
How to use imagePullSecrets on Container Runner

Overview

In some cases, you may want to supply the secrets for pulling a private image through your Container Runner instead of through your config.yml in CircleCI.

To do so, please follow the instructions below.

Google Container Registry / Google Artifact Registry

Step 1 - Create your access credentials per the Google Cloud documentation

You will need to verify that your access credentials include the correct permissions to pull and/or push your image.

Step 2 - Create a Secret in your Container Runner's Namespace

Google Container Registry:

$ NAMESPACE=<namespace>
$ SECRET_NAME=<secret_name>
$ EMAIL=<valid@email_address>
$ kubectl create secret docker-registry $SECRET_NAME -n $NAMESPACE \
    --docker-server=gcr.io \
    --docker-username=_json_key \
    --docker-password="$(cat ~/json-key-file.json)" \
    --docker-email=$EMAIL

Google Artifact Registry:

$ NAMESPACE=<namespace>
$ SECRET_NAME=<secret_name>
$ REGION=<region>
$ EMAIL=<valid@email_address>
$ kubectl create secret docker-registry $SECRET_NAME -n $NAMESPACE \
    --docker-server=$REGION-docker.pkg.dev \
    --docker-username=_json_key \
    --docker-password="$(cat ~/json-key-file.json)" \
    --docker-email=$EMAIL

In both examples, json-key-file.json is the key file you downloaded when creating your access credentials.

Step 3 - Update your imagePullSecrets in your values.yaml

# values.yaml
agent:
  resourceClasses:
    <namespace>/<resource_class_name>:
      token: <token>
      spec:
        imagePullSecrets:
          - name: "<secret_name>"

Step 4 - Update your Container Runner Deployment

$ NAMESPACE=<namespace>
$ VALUES_FILE=<values_file>
$ helm upgrade container-agent container-agent/container-agent -n $NAMESPACE -f $VALUES_FILE

AWS Elastic Container Registry

Step 1 - Confirm you have run aws configure.

aws ecr get-login-password requires this to have been run in order to function properly.

Please take note of the user and the permissions that this user has.

Step 2 - Create a Secret in your Container Runner's Namespace

$ NAMESPACE=<namespace>
$ SECRET_NAME=<secret_name>
$ AWS_ACCOUNT=<aws_account_id>
$ AWS_REGION=<aws_region>
$ kubectl create secret docker-registry $SECRET_NAME -n $NAMESPACE \
    --docker-server=${AWS_ACCOUNT}.dkr.ecr.${AWS_REGION}.amazonaws.com \
    --docker-username=AWS \
    --docker-password="$(aws ecr get-login-password)"

Step 3 - Update your imagePullSecrets in your values.yaml

# values.yaml
agent:
  resourceClasses:
    <namespace>/<resource_class_name>:
      token: <token>
      spec:
        imagePullSecrets:
          - name: "<secret_name>"

Step 4 - Update your Container Runner Deployment

$ NAMESPACE=<namespace>
$ VALUES_FILE=<values_file>
$ helm upgrade container-agent container-agent/container-agent -n $NAMESPACE -f $VALUES_FILE

Docker Hub

Step 1 (optional) - Create your Personal Access Token

You can use a Personal Access Token in place of your Docker Hub password.
To create one, please follow the instructions from Docker here.

Step 2 - Create a Secret in your Container Runner's Namespace

$ NAMESPACE=<namespace>
$ SECRET_NAME=<secret_name>
$ EMAIL=<valid@email_address>
$ DOCKERHUB_USER=<Docker Hub username>
$ DOCKERHUB_PASS=<Docker Hub access token or password>
$ kubectl create secret docker-registry $SECRET_NAME -n $NAMESPACE \
    --docker-server=docker.io \
    --docker-username="${DOCKERHUB_USER}" \
    --docker-password="${DOCKERHUB_PASS}" \
    --docker-email=$EMAIL

Step 3 - Update your imagePullSecrets in your values.yaml

# values.yaml
agent:
  resourceClasses:
    <namespace>/<resource_class_name>:
      token: <token>
      spec:
        imagePullSecrets:
          - name: "<secret_name>"

Step 4 - Update your Container Runner Deployment

$ NAMESPACE=<namespace>
$ VALUES_FILE=<values_file>
$ helm upgrade container-agent container-agent/container-agent -n $NAMESPACE -f $VALUES_FILE
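
Before running Step 4 for any of the registries above, you can check that the Secret from Step 2 has the type, namespace, registry server and username you intended, without printing the password. The following is an added example, not CircleCI's own code: the function names are hypothetical, and the sample Secret is constructed to match the shape of `kubectl get secret $SECRET_NAME -n $NAMESPACE -o json` output.

```python
import base64
import json

def check_pull_secret(secret, namespace, server, username):
    """Return a list of problems (empty = looks usable). Never exposes the password."""
    problems = []
    if secret.get("type") != "kubernetes.io/dockerconfigjson":
        problems.append("type is not kubernetes.io/dockerconfigjson")
    if secret.get("metadata", {}).get("namespace") != namespace:
        problems.append("secret is not in the runner's namespace")
    try:
        raw = base64.b64decode(secret["data"][".dockerconfigjson"], validate=True)
        auths = json.loads(raw)["auths"]
        if not isinstance(auths, dict):
            raise ValueError("auths is not an object")
    except (KeyError, TypeError, ValueError):
        return problems + ["data['.dockerconfigjson'] is missing or malformed"]
    entry = auths.get(server)
    if not isinstance(entry, dict):
        return problems + ["no credentials for %s (found: %s)" % (server, sorted(auths))]
    if entry.get("username") != username:
        problems.append("username is not %r" % username)
    if not entry.get("password"):
        problems.append("password is empty")
    try:
        # "auth" is base64("username:password"); split on the first colon only
        decoded = base64.b64decode(entry.get("auth", ""), validate=True).decode()
        user, _, pw = decoded.partition(":")
    except (TypeError, ValueError):
        user = pw = None
    if (user, pw) != (entry.get("username"), entry.get("password")):
        problems.append("auth field does not match username/password")
    return problems

def build_sample(namespace, server, username, password):
    """Constructed sample shaped like `kubectl get secret ... -o json` output."""
    auth = base64.b64encode(("%s:%s" % (username, password)).encode()).decode()
    cfg = {"auths": {server: {"username": username, "password": password, "auth": auth}}}
    return {"type": "kubernetes.io/dockerconfigjson",
            "metadata": {"name": "regcred", "namespace": namespace},
            "data": {".dockerconfigjson": base64.b64encode(json.dumps(cfg).encode()).decode()}}

if __name__ == "__main__":
    s = build_sample("circleci", "gcr.io", "_json_key", "constructed:not-a-real-key")
    print(check_pull_secret(s, "circleci", "gcr.io", "_json_key"))             # no problems
    print(check_pull_secret(s, "circleci", "us-docker.pkg.dev", "_json_key"))  # wrong server
```

To check a real Secret, load the kubectl JSON output with `json.load` and pass it as the first argument, using the same server and username values you gave in Step 2.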
