
Container (OCI) Registry

Registry is a service for storing private container images and Helm charts.

Availability

Registry is available as an optional service for NKE. It can be deployed using Cockpit and be used from any number of NKE clusters.

Pushing Container Images

To push container images, you will need to log in with the URL, username and password provided in Cockpit.

$ docker login <url>
Username: <username>
Password: <password>
Login Succeeded

Afterwards, images can be tagged with docker tag and pushed with docker push:

$ docker tag <image id> <url>/<image name>:<image version>
$ docker push <url>/<image name>:<image version>
The push refers to repository [<url>]
...

Pushing Helm charts

Note: To push Helm charts to the registry, Helm v3.8.0 or newer is required. Prior to v3.8.0, OCI support was considered experimental and had to be explicitly enabled by setting the environment variable HELM_EXPERIMENTAL_OCI=1. You can read more about this here.

To upload a Helm chart to the registry, you will need to log in with the URL, username and password provided in Cockpit.

$ helm registry login -u <user> <url>
Password:
Login Succeeded

After successful authentication, a chart can be pushed through the helm push command:

$ helm push <chart.tgz> oci://<url>
Pushed: ...
Digest: ...

The URL needs to be prefixed with oci:// instead of https:// in order to work correctly.

Note: The push command can only be used against .tgz files created ahead of time using helm package.

For more information about using Helm with the registry, please see the official Helm documentation.

Pulling Container Images in your Kubernetes Cluster

In order to use your private registry in your Kubernetes cluster, a container image pull secret has to be created and referenced in your deployment manifests.

To create the secret, you can fetch the .dockerconfigjson from Cockpit and use kubectl to create it in your cluster:

$ kubectl create secret docker-registry <secret name> \
    --from-file=.dockerconfigjson=<path to .dockerconfigjson>

This secret can then be referenced in the Pod's imagePullSecrets list. See the official Kubernetes documentation for more information on using private registries.
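
An added example, not part of the original documentation: a Python script that checks a .dockerconfigjson before it is loaded into the cluster and builds the equivalent Secret together with a Pod that references it through imagePullSecrets. It assumes the file keeps credentials in the `auth` field keyed by the bare registry host; `registry.example.com`, the secret and Pod names and the sample credentials are constructed placeholders.

```python
import base64
import json

REGISTRY = "registry.example.com"  # constructed placeholder for the Cockpit URL
# Constructed sample .dockerconfigjson; the real file is fetched from Cockpit.
SAMPLE = json.dumps({"auths": {REGISTRY: {
    "auth": base64.b64encode(b"pull-user:example-password").decode()}}})


def check_dockerconfig(raw, registry):
    """Return problems that would make the pull secret fail or over-share."""
    try:
        doc = json.loads(raw)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc}"]
    auths = doc.get("auths") if isinstance(doc, dict) else None
    if not isinstance(auths, dict):
        return ["no 'auths' object (credential-helper configs hold no inline credentials)"]
    problems = []
    entry = auths.get(registry)
    if not isinstance(entry, dict):
        problems.append(f"no credentials for {registry}")
    else:
        try:
            decoded = base64.b64decode(str(entry.get("auth", "")), validate=True).decode()
        except ValueError:  # covers invalid base64 and invalid UTF-8
            decoded = ""
        user, _, password = decoded.partition(":")
        if not (user and password):
            problems.append(f"'auth' for {registry} is not base64 of user:password")
    extra = sorted(set(auths) - {registry})
    if extra:  # least privilege: ship only the credential the cluster needs
        problems.append("also ships credentials for: " + ", ".join(extra))
    return problems


def manifests(raw, secret_name, namespace, image):
    """Build the Secret and a Pod referencing it as one kubectl-loadable List."""
    secret = {"apiVersion": "v1", "kind": "Secret",
              "type": "kubernetes.io/dockerconfigjson",
              "metadata": {"name": secret_name, "namespace": namespace},
              "data": {".dockerconfigjson": base64.b64encode(raw.encode()).decode()}}
    pod = {"apiVersion": "v1", "kind": "Pod",
           "metadata": {"name": "registry-pull-test", "namespace": namespace},
           "spec": {"containers": [{"name": "app", "image": image}],
                    "imagePullSecrets": [{"name": secret_name}]}}
    return {"apiVersion": "v1", "kind": "List", "items": [secret, pod]}


if __name__ == "__main__":
    assert not check_dockerconfig(SAMPLE, REGISTRY)
    print(json.dumps(manifests(SAMPLE, "registry-pull", "default", f"{REGISTRY}/app:1.0"), indent=2))
```

The printed List can be piped to kubectl apply -f - to create both objects. The Secret has to live in the same namespace as the Pod that references it, which is why both manifests take the same namespace argument.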