
So we have a private package registry in GitHub that hosts our Docker images.
Now I want to use those images for deployment into GKE.
Here is a sample of my GitHub Actions workflow so far.

name: Deploy API Deployments

on:
  push:
    branches:
      - master
      - main
    paths:
      - "k8s-cluster/deployments/api/**"

jobs:
  deploy:
    name: Deploy
    runs-on: ubuntu-latest
    environment: development
    permissions:
      packages: write
      contents: read

    steps:
      - name: Checkout
        uses: actions/checkout@v3

      - name: Authenticate Into ghcr.io
        run: echo "${{ secrets.GITHUB_TOKEN }}" | docker login ghcr.io -u $ --password-stdin

      - name: Get GKE Cluster Credentials
        uses: google-github-actions/get-gke-credentials@v0
        with:
          cluster_name: ${{ secrets.GKE_CLUSTER }}
          location: ${{ secrets.GKE_ZONE }}
          credentials: ${{ secrets.GKE_SA_KEY }}

      - name: Deploy
        run: kubectl apply -f ./k8s-cluster/deployments/api/

      - name: Test API Deployment status
        run: |-
          kubectl rollout status deployment/test-api-deploy
          kubectl get services -o wide

The Kubernetes Deployment resource does get deployed, but the pods are not created, as it is not able to pull the image from the GitHub Package Registry.

It just says ErrImagePull.

I tried researching about how to do it but resources are scarce.

Any help is appreciated, Thanks in advance.


Answers


  1. Chosen as BEST ANSWER

    OK, so basically the problem is that we need to create a special type of secret inside the Kubernetes cluster that is going to be used during the image pull process to authenticate to the GitHub Package Registry and get access to the Docker images hosted there.

    Here is the process I did to solve the problem.

    1. Create a GitHub PAT (Personal Access Token). Refer to this link to create one.

    2. Create a secret of type kubernetes.io/dockerconfigjson in the Kubernetes cluster. The command I used is as follows:

    kubectl create secret docker-registry dockerconfigjson-github-com \
      --docker-server=https://ghcr.io \
      --docker-username=<github username> \
      --docker-password=<personal access token key> \
      --namespace=default

    3. Use the secret in the deployment's YAML file.
        spec:
          containers:
            - name: test-api
              image: ghcr.io/<github-project>/test-api:latest
    
          # Here we add the imagePullSecrets config to use a secret during image pull
          # The name of the secret here is the name of that special secret we created earlier
          imagePullSecrets:
            - name: dockerconfigjson-github-com
    

    And that is it; my GitHub Actions workflow above now works and is able to pull images hosted in GitHub Package Registry from GKE.


    Note: In my question I have this in my workflow.

          - name: Authenticate Into ghcr.io
            run: echo "${{ secrets.GITHUB_TOKEN }}" | docker login ghcr.io -u $ --password-stdin
    

    This isn't necessary and does nothing so it is ok to be removed.
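
Added example, not part of the answer above: the same kubernetes.io/dockerconfigjson secret rendered as a manifest and piped to `kubectl apply`, so the PAT does not appear in kubectl's arguments (shell history, process list). The function names and the `GH_USER`/`GH_PAT` variables are hypothetical, and it assumes a PAT limited to the `read:packages` scope.

```shell
#!/bin/sh
# Added example: render the kubernetes.io/dockerconfigjson pull secret for ghcr.io
# as a manifest, without putting the token in kubectl's arguments.

# Single-line base64, as Secret "data" values require.
b64() { base64 | tr -d '\n'; }

# dockerconfigjson USER TOKEN -> the JSON document the kubelet reads at pull time
dockerconfigjson() {
  auth=$(printf '%s:%s' "$1" "$2" | b64)
  printf '{"auths":{"ghcr.io":{"username":"%s","password":"%s","auth":"%s"}}}' \
    "$1" "$2" "$auth"
}

# pull_secret_manifest NAME NAMESPACE USER TOKEN -> Secret YAML on stdout
pull_secret_manifest() {
  name="$1"; ns="$2"; user="$3"; token="$4"
  if [ -z "$user" ] || [ -z "$token" ]; then
    echo "username and token are required" >&2; return 1
  fi
  # Assumption: both values use only these characters, so no JSON escaping
  # is needed. Anything else is rejected rather than emitted malformed.
  case "$user$token" in
    *[!A-Za-z0-9_.-]*) echo "unexpected character in credentials" >&2; return 1 ;;
  esac
  cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: $name
  namespace: $ns
type: kubernetes.io/dockerconfigjson
data:
  .dockerconfigjson: $(dockerconfigjson "$user" "$token" | b64)
EOF
}

# Usage, with the credentials exported beforehand (hypothetical variable names):
#   pull_secret_manifest dockerconfigjson-github-com default "$GH_USER" "$GH_PAT" \
#     | kubectl apply -f -
```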


  2. ImagePullBackOff and ErrImagePull indicate that the image used by a container cannot be loaded from the image registry.

    To understand the root cause and find more details about this error, use the kubectl describe pod podname command. You can see the actual error message under the Events column.

    A few important steps you can check and use to troubleshoot the error:

    If the description says that the pod is stuck in an ImagePullBackOff/ErrImagePull because the image doesn’t exist and cannot be pulled, the error could be either from a typo or because the image was not pushed to the container registry; also check whether you are referring to an image that doesn’t exist.

    Verify that the image's tag is correct. (Try :latest or no tag to pull the latest image). You should also check to be sure that your image tag includes the registry URL when one is required.

    Another common cause of image pull errors occurs when you’re using a private registry. Kubernetes needs to be given credentials it can use to authenticate to the registry. Without them, pulls will be unsuccessful; you’ll see a pull access denied message as a part of the ErrImagePull error. You must provide proper credentials to Kubernetes using the secret to pull the image from the registry.

    There could be a widespread network issue on the nodes of your kubernetes cluster, and the container runtime will not be able to pull the image from the container registry which may cause the error. So, check the network connectivity on all the nodes of the cluster.

    Refer to the link for more information on the troubleshooting process.
