IBM Cloud: Access container registry from Terraform

Question

I am using IBM Cloud and its Terraform provider. Now, I would like to deploy a container image off the IBM Cloud Container Registry and need to provide pull secrets. How can I do that using Terraform?

Answer 1

Creating pull secrets via Terraform and then using them to pull a container image off the IBM Cloud Container Registry is possible with some configuration.

First, I have a template file for the Docker configuration named docker_config.json:

{"auths":{"${docker-server}":{"username":"${docker-username}","password":"${docker-password}","email":"${docker-email}","auth":"${auth}"}}}

That file is referenced from the Terraform code:

# template for container registry secrets
data "template_file" "docker_config_script" {
  template = file("${path.module}/docker_config.json")
  vars = {
    docker-username = "iamapikey"
    docker-password = var.ibmcloud_api_key
    docker-server   = var.docker-server
    docker-email    = var.docker-email
    auth            = base64encode("iamapikey:${var.ibmcloud_api_key}")
  }
}

# Create secrets to access IBM Container Registry to pull container image
resource "kubernetes_secret" "registry_secrets" {
  metadata {
    name      = "my-docker-registry"
    namespace = var.iks_namespace
  }

  data = {
    ".dockerconfigjson" = data.template_file.docker_config_script.rendered
  }

  type = "kubernetes.io/dockerconfigjson"
}

The above code first reads the template and fills it with values from environment variables or current state. Thereafter, it creates a Kubernetes secret my-docker-registry of type Docker configuration. Later on, that secret can be referenced as image_pull_secret in the deployment configuration.

The above is a generic approach. Depending on your account setup, individual user and service ID privileges in that account and how the Kubernetes cluster was created, you may be able to use a pre-created pull secret. See this part in the IBM Cloud Kubernetes Service docs on how to authorize pulling images from private registries.

Answer 2

Also bear in mind that your cluster may already have suitable image pull secrets.

By default, new IBM Cloud Kubernetes Service clusters get a secret (all-icr-io) containing credentials that will give read access to all images in IBM Cloud Container Registry namespaces owned by the same account as the cluster. https://cloud.ibm.com/docs/containers?topic=containers-registry#cluster_registry_auth_default

Answer 3

Alternatively, you can also import an existing pull secret all-icr-io that comes with an IKS cluster following the below steps

main.tf

resource "kubernetes_secret" "all_icr_io" {
  # (resource arguments)
}

provider.tf

terraform {
  required_providers {
    kubernetes = {
      source = "hashicorp/kubernetes"
      version = "1.13.2"
    }
  }
}

provider "kubernetes" {
  # Configuration options
}

On a terminal:

terraform import kubernetes_secret.all_icr_io default/all-icr-io

To confirm,

terraform show

Result:

# kubernetes_secret.all_icr_io:
resource "kubernetes_secret" "all_icr_io" {
    data = (sensitive value)
    id   = "default/all-icr-io"
    type = "kubernetes.io/dockerconfigjson"

    metadata {
        annotations      = {}
        generation       = 0
        labels           = {}
        name             = "all-icr-io"
        namespace        = "default"
        resource_version = "267"
        self_link        = "/api/v1/namespaces/default/secrets/all-icr-io"
        uid              = "0dea7ee0-ab03-4fc1-a4e4-b2xxxxxxx"
    }
}