Skip to main content

Pull Images from Private Registries for Kubernetes

This content is for Harness FirstGen. Switch to NextGen.

Typically, If the Docker artifact source is in a private registry, Harness has access to that registry using the credentials set up in the Harness Add Artifact Servers.

In some cases, your Kubernetes cluster might not have the permissions needed to access a private Docker registry. For these cases, the default values.yaml file in Service Manifests section contains dockercfg: ${artifact.source.dockerconfig} . This key will import the credentials from the Docker credentials file in the artifact.

Before You Begin

Ensure you have reviewed and set up the following:

Step 1: Use the dockercfg Value

  1. In your Harness Kubernetes Service, in Manifests, click values.yaml.

  2. Verify that dockercfg key exists, and uses the ${artifact.source.dockerconfig} expression to obtain the credentials:

    dockercfg: ${artifact.source.dockerconfig}
  3. Click the deployment.yaml file.

  4. Verify that the Secret object is inside an if argument using dockercfg and the {{.Values.dockercfg}} value:

    {{- if .Values.dockercfg}}  
    apiVersion: v1
    kind: Secret
    metadata:
    name: {{.Values.name}}-dockercfg
    annotations:
    harness.io/skip-versioning: "true"
    data:
    .dockercfg: {{.Values.dockercfg}}
    type: kubernetes.io/dockercfg
    ---
    {{- end}}

    With these requirements met, the cluster import the credentials from the Docker credentials file in the artifact.

Notes

  • Any secrets in the manifest are sanitized when they are displayed in the deployment logs. See Secrets and Log Sanitization.
  • When you are using a public repo, the dockercfg: ${artifact.source.dockerconfig} in values.yaml is ignored by Harness. You do not need to remove it.
  • If you want to use a private repo and no imagePullSecret, then set dockercfg to empty in values.yaml.
  • Legacy imagePullSecret Method — Previously, Harness used a createImagePullSecret value in values.yaml that could be set to true or false, and dockercfg: ${artifact.source.dockerconfig} to obtain the credentials. If createImagePullSecret was set to true, the following default Secret object in deployment.yaml would be used:
{{- if .Values.createImagePullSecret}}  
apiVersion: v1
kind: Secret
metadata:
name: {{.Values.name}}-dockercfg
annotations:
harness.io/skip-versioning: "true"
data:
.dockercfg: {{.Values.dockercfg}}
type: kubernetes.io/dockercfg
---
{{- end}}

This legacy method is still supported for existing Services that use it, but the current method of using the default values.yaml and deployment.yaml files is recommended.

Next Steps