I have a pod deployment in my helm chart.
I want my pod deployment to pull the docker image from google artifact registry.
I created a service account in gcloud, gave artifact registry reader permissions to this service account then created a json key under the service account which I want to use to login to artifact registry from any machine.
I'm installing pod on openshift.
I want to use gcloud service account json key only as a mode of authentication to google artifact registry.
This works:
I converted my service account json key to base64 and passed to docker login which gave me successful login to artifact registry.
cat service_account_key_base64.json | docker login -u _json_key_base64 --password-stdin <docker registry url>
Now I can pull any docker image under google artifact registry.
docker pull <docker-image-url>
This doesn't work:
I created a secret using my service account json key like this:
apiVersion: v1
kind: Secret
name: gcloud-secret
.dockerconfigjson: <base64 of my service account key>
type: kubernetes.io/dockerconfigjson
oc create -f <secret.yaml>
Added glcoud-secret as imagePullSecrets in my pod deployment file
- name: gcloud-secret
When I try to install my helm chart, pod goes to ImagePullBackOff state and describing pod gives me this error:
Requesting bearer token: invalid status code from registry 403 (Forbidden)
Found the only way to do which is to create secret as mentioned below so that kubernetes can pull the image from google artifactory registry
first docker login manually on your machine
cat service_account_key_base64.json | docker login -u _json_key_base64 --password-stdin <docker registry url>
cat ~/.docker/config.json | base64 -w 0
copy the long string which you get in your secret.yaml file as shown below.
secret.yaml file
apiVersion: v1
kind: Secret
name: glcoud_secret
.dockerconfigjson: <paste your base64 encoded string>
type: kubernetes.io/dockerconfigjson
Now create the secret:
$ kubectl create -f <secret.yaml
Provide the secret name in your imagePullSecrets.