How can I use Github packages Docker registry in Kubernetes dockerconfigjson?

Question

How can I pull docker.pkg.github.com Docker images from within Kubernetes cluster?

Currently, the Github Docker registry requires authentication even for packages from public Github repositories.

Answer 1

1. Create new Github Personal Access Token with read:packages scope at https://github.com/settings/tokens/new.

2. Base-64 encode <your-github-username>:<TOKEN>, ie.:

   $ echo -n VojtechVitek:4eee0faaab222ab333aa444aeee0eee7ccc555b7 | base64
   <AUTH>
   

   Note: Make sure not to encode a newline character at the end of the string.

3. Create kubernetes.io/dockerconfigjson secret

   A) Create secret manually:

   $ echo '{"auths":{"docker.pkg.github.com":{"auth":"<AUTH>"}}}' | kubectl create secret generic dockerconfigjson-github-com --type=kubernetes.io/dockerconfigjson --from-file=.dockerconfigjson=/dev/stdin
   

   B) Or, create .yml file that can be used in kubectl apply -f:

   kind: Secret
   type: kubernetes.io/dockerconfigjson
   apiVersion: v1
   metadata:
     name: dockerconfigjson-github-com
   stringData:
     .dockerconfigjson: {"auths":{"docker.pkg.github.com":{"auth":"<AUTH>"}}}
   

   Note for GitOps: I strongly recommend not to store the above file in plain-text in your git repository. Hydrate the value in your CD pipeline or encrypt/seal the file with tools like https://github.com/mozilla/sops or https://github.com/bitnami-labs/sealed-secrets.

4. Now, you can reference the above secret from your pod's spec definition via imagePullSecrets field:

   spec:
     containers:
     - name: your-container-name
       image: docker.pkg.github.com/<ORG>/<REPO>/<PKG>:<TAG>
     imagePullSecrets:
     - name: dockerconfigjson-github-com