This message was deleted Pulumi Community #general

Join Slack

This message was deleted.

# general

sparse-intern-71089

03/23/2020, 2:05 AM

This message was deleted.

green-morning-1318

03/23/2020, 2:23 AM

I’m not going to pretend I’m an expert on this, but you might give this a try. A K8s secret for private registries is of type “kubernetes.io/dockerconfigjson”. The content is stored in “.dockerconfigjson” under the data element and always follows a specific format:

Copy code

{
  "auths": {
    "<http://your.private.registry.example.com|your.private.registry.example.com>": {
      "username": "janedoe",
      "password": "xxxxxxxxxxx",
      "email": "<mailto:jdoe@example.com|jdoe@example.com>",
      "auth": "c3R...zE2"
    }
  }
}

The auth part is base64 encoded and seems to be username and password concatenated with a : So if you know your Registry server, username, password, email address you could construct the content of that file programmatically and create a secret like

Copy code

new k8s.core.v1.Secret("myK8sSecret", {
        metadata: {
            name: "imagePullSecret",
            namespace: "default"
        },
        type: "<http://kubernetes.io/dockerconfigjson|kubernetes.io/dockerconfigjson>",
        data: {
            ".dockerconfigjson": toBase64(<the entire auth string>),
        }
    }

In that case, the contents needed to generate the secret are always in your possession and should indeed never be in git. Source for coming up with this potential solution: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/#inspecting-the-secret-regcred

victorious-scientist-9866

03/23/2020, 2:24 AM

Thanks, that was pretty much what I ended up with:

Copy code

const deployToken = new k8s.core.v1.Secret("shrcc-deploy-token", {
  stringData: pulumi.all([
    config.requireSecret("deployTokenUsername"),
    config.requireSecret("deployTokenPassword"),
  ]).apply(([username, password]) => ({
    ".dockerconfigjson": JSON.stringify({
      auths: {
        "<http://registry.gitlab.com|registry.gitlab.com>": { username, password }
      }
    }),
  })),
  type: "<http://kubernetes.io/dockerconfigjson|kubernetes.io/dockerconfigjson>",
}, { additionalSecretOutputs: ["stringData"], provider })

victorious-scientist-9866

03/23/2020, 2:27 AM

but it doesn't quite feel right...

green-morning-1318

03/23/2020, 2:42 AM

It makes sense to me to do it this way to be honest 🤔

green-morning-1318

03/23/2020, 2:43 AM

If you do happen to find a different approach, I’d love to hear it

victorious-scientist-9866

03/23/2020, 3:01 AM

thanks, will do 🙂

faint-motherboard-95438

03/30/2020, 10:29 PM

Hi there, I was searching how to do this too and ended up on this thread. I agree with @victorious-scientist-9866, I would expect a less “handmade” way, and maybe there is, but that will do for now. Thanks !

Open in Slack

Previous Next