
Secret

To pull custom images from my GitHub Container Registry (GHCR), we need to create a Kubernetes Secret that stores authentication credentials.


Personal Access Token (PAT)

GitHub requires a Fine-grained Personal Access Token (PAT) to authenticate when pulling private container images.

Example token k3s_ghcr: `github_pat_22AW2PJYA0AjBj2d73RtoG_aZHx78VDFXon4oEdHR`

Note: You only need to create a Secret for private repositories. Images from public repositories can be pulled directly, for example:

image: ghcr.io/username/my-public-app:latest

Creating a Secret (Terminal)

Use the following command to create a Docker registry secret that stores your GitHub credentials:

kubectl create secret docker-registry ghcr-secret \
  --docker-server=ghcr.io \
  --docker-username=my_name \
  --docker-password=ghp_abc1234567890 \
  --docker-email=email@dresse.com

Example output:

secret/ghcr-secret created
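
The command above puts the token in the shell history and the process argument list. The following added example (not part of the original page; the function names are hypothetical) builds the same `kubernetes.io/dockerconfigjson` Secret with the token read from stdin, and shows that the stored value is only base64-encoded:

```bash
# Added example (hypothetical helper names). Builds the same
# kubernetes.io/dockerconfigjson Secret, reading the token from stdin.

b64() { base64 | tr -d '\n'; }  # single-line base64 on GNU and BSD

# Print the Docker config JSON stored in the Secret for ghcr.io.
ghcr_dockerconfigjson() {
  local user=$1 token=$2 auth
  [ -n "$user" ] && [ -n "$token" ] || { echo "empty username or token" >&2; return 1; }
  case "$user$token" in  # reject anything that would need JSON escaping
    *[!A-Za-z0-9_-]*) echo "unexpected character in input" >&2; return 1 ;;
  esac
  auth=$(printf '%s:%s' "$user" "$token" | b64)
  printf '{"auths":{"ghcr.io":{"username":"%s","password":"%s","auth":"%s"}}}' \
    "$user" "$token" "$auth"
}

# Emit the Secret manifest; the token is the first line of stdin.
ghcr_secret_manifest() {
  local name=$1 namespace=$2 user=$3 token cfg
  IFS= read -r token || [ -n "$token" ] || return 1
  cfg=$(ghcr_dockerconfigjson "$user" "$token") || return 1
  cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: $name
  namespace: $namespace
type: kubernetes.io/dockerconfigjson
data:
  .dockerconfigjson: $(printf '%s' "$cfg" | b64)
EOF
}

# Recover the token from a manifest on stdin: the data field is only
# base64-encoded, so anyone allowed to read the Secret can do this.
secret_token() {
  sed -n 's/^ *\.dockerconfigjson: *//p' | base64 -d |
    sed 's/.*"password":"\([^"]*\)".*/\1/'
}

# Usage (token typed at a hidden prompt, never passed as an argument):
#   read -rs TOKEN
#   printf '%s\n' "$TOKEN" | ghcr_secret_manifest ghcr-secret default my_name | kubectl apply -f -
```

Because the token is recoverable from the Secret, restrict `get` on Secrets in the namespace through RBAC and give the PAT read-only package scope.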

Referencing the Secret in a Deployment

To allow Kubernetes to use this secret when pulling container images, add the following section to your Deployment specification:

imagePullSecrets:
- name: ghcr-secret

Create/Update Deployment + Service

vi demo-page.yaml

apiVersion: apps/v1
kind: Deployment
metadata:
  name: demo-page-deployment
  namespace: default
spec:
  replicas: 1
  selector:
    matchLabels:
      app: demo-page
  template:
    metadata:
      labels:
        app: demo-page
    spec:
      imagePullSecrets: # NEW SECTION: Enable access to the private container registry
        - name: ghcr-secret # Reference to the created Secret for GitHub Container Registry
      containers:
        - name: demo-page
          image: ghcr.io/georgstrassberger/demo-page:v1.0.0 # Custom image hosted on GHCR
          ports:
            - containerPort: 80
---
apiVersion: v1
kind: Service
metadata:
  name: demo-page-svc
  labels:
    app: demo-page-deployment
spec:
  type: NodePort
  selector:
    app: demo-page
  ports:
    - port: 80
      targetPort: 80