How can I use Github packages Docker registry in Kubernetes dockerconfigjson?
How can I pull docker.pkg.github.com Docker images from within Kubernetes cluster?

Currently, the Github Docker registry requires authentication even for packages from public Github repositories.

Jury answered 20/5, 2020 at 12:0 Comment(0)
  1. Create new Github Personal Access Token with read:packages scope at https://github.com/settings/tokens/new.
  2. Base-64 encode <your-github-username>:<TOKEN>, i.e.:

    $ echo -n VojtechVitek:4eee0faaab222ab333aa444aeee0eee7ccc555b7 | base64
    <AUTH>

    Note: Make sure not to encode a newline character at the end of the string.

  3. Create kubernetes.io/dockerconfigjson secret

    A) Create secret manually:

    $ echo '{"auths":{"docker.pkg.github.com":{"auth":"<AUTH>"}}}' | kubectl create secret generic dockerconfigjson-github-com --type=kubernetes.io/dockerconfigjson --from-file=.dockerconfigjson=/dev/stdin

    B) Or, create .yml file that can be used in kubectl apply -f:

    kind: Secret
    type: kubernetes.io/dockerconfigjson
    apiVersion: v1
    metadata:
      name: dockerconfigjson-github-com
    stringData:
      # quote the JSON so YAML keeps it as a string instead of parsing it as a map
      .dockerconfigjson: '{"auths":{"docker.pkg.github.com":{"auth":"<AUTH>"}}}'

    Note for GitOps: I strongly recommend not to store the above file in plain-text in your git repository. Hydrate the value in your CD pipeline or encrypt/seal the file with tools like https://github.com/mozilla/sops or https://github.com/bitnami-labs/sealed-secrets.

  4. Now, you can reference the above secret from your pod's spec definition via imagePullSecrets field:

    spec:
      containers:
      - name: your-container-name
        image: docker.pkg.github.com/<ORG>/<REPO>/<PKG>:<TAG>
      imagePullSecrets:
      - name: dockerconfigjson-github-com
Jury answered 20/5, 2020 at 12:0 Comment(5)
Pinkham: When I just copy-and-paste what you wrote, I got "error: error validating "secret.yaml": error validating data: ValidationError(Secret.stringData..dockerconfigjson): invalid type for io.k8s.api.core.v1.Secret.stringData: got "map", expected "string"; if you choose to ignore these errors, turn validation off with --validate=false" error.
Jury: @Sam that's weird, I don't get this error. Perhaps try using data instead of stringData. But you'll have to base64 encode your secret value.
Professoriate: @Sam You can use "data" instead of "stringData" and put the value in single quotes: '{"auths":{"docker.pkg.github.com":{"auth":"<AUTH>"}}}'
Petticoat: The same process above also works for pulling images from the newer GitHub Packages registry (ghcr.io) location. Just replace references to docker.pkg.github.com with ghcr.io.
Devilmaycare: @Sam could you fix that error?

I had to migrate from docker.pkg.github.com to ghcr.io to get this to work with containerd: https://docs.github.com/en/packages/working-with-a-github-packages-registry/migrating-to-the-container-registry-from-the-docker-registry

Don't forget to create the token with read:packages:

kubectl create secret docker-registry dockerconfigjson-github-com \
 --dry-run=client \
 --docker-server=https://docker.pkg.github.com \
 --docker-username=<username> \
 --docker-password=<https://github.com/settings/tokens/new> \
 --namespace=default -o yaml

Add the pull secret:

spec:
  containers:
  - name: your-container-name
    image: docker.pkg.github.com/<ORG>/<REPO>/<PKG>:<TAG>
  imagePullSecrets:
  - name: dockerconfigjson-github-com
Mortician answered 6/6, 2021 at 10:6 Comment(0)

Important notice as github changed its primary domain name from docker.pkg.github.com to ghcr.io (Release Note):

secrets.yml should now look like

kind: Secret
type: kubernetes.io/dockerconfigjson
apiVersion: v1
metadata:
  name: dockerconfigjson-github-com
stringData:
  # quoted so YAML keeps the JSON as a string instead of parsing it as a map
  .dockerconfigjson: '{"auths":{"ghcr.io":{"auth":"<AUTH>"}}}'

And the corresponding deployment spec

spec:
  containers:
  - name: your-container-name
    image: ghcr.io/<ORG>/<REPO>/<PKG>:<TAG>
  imagePullSecrets:
  - name: dockerconfigjson-github-com

Other than described, the old version did not work for me anymore. Maybe this helps someone else!

Professoriate answered 26/1, 2022 at 14:28 Comment(0)
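As an added example (not code from any of the answers above), a small Python helper that does the steps from the first answer the safe way: it emits the Secret through `data` (base64) so the YAML-map ValidationError from the comments cannot happen, and it checks an already-loaded `.dockerconfigjson` value for the mistakes discussed on this page (unquoted JSON parsed as a map, a trailing newline inside the base64 `auth`, and the old docker.pkg.github.com host after the move to ghcr.io). The `octocat`/`tok` credentials are constructed sample values.

```python
import base64
import json

# GitHub moved its Docker registry host; the checker flags the old one so stale manifests are caught.
OLD_REGISTRY = "docker.pkg.github.com"
NEW_REGISTRY = "ghcr.io"


def auth_value(user: str, token: str) -> str:
    """base64(user:token) with no trailing newline, the 'echo -n' rule from the answer."""
    return base64.b64encode(f"{user}:{token}".encode()).decode()


def dockerconfigjson(user: str, token: str, registry: str = NEW_REGISTRY) -> str:
    """The JSON document the kubelet expects under the .dockerconfigjson key."""
    return json.dumps({"auths": {registry: {"auth": auth_value(user, token)}}}, separators=(",", ":"))


def secret_manifest(name: str, user: str, token: str, registry: str = NEW_REGISTRY) -> str:
    """Emit the Secret with 'data' (base64) rather than stringData, so YAML can never
    parse the JSON as a map (the ValidationError reported in the comments)."""
    blob = base64.b64encode(dockerconfigjson(user, token, registry).encode()).decode()
    return ("apiVersion: v1\nkind: Secret\ntype: kubernetes.io/dockerconfigjson\n"
            f"metadata:\n  name: {name}\ndata:\n  .dockerconfigjson: {blob}\n")


def check_dockerconfigjson(value, expected_registry: str = NEW_REGISTRY) -> list:
    """Return the problems found in a loaded .dockerconfigjson value ([] means OK).
    A dict means the YAML author left the JSON unquoted and it was parsed as a map."""
    if not isinstance(value, str):
        return ["'.dockerconfigjson' must be a string: quote the JSON or use 'data'"]
    try:
        auths = json.loads(value)["auths"]
    except (ValueError, KeyError, TypeError):
        return ["value is not a JSON document with an 'auths' key"]
    problems = []
    if OLD_REGISTRY in auths and expected_registry not in auths:
        problems.append(f"registry is {OLD_REGISTRY}; images now live on {expected_registry}")
    for registry, entry in auths.items():
        try:
            creds = base64.b64decode(entry.get("auth", ""), validate=True).decode()
        except (ValueError, UnicodeDecodeError):
            problems.append(f"{registry}: 'auth' is not valid base64")
            continue
        if creds.endswith("\n"):
            problems.append(f"{registry}: 'auth' encodes a trailing newline (use echo -n)")
        if ":" not in creds:
            problems.append(f"{registry}: 'auth' must decode to user:token")
    return problems
```

Pipe `secret_manifest(...)` into `kubectl apply -f -`, or run `check_dockerconfigjson` on the value a YAML loader returns for an existing manifest before applying it.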

Here is a solution for folks who are deploying a private ghcr.io image to a kubernetes cluster from within a Github Actions Workflow:

  1. You need to create a new token with read:packages scope. You can use this link: https://github.com/settings/tokens/new?scopes=read:packages
  2. Add the token as a repository secret KUBERNETES_GHCR_PACKAGES_TOKEN
  3. Add the following code to your .github/workflows/[action].yml:

# ...
jobs:
  build:
    name: Deploy to kubernetes cluster
    steps:
    # ... checkout, save x509 keys
    - name: "Generate ghcr.io imagepullsecret"
      run: |
        # -w0 stops GNU base64 from wrapping long user:token strings at 76 columns
        DOCKER_AUTH_TOKEN=$(echo -n "${GHCR_USER}:${KUBERNETES_GHCR_PACKAGES_TOKEN}" | base64 -w0)
        DOCKER_CONFIG_JSON="{\"auths\":{\"${DOCKER_REGISTRY}\":{\"auth\":\"${DOCKER_AUTH_TOKEN}\"}}}"
        echo "
        kind: Secret
        type: kubernetes.io/dockerconfigjson
        apiVersion: v1
        metadata:
          name: dockerconfigjson-ghcr-io
        stringData:
          .dockerconfigjson: '${DOCKER_CONFIG_JSON}'
        " > "${KUBERNETES_DIR}/dockerconfigjson-ghcr-io.yml"
      env:
        KUBERNETES_DIR: "k8"
        GHCR_USER: "${{ github.actor }}"
        KUBERNETES_GHCR_PACKAGES_TOKEN: "${{ secrets.KUBERNETES_GHCR_PACKAGES_TOKEN }}"
        DOCKER_REGISTRY: ghcr.io

    - name: Deploy to Kubernetes
      run: |
        # Of course you need to specify server and x509 login certificates
        kubectl apply -f "${KUBERNETES_DIR}"
      env:
        KUBERNETES_DIR: "k8"
Vi answered 2/2, 2022 at 14:0 Comment(0)