Configure k8s to use GitHub Container Registry

Updated 2021-01-22

TL;DR

  • Create Token
  • Encode the User Name and Token
  • Create .dockerconfigjson file
  • Execute Imperative kubectl command
  • Create Pod that uses Secret
  • Modify Service Account to use Secret

To encode the user name and token, run the following:

echo -n "jtfogarty:VGhpcyBJcyBOb3QgYSBSZWFsIEdpdEh1YiBUb2tlbg==" | base64

which yields

anRmb2dhcnR5OlZHaHBjeUJKY3lCT2IzUWdZU0JTWldGc0lFZHBkRWgxWWlCVWIydGxiZz09

Build the .dockerconfigjson file as follows:

{
    "auths":
    {
        "ghcr.io":
            {
                "auth":"anRmb2dhcnR5OlZHaHBjeUJKY3lCT2IzUWdZU0JTWldGc0lFZHBkRWgxWWlCVWIydGxiZz09"
            }
    }
}

Create a docker registry secret using the command below:

kubectl create secret docker-registry ghcr-config-jtf --from-file=.dockerconfigjson
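
The encode and file-creation steps above as a shell helper, added here as an example and not part of the original post. It removes the line wrap GNU base64 inserts for inputs over 57 bytes, writes the file owner-only, and checks the result by decoding it; the function names are assumptions.

```bash
#!/usr/bin/env bash
# Added example; the function names are hypothetical, not from the post.

# Encode "user:token" as ONE base64 line. GNU base64 wraps output at 76
# columns, so any input over 57 bytes would otherwise put a newline inside
# the JSON "auth" value. printf avoids the non-portable `echo -n`.
encode_auth() (
  printf '%s:%s' "$1" "$2" | base64 | tr -d '\n'
)

# Write the config file readable by its owner only; it holds a credential.
# args: user token outfile [registry, default ghcr.io]
write_dockerconfig() (
  auth="$(encode_auth "$1" "$2")"
  umask 077
  printf '{"auths":{"%s":{"auth":"%s"}}}\n' "${4:-ghcr.io}" "$auth" > "$3"
  chmod 600 "$3"   # also tightens a file that already existed
)

# Decode the first "auth" value and print only the user name, never the
# token. Non-zero exit if the entry is missing or is not user:token.
# (Function bodies are subshells, so `exit` leaves only the function.)
dockerconfig_user() (
  auth="$(sed -n 's/.*"auth"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' "$1" | head -n 1)"
  [ -n "$auth" ] || exit 1
  decoded="$(printf '%s' "$auth" | base64 -d 2>/dev/null)" || exit 1
  case "$decoded" in
    ?*:?*) printf '%s\n' "${decoded%%:*}" ;;
    *)     exit 1 ;;
  esac
)
```

Run `write_dockerconfig <user> <token> .dockerconfigjson` and then `dockerconfig_user .dockerconfigjson` before creating the secret; base64 is an encoding, not encryption, so treat the file like the token itself.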

Create a pod manifest to pull from ghcr.io:

apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: my-pod
  name: my-pod
spec:
  containers:
  - image: ghcr.io/jtfogarty/my-image:1.1
    name: my-pod
    resources: {}
  # Secret created above; it must exist in the same namespace as the pod.
  imagePullSecrets:
  - name: ghcr-config-jtf
  dnsPolicy: ClusterFirst
  restartPolicy: Always
status: {}

An alternative approach is to modify the default service account for the namespace to use the newly created secret.

kubectl patch serviceaccount default -p '{"imagePullSecrets": [{"name": "ghcr-config-jtf"}]}'

When a new pod is created, the spec.imagePullSecrets field is set automatically.