How to deploy an Azure Container Registry Image in Kubernetes


Today we are going to look at another important topic: how to deploy an image from Azure Container Registry to any Kubernetes environment, and how to do the same via Argo CD.

Azure Container Registry

Azure Container Registry allows you to build, store, and manage container images and artifacts in a private registry for all types of container deployments. Use Azure container registries with your existing container development and deployment pipelines. Use Azure Container Registry Tasks to build container images in Azure on-demand, or automate builds triggered by source code updates, updates to a container’s base image, or timers.

Features:

Registry service tiers – Registries are available in three tiers: Basic, Standard, and Premium, each of which supports webhook integration, registry authentication with Azure Active Directory, and delete functionality. Take advantage of local, network-close storage of your container images by creating a registry in the same Azure location as your deployments. Use the geo-replication feature of Premium registries for advanced replication and container image distribution scenarios.

Security and access – You log in to a registry using the Azure CLI or the standard docker login command. Azure Container Registry transfers container images over HTTPS, and supports TLS to secure client connections.

You control access to a container registry using an Azure identity, an Azure Active Directory-backed service principal, or a provided admin account. Use Azure role-based access control (Azure RBAC) to assign users or systems fine-grained permissions to a registry.

Security features of the Premium service tier include content trust for image tag signing, and firewalls and virtual networks (preview) to restrict access to the registry. Microsoft Defender for Cloud optionally integrates with Azure Container Registry to scan images whenever an image is pushed to a registry.

Supported images and artifacts – Grouped in a repository, each image is a read-only snapshot of a Docker-compatible container. Azure container registries can include both Windows and Linux images. You control image names for all your container deployments. In addition to Docker container images, Azure Container Registry stores related content formats such as Helm charts and images built to the Open Container Initiative (OCI) Image Format Specification.

Automated image builds – Use Azure Container Registry Tasks (ACR Tasks) to streamline building, testing, pushing, and deploying images in Azure. Multi-step tasks provide step-based task definition and execution for building, testing, and patching container images in the cloud. Task steps define individual container image build and push operations. They can also define the execution of one or more containers, with each step using the container as its execution environment.


Create a Registry:

This is well documented on the Microsoft portal. For the UI, refer to https://docs.microsoft.com/en-us/azure/container-registry/container-registry-get-started-portal?tabs=azure-cli and for the Azure CLI, refer to https://docs.microsoft.com/en-us/azure/container-registry/container-registry-get-started-azure-cli

Using Terraform:

resource "azurerm_container_registry" "acr" {
  name                = "foxutech"
  resource_group_name = azurerm_resource_group.rg.name
  location            = var.location
  sku                 = "Standard"
  # Enables the registry's admin account; its credentials appear under Access keys
  admin_enabled       = true

  tags = {
    environment = "Staging"
  }
}

Demo

Build or Pull the docker image:

If you have a Dockerfile, you can build an image and use that, or you can pull any public image and push it to Azure Container Registry. Here, let’s pull the nginx image and push it to ACR.

Pull the nginx public image

# docker pull nginx

Check the images and get the image ID

# docker images
REPOSITORY            TAG       IMAGE ID       CREATED         SIZE
nginx                 latest    b692a91e4e15   3 days ago      142MB

Tag the image to your registry

# docker tag b692a91e4e15 foxutech.azurecr.io/nginx:latest

Note: change to your registry name and image name.  

Log in to your registry; you can get the credentials from the Access keys section of the ACR portal.

# docker login foxutech.azurecr.io

Push the image to your registry

# docker push foxutech.azurecr.io/nginx:latest

Verify Docker Image in ACR Repository

  • Go to Services -> Container Registries -> foxutech
  • Go to Repositories -> nginx

If you are using AKS, you can attach the ACR to AKS.

Configure ACR integration for existing AKS clusters

# Set ACR name
export ACR_NAME=foxutech
echo $ACR_NAME

Syntax:

# az aks update -n myAKSCluster -g myResourceGroup --attach-acr <acr-name>

Replace Cluster, Resource Group and ACR Repo Name

# az aks update -n ak8s -g foxutech-rg --attach-acr $ACR_NAME

If you are only testing, you can detach the registry using the following command.

Detach ACR from AKS Cluster (Optional)

#Set ACR NAME
export ACR_NAME=foxutech
echo $ACR_NAME

# Detach ACR from AKS Cluster
az aks update -n ak8s -g foxutech-rg --detach-acr $ACR_NAME

Delete ACR Repository

  • Go To Services -> Container Registries -> acrforaksdemo2 -> Delete it

Once ACR is attached to AKS, the cluster pulls images without any additional authentication. But let’s assume you are running on different premises, such as an in-house cluster, EKS or a custom k8s environment. In that case, we have to create a secret so that the cluster can access the image to deploy. Let’s see how to create it.

Create a secret:

We can create the secret in two ways: using the CLI or using a manifest. Let’s see them one by one. With the CLI, we pass the secret name, Docker server, username and password to the kubectl command as follows to get the secret created; you can also specify the namespace.

CLI:

# kubectl create secret docker-registry acr-secrets \
    --namespace argocd-motoskia \
    --docker-server=foxutech.azurecr.io \
    --docker-username=foxutech \
    --docker-password=8owM7r+c0KGGxymAJ8291poPm0Wzx3BN

Using Manifest:

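If you are using a manifest, you need to encode the data in base64 format, otherwise you may get an error when you try to create the secret. A secret used for image pulls must also be of type kubernetes.io/dockerconfigjson, with the Docker config JSON stored under the .dockerconfigjson key; the kubelet does not use an Opaque secret for pulling images. How to convert to base64?

To encode (the -n keeps echo from adding a trailing newline to the encoded value):

# echo -n TEXT | base64

In case you want to decode:

# echo base64-text | base64 --decode

# cat secret.yaml
kind: Secret
apiVersion: v1
metadata:
  name: acr-secretes
  namespace: default
# The kubelet only uses secrets of this type for image pulls
type: kubernetes.io/dockerconfigjson
data:
  # base64 of {"auths":{"foxutech.azurecr.io":{"username":"...","password":"..."}}}
  .dockerconfigjson: <base64-encoded Docker config JSON>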
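
The manifest route, as an added example (not part of the original post): a shell script that builds the Docker config JSON, base64-encodes it without a trailing newline, and prints a kubernetes.io/dockerconfigjson Secret that imagePullSecrets can use. The function names, the secret name acr-pull and the registry, user and password are assumptions, constructed for illustration.

```shell
#!/bin/sh
# Added example: generate an image pull Secret manifest for a private registry.
# All names and credentials below are constructed sample values.

# base64 on a single line; printf avoids the trailing newline `echo` would encode.
b64() { printf '%s' "$1" | base64 | tr -d '\n'; }

# Escape backslashes and double quotes so a value is safe inside a JSON string.
json_escape() { printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e 's/"/\\"/g'; }

# docker_config_json SERVER USER PASSWORD -> Docker config JSON for one registry.
# The body runs in a subshell so its variables stay local.
docker_config_json() (
  server=$(json_escape "$1")
  user=$(json_escape "$2")
  pass=$(json_escape "$3")
  auth=$(b64 "$2:$3")   # "auth" is base64 of the raw user:password pair
  printf '{"auths":{"%s":{"username":"%s","password":"%s","auth":"%s"}}}' \
    "$server" "$user" "$pass" "$auth"
)

# pull_secret_manifest NAME NAMESPACE SERVER USER PASSWORD -> Secret YAML on stdout
pull_secret_manifest() (
  cfg=$(docker_config_json "$3" "$4" "$5")
  cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: $1
  namespace: $2
type: kubernetes.io/dockerconfigjson
data:
  .dockerconfigjson: $(b64 "$cfg")
EOF
)

# Constructed sample credentials; read real ones from a prompt or a secret store.
pull_secret_manifest acr-pull default example.azurecr.io sampleuser 'S4mple+Pass/Word'
```

Redirect the output to secret.yaml and apply it with kubectl apply -f secret.yaml; the pod's imagePullSecrets entry must use the same secret name and namespace.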

Once the secret is created, you can use the following command to list the secrets.

# kubectl get secrets -n NAMESPACE-NAME

Create pod:

Now let’s create the pod with the secret. Here is the reference pod file for the deployment. In this file we have mentioned the name of the secret we created.

# cat pod.yaml
apiVersion: v1
kind: Pod
metadata:
  name: demoapp
  namespace: default
spec:
  containers:
    - name: nginx
      image: foxutech.azurecr.io/nginx
      imagePullPolicy: IfNotPresent
  imagePullSecrets:
    - name: acr-secretes

Once it is done, you can check the pod status and also describe it.

# kubectl get pods

If you have any namespaces,

# kubectl get pods -n NAMESPACENAME

To describe,

# kubectl describe po POD-NAME

Hope this is useful; in future, we will see more examples. Happy learning.

Follow our Kubernetes Troubleshooting series on: https://foxutech.com/category/kubernetes/k8s-troubleshooting/

