2
votes

I feel there is a big blocker in Rancher V2.2.2 where I can't define the Private Azure registry containing the docker images to be used to create a K8s deployment.

I can define the Azure registry credentials in Resources -> Registries and authenticate with them to create a workload. (The workload accesses the private Azure registry and authenticates using the credentials set.)

Now if I create a Helm chart that accesses the same private Azure registry to pull the image and create a pod, it fails saying the docker image could not be pulled. I have researched it and I find that the K8s deployment can find the credentials set in the Rancher UI, but the kubelet has no access to these credentials.

The common suggestion that people give is to use the secrets in the Helm chart deployment file, and that works too, but it is a security concern as any person can access the Helm chart to find the Azure credentials described in it. I feel it's still a common problem in Rancher V2.

The question: Helm chart deployment and a private docker repository cater to the problem, but it has the security concern expressed above.

I am not sure if the Rancher community also has the answer, because the Helm repo also suggests the same solution. Please refer to https://github.com/helm/helm/blob/master/docs/charts_tips_and_tricks.md#creating-image-pull-secrets

I don't want to define image pull secrets in the deployment.yaml file of the Helm chart as mentioned below

  name: credentials-name
  registry: private-docker-registry
  username: user
  password: pass
2
You don't have to specify the username password while you are launching the chart. You can override the values using values.yaml. In that you can specify the imagePullSecrets section of deployment. - leodotcloud
I understand this part of values.yml and am doing the same currently, as I consider this a workaround because one can still see the content of values.yml and get the credentials. I don't want anyone to get those. One way could be injecting it at run time and then using RBAC (role based access control), but I still don't consider it a suitable option, as I want anyone to configure Rancher and use my Helm chart (if a person configures Helm himself then anyhow he needs to have the credentials). - Shubhanshu Rastogi

2 Answers

4
votes

When you configure a new set of registry credentials under Resources -> Registries in your current project, Rancher creates a Kubernetes secret resource for you that holds the specified credentials.

You can verify that the secret exists in all namespaces belonging to the project by running the following command:

$ kubectl get secrets -n <some-project-namespace>

Then - instead of persisting your plaintext account credentials in your deployment.yaml - you are going to reference the secret resource in the containers spec like so:

spec:
  containers:
  - name: mycontainer
    image: myregistry.azurecr.io/org/myimage
  imagePullSecrets:
  - name: project-azure-reg-creds

In the example above project-azure-reg-creds matches the name of the registry credential you added in Rancher. Also note that your deployment must be created in a namespace assigned to the project.
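An added check, not from the answer's author: before applying a chart, confirm that every private-registry image in the Deployment is covered by an imagePullSecret whose kubernetes.io/dockerconfigjson data (in the same namespace, as Rancher creates it) actually has an auths entry for that registry host. The secret and Deployment below are constructed samples with the placeholder credentials user:pass from the question; in practice feed it the output of kubectl get secret -o json and the rendered chart.

```python
import base64
import json

# Constructed sample of what `kubectl get secret -n myapp -o json` returns for the
# secret Rancher creates from Resources -> Registries (placeholder credentials user:pass).
_DOCKERCFG = {"auths": {"myregistry.azurecr.io": {"auth": base64.b64encode(b"user:pass").decode()}}}
SAMPLE_SECRETS = [{
    "metadata": {"name": "project-azure-reg-creds", "namespace": "myapp"},
    "type": "kubernetes.io/dockerconfigjson",
    "data": {".dockerconfigjson": base64.b64encode(json.dumps(_DOCKERCFG).encode()).decode()},
}]

# Constructed Deployment: one image from the private registry, one public image.
SAMPLE_DEPLOYMENT = {
    "metadata": {"name": "myapp", "namespace": "myapp"},
    "spec": {"template": {"spec": {
        "imagePullSecrets": [{"name": "project-azure-reg-creds"}],
        "containers": [
            {"name": "app", "image": "myregistry.azurecr.io/org/myimage:1.0"},
            {"name": "sidecar", "image": "nginx:1.25"},
        ],
    }}},
}

def registry_host(image: str) -> str:
    """Registry an image reference resolves to; bare names go to Docker Hub."""
    first = image.split("/", 1)[0]
    if "/" in image and ("." in first or ":" in first or first == "localhost"):
        return first
    return "docker.io"

def registries_in_secret(secret: dict) -> set:
    """Decode a kubernetes.io/dockerconfigjson secret and return the registry hosts it covers."""
    if secret.get("type") != "kubernetes.io/dockerconfigjson":
        return set()
    raw = base64.b64decode(secret["data"][".dockerconfigjson"])
    return set(json.loads(raw).get("auths", {}))

def unpullable_images(deployment: dict, secrets: list) -> list:
    """Private-registry images that no pull secret referenced by the pod (in its namespace) covers."""
    ns = deployment["metadata"]["namespace"]
    pod = deployment["spec"]["template"]["spec"]
    by_name = {s["metadata"]["name"]: s for s in secrets if s["metadata"]["namespace"] == ns}
    covered = set()
    for ref in pod.get("imagePullSecrets", []):
        covered |= registries_in_secret(by_name.get(ref["name"], {}))
    return [c["image"] for c in pod["containers"]
            if registry_host(c["image"]) != "docker.io" and registry_host(c["image"]) not in covered]
```

An empty result means the kubelet will find a credential for each private image; a non-empty list reproduces the "image could not be pulled" situation from the question, either because imagePullSecrets is missing or because the Deployment lives in a namespace outside the project.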

1
votes

Kubernetes is what it is. If you want to pull from a private repo you need an imagePullSecret. This is true in the Rancher UI too, it's just automatically associated for you so you don't have to explicitly define it yourself.