How to use imagePullSecrets on Container Runner

Overview

In some cases, you may want Container Runner to pull a private image using credentials stored as a Kubernetes Secret in the runner's cluster, rather than specifying them in your config.yml in CircleCI.

To do so, please follow the instructions below. 

 

Google Container Registry / Google Artifact Registry

Step 1 - Create your access credentials per the Google Cloud documentation

You will need to verify that your access credentials include the correct permissions to pull and/or push your image.

 

Step 2 - Create a Secret in your Container Runner's Namespace

Google Container Registry:

$ NAMESPACE=<namespace>
$ SECRET_NAME=<secret_name>
$ EMAIL=<valid@email_address>
$ kubectl create secret docker-registry "$SECRET_NAME" -n "$NAMESPACE" \
    --docker-server=gcr.io \
    --docker-username=_json_key \
    --docker-password="$(cat ~/json-key-file.json)" \
    --docker-email="$EMAIL"

 

Google Artifact Registry:

$ NAMESPACE=<namespace>
$ SECRET_NAME=<secret_name>
$ REGION=<region>
$ EMAIL=<valid@email_address>
$ kubectl create secret docker-registry "$SECRET_NAME" -n "$NAMESPACE" \
    --docker-server="${REGION}-docker.pkg.dev" \
    --docker-username=_json_key \
    --docker-password="$(cat ~/json-key-file.json)" \
    --docker-email="$EMAIL"

In both examples, json-key-file.json is the key file you downloaded when creating your access credentials.

 

Step 3 - Update your imagePullSecrets in your values.yaml

# values.yaml
agent:
  resourceClasses:
    <namespace>/<resource_class_name>:
      token: <token>
      spec:
        imagePullSecrets:
          - name: "<secret_name>"

 

Step 4 - Update your Container Runner Deployment

$ NAMESPACE=<namespace>
$ VALUES_FILE=<values_file>
$ helm upgrade container-agent container-agent/container-agent -n "$NAMESPACE" -f "$VALUES_FILE"

 

AWS Elastic Container Registry

Step 1 - Confirm you have run aws configure.

aws configure must have been run for aws ecr get-login-password to function properly.

Please take note of the user and the permissions that this user has.

 

Step 2 - Create a Secret in your Container Runner's Namespace

$ NAMESPACE=<namespace>
$ SECRET_NAME=<secret_name>
$ AWS_ACCOUNT=<aws_account_id>
$ AWS_REGION=<aws_region>
$ kubectl create secret docker-registry "$SECRET_NAME" -n "$NAMESPACE" \
    --docker-server="${AWS_ACCOUNT}.dkr.ecr.${AWS_REGION}.amazonaws.com" \
    --docker-username=AWS \
    --docker-password="$(aws ecr get-login-password)"

 

Step 3 - Update your imagePullSecrets in your values.yaml

# values.yaml
agent:
  resourceClasses:
    <namespace>/<resource_class_name>:
      token: <token>
      spec:
        imagePullSecrets:
          - name: "<secret_name>"

 

Step 4 - Update your Container Runner Deployment

$ NAMESPACE=<namespace>
$ VALUES_FILE=<values_file>
$ helm upgrade container-agent container-agent/container-agent -n "$NAMESPACE" -f "$VALUES_FILE"

 

Docker Hub

Step 1 (optional) - Create your Personal Access Token

You can use a Personal Access Token in place of your Docker Hub password.
To create one, please follow the instructions from Docker here.

 

Step 2 - Create a Secret in your Container Runner's Namespace

$ NAMESPACE=<namespace>
$ SECRET_NAME=<secret_name>
$ EMAIL=<valid@email_address>
$ DOCKERHUB_USER=<Docker Hub username>
$ DOCKERHUB_PASS=<Docker Hub access token or password>
$ kubectl create secret docker-registry "$SECRET_NAME" -n "$NAMESPACE" \
    --docker-server=docker.io \
    --docker-username="${DOCKERHUB_USER}" \
    --docker-password="${DOCKERHUB_PASS}" \
    --docker-email="$EMAIL"

 

Step 3 - Update your imagePullSecrets in your values.yaml

# values.yaml
agent:
  resourceClasses:
    <namespace>/<resource_class_name>:
      token: <token>
      spec:
        imagePullSecrets:
          - name: "<secret_name>"

 

Step 4 - Update your Container Runner Deployment

$ NAMESPACE=<namespace>
$ VALUES_FILE=<values_file>
$ helm upgrade container-agent container-agent/container-agent -n "$NAMESPACE" -f "$VALUES_FILE"
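The Secret created in Step 2 of each section above can be checked before running helm upgrade. The following is an added example, not part of the original article or of CircleCI's tooling: it audits a Secret manifest for the registry host, username and password the Step 2 commands should have stored. The function names, the EXPECTED_USER patterns and the make_secret sample builder are this example's own assumptions.

```python
import base64
import json
import re

# Username each registry on this page expects (None: any account name is valid).
EXPECTED_USER = [
    (r"gcr\.io", "_json_key"),
    (r"[a-z0-9-]+-docker\.pkg\.dev", "_json_key"),
    (r"\d{12}\.dkr\.ecr\.[a-z0-9-]+\.amazonaws\.com", "AWS"),
    (r"docker\.io", None),
]

def make_secret(server, user, password):
    """Constructed sample: the Secret shape `kubectl create secret docker-registry` stores."""
    auth = base64.b64encode(f"{user}:{password}".encode()).decode()
    cfg = {"auths": {server: {"username": user, "password": password, "auth": auth}}}
    return {"type": "kubernetes.io/dockerconfigjson",
            "data": {".dockerconfigjson": base64.b64encode(json.dumps(cfg).encode()).decode()}}

def audit_pull_secret(secret, server):
    """Return findings for a parsed `kubectl get secret -o json` manifest."""
    # Assumption: server is the exact --docker-server value used in Step 2.
    if secret.get("type") != "kubernetes.io/dockerconfigjson":
        return [f"type is {secret.get('type')!r}, not kubernetes.io/dockerconfigjson"]
    try:
        raw = base64.b64decode(secret["data"][".dockerconfigjson"], validate=True)
        auths = json.loads(raw)["auths"]
    except (KeyError, TypeError, ValueError):
        return ["data['.dockerconfigjson'] is missing or is not base64-encoded JSON"]
    if server not in auths:
        return [f"no credentials for {server}; secret covers {sorted(auths)}"]
    user = auths[server].get("username", "")
    password = auths[server].get("password", "")
    findings = []
    if not password:
        findings.append("password is empty; the $(...) substitution probably failed")
    want = next((u for rx, u in EXPECTED_USER if re.fullmatch(rx, server)), None)
    if want and user != want:
        findings.append(f"username is {user!r}, expected {want!r}")
    if user == "_json_key" and password:
        try:
            key = json.loads(password)
            if not isinstance(key, dict) or key.get("type") != "service_account":
                findings.append("password is JSON but not a service account key")
        except ValueError:
            findings.append("password is not the contents of the JSON key file")
    if user == "AWS":
        findings.append("note: ECR login passwords expire after 12 hours")
    return findings
```

To run it against a live cluster, pass the output of kubectl get secret "$SECRET_NAME" -n "$NAMESPACE" -o json through json.load and call audit_pull_secret with the same --docker-server value. The decoded manifest contains the registry password, so keep it out of logs and CI output.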

 
