Skip to content
Latchkey

How to Create imagePullSecrets for a Private Registry From CI

A docker-registry secret gives Kubernetes the credentials pods need to pull private images.

From CI, run kubectl create secret docker-registry (idempotently) and reference it in the pod spec via imagePullSecrets.

Steps

  • Create the secret with kubectl create secret docker-registry.
  • Use --dry-run=client -o yaml | kubectl apply -f - to make it idempotent.
  • Reference it under spec.imagePullSecrets in the workload.

Terminal

Terminal
kubectl create secret docker-registry ghcr-pull \
  --docker-server=ghcr.io \
  --docker-username="$GITHUB_ACTOR" \
  --docker-password="$GITHUB_TOKEN" \
  --dry-run=client -o yaml | kubectl apply -f -

Pod reference

deployment.yaml
spec:
  imagePullSecrets:
    - name: ghcr-pull
  containers:
    - name: app
      image: ghcr.io/acme/app:1.4.2

Related guides

Run this faster and cheaper on Latchkey managed runners. Start free →