GitHub has announced a major feature on its platform: GitHub Packages. As well as hosting private npm or NuGet registries, GitHub Packages also includes private Docker registries. If you use GitHub to host your private project, it might make sense to use GitHub's private Docker registry.

Private Registry Authentication

Log in to Docker from your workstation with your personal access token. You can find out more details about GitHub Packages, and specifically about the token permissions, in GitHub's documentation. The command below reads the token from the file ~/gh-do-package.txt.

cat ~/gh-do-package.txt | docker login https://docker.pkg.github.com -u USERNAME --password-stdin

Replace USERNAME with your GitHub username.

If your ~/.docker/config.json now contains an auth key with a base64-encoded value, create a Kubernetes secret from that file.

kubectl create secret generic ghregcred \
    --from-file=.dockerconfigjson=<path/to/.docker/config.json> \
    --type=kubernetes.io/dockerconfigjson

In my case, however, the value is not available as I am using the credStore. Therefore, I have to create the secret using the command:

kubectl create secret docker-registry ghregcred \
    --docker-server=docker.pkg.github.com \
    --docker-username=<your-name> \
    --docker-password=<your-pword> \
    --docker-email=<your-email>

where:

  • <your-name> is your GitHub username.
  • <your-pword> is your GitHub personal access token.
  • <your-email> is your GitHub email.

You can inspect the value that was created with:

kubectl get secret ghregcred --output=yaml

The output is similar to this:

apiVersion: v1
kind: Secret
metadata:
    ...
    name: ghregcred
    ...
data:
    .dockerconfigjson: eyJodHRwczovL2luZGV4L ... J0QUl6RTIifX0=
type: kubernetes.io/dockerconfigjson

Read more about inspecting the secret.
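
As an added example (not part of the original post), this Python sketch covers both points above: it tells whether a config.json holds the inline auth value or defers to a credential store, and it decodes a .dockerconfigjson value to show that it is only base64-encoded, so anyone who can read the secret recovers the token. The user name, token and config contents are constructed samples; credsStore and credHelpers are Docker's config keys for credential helpers.

```python
import base64
import json

REGISTRY = "docker.pkg.github.com"

def login_storage(config_text, registry=REGISTRY):
    """Say where `docker login` left the credential for `registry`.

    "inline"    -> auths[registry].auth holds base64(user:token); the file can
                   be loaded with --from-file=.dockerconfigjson=...
    "credstore" -> a credential helper holds it; use `create secret docker-registry`
    "missing"   -> no login recorded for this registry
    """
    cfg = json.loads(config_text)
    for key, entry in cfg.get("auths", {}).items():
        # The key may be recorded with or without the https:// scheme.
        if key.split("://", 1)[-1].split("/", 1)[0] != registry:
            continue
        if entry.get("auth"):
            return "inline"
        if cfg.get("credsStore") or registry in cfg.get("credHelpers", {}):
            return "credstore"
    return "missing"

def decode_pull_secret(data_b64):
    """Decode a Secret's .dockerconfigjson value into {registry: (user, token)}."""
    cfg = json.loads(base64.b64decode(data_b64))
    creds = {}
    for host, entry in cfg.get("auths", {}).items():
        if entry.get("auth"):
            user, _, token = base64.b64decode(entry["auth"]).decode().partition(":")
        else:
            user, token = entry.get("username", ""), entry.get("password", "")
        creds[host] = (user, token)
    return creds

# Constructed sample data: placeholder user and token, not real credentials.
USER, TOKEN = "octocat", "example-token-not-real"
AUTH = base64.b64encode(f"{USER}:{TOKEN}".encode()).decode()
INLINE_CFG = json.dumps({"auths": {"https://" + REGISTRY: {"auth": AUTH}}})
HELPER_CFG = json.dumps({"auths": {REGISTRY: {}}, "credsStore": "desktop"})
SECRET_DATA = base64.b64encode(json.dumps(
    {"auths": {REGISTRY: {"username": USER, "password": TOKEN, "auth": AUTH}}}
).encode()).decode()

if __name__ == "__main__":
    print(login_storage(INLINE_CFG), login_storage(HELPER_CFG))
    user, token = decode_pull_secret(SECRET_DATA)[REGISTRY]
    print(f"{REGISTRY}: user={user}, token recovered ({len(token)} chars)")
```

Because the token comes back in clear text this way, limit who can read secrets in the namespace and give the token only the package permissions it needs.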

Create a Deployment that uses the secret

Create a deployment.yaml file as below, with the USERNAME, REPOSITORY and mysecret values replaced with the appropriate ones, making sure the indentation for imagePullSecrets matches.

apiVersion: apps/v1 # for versions before 1.9.0 use apps/v1beta2
kind: Deployment
metadata:
  name: mysecret-deployment
spec:
  selector:
    matchLabels:
      app: mysecret
  replicas: 1 # tells deployment to run 1 pod matching the template
  template:
    metadata:
      labels:
        app: mysecret
    spec:
      containers:
      - name: mysecret
        image: docker.pkg.github.com/USERNAME/REPOSITORY/mysecret:latest
        ports:
        - containerPort: 8080
      imagePullSecrets:
      - name: ghregcred

Run the kubectl apply command pointing to the file.

kubectl apply -f ./deployment.yaml

Display information about the Deployment:

kubectl describe deployment mysecret-deployment

Tip: If it's a web application, you can verify that the pod is deployed correctly by using kube-proxy. Follow the URL pattern http://localhost:8001/api/v1/namespaces/xxx/pods/mysecret-deployment-xxx:/proxy/

Summary

You can follow the same steps to set up private Docker registry authentication for any registry that supports Docker's login protocol. All I did was put together various docs that were already available.