How to pull private images with 1.0

Pulling private images is not working in OSS version. See http://community.harness.io/t/pulling-private-images-not-working-in-oss-version/7594

I’d like to understand how to accomplish this without using Drone UI for secrets (our goal is to never use any kind of GUI configuration, pure IaC) with Kubernetes.

My cluster already has a working dockerconfigjson secret for our repository. My expectation is that using image_pull_secrets in the pipeline will add the listed secret names to the imagePullSecrets field in the resulting Kubernetes pod configuration.

However, the field does not appear in the pod’s manifest, regardless of whether I just list secret names as they appear in the cluster, or use drone-kubernetes-secrets extension (which works otherwise) to pull the secret into my pipeline.

How exactly does Drone accomplish telling Kubernetes what secret to use, if this field is not utilized? TIA.

The image_pull_secrets in the drone yaml file references a drone secret, not a kubernetes secret. You can learn more about drone secrets and pulling private images at these links:

If something in our documentation led you to expect that Drone would automatically read a kuberetetes dockerconfigjson secret defined in your cluster please let me know, and we can correct the documentation and reset expectations accordingly.

use option 2 as defined at the top of this thread (also described here).

Thank you for the quick reply.

I have read the documentation and it was not it that led me to believe it would work that way - it is simply the easiest and the most logical implementation. To learn that this is not the case is quite surprising, given that Drone already supports setting image pull policy for containers via pipeline step settings. What should probably be corrected is not the documentation but the lack of following the Kubernetes design patterns.

Regardless, I would still like to understand how exactly Drone uses the secret it’s been given.

I think it is important to clarify that Drone does not pull an image. Drone makes an API call to the host machine Docker daemon and instructs it to pull an image.

In Kubernetes world, this would mean using the imagePullSecrets field - however, I don’t see that happening. What does Drone actually do with the provided dockerconfigjson secret in order to use it to pull the image?

Managed to solve it. Suppose we have the following Kubernetes secret (created via kubectl create secret docker-registry from credentials provided by Gitlab registry, in this example):

Note: the base64-encoded string below does not contain any private information, only dummy credentials for demonstration.

apiVersion: v1
data:
  .dockerconfigjson: eyJhdXRocyI6eyJyZWdpc3RyeS5naXRsYWIuY29tIjp7InVzZXJuYW1lIjoic29tZS11c2VyIiwicGFzc3dvcmQiOiJzb21lLXBhc3N3b3JkIiwiYXV0aCI6InNvbWUtYXV0aCJ9fX0=
kind: Secret
  name: gitlab-docker-auth
  namespace: drone
type: kubernetes.io/dockerconfigjson

We can now mount this secret in our pipeline with drone-kubernetes-secrets extension. Just make sure that its namespace is the same as the extension’s rbac.secretNamespace (in this example drone) and its name (gitlab-docker-auth) is added to rbac.restrictToSecrets list (if you’re limiting what secrets can be mounted by the extension).

kind: secret
name: docker-private-images
get:
  path: gitlab-docker-auth
  name: .dockerconfigjson

Contrary to one of the comments in this thread, there are no issues with .dockerconfigjson starting with a dot. We can now reference this mounted secret anywhere in our pipeline(s):

image_pull_secrets:
- docker-private-images

My main mistake here was not realizing that the entire JSON structure referenced by .dockerconfigjson can be mounted as a secret. Once functional, this is a much cleaner solution for Drone on Kubernetes than using Drone’s web UI to manually add secrets.

1 Like

Thanks for base64 tip. Was much convinient.

1 Like

Can you configure credentials as dockerconfigjson for hub.docker as well? or is it just for private registries.

Recently docker hub has introduced rate limiting and would require credentials for a higher rate limit.

Hi, I little late here, but for me, this worked:

drone exec --trusted --secret-file=secrets.txt --event=push .drone.yaml

With the --trusted I was able to download private images, that required authentication, that is passed (in my case was Google Images) using the secrets.txt file.

In drone.yaml:

    pull: if-not-exists
    image: eu.gcr.io/private-org/private-repo/latest
    environment:
        GITHUB_TOKEN:
            from_secret: GITHUB_TOKEN

The secrets.txt file contains just (a valid) GitHub token:

GITHUB_TOKEN=ghp_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx