
Trying to follow the use-case examples given in the official Kubernetes documentation for using secrets as environment variables (referenced here), I made both my secret and my deployment yaml (which includes a pod spec) as follows:

Secret yaml:

apiVersion: v1
kind: Secret
metadata:
  name: my-secret
type: Opaque
data:
  LOCAL_UID: dsdgvreRBRBBsdd=
  LOCAL_PWD: MmSDkfKDODbOU4NCg==

which is written to the namespace by doing: kubectl apply -f my-secret.yaml

Likewise, here is the deployment Yaml:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: my-app
  labels:
    app: my-app
spec:
  replicas: 3
  selector:
    matchLabels:
      app: my-app
  template:
    metadata:
      labels:
        app: my-app
    spec:
      terminationGracePeriodSeconds: 30
      containers:
        - name: my-app
          env:
            - name: REPO_APP_URL
              value: https://repo.myco.com/project.tar.gz
          envFrom:
            - secretRef:
                name: my-secret
          image: repo.myco.com/images/node-alpine:0.1.6
          imagePullPolicy: Always
          ports:
            - containerPort: 8080
          readinessProbe:
            httpGet:
              path: /
              port: 8080
            initialDelaySeconds: 15
            periodSeconds: 15
          securityContext:
            runAsUser: 1000
      imagePullSecrets:
        - name: regcredepg
  • not shown above (but is in the deployment yaml) are the Service and Ingress specs.

This is run by doing the following

kubectl apply -f my-app.yaml

This actually works great given:

  1. the imagePullSecrets directive is included in the deployment YAML.

  2. that the name value given in the imagePullSecrets section is not the actual secret used in the envFrom: - secretRef: section.

If I try to set the name of the imagePullSecrets name field to my-secret, the pod fails to load (saying Error from server (BadRequest): container "my-app" in pod "my-app-597bb6c9b4-lh8rg" is waiting to start: image can't be pulled).

Also, it won't allow me to simply remove the imagePullSecrets section of the YAML in the pod spec, even though the documentation claims it is optional.

So, the only way this will work is if I include the imagePullSecrets reference to a valid secret that I am not using in my envFrom: - secretRef: section. I am sure I am missing some logical obvious issue here. Can anyone shed light on this?

Kim Gentes

1 Answer


imagePullSecrets has a different format than just the ID and password. You need to specify the registry FQDN and the username and password. You can find more information in Pull an Image from a Private Registry.

x80486
Reza Nasiri
  • Unfortunately, you are answering a question I did not ask. Look at: https://kubernetes.io/docs/concepts/configuration/secret/#use-case-as-container-environment-variables. This is the use case I am working on. It is documented in the k8s docs, but the details of my issue are detailed in my post above, which is not related to the answer you gave. – Kim Gentes Nov 18 '21 at 15:57
  • The problem you are having is that kubelet cannot pull the image from your private container registry, and it is because your registry requires authentication and the secret you provided as imagePullSecrets does not have the proper type and format. It has nothing to do with it being used in envFrom. – Reza Nasiri Nov 18 '21 at 22:44
  • By private container registry, do you mean the fact that `image: repo.myco.com/images/node-alpine:0.1.6` requires something in a dockerconfigjson format or such? – Kim Gentes Nov 19 '21 at 16:42
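
The distinction drawn in the answer and its comments, as an added example (not code from the original thread): a small Python check showing why an `Opaque` secret with env-style keys cannot serve as an `imagePullSecrets` entry, while a separate `kubernetes.io/dockerconfigjson` secret for the registry can. The secret name `regcred-example`, the credentials, the placeholder data values and both helper functions are constructed for illustration.

```python
import base64
import json

PULL_TYPE = "kubernetes.io/dockerconfigjson"

def make_pull_secret(name, registry, username, password):
    """Build a dockerconfigjson Secret manifest (as a dict) for one registry."""
    auth = base64.b64encode(f"{username}:{password}".encode()).decode()
    cfg = {"auths": {registry: {"username": username, "password": password, "auth": auth}}}
    blob = base64.b64encode(json.dumps(cfg).encode()).decode()
    return {"apiVersion": "v1", "kind": "Secret", "metadata": {"name": name},
            "type": PULL_TYPE, "data": {".dockerconfigjson": blob}}

def pull_secret_problems(secret, registry):
    """List reasons `secret` cannot act as an imagePullSecret for `registry`.

    Simplified: exact registry-name match only, and the legacy
    kubernetes.io/dockercfg type is not handled.
    """
    problems = []
    if secret.get("type") != PULL_TYPE:
        problems.append(f"type is {secret.get('type')!r}, expected {PULL_TYPE!r}")
    blob = secret.get("data", {}).get(".dockerconfigjson")
    if blob is None:
        return problems + ["data has no '.dockerconfigjson' key"]
    try:
        auths = json.loads(base64.b64decode(blob, validate=True)).get("auths", {})
    except (ValueError, AttributeError):
        return problems + ["'.dockerconfigjson' is not a base64-encoded JSON object"]
    if registry not in auths:
        problems.append(f"no credentials for registry {registry!r}")
    return problems

# Shape of the question's secret; the data values are constructed placeholders.
ENV_SECRET = {"apiVersion": "v1", "kind": "Secret", "metadata": {"name": "my-secret"},
              "type": "Opaque",
              "data": {"LOCAL_UID": "Y29uc3RydWN0ZWQ=", "LOCAL_PWD": "Y29uc3RydWN0ZWQ="}}

if __name__ == "__main__":
    registry = "repo.myco.com"  # registry host taken from the image reference
    print("my-secret:", pull_secret_problems(ENV_SECRET, registry))
    good = make_pull_secret("regcred-example", registry, "ci-user", "constructed-pw")
    print("regcred-example:", pull_secret_problems(good, registry))
```

The same secret object can still be referenced from `envFrom`; only its use under `imagePullSecrets` depends on the type and the `.dockerconfigjson` key.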