Connecting to an External Registry
This topic describes how to add credentials for an external private registry. Adding an external registry allows you to grant proxy access to private images using the Replicated proxy service. For more information about how to enable the proxy service, see About Proxying Images with Replicated.
Replicated recommends that application vendors use one the following external private registries:
- Amazon Elastic Container Registry (ECR)
- GitHub Container Registry
- Google Artifact Registry
- Google Container Registry
These registries have been tested for compatibility with KOTS.
You can also configure access to most other external registries if the registry conforms to the Open Container Initiative (OCI) standard.
Add Credentials for an External Registry
All applications in your team have access to the external registry that you add. This means that you can use the images in the external registry across multiple apps in the same team.
Using the Vendor Portal
To add an external registry using the vendor portal:
Log in to the vendor portal and go to the Images page.
Click Add External Registry.
In the Provider drop-down, select your registry provider.
Complete the fields in the dialog, depending on the provider that you chose:note
Replicated stores your credentials encrypted and securely. Your credentials and the encryption key do not leave Replicated servers.
Field Instructions Endpoint Enter the host name for the registry. Access Key ID Enter the Access Key ID for a Service Account User that has pull access to the registry. See Setting up the Service Account User. Secret Access Key Enter the Secret Access Key for the Service Account User.
Field Instructions Endpoint Enter the host name for the registry, such as index.docker.io. Auth Type Select the authentication type for a DockerHub account that has pull access to the registry. Username Enter the host name for the account. Password or Token Enter the password or token for the account, depending on the authentication type you selected.
GitHub Container Registry
Field Instructions Endpoint Enter the host name for the registry. Username Enter the username for an account that has pull access to the registry. GitHub Token Enter the token for the account.
Google Container Registry
Field Instructions Endpoint Enter the host name for the registry, such as gcr.io. Service Account JSON Key
Enter the JSON Key for a Service Account in Google Cloud Platform that is assigned the Storage Object Viewer role.
For more information about creating a Service Account, see Access Control with IAM in the Google Cloud documentation.
Field Instructions Endpoint Enter the host name for the registry, such as quay.io. Username and Password Enter the username and password for an account that has pull access to the registry.
Field Instructions Endpoint Enter the host name for the registry, such as example.registry.com. Username and Password Enter the username and password for an account that has pull access to the registry.
For Image name & tag, enter the image name and image tag and click Test to confirm that the vendor portal can access the image. For example,
Click Link registry.
Using the CLI
To configure access to private images in an external registry using the replicated CLI:
Install and configure the replicated CLI. See Installing the replicated CLI.
registry addcommand for your external private registry. For more information about the
registry addcommand, see registry add in replicated CLI.
For example, to add a DockerHub registry:
replicated registry add dockerhub --username USERNAME \
USERNAMEis the username for DockerHub credentials with access to the registry.
PASSWORDis the password for DockerHub credentials with access to the registry.note
To prevent the password from being saved in your shell history, Replicated recommends that you use the
--password-stdinflag and entering the password when prompted.
Test External Registry Credentials
Replicated recommends that you test external registry credentials to ensure that the saved credentials on Replicated servers can pull the specified image.
To validate that the configured registry can pull specific images:
replicated registry test HOSTNAME \
HOSTNAMEis the name of the host, such as
IMAGE_NAMEis the name of the target image in the registry.
replicated registry test index.docker.io --image my-company/my-image:v1.2.3