Kubernetes and Google Cloud Container Registry
We want read access to a private Google Cloud Container Registry for a Kubernetes Deployment; we'll cover Helm as well.
Service Account Key #
First, you need to create a service account in GCP.
- IAM
- Service Account
- Create
- Grant rights (more on that below)
- Generate the json key and keep it safe
About rights, I may have granted something too broad, but it seems that I needed something like this:
- Cloud Storage access
- Container Registry Service Agent
- Developer on Kubernetes Engine
- Reader on the Cluster Kubernetes Engine
storage.buckets.get
storage.objects.create
storage.objects.delete
storage.objects.get
storage.objects.list
container.clusters.get
container.configMaps.create
[...]
Note that this is more than "read access": storage.objects.create and storage.objects.delete let the key push and delete images, and the Kubernetes Engine roles are not used by the kubelet when it pulls an image. Container Registry stores images in a Cloud Storage bucket (artifacts.PROJECT-ID.appspot.com for gcr.io, eu.artifacts.PROJECT-ID.appspot.com for eu.gcr.io), so for pull-only access the service account needs just Storage Object Viewer (roles/storage.objectViewer) on that bucket. Treat the JSON key as a long-lived credential: anyone who obtains the Secret below can pull every image in the registry.
Create a Kubernetes Secret #
The idea is to add a secret inside the cluster, in the namespace where the Deployment will run (kubectl uses default unless you pass -n).
- docker-registry: this is the secret type used; leave it as it is.
- gcr-io: this is the name; use what you want, but I will use gcr-io as the example.
- docker.json is the JSON key you generated earlier. The username is literally _json_key; the whole key file is the password, and --docker-server must be the registry host your images live on (eu.gcr.io here, not gcr.io).
kubectl create secret docker-registry gcr-io --docker-server eu.gcr.io --docker-username _json_key --docker-email xxx@xxx.iam.gserviceaccount.com --docker-password="$(cat ./docker.json)"
This will give you something like that:
$ k describe secret/gcr-io
Name: gcr-io
Namespace: default
Labels: <none>
Annotations: <none>
Type: kubernetes.io/dockerconfigjson
Data
====
.dockerconfigjson: 5718 bytes
Kubernetes Deployment #
Let's simplify it. The important bit is imagePullSecrets: each entry is an object with a name, and the name must match the Secret created above (underscores are not valid in a Secret name, so gcr_io would never resolve).
apiVersion: apps/v1
kind: Deployment
metadata:
  name: foo
spec:
  replicas: 1
  selector:
    matchLabels:
      app: foo
  template:
    metadata:
      labels:
        app: foo
    spec:
      imagePullSecrets:
        - name: gcr-io   # must exist in this namespace, type kubernetes.io/dockerconfigjson
      containers:
        - name: nginx
          # replace with your private image, e.g. eu.gcr.io/<project>/<image>:<tag>;
          # the registry host must match --docker-server of the secret
          image: nginx
          ports:
            - name: http
              containerPort: 80
              protocol: TCP
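The two things that usually go wrong with this setup are a secret whose .dockerconfigjson was built for the wrong registry host (gcr.io instead of eu.gcr.io) and a Deployment that references a secret name that does not exist in its namespace. The following Python, added here as an illustration and not code from the original post, builds the same .dockerconfigjson payload that the kubectl command above stores (auths[server] with _json_key as the user and the key file as the password), and runs static checks over a Deployment and the Secrets it references. The manifests are plain dicts and the service-account key is a constructed stand-in; the function and field names (build_dockerconfigjson, check_pull_secret, example-project) are my own, not kubectl's.

```python
import base64
import json

# Constructed stand-in for the downloaded key file; not a real key.
FAKE_SA_KEY = {
    "type": "service_account",
    "project_id": "example-project",
    "client_email": "puller@example-project.iam.gserviceaccount.com",
    "private_key_id": "0123456789abcdef",
    "private_key": "-----BEGIN PRIVATE KEY-----REDACTED-----END PRIVATE KEY-----",
}


def build_dockerconfigjson(server, key):
    """Payload stored by `kubectl create secret docker-registry ...
    --docker-username _json_key --docker-password "$(cat key.json)"`:
    the whole key file is the password, and "auth" is base64(user:password)."""
    password = json.dumps(key)
    auth = base64.b64encode(f"_json_key:{password}".encode()).decode()
    cfg = {"auths": {server: {"username": "_json_key", "password": password,
                              "email": key["client_email"], "auth": auth}}}
    return json.dumps(cfg).encode()


def secret_manifest(name, namespace, server, key):
    """Secret object equivalent to the kubectl command in the post."""
    payload = build_dockerconfigjson(server, key)
    return {"apiVersion": "v1", "kind": "Secret",
            "metadata": {"name": name, "namespace": namespace},
            "type": "kubernetes.io/dockerconfigjson",
            "data": {".dockerconfigjson": base64.b64encode(payload).decode()}}


def registry_host(image):
    """Registry part of an image reference; bare names resolve to docker.io."""
    first = image.split("/", 1)[0]
    if "/" in image and ("." in first or ":" in first or first == "localhost"):
        return first
    return "docker.io"


def check_pull_secret(deployment, secrets):
    """Return a list of problems that would show up as ImagePullBackOff."""
    problems = []
    pod = deployment["spec"]["template"]["spec"]
    ns = deployment["metadata"].get("namespace", "default")
    by_name = {(s["metadata"].get("namespace", "default"), s["metadata"]["name"]): s
               for s in secrets}
    covered = set()  # registry hosts some referenced secret has credentials for
    for ref in pod.get("imagePullSecrets", []):
        if not isinstance(ref, dict) or "name" not in ref:
            problems.append("imagePullSecrets entries must be {name: ...}, not bare strings")
            continue
        sec = by_name.get((ns, ref["name"]))
        if sec is None:
            problems.append(f"secret {ns}/{ref['name']} not found in the Deployment's namespace")
            continue
        if sec.get("type") != "kubernetes.io/dockerconfigjson":
            problems.append(f"secret {ref['name']} has type {sec.get('type')}")
            continue
        cfg = json.loads(base64.b64decode(sec["data"][".dockerconfigjson"]))
        for host, entry in cfg.get("auths", {}).items():
            covered.add(host)
            user, _, pw = base64.b64decode(entry["auth"]).decode().partition(":")
            if user == "_json_key":  # GCR: password must be a service-account key file
                try:
                    if json.loads(pw).get("type") != "service_account":
                        problems.append(f"{ref['name']}: password for {host} is not a service-account key")
                except ValueError:
                    problems.append(f"{ref['name']}: password for {host} is not JSON")
    for c in pod["containers"]:
        host = registry_host(c["image"])
        if host.endswith("gcr.io") and host not in covered:
            problems.append(f"container {c['name']} pulls from {host} but no pull secret covers it")
    return problems


def deployment(image, pull_secrets, namespace="default"):
    """Minimal Deployment dict with the fields the check looks at."""
    return {"apiVersion": "apps/v1", "kind": "Deployment",
            "metadata": {"name": "foo", "namespace": namespace},
            "spec": {"template": {"spec": {"imagePullSecrets": pull_secrets,
                                           "containers": [{"name": "app", "image": image}]}}}}


if __name__ == "__main__":
    sec = secret_manifest("gcr-io", "default", "eu.gcr.io", FAKE_SA_KEY)
    print(check_pull_secret(deployment("eu.gcr.io/example-project/app:1.0", [{"name": "gcr-io"}]), [sec]))
    print(check_pull_secret(deployment("gcr.io/example-project/app:1.0", [{"name": "gcr-io"}]), [sec]))
    print(check_pull_secret(deployment("eu.gcr.io/example-project/app:1.0", ["gcr_io"]), [sec]))
```

The host check matters because each Container Registry region (gcr.io, eu.gcr.io, us.gcr.io, asia.gcr.io) is a separate "auths" entry; the kubelet only sends the credential whose key matches the image's registry host.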
With Helm #
The default chart template generated by helm create already wires this in, so just add to values.yaml (the secret must exist in the namespace you install the release into):
imagePullSecrets:
- name: gcr-io
It's not difficult to give your Kubernetes cluster the rights to read from Google Cloud Container Registry.