kubernetesdocker-registryopenwhisk

Private Registry for Action Pods in Openwhisk deployed on Kubernetes through helm 3


As the title says, I am trying to deploy openwhisk on my kubernetes cluster (and as a containerFactory) using helm 3 but I am using a private registry to pull the action pod images, i.e, action-nodejs-v14.

Despite creating a docker registry secret inside the namespace, the action pod seems not aware of it and it fails saying:

rpc error: code = Unknown desc = Error response from daemon: Head "https://<registry_url>/v2/openwhisk/action-nodejs-v14/manifests/latest": no basic auth credentials

I found this and this issues stating that imagePullSecrets is not propagated when using kubernetes as a containerFactory and they recommend passing it through a pod-template from whisk.kubernetes.pod-template in whiskconfig.conf but I don't know how an Action Pod should look like since all of them are created by the invoker almost misteriously.

I can confirm the images exist on my private registry and I can download them if I do docker pull <registry_url>/openwhisk/action-nodejs-v14:latest after loging in.

Is there a way to do this from invoker pod template file? Or any other way?

Thanks!


Solution

  • The solution I found was by propagating the imagePullSecret with the pod-template configuration variable in whiskconfig.conf in the form:

    include classpath("application.conf")
    whisk{
      ...
      kubernetes {
        pod-template = """
    apiVersion: v1
    kind: Pod
    spec:
      imagePullSecrets:
      - name: <name of your private docker registry>
    """
      }
    }
    

    Using this configuration, you can pull the function images from your own private docker registry despite openwhisk not supporting this for Kubernetes' Container Factory. For openwhisk-deploy-kube, the name of your imagePullSecret is of the form {{ .Release.Name }}-private-registry.auth if you haven't modified the name on _helpers.tpl