dockerkubernetesminikubeghcrokteto

Cannot pull a private package/image from GitHub Container Registry into Okteto Kubernetes

I hope it's ok to ask for your advice.

The problem in a nutshell: my pipeline cannot pull private images from GHCR.IO into Okteto Kubernetes, but public images from the same private repo work.

I'm on Windows 10 and use WSL2-Ubuntu 20.04 LTS with kinD for development and tried minikube too.

I get an error in Okteto which says that the image pull is “unauthorized” -> “imagePullBackOff”.

Things I did:browsed Stack Overflow, RTFM, Okteto FAQ, download the Okteto kubeconfig, pulled my hair out and spent more hours than I would like to admit – still no success yet.

For whatever reason I cannot create a “kubectl secret” that works. When logged-in to ghcr.io via “docker login --username” I can pull private images locally.

No matter what I’ve tried I still get the error “unauthorized” when trying to pull a private image in Okteto.

My Setup with latest updates:

Setup kinD

kind create cluster --name my-name

kubectl create my-namespace

// create a secret to pull images from ghcr.io       
kubectl create secret docker-registry my-secret -n my-namespace --docker-username="my-username" --docker-password="my-password" --docker-email="my-email" --docker-server="https://ghcr.io"

// patch local service account
kubectl patch serviceaccount default -p '{"imagePullSecrets": [{"name": "my-secret"}]}'

kubernetes.yaml

apiVersion: apps/v1
kind: Deployment
metadata:
  name: okteto-repo
  namespace: my-namespace
spec:
  replicas: 1
  selector:
    matchLabels:
      app: okteto-repo
  template:
    metadata:
      labels:
        app: okteto-repo
    spec:
      containers:
        - name: okteto-repo
          image: ghcr.io/user/okteto-repo:latest
          ports:
            - containerPort: 80
      imagePullSecrets:
        - name: my-secret
---
apiVersion: v1
kind: Service
metadata:
  name: okteto-repo
  annotations:
    dev.okteto.com/auto-ingress: "true"
spec:
  type: ClusterIP
  selector:
    app: okteto-repo
  ports:
    - protocol: TCP
      port: 8080
      targetPort: 80

Do you have an idea why it doesn't work and what I could do?

Thanks a lot my dear friends, every input is highly appreciated!

Hope you guys have great holidays.

Cheers, Michael

Solution

  • I was able to pull a private image by doing the following:

    1. Create a personal token in GitHub with repo access.
    2. Build and push the image to GitHub's Container registry (I used okteto build -t ghcr.io/rberrelleza/go-getting-started:0.0.1)
    3. Download my kubeconfig credentials from Okteto Cloud by running okteto context update-kubeconfig.
    4. Create a secret with my credentials: kubectl create secret docker-registry gh-regcred --docker-server=ghcr.io --docker-username=rberrelleza --docker-password=ghp_XXXXXX
    5. Patched the default account to include the secret as an image pull secret: kubectl patch serviceaccount default -p '{"imagePullSecrets": [{"name": "gh-regcred"}]}'
    6. Updated the image name in the kubernetes manifest
    7. Created the deployment (kubectl apply -f k8s.yaml)

    These is what my kubernetes resources looks like, in case it helps:

    # k8s.yaml

apiVersion: apps/v1
kind: Deployment
metadata:
  name: hello-world
spec:
  replicas: 1
  selector:
    matchLabels:
      app: hello-world
  template:
    metadata:
      labels:
        app: hello-world
    spec:
      containers:
      - image: ghcr.io/rberrelleza/go-getting-started:0.0.1
        name: hello-world

---

apiVersion: v1
kind: Service
metadata:
  name: hello-world
  annotations:
    dev.okteto.com/auto-ingress: "true"
spec:
  type: ClusterIP  
  ports:
  - name: "hello-world"
    port: 8080
  selector:
    app: hello-world

    # default SA
apiVersion: v1
imagePullSecrets:
- name: gh-regcred
- name: okteto-regcred
kind: ServiceAccount
metadata:
  creationTimestamp: "2021-05-21T22:26:38Z"
  name: default
  namespace: rberrelleza
  resourceVersion: "405042662"
  uid: 2b6a6eef-2ce7-40d3-841a-c0a5497279f7
secrets:
- name: default-token-7tm42