A neat way to create a secret in Kubernetes, to store credentials for pulling images from a registry, is to create a secret from your Docker login. The process is pretty simple, so let's start from the beginning.
Generate secrets
The first thing we need to do is to create credentials in your registry. A good practice here is to avoid using credentials that belong to your own registry account: create a separate robot account instead (preferably with limited access, e.g. pull-only), and use that account's credentials in Kubernetes.
Log into Docker
$ docker login --username my-robot-account --password <password>
Modify your config.json
Open your ~/.docker/config.json, and remove the part that says "credsStore": "osxkeychain".
{
"auths": {
"registry.spak.no": {}
},
"credsStore": "osxkeychain",
"experimental": "disabled"
}
(Remember to also remove the trailing comma after the "auths" block).
Log into Docker again
$ docker login <registry url> --username my-robot-account --password <robot-account-pwd>
Now, if you open your config.json again, you will see something like:
{
"auths": {
"registry.spak.no": {
"auth": "km9ib3QtY29yZXNlcnZpY2KvzK2s4cy1kY6RGgFeVZFT0tEZXNPT0JEek1JVnhFdFg22eTYydTU0U3Q="
}
}
}
Create a Kubernetes secret
Using this file, we can now generate a secret in k8s.
$ kubectl create secret generic test.secret --from-file=.dockerconfigjson=./config.json \
--type=kubernetes.io/dockerconfigjson -n <namespace>
Verify your secret
To verify your newly created secret, run:
$ kubectl get secret test.secret -o yaml
Output:
apiVersion: v1
data:
.dockerconfigjson: woJImF1dGhJCSJ...UkYiCgkJfQoJfQp
kind: Secret
metadata:
creationTimestamp: "2023-02-12T11:08:19Z"
name: test.secret
namespace: default
resourceVersion: "18194215"
uid: 1ff99003-3916-4f26-a737-b0287d4f52a2
type: kubernetes.io/dockerconfigjson
Retrieve the dockerconfigjson part:
$ kubectl get secret test.secret --output="jsonpath={.data.\.dockerconfigjson}" | base64 --decode
Output:
{
"auths": {
"https://index.docker.io/v1/": {
"auth": "h3Bhaz...FtJCR"
}
}
}
Now, if you have read the Kubernetes guide on pulling images from a private registry, you probably have noticed that it shows a different output. To see your username:password you have to run:
$ echo h3Bhaz...FtJCR | base64 --decode
This will output your username and password in the following format: username:password.
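The whole round trip above, from the inlined "auth" value in config.json to the kubernetes.io/dockerconfigjson Secret and back, can be exercised offline. The script below is an added example and not part of the original post: it builds the same "auth" value docker login writes (base64 of username:password), wraps a config.json into the manifest that the kubectl create secret command produces, and then verifies it the way the post does by decoding .dockerconfigjson and the "auth" field. It also adds the check a practitioner wants before creating the secret: if config.json still contains "credsStore" or has an empty "auth", docker stored the token in the OS keychain rather than in the file, and the resulting secret would not authenticate any image pull. The registry name, account name and password are constructed placeholders. Note also that passing --password on the docker login command line leaves the password in shell history; docker login supports --password-stdin to avoid that.

```shell
#!/bin/sh
# Added example, not code from the original post. Builds and verifies a
# kubernetes.io/dockerconfigjson Secret manifest without docker or kubectl.
# All registry names, account names and passwords below are constructed.

# base64 without line wrapping (GNU base64 wraps long output by default).
b64() { base64 | tr -d '\n'; }

# The "auth" value docker login writes into config.json: base64(username:password).
make_auth() {
  printf '%s:%s' "$1" "$2" | b64
}

# A config.json with the credentials inlined, i.e. with no "credsStore" entry.
# $1 registry, $2 username, $3 password
make_config_json() {
  printf '{\n  "auths": {\n    "%s": {\n      "auth": "%s"\n    }\n  }\n}\n' \
    "$1" "$(make_auth "$2" "$3")"
}

# The manifest `kubectl create secret generic <name> --from-file=.dockerconfigjson=...
# --type=kubernetes.io/dockerconfigjson` produces: the file content, base64-encoded.
# $1 secret name, $2 namespace, $3 config.json content
make_secret_manifest() {
  printf 'apiVersion: v1\nkind: Secret\nmetadata:\n  name: %s\n  namespace: %s\ntype: kubernetes.io/dockerconfigjson\ndata:\n  .dockerconfigjson: %s\n' \
    "$1" "$2" "$(printf '%s' "$3" | b64)"
}

# Offline stand-in for `kubectl get secret ... -o jsonpath=... | base64 --decode`:
# pull the .dockerconfigjson value out of the manifest and decode it.
secret_to_config() {
  printf '%s\n' "$1" | sed -n 's/^ *\.dockerconfigjson: //p' | base64 -d
}

# The first "auth" value in a config.json (empty string if none).
config_auth_value() {
  printf '%s\n' "$1" | sed -n 's/.*"auth": *"\([^"]*\)".*/\1/p' | head -n 1
}

# Username part of a decoded "auth" value. The password is deliberately not
# printed: verifying which account a secret uses does not require showing it.
auth_username() {
  printf '%s' "$1" | base64 -d | cut -d: -f1
}

# Pre-flight check before `kubectl create secret`: a config.json that still has
# "credsStore" set, or no "auth" value at all, holds no usable credential
# (docker put the token in the keychain instead). Returns 0 when usable.
config_is_usable() {
  case "$1" in
    *credsStore*) return 1 ;;
  esac
  [ -n "$(config_auth_value "$1")" ]
}

# --- constructed demo run ---
REGISTRY="registry.example.invalid"            # placeholder registry
CFG=$(make_config_json "$REGISTRY" "my-robot-account" "example-robot-password")
config_is_usable "$CFG" || { echo "config.json still uses a credential store; fix it first" >&2; exit 1; }
MANIFEST=$(make_secret_manifest "test.secret" "default" "$CFG")
printf '%s\n' "$MANIFEST"
DECODED=$(secret_to_config "$MANIFEST")
echo "secret authenticates as: $(auth_username "$(config_auth_value "$DECODED")")"
```

Run it as-is to see the manifest and the account it authenticates as; to check a real secret with the same helpers, feed the output of kubectl get secret <name> -o yaml to secret_to_config instead of the constructed manifest.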