March 29, 2017 | Written by: Liam White
Categorized: Compute Services | How-tos
Why do I need a secret?
When you deploy microservices into a Kubernetes cluster, you can store their images in a Docker registry. A Docker registry can either be:
A public Docker registry, which is publicly accessible or set up to provide access for a group of users. Public Docker registries, such as DockerHub, generally do not require authentication and can be used without additional configuration.
A private Docker registry, where access is limited to an individual or to an authenticated group of users.
If you’re using a private Docker registry, which requires authentication, you need to store credentials to access the registry in a Kubernetes secret, of type imagePullSecret. If you’re trying out the new Kubernetes beta in the IBM Bluemix Container Service, you’ll probably be using the IBM Bluemix registry, which creates the secret for you. If you have a private registry elsewhere though, you need to create your own Kubernetes secret.
The default IBM Bluemix registry secret
You can use the IBM Bluemix registry to access IBM provided public images or to set up your own Docker private image registry in Bluemix where you can safely store and share images across your organization.
When you create a cluster, an imagePullSecret is automatically created in the default Kubernetes namespace that securely stores the credentials to access your private registry in Bluemix. With the imagePullSecret you have read-only access to any images in your private registry, and also to the IBM-provided public images. When you create a deployment in your default namespace and you specify an image from your private registry in Bluemix, Kubernetes uses the imagePullSecret to find the credentials to access your private registry.
To use an image from the IBM Bluemix registry, you define the registry path to the image in your configuration script. During container creation, IBM Bluemix Container Service automatically recognizes this path and uses the imagePullSecret to access the IBM Bluemix registry. Therefore, you do not have to define the imagePullSecret as part of your configuration script.
So, what if you want to use images from your non-default Kubernetes namespace? This is when you want to be able to share your secret – your imagePullSecret.
Sharing the secret across multiple Kubernetes namespaces in IBM Bluemix Container Service
To pull images into a non-default Kubernetes namespace in IBM Bluemix Container Service, you must add a new secret in your new namespace. For the Beta, you can copy the existing default secret into the new namespace.
How can you do this? Run this single command from a command line where KUBECONFIG points at your cluster:
kubectl get secret bluemix-default-secret -o yaml | sed 's/default/<new-namespace>/g' | kubectl -n <new-namespace> create -f -
This command takes the following steps for you:
Getting the IBM Bluemix registry default imagePullSecret. This is the secret from Kubernetes that is automatically created for you when your cluster is created.
Replacing every occurrence of the string default in the imagePullSecret configuration file with the name of your new namespace. This changes the namespace and also the name of the new secret, which becomes bluemix-<new-namespace>-secret.
Creating a new imagePullSecret in the new namespace from the modified configuration file.
You might also want to add the secret to the default Kubernetes service account of your new namespace, so that you can use the secret without having to explicitly reference it in your deployment files.
To learn more about how to do this, check out the Kubernetes documentation.
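A scoped variant of the copy step above, added here as an example (it is not from the original post or from IBM). It rewrites only the secret's name and namespace and leaves the credential data untouched, whereas the blanket substitution also rewrites any other text that happens to contain "default". The namespace team-a, the function names and the sample manifest (including its secret type) are constructed assumptions. Keep in mind that the copy gives anyone who can read secrets in the new namespace the same registry credentials.

```shell
#!/bin/sh
# Added example, not IBM's or the post's code.
# retarget_secret NEW_NS: read a Secret manifest (YAML) on stdin, write a copy
# for NEW_NS on stdout. Only metadata.name and metadata.namespace change;
# server-generated metadata is dropped; the data block is passed through as is.
retarget_secret() {
  awk -v ns="$1" '
    /^[^ ]/ { in_meta = ($0 ~ /^metadata:/) }   # which top-level key are we under?
    in_meta && /^  (uid|resourceVersion|creationTimestamp|selfLink):/ { next }
    in_meta && /^  namespace:/ { print "  namespace: " ns; next }
    in_meta && /^  name:/ { sub(/default/, ns) } # bluemix-default-secret -> bluemix-<ns>-secret
    { print }
  '
}

# Constructed sample of `kubectl get secret bluemix-default-secret -o yaml`.
# The data value is fake and built so its base64 text contains "default".
sample_secret() {
  cat <<'EOF'
apiVersion: v1
data:
  .dockercfg: AAAAdefaultA
kind: Secret
metadata:
  creationTimestamp: 2017-03-29T00:00:00Z
  name: bluemix-default-secret
  namespace: default
  resourceVersion: "1234"
  uid: 00000000-0000-0000-0000-000000000000
type: kubernetes.io/dockercfg
EOF
}

# Offline demo on the sample when run directly:
sample_secret | retarget_secret team-a

# Against a cluster (team-a is a hypothetical namespace name):
#   kubectl get secret bluemix-default-secret -o yaml \
#     | retarget_secret team-a | kubectl -n team-a create -f -
#   kubectl -n team-a patch serviceaccount default \
#     -p '{"imagePullSecrets":[{"name":"bluemix-team-a-secret"}]}'
```

The last commented command is the service-account step mentioned above: it attaches the copied secret to the default service account of the new namespace so deployments there do not have to reference it explicitly.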