# general
s
This message was deleted.
g
I’m not going to pretend I’m an expert on this, but you might give this a try. A K8s secret for private registries is of type “kubernetes.io/dockerconfigjson”. The content is stored in “.dockerconfigjson” under the data element and always follows a specific format:
```json
{
  "auths": {
    "your.private.registry.example.com": {
      "username": "janedoe",
      "password": "xxxxxxxxxxx",
      "email": "jdoe@example.com",
      "auth": "c3R...zE2"
    }
  }
}
```
The auth part is base64 encoded and seems to be username and password concatenated with a `:`. So if you know your registry server, username, password and email address, you could construct the content of that file programmatically and create a secret like:
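```typescript
import * as k8s from "@pulumi/kubernetes";

// Placeholder: the whole JSON document shown above, as a string.
const dockerConfigJson = "<the entire auth string>";

new k8s.core.v1.Secret("myK8sSecret", {
    metadata: {
        name: "image-pull-secret", // Secret names must be lowercase DNS subdomain names
        namespace: "default",
    },
    type: "kubernetes.io/dockerconfigjson",
    data: {
        // Values under `data` must be base64 encoded.
        ".dockerconfigjson": Buffer.from(dockerConfigJson).toString("base64"),
    },
});
```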
In that case, the contents needed to generate the secret are always in your possession and should indeed never be in git. Source for coming up with this potential solution: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/#inspecting-the-secret-regcred
v
Thanks, that was pretty much what I ended up with:
```typescript
const deployToken = new k8s.core.v1.Secret("shrcc-deploy-token", {
  stringData: pulumi.all([
    config.requireSecret("deployTokenUsername"),
    config.requireSecret("deployTokenPassword"),
  ]).apply(([username, password]) => ({
    ".dockerconfigjson": JSON.stringify({
      auths: {
        "registry.gitlab.com": { username, password }
      }
    }),
  })),
  type: "kubernetes.io/dockerconfigjson",
}, { additionalSecretOutputs: ["stringData"], provider })
```
but it doesn't quite feel right...
g
It makes sense to me to do it this way to be honest 🤔
If you do happen to find a different approach, I’d love to hear it
v
thanks, will do 🙂
f
Hi there, I was searching for how to do this too and ended up on this thread. I agree with @victorious-scientist-9866, I would expect a less “handmade” way, and maybe there is, but that will do for now. Thanks!