Helm chart deployment and private docker repository

Question

I have a private Docker repo with bunch of images. I am using Helm to deploy them to a Kubernetes cluster.

Helm values.yaml contains the repository credentials:

image:
  repository: <repo>
  tag: <version tag>
  pullPolicy: IfNotPresent
  imageCredentials:
    registry: <repo>
    username: <username>
    password: <pw>

After doing the helm installation

helm install myhelmchart --values values.yaml --version

the pod's status is Init:ErrImagePull. kubectl describe pods gives this error:

Failed to pull image "image:tag": rpc error: code = Unknown desc = Error response from daemon: Get [image]/manifests/[version]: unauthorized: authentication required

Answer 1

It depends on the output of your helm chart. You can use helm template to see the resulting kubernetes resources without actually deploying it. Using an image from a private docker registry comes down to two steps:

1. Make sure that you have a secret resource for the private repository. Note that the type here is kubernetes.io/dockerconfigjson or kubernetes.io/dockercfg.

   How to create this with templates from helm is described here.

2. Refer to that secret in the pod that uses the image from that private repository, as shown below:

Pod resource/template:

spec:
  containers:
  - name: some-pod
    image: <image>
  imagePullSecrets:
  - name: <name-of your secret>

You can first build the resources by hand without helm. This helps to verify that the resources themselves are correct. Then you can adapt the helm templates to output the correct resources given your values.

Answer 2

imageCredentials needs to be at the root level, like so:

image:
  repository: <repo>
  tag: <version tag>
  pullPolicy: IfNotPresent
imageCredentials:
  registry: <repo>
  username: <username>
  password: <pw>

because

{{- define "imagePullSecret" }}
{{- printf "{\"auths\": {\"%s\": {\"auth\": \"%s\"}}}" .Values.imageCredentials.registry (printf "%s:%s" .Values.imageCredentials.username .Values.imageCredentials.password | b64enc) | b64enc }}
{{- end }}

references .Values.imageCredentials.* and not .Values.image.imageCredentials.*.

Also, you need to add

imagePullSecrets:
- name: {{ .Values.imageCredentials.name }}

to the template (e.g. pod or deployment) that pulls the image from the private registry. And as that references .Values.imageCredentials.name, which isn't defined in your snippet, you need to add it, like so:

image:
  repository: <repo>
  tag: <version tag>
  pullPolicy: IfNotPresent
imageCredentials:
  name: <registry_name>_credentials
  registry: <repo>
  username: <username>
  password: <pw>