I'm trying to build an OCI image using the s2i mechanism of OpenShift. The Dockerfile is multi-stage, and both base images are hosted inside two different, only privately accessible docker repositories.
My BuildConfig looks like this:
```yaml
apiVersion: build.openshift.io/v1
kind: BuildConfig
metadata:
  name: ${NAME}
spec:
  failedBuildsHistoryLimit: 5
  nodeSelector: { }
  output:
    pushSecret:
      name: ${PUSH_SECRET}
    to:
      kind: DockerImage
      name: >-
        ${IMAGE_NAME}:${IMAGE_VERSION}
  postCommit: { }
  resources: { }
  runPolicy: Serial
  source:
    binary: { }
    type: Binary
  strategy:
    dockerStrategy:
      pullSecret:
        name: ${PULL_SECRET}
    type: Docker
  successfulBuildsHistoryLimit: 5
  triggers: [ ]
```
I know I can supply the ImagePullSecret to use with the .spec.strategy.dockerStrategy.pullSecret.name field. But how can I use multiple pull secrets, i.e. enable the build to pull from two separate private docker registries?
Creating the ImagePullSecrets in OpenShift and then assigning them to the builder ServiceAccount did not work, as s2i seems to ignore this configuration and only use the secrets listed in the BuildConfig.
The field spec.strategy.dockerStrategy.pullSecret must contain only one pullSecret.
pullSecret: LocalObjectReference: The name of a Secret that would be used for setting up the authentication for pulling the container images from the private Docker registries.
Make sure you have defined all registry server names and auth entries inside your pull secret, for example:
dockerconfig.json:
```json
{
  "auths": {
    "registry.yourdomain.com": {"auth": "<hash>", "email": "<email_address>"},
    "cloud.openshift.com": {"auth": "<hash>", "email": "<email_address>"},
    "quay.io/repository-main": {"auth": "<hash>", "email": "<email_address>"}
  }
}
```
```shell
# Create pull secret from dockerconfig file
$ oc create secret generic <pull_secret_name> \
    --from-file=.dockerconfigjson=<path/to/dockerconfig.json> \
    --type=kubernetes.io/dockerconfigjson
# Add the secret to your service account
$ oc secrets link builder <pull_secret_name> --for=pull
```
When configuring the BuildConfig, the PullSecret can be overridden to manually choose the ImagePullSecret used by the OpenShift Build when there are multiple to choose from in the Builder ServiceAccount.
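An added example, not part of the original answer or OpenShift's own tooling: one way to build the single combined pull secret when each registry's credentials already exist as a separate `.dockerconfigjson` document. The registry host names, the secret name `multi-registry-pull` and the credentials are constructed placeholders.

```python
import base64
import json


def merge_docker_configs(*configs: str) -> dict:
    """Merge the "auths" maps of several .dockerconfigjson documents into one."""
    merged = {}
    for raw in configs:
        for registry, entry in json.loads(raw).get("auths", {}).items():
            # Never silently replace one credential with another for the same
            # registry key: the build would then pull with whichever won.
            if registry in merged and merged[registry] != entry:
                raise ValueError(f"conflicting credentials for {registry}")
            merged[registry] = entry
    return {"auths": merged}


def pull_secret_manifest(name: str, *configs: str) -> dict:
    """Build a kubernetes.io/dockerconfigjson Secret holding the merged config."""
    payload = json.dumps(merge_docker_configs(*configs)).encode()
    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "metadata": {"name": name},
        "type": "kubernetes.io/dockerconfigjson",
        # Secret "data" values are base64-encoded.
        "data": {".dockerconfigjson": base64.b64encode(payload).decode()},
    }


def encode_auth(user: str, password: str) -> str:
    """The "auth" field is base64 of "user:password"."""
    return base64.b64encode(f"{user}:{password}".encode()).decode()


# Constructed sample inputs: one config per private registry (placeholder hosts).
BASE_REGISTRY = json.dumps(
    {"auths": {"registry-a.example.com": {"auth": encode_auth("builder", "constructed-a")}}}
)
RUNTIME_REGISTRY = json.dumps(
    {"auths": {"registry-b.example.com": {"auth": encode_auth("builder", "constructed-b")}}}
)

if __name__ == "__main__":
    manifest = pull_secret_manifest("multi-registry-pull", BASE_REGISTRY, RUNTIME_REGISTRY)
    print(json.dumps(manifest, indent=2))
```

The printed manifest can be piped to `oc apply -f -`, and the resulting secret name set in `.spec.strategy.dockerStrategy.pullSecret.name`.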