Private Registry

by Ivan Pedrazas 2015-12-03 09:58 kubernetes registry core

The first time we tried to use a private registry in Kubernetes we got bitten by a weird bug: the format of the .dockercfg.

If you read the documentation you will see that you have to create a secret, and then use that secret in your pod definition.

What it seems to be missing from the docs is that the format of the json that contains the registry auth info is important.

This is the example in the documentation:

$ echo $(cat ~/.dockercfg)
{ "": { "auth": "ZmFrZXBhc3N3b3JkMTIK", "email": "" } }

But we need base64 encode text:

$ cat ~/.dockercfg | base64

Finally, we create the secret definiton using the base64

$ cat > /tmp/image-pull-secret.yaml <<EOF
apiVersion: v1
kind: Secret
  name: myregistrykey
  .dockercfg: eyAiaHR0cHM6Ly9pbmRleC5kb2NrZXIuaW8vdjEvIjogeyAiYXV0aCI6ICJabUZyWlhCaGMzTjNiM0prTVRJSyIsICJlbWFpbCI6ICJqZG9lQGV4YW1wbGUuY29tIiB9IH0K

Finally, we create the secret in the cluster

$ kubectl create -f /tmp/image-pull-secret.yaml

Once we have the secret, we can use that secret in our pods.

apiVersion: v1
kind: Pod
  name: foo
    - name: foo
      image: janedoe/awesomeapp:v1
    - name: myregistrykey

This is all true and good, but the detail of the format of .dockercfg is the kind of thing that will have you running around calling names. So, what’s the problem? If you execute the first command of the post:

$ echo $(cat ~/.dockercfg)

You will see that it returns 1 line. However, between catting the file and echoing the catting fo the file there’s one little detail: that ECHO makes the file to be in one single line.

Now, look at this:

-> % cat .dockercfg| base64

-> % echo $(cat .dockercfg) | base64

I’m not sure why nobody has bothered writing this little note in the docs, but if you don’t echo the cat, the secret will be wrong. Anyway, from now on, remember, the format of the json is important… so make sure you verify the json you’re using is in one single line. is made with by @agonzalezro and @ipedrazas