{"id":134,"date":"2022-02-16T11:31:26","date_gmt":"2022-02-16T10:31:26","guid":{"rendered":"https:\/\/genc.tato.al\/?p=134"},"modified":"2024-08-06T15:21:10","modified_gmt":"2024-08-06T13:21:10","slug":"how-to-pull-images-from-a-gcp-container-registry-into-kubernetes","status":"publish","type":"post","link":"https:\/\/genc.tato.al\/index.php\/2022\/02\/16\/how-to-pull-images-from-a-gcp-container-registry-into-kubernetes\/","title":{"rendered":"How to pull images from a GCP container registry into Kubernetes"},"content":{"rendered":"\n


In this example we configure K8S to use an access token<\/a> in order to pull images from a GCP registry. <\/p>\n\n\n\n

As described in the link above (steps 1 and 2), the first step is to create a service account with a role which has read access on the registry (ex: Storage Admin), and associate a key to it. <\/p>\n\n\n\n

<\/p>\n\n\n\n

After creating the key, the downloaded JSON file should be stored in a machine which has Docker installed (in order to run steps 3 and 5). In my case I don’t want to install the Google Cloud SDK on my Docker host, therefore I am going to use a container which has the gcloud<\/em> tool already installed.<\/p>\n\n\n\n

# pull the sdk container\ndocker pull google\/cloud-sdk\n\n# log into it \ndocker run -v key.json:\/key.json -it google\/cloud-sdk bash\n\n# authenticate with the service account\ngcloud auth activate-service-account <service-account>@<project>.iam.gserviceaccount.com --key-file=key.json\n\n# print the access token\ngcloud auth print-access-token<\/code><\/pre>\n\n\n\n
The output of this command is then fed to docker login in the host machine.<\/p>\n\n\n\n
echo \"token\" | docker login -u oauth2accesstoken --password-stdin https:\/\/<hostname> #(ex: eu.gcr.io)<\/code><\/pre>\n\n\n\n
This would store the unencrypted token in ~\/.docker\/config.json<\/em>.<\/p>\n\n\n\n
<\/p>\n\n\n\n
Next, we would have to add this config as a secret in Kubernetes. But first, we need to convert the content of config.json file to base64<\/p>\n\n\n\n
cat .docker\/config.json | base64 -w0<\/code><\/pre>\n\n\n\n
Then we create a secret yaml file (ex: registry-secret.yaml) with the following content:<\/p>\n\n\n\n
apiVersion: v1\nkind: Secret\nmetadata:\n  name: secret-dockerconfigjson\n  namespace: visuite\ntype: kubernetes.io\/dockerconfigjson\ndata:\n  .dockerconfigjson: <paste base64 config.json here><\/code><\/pre>\n\n\n\n
and apply it:<\/p>\n\n\n\n
kubectl apply -f registry-secret.yaml<\/code><\/pre>\n\n\n\n
Finally, we need to instruct K8S to use this secret to pull the required image using the docker configuration file.<\/p>\n\n\n\n
apiVersion: apps\/v1\nkind: Deployment\nmetadata:\n  name: pull-image-test\nspec:\n  replicas: 1\n  selector:\n    matchLabels:\n      app: pull-image-test\n  template:\n    metadata:\n      labels:\n        app: pull-image-test\n    spec:\n      imagePullSecrets:\n      - name: secret-dockerconfigjson<\/strong>\n      containers:\n      - name: pull-image-test\n        image: eu.gcr.io\/project\/image-to-pull:latest\n    <\/code><\/pre>\n\n\n\n
Aaand there you go! Applying the deployment should result in a successful image pull. <\/p>\n","protected":false},"excerpt":{"rendered":"
In this example we configure K8S to use an access token in order to pull images from a GCP registry. As described in the link above (steps 1 and 2), the first step is to create a service account with a role which has read access on the registry (ex: Storage Admin), and associate a […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"om_disable_all_campaigns":false,"_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0},"categories":[3],"tags":[6,5,4,8,7],"_links":{"self":[{"href":"https:\/\/genc.tato.al\/index.php\/wp-json\/wp\/v2\/posts\/134"}],"collection":[{"href":"https:\/\/genc.tato.al\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/genc.tato.al\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/genc.tato.al\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/genc.tato.al\/index.php\/wp-json\/wp\/v2\/comments?post=134"}],"version-history":[{"count":10,"href":"https:\/\/genc.tato.al\/index.php\/wp-json\/wp\/v2\/posts\/134\/revisions"}],"predecessor-version":[{"id":146,"href":"https:\/\/genc.tato.al\/index.php\/wp-json\/wp\/v2\/posts\/134\/revisions\/146"}],"wp:attachment":[{"href":"https:\/\/genc.tato.al\/index.php\/wp-json\/wp\/v2\/media?parent=134"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/genc.tato.al\/index.php\/wp-json\/wp\/v2\/categories?post=134"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/genc.tato.al\/index.php\/wp-json\/wp\/v2\/tags?post=134"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}