
Connect kubernetes to GitLab Container Registry


I have a problem connecting my k3s cluster to the GitLab Docker Registry.

On the cluster I created a secret in the default namespace like this:

kubectl create secret docker-registry regcred --docker-server=https://gitlab.domain.tld:5050 --docker-username=USERNAME --docker-email=EMAIL --docker-password=TOKEN

Then I included this secret in the Deployment config. My config:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: app
  labels:
    app.kubernetes.io/name: "app"
    app.kubernetes.io/version: "1.0"
  namespace: default
spec:
  selector:
    matchLabels:
      app: app  # required in apps/v1; must match the pod template labels
  template:
    metadata:
      labels:
        app: app
    spec:
      imagePullSecrets:
        - name: regcred
      containers:
      - image: gitlab.domain.tld:5050/group/appproject:1.0
        name: app
        imagePullPolicy: Always
        ports:
        - containerPort: 80

But the created pod is still unable to pull this image. There is still this error message:

failed to authorize: failed to fetch anonymous token: unexpected status: 403 Forbidden

Can you help me find where the error may be? If I try to connect to this GitLab registry with the credentials above from local Docker, it works fine: docker login succeeds, and so does pulling this image.

Thanks


Solution

  • To pull from a private container registry on GitLab you must first create a Deploy Token, similar to how the pipeline or a similar "service" would access it. Go to the repository, then go to Settings -> Repository -> Deploy Tokens.

    Give the deploy token a name and a username (it says optional, but we'll be able to use this custom username with the token), and make sure it has read_registry access. That is all it needs to pull from the registry. If you later need to push, then you would need write_registry. Once you click create deploy token, it will show you the token; be sure to copy it, as you won't see it again.

    Now just recreate your secret in your k8s cluster.

     kubectl create secret docker-registry regcred --docker-server=<private gitlab registry> --docker-username=<deploy token username> --docker-password=<deploy token>
    

    Make sure to apply the secret to the same namespace as your deployment that is pulling the image.

    [See Docs] https://docs.gitlab.com/ee/user/project/deploy_tokens/#gitlab-deploy-token
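
An added example, not part of the original answer: it builds the same kind of pull secret from a deploy token and checks it against the Deployment from the question (secret referenced, same namespace, registry host matches the image). The username k8s-pull and the value DEPLOY_TOKEN are placeholders, and image references are assumed to be fully qualified (registry host first).

```python
import base64
import json

def build_pull_secret(name, namespace, server, username, token):
    """Same shape as the Secret `kubectl create secret docker-registry` creates."""
    auth = base64.b64encode(f"{username}:{token}".encode()).decode()
    cfg = {"auths": {server: {"username": username, "password": token, "auth": auth}}}
    return {
        "apiVersion": "v1", "kind": "Secret",
        "type": "kubernetes.io/dockerconfigjson",
        "metadata": {"name": name, "namespace": namespace},
        "data": {".dockerconfigjson": base64.b64encode(json.dumps(cfg).encode()).decode()},
    }

def registry_host(ref):
    """host[:port] of a --docker-server value or a fully qualified image reference."""
    return ref.split("://", 1)[-1].split("/", 1)[0]

def check_pull_secret(secret, deployment):
    """Return the reasons this Deployment's pods could not use the secret."""
    problems = []
    pod = deployment["spec"]["template"]["spec"]
    names = [s["name"] for s in pod.get("imagePullSecrets", [])]
    if secret["metadata"]["name"] not in names:
        problems.append("secret is not listed in imagePullSecrets")
    if secret["metadata"]["namespace"] != deployment["metadata"].get("namespace", "default"):
        problems.append("secret and Deployment are in different namespaces")
    cfg = json.loads(base64.b64decode(secret["data"][".dockerconfigjson"]))
    hosts = {registry_host(key) for key in cfg["auths"]}
    for container in pod["containers"]:
        host = registry_host(container["image"])
        if host not in hosts:
            problems.append(f"no credentials for registry {host}")
    return problems

# Constructed sample: the Deployment from the question, reduced to the fields checked.
DEPLOYMENT = {
    "metadata": {"name": "app", "namespace": "default"},
    "spec": {"template": {"spec": {
        "imagePullSecrets": [{"name": "regcred"}],
        "containers": [{"name": "app", "image": "gitlab.domain.tld:5050/group/appproject:1.0"}],
    }}},
}

if __name__ == "__main__":
    # "k8s-pull" and "DEPLOY_TOKEN" are placeholders for the deploy token username and value.
    secret = build_pull_secret("regcred", "default", "https://gitlab.domain.tld:5050",
                               "k8s-pull", "DEPLOY_TOKEN")
    print(check_pull_secret(secret, DEPLOYMENT) or "secret matches the Deployment")
```

The .dockerconfigjson value is only base64-encoded, so handle the manifest as a credential.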