3.8. Using docker credentials for private registries

Procedure

1. Create the secret from your local .docker/config.json file:

   $ oc create secret generic dockerhub \
       --from-file=.dockerconfigjson=<path/to/.docker/config.json> \
       --type=kubernetes.io/dockerconfigjson

   Copy to Clipboard Toggle word wrap

   This generates a JSON specification of the secret named dockerhub and creates the object.

2. Add a pushSecret field into the output section of the BuildConfig and set it to the name of the secret that you created, which in the previous example is dockerhub:

   spec:
     output:
       to:
         kind: "DockerImage"
         name: "private.registry.com/org/private-image:latest"
       pushSecret:
         name: "dockerhub"

   Copy to Clipboard Toggle word wrap

   You can use the oc set build-secret command to set the push secret on the build configuration:

   $ oc set build-secret --push bc/sample-build dockerhub

   Copy to Clipboard Toggle word wrap

   You can also link the push secret to the service account used by the build instead of specifying the pushSecret field. By default, builds use the builder service account. The push secret is automatically added to the build if the secret contains a credential that matches the repository hosting the build’s output image.

   $ oc secrets link builder dockerhub

   Copy to Clipboard Toggle word wrap

3. Pull the builder container image from a private container image registry by specifying the pullSecret field, which is part of the build strategy definition:

   strategy:
     sourceStrategy:
       from:
         kind: "DockerImage"
         name: "docker.io/user/private_repository"
       pullSecret:
         name: "dockerhub"

   Copy to Clipboard Toggle word wrap

   You can use the oc set build-secret command to set the pull secret on the build configuration:

   $ oc set build-secret --pull bc/sample-build dockerhub

   Copy to Clipboard Toggle word wrap
   注意

   This example uses pullSecret in a Source build, but it is also applicable in Docker and Custom builds.

   You can also link the pull secret to the service account used by the build instead of specifying the pullSecret field. By default, builds use the builder service account. The pull secret is automatically added to the build if the secret contains a credential that matches the repository hosting the build’s input image. To link the pull secret to the service account used by the build instead of specifying the pullSecret field, run:

   $ oc secrets link builder dockerhub

   Copy to Clipboard Toggle word wrap
   注意

   You must specify a from image in the BuildConfig spec to take advantage of this feature. Docker strategy builds generated by oc new-build or oc new-app may not do this in some situations.