mirror of
https://github.com/openshift/openshift-docs.git
synced 2026-02-05 12:46:18 +01:00
83 lines
2.2 KiB
Plaintext
83 lines
2.2 KiB
Plaintext
// Module included in the following assemblies:
|
|
// * openshift_images/using-image-pull-secrets
|
|
// * openshift_images/managing-image-streams.adoc
|
|
|
|
:_mod-docs-content-type: PROCEDURE
|
|
[id="using-pull-secret_{context}"]
|
|
= Using a pull secret in a workload
|
|
|
|
You can use a pull secret to allow workloads to pull images from a private registry with one of the following methods:
|
|
|
|
* By linking the secret to a `ServiceAccount`, which automatically applies the secret to all pods using that service account.
|
|
* By defining `imagePullSecrets` directly in workload configurations, which is useful for environments like GitOps or ArgoCD.
|
|
|
|
.Procedure
|
|
|
|
* You can use a secret for pulling images for pods by adding the secret to your service account. Note that the name of the service account should match the name of the service account that pod uses. The default service account is `default`.
|
|
|
|
** Enter the following command to link the pull secret to a `ServiceAccount`:
|
|
+
|
|
[source,terminal]
|
|
----
|
|
$ oc secrets link default <pull_secret_name> --for=pull
|
|
----
|
|
|
|
** To verify the change, enter the following command:
|
|
+
|
|
[source,terminal]
|
|
----
|
|
$ oc get serviceaccount default -o yaml
|
|
----
|
|
+
|
|
.Example output
|
|
+
|
|
[source,yaml]
|
|
----
|
|
apiVersion: v1
|
|
imagePullSecrets:
|
|
- name: default-dockercfg-123456
|
|
- name: <pull_secret_name>
|
|
kind: ServiceAccount
|
|
metadata:
|
|
annotations:
|
|
openshift.io/internal-registry-pull-secret-ref: <internal_registry_pull_secret>
|
|
creationTimestamp: "2025-03-03T20:07:52Z"
|
|
name: default
|
|
namespace: default
|
|
resourceVersion: "13914"
|
|
uid: 9f62dd88-110d-4879-9e27-1ffe269poe3
|
|
secrets:
|
|
- name: <pull_secret_name>
|
|
----
|
|
|
|
* Instead of linking the secret to a service account, you can alternatively reference it directly in your pod or workload definition. This is useful for GitOps workflows such as ArgoCD. For example:
|
|
+
|
|
.Example pod specification
|
|
+
|
|
[source,yaml]
|
|
----
|
|
apiVersion: v1
|
|
kind: Pod
|
|
metadata:
|
|
name: <secure_pod_name>
|
|
spec:
|
|
containers:
|
|
- name: <container_name>
|
|
image: quay.io/my-private-image
|
|
imagePullSecrets:
|
|
- name: <pull_secret_name>
|
|
----
|
|
+
|
|
.Example ArgoCD workflow
|
|
+
|
|
[source,yaml]
|
|
----
|
|
apiVersion: argoproj.io/v1alpha1
|
|
kind: Workflow
|
|
metadata:
|
|
generateName: <example_workflow>
|
|
spec:
|
|
entrypoint: <main_task>
|
|
imagePullSecrets:
|
|
- name: <pull_secret_name>
|
|
---- |