Authenticated Container Registries
If you want to use an image from authenticated docker registry (e.g. for image cache/mirror), you'll need to add an imagePullSecret
to all relevant service accounts. This way all pods created by the operator (for service account: rook-ceph-system
) or all new pods in the namespace (for service account: default
) will have the imagePullSecret
added to their spec.
The whole process is described in the official kubernetes documentation.
Example setup for a ceph cluster¶
To get you started, here's a quick rundown for the ceph example from the quickstart guide.
First, we'll create the secret for our registry as described here (the secret will be created in the rook-ceph
namespace, make sure to change it if your Rook Ceph Operator/Cluster is in another namespace):
Next we'll add the following snippet to all relevant service accounts as described here:
The service accounts are:
rook-ceph-system
(namespace:rook-ceph
): Will affect all pods created by the rook operator in therook-ceph
namespace.default
(namespace:rook-ceph
): Will affect most pods in therook-ceph
namespace.rook-ceph-mgr
(namespace:rook-ceph
): Will affect the MGR pods in therook-ceph
namespace.rook-ceph-osd
(namespace:rook-ceph
): Will affect the OSD pods in therook-ceph
namespace.rook-ceph-rgw
(namespace:rook-ceph
): Will affect the RGW pods in therook-ceph
namespace.
You can do it either via e.g. kubectl -n <namespace> edit serviceaccount default
or by modifying the operator.yaml
and cluster.yaml
before deploying them.
Since it's the same procedure for all service accounts, here is just one example:
After doing this for all service accounts all pods should be able to pull the image from your registry.