Module Pull From Private Registries (With Auth)

For private registries or repositories, you need to provide credentials. The recommended way is to use a Kubernetes Secret and reference it in your configuration.

Secret Passing

This method requires a Kubernetes Secret holding the registry credentials to be present in the kustomize input stream. The Secret does not have to appear in the final output of kustomize: annotate it with config.kubernetes.io/local-config: "true" so that kustomize uses it only during the build phase and leaves it out of the rendered manifests. It is a standard way to pass sensitive data to KRM functions in kustomize.

You need to select a Kubernetes Secret through the .remoteModule.auth field:

remoteModule:
  ref: ghcr.io/workday/cuestomize/cuemodules/cuestomize-examples-simple:latest
  auth:
    kind: Secret
    name: oci-auth

This tells Cuestomize to use the oci-auth Secret for authenticating to the registry.
The Secret must be in the kustomize input stream passed to the function; otherwise the function cannot find and use it.

💡 You can use Kustomize’s secretGenerator to create a Secret from environment variables:

.env file

username=<username>
password=<password>

kustomization.yaml

secretGenerator:
  - name: oci-auth
    envs:
      - .env
    options:
      disableNameSuffixHash: true
      annotations:
        # ensures this secret is not included in the final output
        config.kubernetes.io/local-config: "true"

This will generate a Secret named oci-auth with your credentials.

Auth Secret Configuration

The following structure types are supported for the auth secret:

| Structure Type | Description |
|---|---|
| Secret | Standard Kubernetes Secret with username and password fields in the data or stringData |

Support may be expanded in the future to include other types, such as Docker config files.

Structure Type – Secret

The Secret structure type expects a standard Kubernetes Secret containing the username and password fields in either the data or stringData sections.

The full list of supported fields is the following:

| Field | Alternative Field | Description |
|---|---|---|
| username | REGISTRY_USERNAME | The registry username |
| password | REGISTRY_PASSWORD | The registry password |
| accessToken | REGISTRY_ACCESS_TOKEN | (Optional) The registry access token |
| refreshToken | REGISTRY_REFRESH_TOKEN | (Optional) The registry refresh token |
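
A pre-build check for the auth Secret described above, added here as an example in Go; it is not Cuestomize's own code. The Secret type, lookup and CheckAuthSecret are hypothetical names, username and password are treated as required because the table marks only the tokens as optional, and the lookup order is an assumption.

```go
package main

import (
	"encoding/base64"
	"fmt"
)

// Secret holds the parts of a Kubernetes Secret this check reads (example type).
type Secret struct {
	Annotations map[string]string
	Data        map[string]string // base64-encoded values
	StringData  map[string]string // plain-text values
}

// lookup tries primary then alt, stringData before data (order assumed here).
func lookup(s Secret, primary, alt string) (string, error) {
	for _, k := range []string{primary, alt} {
		if v, ok := s.StringData[k]; ok {
			return v, nil
		}
		if enc, ok := s.Data[k]; ok {
			raw, err := base64.StdEncoding.DecodeString(enc)
			if err != nil {
				return "", fmt.Errorf("data[%q] is not valid base64: %w", k, err)
			}
			return string(raw), nil
		}
	}
	return "", fmt.Errorf("missing %s (or %s)", primary, alt)
}

// CheckAuthSecret lists the problems found in an auth Secret before a build.
func CheckAuthSecret(s Secret) []error {
	var problems []error
	if s.Annotations["config.kubernetes.io/local-config"] != "true" {
		problems = append(problems, fmt.Errorf("no local-config annotation: Secret is rendered in the output"))
	}
	for _, f := range [][2]string{{"username", "REGISTRY_USERNAME"}, {"password", "REGISTRY_PASSWORD"}} {
		if _, err := lookup(s, f[0], f[1]); err != nil {
			problems = append(problems, err)
		}
	}
	return problems
}

func main() {
	// Constructed sample: annotation missing, plain text placed under data.
	bad := Secret{StringData: map[string]string{"REGISTRY_USERNAME": "ci-bot"}, Data: map[string]string{"password": "hunter2!"}}
	fmt.Println(CheckAuthSecret(bad))
}
```

The constructed sample reports two problems: the missing annotation, and a password written as plain text under data, where values must be base64-encoded.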

Environment Variables (Discouraged)

This method of passing credentials is discouraged and may be removed in future kustomize versions. It is documented here for completeness, and because it may be useful for iterating quickly during development.

TODO: document