Accessing images stored in a private registry (authenticated image registry) from a cluster requires additional steps for the Helm release workloads to run as expected.
Prerequisites
You must have the credentials (registry URL, username and password) to access the image registry.
You have a Helm chart using a private image.
Log in to the Tanzu Mission Control console.
Make sure you have the appropriate permissions.
- To access an image stored in a private registry, you must be associated with the cluster.edit role in the cluster.
Procedure
- Create a placeholder-secret.yaml file inside the templates folder with the following content. The .dockerconfigjson field will be populated by the secretgen controller automatically because of the annotation we have provided.

    apiVersion: v1
    kind: Secret
    metadata:
      name: {{ .Values.placeholderSecret.name }}
      namespace: {{ .Values.placeholderSecret.namespace }}
      annotations:
        secretgen.carvel.dev/image-pull-secret: ""
    type: kubernetes.io/dockerconfigjson
    data:
      .dockerconfigjson: e30K
- In the values.yaml file add fields for the placeholder secret so that it can be populated by Helm in the above file.

    placeholderSecret:
      name: ""
      namespace: ""
- Also, the values.yaml file should contain a field for adding imagePullSecrets and the same should be referenced in all the deployments using images from the private registry.

  In values.yaml:

    imagePullSecrets: []

  In deployments, .spec.template.spec should have the following:

    spec:
      template:
        spec:
          {{- with .Values.imagePullSecrets }}
          imagePullSecrets:
            {{- toYaml . | nindent 8 }}
          {{- end }}
- When creating the Helm release, you need to provide the placeholder secret and imagePullSecrets fields in .spec.values in the HelmRelease definition. Each entry in imagePullSecrets is its own map with a single name key.

    spec:
      values:
        placeholderSecret:
          name: "myplaceholdersecretname"
          namespace: "myplaceholdersecretns"
        imagePullSecrets: [{ name: myplaceholdersecretname }, { name: anyothersecretname }]
- To add a registry secret on a cluster with Tanzu Mission Control, see Managing Cluster Secrets
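
To confirm the procedure worked, you can check whether the placeholder secret still holds the chart's e30K value (an empty {} Docker config) or has been populated for your registry. The following is an added example, not part of the original procedure or of Tanzu Mission Control; the function names and registry.example.com are assumptions, and the input is a Secret in the shape of kubectl get secret -o json output.

```python
import base64
import json

ANNOTATION = "secretgen.carvel.dev/image-pull-secret"

def pull_secret_status(secret: dict, registry: str) -> str:
    """Classify a Secret (as parsed from `kubectl get secret -o json`).

    Only registry host names are inspected; credentials are never returned.
    """
    if secret.get("type") != "kubernetes.io/dockerconfigjson":
        return "wrong-type"
    annotations = secret.get("metadata", {}).get("annotations") or {}
    if ANNOTATION not in annotations:
        return "missing-annotation"  # secretgen controller will not fill it
    raw = base64.b64decode(secret["data"][".dockerconfigjson"])
    auths = json.loads(raw).get("auths", {})
    if not auths:
        return "placeholder"  # still the chart's e30K value, i.e. "{}"
    return "populated" if registry in auths else "other-registry"

def values_reference_placeholder(values: dict) -> bool:
    """True when imagePullSecrets names the Secret the chart creates."""
    wanted = values["placeholderSecret"]["name"]
    entries = values.get("imagePullSecrets") or []
    return any(isinstance(e, dict) and e.get("name") == wanted for e in entries)

def make_secret(docker_config: dict, annotated: bool = True) -> dict:
    """Build a constructed sample Secret; not real cluster output."""
    data = base64.b64encode(json.dumps(docker_config).encode()).decode()
    meta = {"annotations": {ANNOTATION: ""}} if annotated else {}
    return {"type": "kubernetes.io/dockerconfigjson", "metadata": meta,
            "data": {".dockerconfigjson": data}}

# Constructed samples: registry.example.com and the credentials are placeholders.
PLACEHOLDER = make_secret({})
PLACEHOLDER["data"][".dockerconfigjson"] = "e30K"  # exact value from the chart
POPULATED = make_secret(
    {"auths": {"registry.example.com": {"username": "u", "password": "p"}}})
VALUES = {"placeholderSecret": {"name": "myplaceholdersecretname",
                                "namespace": "myplaceholdersecretns"},
          "imagePullSecrets": [{"name": "myplaceholdersecretname"},
                               {"name": "anyothersecretname"}]}

if __name__ == "__main__":
    print(pull_secret_status(PLACEHOLDER, "registry.example.com"))
    print(pull_secret_status(POPULATED, "registry.example.com"))
    print(values_reference_placeholder(VALUES))
```

A result of placeholder after the release has reconciled means the registry secret has not reached the namespace, so image pulls from the private registry will fail.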