Private images¶
As we learned in the Flyte Fundamentals guide, Flyte uses OCI-compatible containers to package up your code and third-party dependencies. For production use-cases your images may require proprietary code and configuration that you want to keep private.
You can use different private container registries to host your images, such as AWS ECR, Docker Hub, GitLab Container Registry, and GitHub Container Registry.
To pull private images, ensure that you have the command line tools and login information associated with the registry.
Create a secret¶
First create a secret that contains all the credentials needed to log into the registry.
Configure imagePullSecrets¶
Then, you’ll need to specify a imagePullSecrets configuration to pull a
private image using one of two methods below.
You can use the default or new service account for this option:
Add your
imagePullSecretsconfiguration to the service account.Use this service account to log into the private registry and pull the image.
When you create a task/workflow execution this service account should be specified to access the private image.
This option uses a custom pod template
to create a pod. This template is automatically added to every pod that
Flyte creates.
Add your
imagePullSecretsconfiguration to this custom pod template.Update FlytePropeller about the pod created in the previous step.
FlytePropeller adds
imagePullSecrets, along with other customization for the pod, to the PodSpec, which should look similar to this manifest.The pods with their keys can log in and access the images in the private registry. Once you set up the token to authenticate with the private registry, you can pull images from them.