35

I can run this command to create a docker registry secret for a kubernetes cluster:

kubectl create secret docker-registry regsecret \
--docker-server=docker.example.com \
--docker-username=kube \
--docker-password=PW_STRING \
--docker-email=my@email.com \
--namespace mynamespace 

I would like to create the same secret from a YAML file. Does anyone know how this can be set in a YAML file?

I need this as a YAML file so that it can be used as a Helm template, which allows for a Helm install command such as this (simplified) one:

helm install ... --set docker.user=peter,docker.pw=foobar,docker.email=...
Tung
  • 1,579
  • 4
  • 15
  • 32
Rotareti
  • 49,483
  • 23
  • 112
  • 108

5 Answers

82

You can write that yaml by yourself, but it will be faster to create it in 2 steps using kubectl:

  1. Generate a 'yaml' file. You can use the same command but in dry-run mode and output mode yaml.

Here is an example of a command that will save a secret into a 'docker-secret.yaml' file for kubectl version < 1.18 (check the version by kubectl version --short|grep Client):

kubectl create secret docker-registry --dry-run=true $secret_name \
  --docker-server=<DOCKER_REGISTRY_SERVER> \
  --docker-username=<DOCKER_USER> \
  --docker-password=<DOCKER_PASSWORD> \
  --docker-email=<DOCKER_EMAIL> -o yaml > docker-secret.yaml

For kubectl version >= 1.18:

kubectl create secret docker-registry --dry-run=client $secret_name \
  --docker-server=<DOCKER_REGISTRY_SERVER> \
  --docker-username=<DOCKER_USER> \
  --docker-password=<DOCKER_PASSWORD> \
  --docker-email=<DOCKER_EMAIL> -o yaml > docker-secret.yaml
  2. You can apply the file like any other Kubernetes 'yaml':

    kubectl apply -f docker-secret.yaml

UPD, as a question has been updated.

If you are using Helm, here is the official documentation on how to create an ImagePullSecret.

From a doc:

  1. First, assume that the credentials are defined in the values.yaml file like so:
imageCredentials:
  registry: quay.io
  username: someone
  password: sillyness
  2. We then define our helper template as follows:
{{- define "imagePullSecret" }}
{{- printf "{\"auths\": {\"%s\": {\"auth\": \"%s\"}}}" .Values.imageCredentials.registry (printf "%s:%s" .Values.imageCredentials.username .Values.imageCredentials.password | b64enc) | b64enc }}
{{- end }}
  3. Finally, we use the helper template in a larger template to create the Secret manifest:
apiVersion: v1
kind: Secret
metadata:
  name: myregistrykey
type: kubernetes.io/dockerconfigjson
data:
  .dockerconfigjson: {{ template "imagePullSecret" . }}
Anton Kostenko
  • 8,200
  • 2
  • 30
  • 37
  • This is nice! But it leaves me with a problem. The docker related values get base64 encoded. I need this yaml file for a *Helm* template, so the values have to be plain text. Not sure if this is possible at all. – Rotareti Apr 03 '18 at 23:56
  • @Rotareti base64 is specially designed to encode any data into a plain-text format. You can use the generated line as plain text in Helm variables. – Anton Kostenko Apr 04 '18 at 07:54
  • Sorry I wasn't clear. I updated the question.. I hope it makes more sense now! – Rotareti Apr 04 '18 at 08:26
  • @AntonKostenko @Rotareti this means that the secret password should be typed in plain text in the `values.yaml` file? If I use `b64enc` I am encoding the password, really; then, could I type the secret already encoded (`echo | base64`) and use the resulting hash there, and then in the template helper, instead of using `b64enc`, I should decode it? Maybe there is some tag like `b64dec` – bgarcial May 02 '19 at 12:32
  • Thank you! Your hint of writing to a `docker-secret.yaml` solved my problem, since I could see I was pointing the secrets to the wrong namespace – Andre Ravazzi May 09 '19 at 15:28
  • As of version kubectl 1.18 `--dry-run=true` is deprecated (boolean value) and can be replaced with `--dry-run=client` – Ivan De Paz Centeno Apr 24 '20 at 11:49
7

You can kubectl apply the output of an imperative command in one line:

kubectl create secret docker-registry --dry-run=true $secret_name \
  --docker-server=<DOCKER_REGISTRY_SERVER> \
  --docker-username=<DOCKER_USER> \
  --docker-password=<DOCKER_PASSWORD> \
  --docker-email=<DOCKER_EMAIL> -o yaml | kubectl apply -f -
Sébastien Dan
  • 1,314
  • 9
  • 9
6

In case someone also just wants to have a mapping of kubectl command to yaml file:

kubectl create secret docker-registry --dry-run=true dockerhostsecretname \
  --docker-server=localhost \
  --docker-username=root \
  --docker-password=toor \
  --docker-email=root@toor.nl -o yaml

gives me

apiVersion: v1
data:
  .dockerconfigjson: eyJhdXRocyI6eyJsb2NhbGhvc3QiOnsidXNlcm5hbWUiOiJyb290IiwicGFzc3dvcmQiOiJ0b29yIiwiZW1haWwiOiJyb290QHRvb3IubmwiLCJhdXRoIjoiY205dmREcDBiMjl5In19fQ==
kind: Secret
metadata:
  creationTimestamp: null
  name: dockerhostsecretname
type: kubernetes.io/dockerconfigjson

The base64 string for the password:

eyJhdXRocyI6eyJsb2NhbGhvc3QiOnsidXNlcm5hbWUiOiJyb290IiwicGFzc3dvcmQiOiJ0b29yIiwiZW1haWwiOiJyb290QHRvb3IubmwiLCJhdXRoIjoiY205dmREcDBiMjl5In19fQ

decodes as:

{"auths":{"localhost":{"username":"root","password":"toor","email":"root@toor.nl","auth":"cm9vdDp0b29y"}}}
frbl
  • 1,172
  • 11
  • 17
3
# printf (not echo) keeps a trailing newline out of the encoded credentials;
# tr strips the line wrapping GNU base64 adds, which would otherwise break the YAML value
cat <<EOF | kubectl apply -f -
---
apiVersion: v1
kind: Secret
metadata:
  name: regcred
data:
  .dockerconfigjson: $(printf '%s' "{\"auths\": {\"https://index.docker.io/v1/\": {\"auth\": \"$(printf '%s' "janedoe:xxxxxxxxxxx" | base64 | tr -d '\n')\"}}}" | base64 | tr -d '\n')
type: kubernetes.io/dockerconfigjson
EOF
Dudo
  • 4,002
  • 8
  • 32
  • 57
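Added example, not taken from any of the answers above: a POSIX shell script that builds the same kubernetes.io/dockerconfigjson Secret that frbl's and Dudo's answers produce, from plain-text values, and then decodes it again so you can confirm what the kubelet will actually see. It uses printf rather than echo (echo appends a newline, which would end up inside the encoded "user:password" and make registry logins fail) and strips base64 line wrapping (GNU base64 wraps at 76 columns, which would put a line break inside the YAML value). The secret name, namespace, registry and credentials at the bottom are the question's own placeholder values; the function names and the decode helper are my own.

```shell
#!/bin/sh
# Added example (not from the original answers): generate a kubernetes.io/dockerconfigjson
# Secret manifest from plain-text credentials, then decode it back for verification.
# All credential values used here are constructed samples / the question's placeholders.

# b64: base64-encode stdin with no line wrapping and no trailing newline.
# `tr` makes this portable across GNU (which wraps at 76 columns) and BSD base64.
b64() {
  base64 | tr -d '\n'
}

# auth_token USER PASS -> base64("USER:PASS"), the "auth" field of a Docker config.json.
# printf avoids the trailing newline that `echo` would encode into the token.
auth_token() {
  printf '%s:%s' "$1" "$2" | b64
}

# dockerconfig_json SERVER USER PASS EMAIL -> the config.json document kubectl generates.
# Field order matches `kubectl create secret docker-registry` output.
# (No JSON escaping is done here; sample values must not contain quotes or backslashes.)
dockerconfig_json() {
  printf '{"auths":{"%s":{"username":"%s","password":"%s","email":"%s","auth":"%s"}}}' \
    "$1" "$2" "$3" "$4" "$(auth_token "$2" "$3")"
}

# secret_manifest NAME NAMESPACE SERVER USER PASS EMAIL -> Secret YAML for `kubectl apply -f -`.
# The namespace is set explicitly, since a dry-run without --namespace omits it and the
# secret silently lands in whatever namespace is current (a common source of ImagePullBackOff).
secret_manifest() {
  cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: $1
  namespace: $2
type: kubernetes.io/dockerconfigjson
data:
  .dockerconfigjson: $(dockerconfig_json "$3" "$4" "$5" "$6" | b64)
EOF
}

# decode_dockerconfig < manifest -> the decoded config.json, to check the round trip
# before the manifest is applied (or from `kubectl get secret NAME -o yaml`).
decode_dockerconfig() {
  sed -n 's/^ *\.dockerconfigjson: *//p' | base64 -d
}

# Stand-alone run: print the manifest for the question's placeholder values.
secret_manifest regsecret mynamespace docker.example.com kube PW_STRING my@email.com
```

Piping the output into `kubectl apply -f -` creates the secret; `secret_manifest ... | decode_dockerconfig` prints the exact JSON the node will use, which is a quick way to catch a wrong namespace, a stray newline, or a registry hostname that does not match the image reference before anything reaches the cluster.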
2
apiVersion: v1
kind: Secret
metadata:
  name: <NAME>
  namespace: <NAMESPACE>
data:
  .dockercfg: eyJldXJvcGEubGFSfsdfsdfSFSDFsdfsdfSFSDFSDfjM2x1SDFSDFSDFSDFSDFSDFSFSDFSDFSDFSDFG9mZmVyLm5pY2tsYXNzb25AbGVuc3dheWdyb3VwLmNvbSIsImF1dGgiOiJWRTlMUlU0Nk1EZDBNM0JxTXpWak0yeDFNakEwZEdkbGRHVndjVzQ1YUdZPSJ9fQ==
type: kubernetes.io/dockercfg

This works in k8s 1.11.2. I haven't tested it on anything below 1.9, as they changed the type.

Dominique
  • 16,450
  • 15
  • 56
  • 112
Coffe
  • 39
  • 2