I use a self-hosted instance of GitLab to store my Docker images. As we've recently set up Project Access Tokens, we want to pull images on AKS using individual Secrets for each registry. It means that we have specific credentials for each image in "the same registry".

The problem is that Deployments have a global imagePullSecrets list that refers to multiple Secrets. And those Secrets, which essentially hold different credentials (one per GitLab Container Registry), share the same Docker Registry URL!

Put simply, here is an example Deployment:

spec:
  template:
    spec:
      containers:
        - name: one
          image: 'gitlab.company.com/project-one:1.0.0'
        - name: two
          image: 'gitlab.company.com/project-two:1.2.0'
      imagePullSecrets:
        - name: secret-project-one
        - name: secret-project-two

Secret 1 (secret-project-one):

{
  "auths": {
    "https://gitlab.company.com": {
      "username": "project_111_bot",
      "password": "password-project-one",
      "auth": "Password"
    }
  }
}

And Secret 2 (secret-project-two):

{
  "auths": {
    "https://gitlab.company.com": {
      "username": "project_222_bot",
      "password": "password-project-two",
      "auth": "Password"
    }
  }
}

How is Kubernetes supposed to differentiate which Secret to use? Does it assume you have different URLs and will match the right Secret based on the image name? Or will it just try every Secret until one works?

The documentation doesn't seem to cover this scenario. Any help would be appreciated!

Answers

In the source code I have found that it just tries them all one by one, and returns the first one that succeeds.

I am not going to explain the whole process of how I found this, but here is some explanation/proof:

When the PullImage function is called, it grabs the docker registry credentials and loops over them, trying one by one to get the image, and returns the first one that does not result in an error.
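The try-until-success behaviour described in the answer, as an added Python model (not kubelet code, not from the original post): the two Secrets from the question are parsed into a keyring, credentials whose auths key matches the image's host and path prefix are collected (most specific key first, then in the order the Secrets are listed), and each one is presented to a constructed stand-in for the registry until one is accepted. The registry ACL, the Secret contents and the helper names are all constructed for the example.

```python
import base64
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlparse

# Constructed sample Secrets in the .dockerconfigjson shape shown in the question
# (the kubelet reads the decoded Secret data; here they are plain dicts).
SECRETS: List[Tuple[str, dict]] = [
    ("secret-project-one", {"auths": {"https://gitlab.company.com": {
        "username": "project_111_bot", "password": "password-project-one"}}}),
    ("secret-project-two", {"auths": {"https://gitlab.company.com": {
        "username": "project_222_bot", "password": "password-project-two"}}}),
]

# Constructed stand-in for the registry's authorization: repository -> the one
# bot account allowed to pull it. A real GitLab instance enforces this itself.
REGISTRY_ACL: Dict[str, Tuple[str, str]] = {
    "gitlab.company.com/project-one": ("project_111_bot", "password-project-one"),
    "gitlab.company.com/project-two": ("project_222_bot", "password-project-two"),
}


def normalize_key(key: str) -> Tuple[str, str]:
    """Split an auths key such as 'https://gitlab.company.com/foo' into (host, path)."""
    if "://" not in key:
        key = "https://" + key
    parsed = urlparse(key)
    return parsed.netloc.lower(), parsed.path.strip("/")


def split_image(image: str) -> Tuple[str, str]:
    """Return (host, repository path) for an image reference, dropping any tag or digest."""
    ref = image.split("@", 1)[0]
    host, _, path = ref.partition("/")
    last = path.rsplit("/", 1)[-1]          # a tag is a ':' in the last path component
    if ":" in last:
        path = path[: len(path) - len(last)] + last.split(":", 1)[0]
    return host.lower(), path


def credentials_from_secret(name: str, cfg: dict) -> List[Tuple[str, str, str, str]]:
    """(secret name, auths key, username, password) for each usable auths entry.
    Accepts username/password fields or a base64 'auth' of 'user:pass'."""
    out = []
    for key, entry in cfg.get("auths", {}).items():
        user, pw = entry.get("username"), entry.get("password")
        if (not user or not pw) and entry.get("auth"):
            try:
                user, pw = base64.b64decode(entry["auth"]).decode().split(":", 1)
            except (ValueError, UnicodeDecodeError):
                continue                    # malformed entry: skip it, keep the rest
        if user and pw:
            out.append((name, key, user, pw))
    return out


def lookup(secrets: List[Tuple[str, dict]], image: str) -> List[Tuple[str, str, str]]:
    """Credentials whose key matches the image host and is a path prefix of its repo."""
    host, path = split_image(image)
    matches = []
    for name, cfg in secrets:
        for sname, key, user, pw in credentials_from_secret(name, cfg):
            khost, kpath = normalize_key(key)
            if khost == host and (kpath == "" or path == kpath or path.startswith(kpath + "/")):
                matches.append((len(kpath), sname, user, pw))
    matches.sort(key=lambda m: -m[0])       # longest (most specific) key first; stable sort
    return [(s, u, p) for _, s, u, p in matches]


def registry_login(image: str, user: str, pw: str) -> bool:
    """Stand-in for the registry accepting or rejecting a pull with these credentials."""
    host, path = split_image(image)
    return REGISTRY_ACL.get(f"{host}/{path}") == (user, pw)


def pull_image(image: str, secrets: List[Tuple[str, dict]]) -> Tuple[Optional[str], List[str]]:
    """Try every matching credential in turn; return the Secret that worked plus the attempt log."""
    attempts: List[str] = []
    for sname, user, pw in lookup(secrets, image):
        if registry_login(image, user, pw):
            attempts.append(f"{sname} ({user}): ok")
            return sname, attempts
        attempts.append(f"{sname} ({user}): unauthorized")
    return None, attempts


if __name__ == "__main__":
    for img in ("gitlab.company.com/project-one:1.0.0",
                "gitlab.company.com/project-two:1.2.0",
                "gitlab.company.com/project-three:0.1.0"):
        used, log = pull_image(img, SECRETS)
        print(img, "->", used, log)
```

Running it shows the cost of listing several Secrets with the same host-only key: pulling project-two first presents project_111_bot's credentials and is refused, so every such pull leaves a failed login for the other project's bot in the registry's logs (worth knowing when reviewing GitLab audit events or authentication-failure alerts). Scoping each Secret's auths key to the repository path instead of the bare host makes lookup() return only the intended credential for each image and removes those spurious failures.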
