Skip to content

Authenticated Container Registries

If you want to use an image from authenticated docker registry (e.g. for image cache/mirror), you'll need to add an imagePullSecret to all relevant service accounts. This way all pods created by the operator (for service account: rook-ceph-system) or all new pods in the namespace (for service account: default) will have the imagePullSecret added to their spec.

The whole process is described in the official kubernetes documentation.

Example setup for a ceph cluster

To get you started, here's a quick rundown for the ceph example from the quickstart guide.

First, we'll create the secret for our registry as described here (the secret will be created in the rook-ceph namespace, make sure to change it if your Rook Ceph Operator/Cluster is in another namespace):

1
kubectl -n rook-ceph create secret docker-registry my-registry-secret --docker-server=DOCKER_REGISTRY_SERVER --docker-username=DOCKER_USER --docker-password=DOCKER_PASSWORD --docker-email=DOCKER_EMAIL

Next we'll add the following snippet to all relevant service accounts as described here:

1
2
imagePullSecrets:
- name: my-registry-secret

The service accounts are:

  • rook-ceph-system (namespace: rook-ceph): Will affect all pods created by the rook operator in the rook-ceph namespace.
  • default (namespace: rook-ceph): Will affect most pods in the rook-ceph namespace.
  • rook-ceph-mgr (namespace: rook-ceph): Will affect the MGR pods in the rook-ceph namespace.
  • rook-ceph-osd (namespace: rook-ceph): Will affect the OSD pods in the rook-ceph namespace.
  • rook-ceph-rgw (namespace: rook-ceph): Will affect the RGW pods in the rook-ceph namespace.

You can do it either via e.g. kubectl -n <namespace> edit serviceaccount default or by modifying the operator.yaml and cluster.yaml before deploying them.

Since it's the same procedure for all service accounts, here is just one example:

1
kubectl -n rook-ceph edit serviceaccount default

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
apiVersion: v1
kind: ServiceAccount
metadata:
  name: default
  namespace: rook-ceph
secrets:
- name: default-token-12345
# Add the highlighted lines:
imagePullSecrets:
- name: my-registry-secret

After doing this for all service accounts all pods should be able to pull the image from your registry.