Using private image registries


If you need to use private image registries, an excellent start is understanding the various options Kubernetes provides for using private registries in general.

The option that CloudBees Previews exposes is specifying imagePullSecrets on Pods. Using this option, each Pod references a Secret containing the Docker credentials in its imagePullSecrets configuration.

apiVersion: v1
kind: Pod
metadata:
  name: private-reg
spec:
  containers:
  - name: private-reg-container
    image: <your-private-image>
  imagePullSecrets:
  - name: regcred

You can create Docker config secrets using one of the following commands:

kubectl -n previews create secret docker-registry <name> \
  --docker-server=<docker-registry-server> \
  --docker-username=<docker-user> \
  --docker-password=<docker-password> \
  --docker-email=<docker-email>

If you already have existing Docker credentials, you can use:

kubectl -n previews create secret generic <name> \
  --from-file=.dockerconfigjson=<path/to/.docker/config.json> \
  --type=kubernetes.io/dockerconfigjson

You must create the Secret in the CloudBees Previews installation namespace.
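
An existing config.json can hold credentials for several registries, or none inline when a Docker credential helper is in use. The following added example (not part of the CloudBees documentation) builds a kubernetes.io/dockerconfigjson Secret manifest that contains only the one registry entry the preview needs and rejects entries without inline credentials. The function name, the registry hostnames and the sample credentials are constructed for illustration; the `previews` namespace is taken from the commands above, and scoping to a single registry goes beyond what the page describes.

```python
import base64
import json


def scoped_pull_secret(docker_config, registry, name, namespace="previews"):
    """Return a dockerconfigjson Secret manifest holding only `registry`'s entry."""
    entry = docker_config.get("auths", {}).get(registry)
    if entry is None:
        raise ValueError(f"no auths entry for {registry}")
    # With a credential helper, config.json keeps an empty entry and the real
    # credentials live outside the file, so the Secret would carry nothing usable.
    has_inline = bool(entry.get("auth")) or bool(
        entry.get("username") and entry.get("password"))
    if not has_inline:
        helper = (docker_config.get("credHelpers", {}).get(registry)
                  or docker_config.get("credsStore"))
        raise ValueError(
            f"{registry} has no inline credentials"
            + (f" (stored in helper '{helper}')" if helper else ""))
    # Copy just this registry so unrelated credentials never reach the cluster.
    scoped = {"auths": {registry: entry}}
    payload = base64.b64encode(json.dumps(scoped).encode()).decode()
    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "metadata": {"name": name, "namespace": namespace},
        "type": "kubernetes.io/dockerconfigjson",
        "data": {".dockerconfigjson": payload},
    }


# Constructed sample config.json contents (not real credentials).
SAMPLE = {
    "auths": {
        "registry.example.com": {
            "auth": base64.b64encode(b"ci-bot:not-a-real-token").decode()},
        "other.example.org": {
            "auth": base64.b64encode(b"admin:also-fake").decode()},
        "helper.example.net": {},
    },
    "credsStore": "desktop",
}

if __name__ == "__main__":
    manifest = scoped_pull_secret(SAMPLE, "registry.example.com",
                                  "acme-imagepull-secret")
    print(json.dumps(manifest, indent=2))  # pipe to: kubectl apply -f -
```
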

Once you have the necessary Docker config secrets, you need to make them available for the affected repositories by adding the imagePullSecretRefs option to the repository’s GitRepository CR.

GitRepository CR with image pull secret configuration.
apiVersion: environment.cloudbees.com/v1alpha1
kind: GitRepository
metadata:
  name: acme-web
spec:
  url: https://github.com/acme/acme-web.git
  apiTokenSecretRef:
    name: acme-github-token
  imagePullSecretRefs:
  - name: acme-imagepull-secret # (1)

(1) List of image pull secret names.

CloudBees Previews creates the configured image pull secrets in the preview environments. If you are using generated manifests, CloudBees Previews automatically configures the Pods to use the secrets. If you use Helm as the deployment technology, you can use ${{env.image.pullSecretName}} to pass the secret name to your Helm chart.