# Woodpecker: allow pulling from private registry

Woodpecker pipelines run as Kubernetes pods in the `woodpecker` namespace. If pipeline step images are pulled from `registry.nxtgauge.com/...` (private, Basic auth), the kubelet needs an `imagePullSecret` to pull them.

This is required for base images (for example, `registry.nxtgauge.com/rust:alpine`) and also for any mirrored plugin images (for example, `registry.nxtgauge.com/kaniko:2.1.1`).

## Required secret

Create this once:

```bash
kubectl -n woodpecker create secret docker-registry registry-nxtgauge-pull \
  --docker-server=registry.nxtgauge.com \
  --docker-username="<REGISTRY_USERNAME>" \
  --docker-password="<REGISTRY_PASSWORD>" \
  --docker-email="ci@nxtgauge.com"
```

## Mirroring common plugin images (optional)

If your pipelines reference plugin images from the internal registry (for example, `registry.nxtgauge.com/kaniko:2.1.1`), make sure those images exist in the registry.

Example mirror from Docker Hub to the internal registry:

```bash
docker pull woodpeckerci/plugin-kaniko:2.1.1
docker tag woodpeckerci/plugin-kaniko:2.1.1 registry.nxtgauge.com/kaniko:2.1.1
docker push registry.nxtgauge.com/kaniko:2.1.1
```

## What this kustomize applies

It patches the `default` ServiceAccount in the `woodpecker` namespace to ensure it includes:

- `imagePullSecrets: [registry-nxtgauge-pull]`

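
To confirm that the secret and the ServiceAccount patch line up, the following added example (not part of this repository) checks the JSON returned by `kubectl -n woodpecker get secret registry-nxtgauge-pull -o json` and `kubectl -n woodpecker get serviceaccount default -o json`. The sample objects are constructed, the function and variable names are assumptions, and the host comparison is a simplification of the kubelet's own matching.

```python
import base64
import json

NAMESPACE = "woodpecker"                # from this page
SECRET_NAME = "registry-nxtgauge-pull"  # from this page
REGISTRY = "registry.nxtgauge.com"      # from this page


def check_pull_setup(secret: dict, service_account: dict) -> list:
    """Return a list of problems; an empty list means the wiring looks right."""
    problems = []
    for label, obj in (("secret", secret), ("serviceaccount", service_account)):
        if obj.get("metadata", {}).get("namespace") != NAMESPACE:
            problems.append(f"{label} is not in namespace {NAMESPACE}")
    if secret.get("type") != "kubernetes.io/dockerconfigjson":
        problems.append("secret type is not kubernetes.io/dockerconfigjson")
    try:
        raw = base64.b64decode(secret.get("data", {}).get(".dockerconfigjson", ""))
        auths = json.loads(raw)["auths"]
        # Simple host comparison: drop any scheme and trailing slash from each key.
        hosts = {key.split("://", 1)[-1].rstrip("/") for key in auths}
    except (ValueError, KeyError, TypeError):
        problems.append(".dockerconfigjson is missing or malformed")
    else:
        if REGISTRY not in hosts:
            problems.append(f"no credentials for {REGISTRY}, found {sorted(hosts)}")
    refs = [ref.get("name") for ref in service_account.get("imagePullSecrets") or []]
    if SECRET_NAME not in refs:
        problems.append(f"serviceaccount does not list {SECRET_NAME}")
    return problems


def sample_secret(server: str) -> dict:
    """Constructed Secret shaped like `kubectl get secret ... -o json` output."""
    entry = {"username": "ci", "password": "example-only",
             "auth": base64.b64encode(b"ci:example-only").decode()}
    config = json.dumps({"auths": {server: entry}}).encode()
    return {"kind": "Secret", "type": "kubernetes.io/dockerconfigjson",
            "metadata": {"name": SECRET_NAME, "namespace": NAMESPACE},
            "data": {".dockerconfigjson": base64.b64encode(config).decode()}}


# Constructed ServiceAccount, as the kustomize patch should leave it.
SAMPLE_SA = {"kind": "ServiceAccount",
             "metadata": {"name": "default", "namespace": NAMESPACE},
             "imagePullSecrets": [{"name": SECRET_NAME}]}

if __name__ == "__main__":
    print(check_pull_setup(sample_secret(REGISTRY), SAMPLE_SA))           # correct wiring
    print(check_pull_setup(sample_secret("index.docker.io"), SAMPLE_SA))  # wrong server
```

Pipeline pods that set their own `serviceAccountName` do not inherit the `default` account's `imagePullSecrets`, so run the same check against that account as well.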