Container/OCI Registry

While container registries are typically used for storing images built by the CI Pipeline, an OCI registry can store container images as well as other artifacts such as helm charts. In other words, all container registries are OCI registries, but not all OCI registries are container registries.

You can configure a container registry using any registry provider of your choice. It allows you to build, deploy, and manage your container images or charts with easy-to-use UI.

Add Container Registry

  1. From the left sidebar, go to Global Configurations → Container/OCI Registry.

  2. Click Add Registry.

  3. Choose a provider from the Registry provider dropdown. View the Supported Registry Providers.

  4. Choose the Registry type:

    • Private Registry: Choose this if your images or artifacts are hosted or should be hosted on a private registry restricted to authenticated users of that registry. Selecting this option requires you to enter your registry credentials (username and password/token).

    • Public Registry: Unlike private registry, this doesn't require your registry credentials. Only the registry URL and repository name(s) would suffice.

  5. Assuming your registry type is private, here are a few of the common fields you can expect:

  6. Click Save.

Supported Registry Providers

ECR

Amazon ECR is an AWS-managed container image registry service. ECR grants resource-based permissions on private repositories through AWS Identity and Access Management (IAM). ECR supports both key-based and role-based authentication.

Before you begin, create an IAM user and attach the ECR policy according to the authentication type.

Provide the following additional information apart from the common fields:

Docker

Provide the following additional information apart from the common fields:

Azure

For Azure, the service principal authentication method can be used to authenticate with username and password. Visit this link to get the username and password for this registry.

Provide the following additional information apart from the common fields:

Artifact Registry (GCP)

The JSON key file authentication method can be used to authenticate with a username and a service account JSON file. Visit this link to get the username and service account JSON file for this registry.

Remove all white space from the JSON key and wrap it in single quotes before pasting it into the Service Account JSON File field.

Provide the following additional information apart from the common fields:

Google Container Registry (GCR)

The JSON key file authentication method can be used to authenticate with a username and a service account JSON file. Visit this link to get the username and service account JSON file for this registry.

Remove all white space from the JSON key and wrap it in single quotes before pasting it into the Service Account JSON File field.

Quay

Provide the following additional information apart from the common fields:

Other

Provide the following information if you select Other as the registry provider.

You can use any registry that can be authenticated with docker login -u <username> -p <password> <registry-url>. However, such registries may offer a more secure authentication method, which we will support later.

Registry Credential Access

You can create a Pod that uses a Secret to pull an image from a private container registry. You can use any private container registry of your choice, e.g., Docker Hub.

Super-admin users can decide if they want to auto-inject registry credentials or use a secret to pull an image for deployment to environments on specific clusters.

  1. To manage the access of registry credentials, click Manage.

  2. Choose one of the two options for defining credentials:

Use Registry Credentials

If you select Use Registry Credentials, the clusters will be auto-injected with the registry credentials of your registry type. For example, if you select Docker as the Registry Type, the clusters will be auto-injected with the username and password/token you use for your Docker Hub account.

Click Save.

Specify Image Pull Secret

You can create a Secret by providing credentials on the command line.

Create this Secret and name it regcred (let's say):

kubectl create -n <namespace> secret docker-registry regcred --docker-server=<your-registry-server> --docker-username=<your-name> --docker-password=<your-pword> --docker-email=<your-email>

where,

  • namespace is your sub-cluster, e.g., devtron-demo

  • your-registry-server is your Private Docker Registry FQDN. Use https://index.docker.io/v1/ for Docker Hub.

  • your-name is your Docker username

  • your-pword is your Docker password

  • your-email is your Docker email

You have successfully set your Docker credentials in the cluster as a Secret called regcred.

Typing secrets on the command line may store them in your shell history unprotected, and those secrets might also be visible to other users on your PC during the time when kubectl is running.

Enter the Secret name in the field and click Save.
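The following is an added example, not part of the Devtron documentation or the kubectl tool: a small POSIX shell helper that builds the same kubernetes.io/dockerconfigjson Secret manifest that the kubectl command above produces, but reads the password from a file instead of a command-line argument, so it does not land in shell history or in the process list visible to other users. The function name, the argument order and the sample values are assumptions made for this example.

```shell
#!/bin/sh
# Hypothetical helper (not Devtron code): emit a regcred Secret manifest.
# Usage: make_regcred_manifest NAMESPACE SERVER USERNAME EMAIL PASSWORD_FILE
# Assumes username, password, email and server contain no '"' or '\'.
make_regcred_manifest() {
  ns="$1"; server="$2"; user="$3"; email="$4"; pwfile="$5"
  # Read the password from a file (keep it mode 0600) rather than an argument,
  # so it never appears in shell history or in `ps` output for other users.
  pw=$(cat "$pwfile")
  # "auth" is base64(user:password), exactly what `docker login` stores.
  auth=$(printf '%s:%s' "$user" "$pw" | base64 | tr -d '\n')
  cfg=$(printf '{"auths":{"%s":{"username":"%s","password":"%s","email":"%s","auth":"%s"}}}' \
        "$server" "$user" "$pw" "$email" "$auth")
  # base64 is an encoding, not encryption: the manifest is as sensitive as the
  # password itself, so pipe it straight into `kubectl apply -f -`, do not save it.
  cfg_b64=$(printf '%s' "$cfg" | base64 | tr -d '\n')
  cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: regcred
  namespace: $ns
type: kubernetes.io/dockerconfigjson
data:
  .dockerconfigjson: $cfg_b64
EOF
}

# Decode the .dockerconfigjson field of a manifest read on stdin, so the
# stored server/username/auth can be checked before the Secret is applied.
decode_dockerconfig() {
  sed -n 's/^  \.dockerconfigjson: //p' | base64 -d
}
```

Run it as `make_regcred_manifest devtron-demo https://index.docker.io/v1/ <your-name> <your-email> ~/.dockerhub-pw | kubectl apply -f -`, with the password stored in the file on its own line.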
