
efavry/gcp-k8s-image-credential-provider

wrapper-based-gcp-k8s-image-credential-provider

Standalone Kubernetes credential helper for GCP Artifact Registry/GCR.

What does it do

If your Kubernetes cluster needs to access a restricted Artifact Registry on GCP, you can use this together with the auth method you usually use for gcloud.

This is essentially a kubelet image credential provider.

How does it work

Internally it just wraps the code from Google that is used with Docker, available here: docker-credential-gcr

How to use

TLDR

Your kubelet needs to have the following arguments:

  • --image-credential-provider-config: the dir where the conf is
  • --image-credential-provider-bin-dir: the dir where the binary from this repo is

And the YAML file in the folder pointed to by --image-credential-provider-config:

apiVersion: kubelet.config.k8s.io/v1
kind: CredentialProviderConfig
providers:
# name must match the file name of the binary in --image-credential-provider-bin-dir
- name: wrapper-based-gcp-k8s-image-credential-provider
  matchImages:
  - "gcr.io"
  - "*.gcr.io"
  - "*.pkg.dev"
  defaultCacheDuration: "12h"
  apiVersion: credentialprovider.kubelet.k8s.io/v1
  env:
  - name: GOOGLE_APPLICATION_CREDENTIALS
    value: /example/path/to/credentials.json

More info
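
The matchImages list in the config above decides which image pulls make the kubelet call the provider and hand back GCP credentials. As an added example (not code from this repository or from the kubelet), the Go program below applies the matching rules documented for kubelet credential providers: each glob covers one domain label, a port in the pattern must match, and a pattern path must be a prefix. The names `matches` and `providerHandles` and all sample image names are constructed for illustration.

```go
package main

import (
	"fmt"
	"net/url"
	"path/filepath"
	"strings"
)

// matches applies the documented matchImages rules to one pattern.
// Both arguments are scheme-less, e.g. "*.gcr.io" and "eu.gcr.io/proj/app:1".
func matches(pattern, image string) bool {
	p, err1 := url.Parse("https://" + pattern)
	i, err2 := url.Parse("https://" + image)
	if err1 != nil || err2 != nil {
		return false
	}
	if p.Port() != "" && p.Port() != i.Port() { // a port in the pattern must match
		return false
	}
	pParts := strings.Split(p.Hostname(), ".")
	iParts := strings.Split(i.Hostname(), ".")
	if len(pParts) != len(iParts) { // "*" covers exactly one domain label
		return false
	}
	for n := range pParts {
		if ok, err := filepath.Match(pParts[n], iParts[n]); err != nil || !ok {
			return false
		}
	}
	return strings.HasPrefix(i.Path, p.Path) // pattern path must be a prefix
}

// providerHandles checks an image against the matchImages list from the config.
func providerHandles(image string) bool {
	for _, p := range []string{"gcr.io", "*.gcr.io", "*.pkg.dev"} {
		if matches(p, image) {
			return true
		}
	}
	return false
}

func main() {
	// Constructed sample image references.
	for _, img := range []string{"eu.gcr.io/my-project/app:1.0", "docker.io/library/nginx"} {
		fmt.Println(img, providerHandles(img))
	}
}
```

Adding a path to a pattern (for example the constructed `gcr.io/my-project`) narrows which pulls the provider is invoked for.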

Example with k3s

  • Presuming you are in a folder containing the yaml and binary.
  • Presuming that the binary is named wrapper-based-gcp-k8s-image-credential-provider

As an elevated user:

  1. Creating the folders
mkdir -p /opt/k8s-image-credential-provider/bin
mkdir -p /opt/k8s-image-credential-provider/etc
  2. Copying the binary
cp wrapper-based-gcp-k8s-image-credential-provider /opt/k8s-image-credential-provider/bin/gcr-provider
  3. Writing the config
echo 'apiVersion: kubelet.config.k8s.io/v1
kind: CredentialProviderConfig
providers:
- name: gcr-provider
  matchImages:
  - "gcr.io"
  - "*.gcr.io"
  - "*.pkg.dev"
  defaultCacheDuration: "12h"
  apiVersion: credentialprovider.kubelet.k8s.io/v1
  env:
  - name: GOOGLE_APPLICATION_CREDENTIALS
    value: /root/.config/gcloud/application_default_credentials.json
' | tee -a /opt/k8s-image-credential-provider/etc/credential_provider_config.yaml
  4. Setting the permissions
# file permissions
chmod -R 444 /opt/k8s-image-credential-provider/
chmod 555 /opt/k8s-image-credential-provider/bin/gcr-provider
# folder permissions
find /opt/k8s-image-credential-provider/ -type d -exec chmod 755 {} \;
  5. Installing k3s
export K3S_TOKEN=EXAMPLE
# the value must be quoted so the whole argument string is assigned to the variable
export INSTALL_K3S_EXEC="server --image-credential-provider-config /opt/k8s-image-credential-provider/etc/credential_provider_config.yaml --image-credential-provider-bin-dir /opt/k8s-image-credential-provider/bin"
curl -sfL https://get.k3s.io | sh -s

Build

The easiest way to build is:

make

See the makefile for more information.

License

This work is licensed under the Apache License 2.0 - see the LICENSE file.