Tags: kubernetes, google-cloud-platform, openshift, gcloud, google-artifact-registry

How to pull docker image from Google Artifact Registry in k8s deployment.yaml via imagePullSecrets


I have a pod deployment in my helm chart.
I want my pod deployment to pull the docker image from google artifactory registry.
I created a service account in gcloud, gave artifactory registry reader permissions to this service account then created a json key under the service account which I want to use to login to artifactory registry from any machine.
I'm installing pod on openshift.

I want to use gcloud service account json key only as a mode of authentication to google artifactory registry.

This works:
I converted my service account json key to base64 and passed to docker login which gave me successful login to artifactory registry.

cat service_account_key_base64.json | docker login -u _json_key_base64 --password-stdin <docker registry url>

Now I can pull any docker image under google artifactory registry.
docker pull <docker-image-url>

This doesn't work:

I created a secret using my service account json key like this:

apiVersion: v1 
kind: Secret 
metadata:
  name: gcloud-secret
data:
  .dockerconfigjson: <base64 of my service account key>
type: kubernetes.io/dockerconfigjson

oc create -f <secret.yaml>

Added gcloud-secret as imagePullSecrets in my pod deployment file:

imagePullSecrets:
- name: gcloud-secret

When I try to install my helm chart, pod goes to ImagePullBackOff state and describing pod gives me this error:
Requesting bearer token: invalid status code from registry 403 (Forbidden)


Solution

  • The only way I found to do this is to create the secret as described below, so that kubernetes can pull the image from google artifactory registry.

    First, run docker login manually on your machine:

    cat service_account_key_base64.json | docker login -u _json_key_base64 --password-stdin <docker registry url>
    

    Then:

    cat ~/.docker/config.json | base64 -w 0
    

    Copy the long string you get into your secret.yaml file as shown below.

    apiVersion: v1
    kind: Secret
    metadata:
      name: gcloud-secret
    data:
      .dockerconfigjson: <paste your base64 encoded string>
    type: kubernetes.io/dockerconfigjson
    

    Now create the secret:

    $ kubectl create -f <secret.yaml>
    

    Provide the secret name in your imagePullSecrets.
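
An added example, not part of the original answer: copying all of ~/.docker/config.json puts every registry login stored in that file into the Secret, and yields no usable credentials when Docker is set up with a credential store, so this sketch builds the same `auths` structure for one registry directly from the key. It assumes the key file is the raw (not yet base64-encoded) service account JSON; the function names, the registry host `registry.example.invalid` and the key contents are constructed placeholders.

```shell
#!/bin/sh
# Build a kubernetes.io/dockerconfigjson Secret for ONE registry from a
# service account key, without running docker login or copying config.json.

# b64: base64-encode stdin on a single line (portable stand-in for `base64 -w 0`).
b64() { base64 | tr -d '\n'; }

# docker_config REGISTRY KEY_FILE
# Prints a Docker config JSON with credentials for REGISTRY only.
# "auth" is base64("<username>:<password>"), the field docker login writes.
# With the _json_key_base64 username used on this page, the password is the
# base64 of the key, so nothing in it needs JSON escaping.
docker_config() {
  registry=$1
  key_b64=$(b64 < "$2")
  auth=$(printf '_json_key_base64:%s' "$key_b64" | b64)
  printf '{"auths":{"%s":{"auth":"%s"}}}' "$registry" "$auth"
}

# secret_manifest NAME REGISTRY KEY_FILE
# Prints the Secret manifest; .dockerconfigjson is base64 of the config above,
# not base64 of the key itself (the mistake in the question).
secret_manifest() {
  cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: $1
type: kubernetes.io/dockerconfigjson
data:
  .dockerconfigjson: $(docker_config "$2" "$3" | b64)
EOF
}

# Constructed sample input: a fake key and a placeholder registry host.
key_file=$(mktemp)
printf '{"type":"service_account","private_key":"CONSTRUCTED-NOT-A-REAL-KEY"}' > "$key_file"
secret_manifest gcloud-secret registry.example.invalid "$key_file"
rm -f "$key_file"
```

The printed manifest contains the credential, so pipe it straight to `oc create -f -` or `kubectl create -f -` rather than saving it where it could be committed.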