a basic YAML file for the secret
# GitHub Registry Secret
apiVersion: v1
  .dockerconfigjson: bunchesofrandomnessbase64encodedbunchesofrandomnessbase64encodedbunchesofrandomnessbase64encodedbunchesofrandomnessbase64encodedbunchesofrandomnessbase64encodedbunchesofrandomnessbase64encodedbunchesofrandomnessbase64encodedbunchesofrandomnessbase64encodedbunchesofrandomnessbase64encodedbunchesofrandomnessbase64encodedbunchesofrandomnessbase64encodedbunchesofrandomnessbase64encoded
kind: Secret
  name: my-registry
  namespace: default
type: <|>
I also have a standard kubectl command
kubectl create secret docker-registry my-registry --docker-server=<> --docker-username=my-username --docker-password=ghp_bunchesofrandomnesstoken
What I’m hoping to do is create the secret using variables in the Pulumi config and pass that as a command into the Kubernetes cluster. Here’s the ‘index.ts’ file almost… There’s a YAML configgroup after this that loads the services from the designated folder, but that works fine IF the registry secret has been created. The configfile at the bottom loads randomly (the secret is a dockerjson config YAML)
import * as pulumi from "@pulumi/pulumi";
import * as awsx from "@pulumi/awsx";
import * as eks from "@pulumi/eks";
import * as k8s from "@pulumi/kubernetes";
import * as rabbitmq from "@pulumi/rabbitmq";
import * as path from "path";

// TODO: Complete local needs for Pulumi environments and secrets
// Config parameters contained within the stack YAML file
const config = new pulumi.Config();
const env_name = config.require("env_name");
const vpc_name = config.require( "vpc_name");
const proxy_name = config.require( "proxy_name");

// Create an EKS cluster with non-default configuration
// TODO: Finalize the variables for deployment and configuration
const vpc = new awsx.ec2.Vpc(vpc_name, { cidrBlock: "", numberOfAvailabilityZones: 3, subnets: [{ type: "public"}, { type: "private"}], } );
const cluster = new eks.Cluster(env_name, {
    publicSubnetIds: vpc.publicSubnetIds,
    privateSubnetIds: vpc.privateSubnetIds,
    nodeAssociatePublicIpAddress: false,
    // instanceType: "m5a.xlarge",
    desiredCapacity: 3,
    minSize: 2,
    maxSize: 8,
    storageClasses: "gp2",
    deployDashboard: false,
    enabledClusterLogTypes: [

// Export the clusters' kubeconfig.
export const kubeconfig = cluster.kubeconfig;
export const awsinfo = cluster.provider.urn;

// Create a Kubernetes Namespace
const ns = new k8s.core.v1.Namespace(env_name, {}, { provider: cluster.provider });
// Export the Namespace name
export const namespaceName = ns.metadata.apply(m =>;
// Create NGinX instances
const appLabels = {appClass: proxy_name};
const deployment = new k8s.apps.v1.Deployment(proxy_name, {
    metadata: {labels: appLabels},
    spec: {
        replicas: 2,
        selector: {matchLabels: appLabels},
        template: {
            metadata: {labels: appLabels},
            spec: {
                containers: [{
                    name: proxy_name,
                    image: "nginx:1.23.1-alpine",
                    ports: [{name: "https", containerPort: 443 }]
}, {provider: cluster.provider});
const service = new k8s.core.v1.Service(proxy_name, {
    metadata: {labels: appLabels},
    spec: {
        type: "LoadBalancer",
        ports: [{ port: 443, targetPort: "https"}],
        selector: appLabels,
}, {provider: cluster.provider, dependsOn: kubeconfig});

// Export the URL for the load balanced service.
export const url = service.status.loadBalancer.ingress[0].hostname;

// Deploy Kubernetes Secrets
const atsecrets = new k8s.yaml.ConfigFile("atsecrets", {file: "./secrets/all-my-secrets.yaml", }, {dependsOn: kubeconfig});


08/18/2022, 12:04 AM
@calm-iron-40008 really sorry for the delay getting back to you, crazy busy day!
you can do the following:
kubectl create secret docker-registry my-registry --docker-server=<> --docker-username=my-username --docker-password=ghp_bunchesofrandomnesstoken --dry-run -o yaml
which outputs:
apiVersion: v1
  .dockerconfigjson: eyJhdXRocyI6eyJodHRwczovL2doY3IuaW8iOnsidXNlcm5hbWUiOiJteS11c2VybmFtZSIsInBhc3N3b3JkIjoiZ2hwX2J1bmNoZXNvZnJhbmRvbW5lc3N0b2tlbiIsImVtYWlsIjoiZW1haWxAbWluZS5jb20iLCJhdXRoIjoiYlhrdGRYTmxjbTVoYldVNloyaHdYMkoxYm1Ob1pYTnZabkpoYm1SdmJXNWxjM04wYjJ0bGJnPT0ifX19
kind: Secret
  creationTimestamp: null
  name: my-registry
type: <|>
you can then pipe that into kube2pulumi:
which gives you:
import * as pulumi from "@pulumi/pulumi";
import * as kubernetes from "@pulumi/kubernetes";

const my_registrySecret = new kubernetes.core.v1.Secret("my_registrySecret", {
    apiVersion: "v1",
    data: {
        ".dockerconfigjson": "eyJhdXRocyI6eyJodHRwczovL2doY3IuaW8iOnsidXNlcm5hbWUiOiJteS11c2VybmFtZSIsInBhc3N3b3JkIjoiZ2hwX2J1bmNoZXNvZnJhbmRvbW5lc3N0b2tlbiIsImVtYWlsIjoiZW1haWxAbWluZS5jb20iLCJhdXRoIjoiYlhrdGRYTmxjbTVoYldVNloyaHdYMkoxYm1Ob1pYTnZabkpoYm1SdmJXNWxjM04wYjJ0bGJnPT0ifX19",
    kind: "Secret",
    metadata: {
        creationTimestamp: undefined,
        name: "my-registry",
    type: "<|>",
You should be able to substitute the base64
fairly easily, but let me know if you have issue


08/21/2022, 10:11 PM
@billowy-army-68599 that worked perfectly. for some reason, my original code would not allow the ‘.’ dot on the dockerconfigjson name without error. Thanks again.