Using authenticated private registries

To enable the Porch function runner to pull kpt function images from authenticated private registries, the system requires:

Creating a kubernetes secret using a JSON file according to the Docker config schema, containing valid credentials for each authenticated registry.
Mounting this new secret as a volume on the function runner.
Providing the path of the mounted secret to the function runner using the argument --registry-auth-secret-path

An example template of what a docker config.json file looks like is as follows below. The base64 encoded value bXlfdXNlcm5hbWU6bXlfcGFzc3dvcmQ= of the auth key decodes to my_username:my_password, which is the format used by the config when authenticating.


{
    "auths": {
        "https://index.docker.io/v1/": {
            "auth": "bXlfdXNlcm5hbWU6bXlfcGFzc3dvcmQ="
        },
        "ghcr.io": {
            "auth": "bXlfdXNlcm5hbWU6bXlfcGFzc3dvcmQ="
        }
    }
}

A quick way to generate this secret for your use using your docker config.json would be to run the following command:


kubectl create secret generic <SECRET_NAME> --from-file=.dockerconfigjson=/path/to/your/config.json --type=kubernetes.io/dockerconfigjson --dry-run=client -o yaml -n porch-system

Note

The secret must be in the same namespace as the function runner deployment. By default, this is the porch-system namespace.

This should generate a secret template, similar to the one below, which you can add to the 2-function-runner.yaml file in the Porch catalog package found here


apiVersion: v1
data:
  .dockerconfigjson: <base64-encoded-data>
kind: Secret
metadata:
  creationTimestamp: null
  name: <SECRET_NAME>
  namespace: porch-system
type: kubernetes.io/dockerconfigjson

Next you must mount the secret as a volume on the function runner deployment. Add the following snippet to the Deployment object in the 2-function-runner.yaml file:


    volumeMounts:
      - mountPath: /pod-cache-config
        name: pod-cache-config-volume
      - mountPath: /var/tmp/auth-secret
        name: docker-config
        readOnly: true
volumes:
  - name: pod-cache-config-volume
    configMap:
      name: pod-cache-config
  - name: docker-config
    secret:
      secretName: <SECRET_NAME>

You may specify your desired mountPath: so long as the function runner can access it.

Note

The chosen mountPath: should use its own, dedicated sub-directory, so that it does not overwrite access permissions of the existing directory. For example, if you wish to mount on /var/tmp you should use mountPath: /var/tmp/<SUB_DIRECTORY> etc.

Lastly you must enable private registry functionality along with providing the path and name of the secret. Add the --enable-private-registry, --registry-auth-secret-path and --registry-auth-secret-name arguments to the function-runner Deployment object in the 2-function-runner.yaml file:


command:
  - /server
  - --config=/config.yaml
  - --enable-private-registry=true
  - --registry-auth-secret-path=/var/tmp/auth-secret/.dockerconfigjson
  - --registry-auth-secret-name=<SECRET_NAME>
  - --functions=/functions
  - --pod-namespace=porch-fn-system

The --enable-private-registry, --registry-auth-secret-path and --registry-auth-secret-name arguments have default values of false, /var/tmp/auth-secret/.dockerconfigjson and auth-secret respectively; however, these should be overridden to enable the functionality and match user specifications.

With this last step, if your Porch package uses a custom kpt function image stored in an authenticated private registry (for example - image: ghcr.io/private-registry/set-namespace:customv2), the function runner will now use the secret info to replicate your secret on the porch-fn-system namespace and specify it as an imagePullSecret for the function pods, as documented here.