kubero-dev · nr-b · Dec 28, 2025 · Dec 28, 2025 · Dec 28, 2025
diff --git a/helm-charts/kubero/templates/registry.yaml b/helm-charts/kubero/templates/registry.yaml
@@ -9,20 +9,8 @@ type: Opaque
 data:
   auth: {{ $basicAuth | b64enc }}
 ---
-{{- $dockerAuth := (printf "%s:%s" .Values.registry.account.username .Values.registry.account.password) | b64enc -}}
-{{- $dockerconfigjson := printf "{\"auths\":{\"%s\":{\"username\":\"%s\",\"password\":\"%s\",\"auth\":\"%s\"}}}" .Values.registry.host .Values.registry.account.username .Values.registry.account.password $dockerAuth -}}
-# copied to pipeline namespace for kpack, nixpack, dockerfile and to pull images
-apiVersion: v1
-kind: Secret
-metadata:
-  name: registry-login
-type: Opaque
-data:
-  username: {{ .Values.registry.account.username | b64enc }}
-  password: {{ .Values.registry.account.password | b64enc }}
-  .dockerconfigjson: {{ $dockerconfigjson | b64enc }}
----
 {{- if .Values.registry.create -}}
+{{- $kuberoUiHost := (index .Values.ingress.hosts 0) }}
 apiVersion: v1
 kind: PersistentVolumeClaim
 metadata:
@@ -53,20 +41,40 @@ spec:
     spec:
       containers:
       - name: registry
-        image: registry:2
+        image: registry:3
         ports:
         - containerPort: 5000
         env:
         - name: REGISTRY_HTTP_ADDR
           value: 0.0.0.0:5000
+        - name: REGISTRY_AUTH
+          value: token
+        - name: REGISTRY_AUTH_TOKEN_REALM
+          value: http{{ if .Values.ingress.tls }}s{{ end }}://{{ $kuberoUiHost.host }}{{ $kuberoUiHost.path }}/api/registry/token
+        - name: REGISTRY_AUTH_TOKEN_SERVICE
+          value: {{ .Values.registry.host }}
+        - name: REGISTRY_AUTH_TOKEN_ISSUER
+          value: todo.kubero.dev # TODO
+        - name: REGISTRY_AUTH_TOKEN_JWKS
+          value: /auth/jwk
+        - name: OTEL_TRACES_EXPORTER
+          value: "none"
         volumeMounts:
         - name: registry-data
           mountPath: /var/lib/registry
           subPath: registry
+        - name: jwt-pubkey
+          mountPath: /auth
+          readOnly: true
       volumes:
       - name: registry-data
         persistentVolumeClaim:
           claimName: kubero-registry-data-pvc
+      - name: jwt-pubkey
+        secret:
+          defaultMode: 0o640
+          # created by UI on startup
+          secretName: registry-jwt-pubkey
 ---
 apiVersion: v1
 kind: Service
@@ -95,9 +103,6 @@ metadata:
     nginx.ingress.kubernetes.io/ssl-redirect: "false"
     cert-manager.io/cluster-issuer: letsencrypt-prod
     kubernetes.io/tls-acme: "true"
-    nginx.ingress.kubernetes.io/auth-type: basic
-    nginx.ingress.kubernetes.io/auth-secret: registry-basic-auth
-    nginx.ingress.kubernetes.io/auth-realm: 'Kubero Registry'
     nginx.ingress.kubernetes.io/proxy-body-size: '0'
     {{- with .Values.ingress.annotations }}
     {{- toYaml . | nindent 4}}

diff --git a/helm-charts/kuberopipeline/secrets-pull-secret.yaml b/helm-charts/kuberopipeline/secrets-pull-secret.yaml
diff --git a/helm-charts/kuberopipeline/templates/secret-pull-secret-copy.yaml b/helm-charts/kuberopipeline/templates/secret-pull-secret-copy.yaml
diff --git a/helm-charts/kuberopipeline/templates/secret-pull-secret-create.yaml b/helm-charts/kuberopipeline/templates/secret-pull-secret-create.yaml