I have a pod deployment in my helm chart.
I want my pod deployment to pull the docker image from google artifactory registry.
I created a service account in gcloud, gave artifactory registry reader permissions to this service account then created a json key under the service account which I want to use to login to artifactory registry from any machine.
I'm installing the pod on OpenShift.
I want to use gcloud service account json key only as a mode of authentication to google artifactory registry.
This works:
I converted my service account json key to base64 and passed to docker login which gave me successful login to artifactory registry.
cat service_account_key_base64.json | docker login -u _json_key_base64 --password-stdin <docker registry url>
Now I can pull any docker image under google artifactory registry.
docker pull <docker-image-url>
This doesn't work:
I created a secret using my service account json key like this:
apiVersion: v1
kind: Secret
metadata:
  name: gcloud-secret
data:
  .dockerconfigjson: <base64 of my service account key>
type: kubernetes.io/dockerconfigjson
oc create -f <secret.yaml>
Added gcloud-secret as imagePullSecrets in my pod deployment file:
imagePullSecrets:
- name: gcloud-secret
When I try to install my helm chart, the pod goes into the ImagePullBackOff state and describing the pod gives me this error:
Requesting bearer token: invalid status code from registry 403 (Forbidden)
I found the only way to do this, which is to create the secret as described below so that Kubernetes can pull the image from google artifactory registry.
First, docker login manually on your machine:
cat service_account_key_base64.json | docker login -u _json_key_base64 --password-stdin <docker registry url>
then:
cat ~/.docker/config.json | base64 -w 0
Copy the long string you get into your secret.yaml file as shown below.
secret.yaml file:
apiVersion: v1
kind: Secret
metadata:
  name: gcloud-secret
data:
  .dockerconfigjson: <paste your base64 encoded string>
type: kubernetes.io/dockerconfigjson
Now create the secret:
$ kubectl create -f <secret.yaml>
Provide the secret name in your imagePullSecrets.
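
An added example, not part of the original answer: Kubernetes expects `.dockerconfigjson` to hold a Docker config document (an `auths` map), not the service account key itself. This builds that document directly from the base64 key file used above, so the secret carries only the one registry entry rather than the whole `~/.docker/config.json`, which can hold credentials for other registries, or none at all when a credential helper is configured. The function names, the key value and `registry.example.test` are assumptions made for illustration.

```shell
# make_dockerconfigjson <base64-key-file> <registry-host>
# Prints a Docker config JSON with a single "auths" entry for the registry.
make_dockerconfigjson() (
  # Same password docker login reads from stdin: the base64 key on one line.
  password=$(tr -d '\n' < "$1")
  # Docker stores credentials as base64("username:password").
  auth=$(printf '%s' "_json_key_base64:${password}" | base64 | tr -d '\n')
  printf '{"auths":{"%s":{"auth":"%s"}}}' "$2" "$auth"
)

# make_secret_manifest <secret-name> <base64-key-file> <registry-host>
# Prints a Secret manifest whose data field is the base64 of that config.
make_secret_manifest() (
  payload=$(make_dockerconfigjson "$2" "$3" | base64 | tr -d '\n')
  cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: $1
type: kubernetes.io/dockerconfigjson
data:
  .dockerconfigjson: ${payload}
EOF
)

# Demo with a constructed, non-functional key file and a placeholder host.
demo_key=$(mktemp)
printf 'Q09OU1RSVUNURURfS0VZ\n' > "$demo_key"   # constructed sample, not a real key
make_secret_manifest gcloud-secret "$demo_key" registry.example.test
rm -f "$demo_key"
```

The printed manifest can be piped to `oc create -f -`, so the key never has to be written into a workstation's Docker config.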