Using CCR with Kubernetes, including Crusoe Managed Kubernetes (CMK)
To pull images from a CCR repository into your Kubernetes cluster, such as a Crusoe Managed Kubernetes (CMK) cluster, you must provide credentials via a Kubernetes Secret. This allows your pods to authenticate with CCR.
Step 1: Create a Registry Token
First, generate a new, long-lived token for your cluster to use.
crusoe registry tokens create --alias prod-cluster-token
- Visit the Crusoe Cloud console
- Select the "Container Registry" tab in the left nav
- Select your repository
- Select "Create Token"
Save the generated token in a secure location; it will not be shown again.
Step 2: Create the Kubernetes Secret
Next, use kubectl to create a docker-registry secret in your cluster. Provide your CCR repository URL, your Crusoe account email as the username, and the token from the previous step as the password.
kubectl create secret docker-registry ccr-credentials \
--docker-server=<your-ccr-repository-url> \
--docker-username=<[email protected]> \
--docker-password='<paste-your-ccr-token-here>' \
--namespace=my-app-namespace
Docker registry passwords often contain special characters (such as $) that are interpreted as variables by your command line shell. Enclose your token in single quotes (') when using the CLI, as shown above, to avoid errors during secret creation and image pulls.
Step 3: Reference the Secret in a Deployment
In your Kubernetes Deployment manifest, reference the secret in the spec.template.spec.imagePullSecrets field. This allows pods created by this deployment to authenticate with CCR.
apiVersion: apps/v1
kind: Deployment
metadata:
name: example-app-on-kubernetes
spec:
template:
spec:
containers:
- image: registry.us-east1-a.ccr.crusoecloudcompute.com/my-app-repo.7dhg29ls/my-app:v1.2
name: app-image
imagePullSecrets:
- name: ccr-credentials
Now, when you apply this deployment, your pods will be able to successfully pull the private image from your CCR repository.