Authenticating Job pods to private registry

I’m using Replicated’s private image registry to host images for my application. This works well for all resources that are created at installation time, but I’m running into permission issues when I run a Kubernetes job that needs to retrieve an image from the same repository.

Message: Failed to pull image "": rpc error: code = Unknown desc = failed to pull and unpack image "": 
failed to resolve reference "": 
failed to authorize: failed to fetch anonymous token: unexpected status: 401 Unauthorized

We’re running a Kubernetes Job that kicks off several pods to actually complete the pipeline tasks. The pipeline tasks (pods) are what are currently failing with the error above.

How would I update the pod spec for a Job so it got access to the necessary access credentials? It looks like the installer creates an imagePullSecret during installation time, but I’m not sure how to access that post-installation.

Solved it! The solution that worked for me is based on these instructions – I created a new Secret that contained the registry pull secret (see LocalRegistryImagePullSecret), and then added this as the imagePullSecret to the jobs & pods that were failing before. These instructions were helpful as well.

Thanks to the Replicated team (especially @jdewinne!) for the assistance resolving this offline.


For posterity, adding a few other links that will be useful for folks who stumble across this post:

Defining Additional Images - for when you want to include images in your airgap bundle that cannot be auto-detected from your YAML

kind: Application
  name: my-operator
    - elasticsearch:7.6.0

Referencing Images - for when you want to tell downstream workloads (e.g. those generated by an operator) where to get their images from with something like

repl{{ LocalImageName "elasticsearch:7.6.0" }}