Merged
4 changes: 3 additions & 1 deletion docs/partials/proxy-service/_step-creds.mdx
@@ -1 +1,3 @@
Provide read-only credentials for the external private registry in your Replicated account. This allows Replicated to access the images through the proxy registry. See [Add Credentials for an External Registry](packaging-private-images#add-credentials-for-an-external-registry) in _Connecting to an External Registry_.
In the Vendor Portal, go to **Images > Add external registry** and provide read-only credentials for your registry. This allows Replicated to access the images through the proxy registry. See [Add Credentials for an External Registry](packaging-private-images#add-credentials-for-an-external-registry) in _Connecting to an External Registry_.

<img alt="Link a new registry in the Vendor Portal" src="../images/add-external-registry.png" width="500"/>
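Review bot: The rewritten first line asks for "read-only credentials for your registry" but says nothing about scope. Since this is the step where registry credentials are handed to the proxy service, consider adding that the credentials should be limited to the repositories the application actually pulls from. The alt text on the added `<img>` line ("Link a new registry in the Vendor Portal") also does not match the menu label used in the step text (**Images > Add external registry**); aligning the two keeps the terminology consistent.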
2 changes: 1 addition & 1 deletion docs/partials/proxy-service/_step-custom-domain.mdx
@@ -1 +1 @@
(Optional) Add a custom domain for the proxy registry instead of `proxy.replicated.com`. See [Using Custom Domains](custom-domains-using).
(Recommended) Go to **Custom Domains > Add custom domain** and add a custom domain for the proxy registry. See [Using Custom Domains](custom-domains-using).
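Review bot: The rewritten line changes the label from (Optional) to (Recommended) but gives no reason for the recommendation and drops the mention of `proxy.replicated.com` as the default. Suggest keeping the default visible, for example "add a custom domain for the proxy registry instead of the default `proxy.replicated.com`", and adding one short clause on why the custom domain is preferred, so readers who skip the step still know which domain later steps refer to.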
140 changes: 69 additions & 71 deletions docs/vendor/helm-image-registry.mdx
Expand Up @@ -7,56 +7,52 @@ This topic describes how to use the Replicated proxy registry to proxy images fo

## Overview

With the Replicated proxy registry, each customer's unique license can grant proxy access to images in an external private registry. To enable the proxy registry for Helm installations, you must create a Secret with `type: kubernetes.io/dockerconfigjson` to authenticate with the proxy registry.
With the Replicated proxy registry, each customer's unique license can grant proxy access to images in an external private registry.

During Helm installations, after customers provide their license ID, a `global.replicated.dockerconfigjson` field that contains a base64 encoded Docker configuration file is automatically injected in the Helm chart values. You can use this `global.replicated.dockerconfigjson` field to create the required pull secret.
During Helm installations, after customers provide their license ID, a `global.replicated.dockerconfigjson` field that contains a base64 encoded Docker configuration file is automatically injected in the Helm chart values. You can use this `global.replicated.dockerconfigjson` field to create the pull secret required to authenticate with the proxy registry.

For information about how Kubernetes uses the `kubernetes.io/dockerconfigjson` Secret type to authenticate to a private image registry, see [Pull an Image from a Private Registry](https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/) in the Kubernetes documentation.
Contributor Author

^ moved some of this preamble down to the relevant step(s)

## Pull Private Images Through the Proxy Registry in Helm Installations

## Enable the Proxy Registry

This section describes how to enable the proxy registry for applications deployed with Helm, including how to use the `global.replicated.dockerconfigjson` field that is injected during application deployment to create the required pull secret.

To enable the proxy registry:
To use the Replicated proxy registry for applications installed with Helm:

1. <StepCreds/>

1. <StepCustomDomain/>

1. In your Helm chart templates, create a Kubernetes Secret to evaluate if the `global.replicated.dockerconfigjson` value is set, and then write the rendered value into a Secret on the cluster:
1. In your Helm chart values file, set your image repository URL to the location of the image on the proxy registry. If you added a custom domain, use your custom domain. Otherwise, use `proxy.replicated.com`.
Contributor Author

^ tell them to update their Helm values rather than having the user pass a values.yaml file to set the registry during install


```yaml
# /templates/replicated-pull-secret.yaml
The proxy registry URL has the following format: `DOMAIN/proxy/APP_SLUG/EXTERNAL_REGISTRY_IMAGE_URL`

Where:
* `DOMAIN` is either `proxy.replicated.com` or your custom domain.
* `APP_SLUG` is the unique slug of your application.
* `EXTERNAL_REGISTRY_IMAGE_URL` is the path to the private image on your external registry.

{{ if .Values.global.replicated.dockerconfigjson }}
apiVersion: v1
kind: Secret
metadata:
name: replicated-pull-secret
type: kubernetes.io/dockerconfigjson
data:
.dockerconfigjson: {{ .Values.global.replicated.dockerconfigjson }}
{{ end }}
```
**Example with custom domain:**

:::note
If you use the Replicated SDK, do not use `replicated` for the name of the image pull secret because the SDK automatically creates a Secret named `replicated`. Using the same name causes an error.
:::
```yaml
# values.yaml
images:
your-app:
apiImageRepository: images.yourcompany.com/proxy/your-app-slug/ghcr.io/org-name/api
Member

I'd probably match the style of the example below with the same reg, repo, tag fields. that's more standard anyway.

apiImageTag: v1.0.1
```

**Example with proxy.replicated.com:**

1. Ensure that you have a field in your Helm chart values file for your image repository URL, and that any references to the image in your Helm chart access the field from your values file.
```yaml
# values.yaml
images:
your-app:
registry: proxy.replicated.com
repository: proxy/your-app-slug/ghcr.io/cloudnative-pg/cloudnative-pg
tag: catalog-1.24.0
```
Contributor Author

^ is it generally preferable to have separate registry and repository values over just repository (with the full url)? if so I can update the first example to split registry and repository

Member

yeah, that's more standard


1. Ensure that any references to the image in your Helm chart access the field from your values file.

**Example**:

```yaml
# values.yaml
...
dockerconfigjson: '{{ .Values.global.replicated.dockerconfigjson }}'
images:
myapp:
# Add image URL in the values file
apiImageRepository: quay.io/my-org/api
apiImageTag: v1.0.1
```
```yaml
# /templates/deployment.yaml

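Review bot: The new values-file step makes the proxy registry URL the chart's default image location, but it does not say that pulls from that URL only authenticate when `global.replicated.dockerconfigjson` has been injected, which the Overview ties to the customer providing a license ID. The pull secret template in this file is wrapped in `{{ if .Values.global.replicated.dockerconfigjson }}`, so an install without that value would reference the proxy with no pull secret at all; a sentence in this step stating that dependency would prevent confusing image pull failures. The two values examples also use different key shapes (`apiImageRepository`/`apiImageTag` versus `registry`/`repository`/`tag`), as already raised in the thread.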
Expand All @@ -69,65 +65,67 @@ To enable the proxy registry:
spec:
containers:
- name: api
# Access the apiImageRepository field from the values file
image: {{ .Values.images.myapp.apiImageRepository }}:{{ .Values.images.myapp.apiImageTag }}
# Access the repository and tag fields from the values file
image: {{ .Values.images.your-app.apiImageRepository }}:{{ .Values.images.your-app.apiImageTag }}
```
**Example**:

1. In your Helm chart templates, add the image pull secret that you created to any manifests that reference the private image:
```yaml
apiVersion: v1
kind: Pod
spec:
containers:
- name:
# Access the registry, repository, and tag fields from the values file
image: {{ .Values.images.your-app.registry }}/{{ .Values.images.your-app.repository }}:{{ .Values.images.your-app.tag }}
```

1. In your Helm chart templates, create a Kubernetes Secret to evaluate if the `global.replicated.dockerconfigjson` value is set and then write the rendered value into a Secret on the cluster, as shown below.

This Secret is used to authenticate with the proxy registry. For information about how Kubernetes uses the `kubernetes.io/dockerconfigjson` Secret type to provide authentication for a private registry, see [Pull an Image from a Private Registry](https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/) in the Kubernetes documentation.

:::note
Do not use `replicated` for the name of the image pull secret because the Replicated SDK automatically creates a Secret named `replicated`. Using the same name causes an error.
:::

```yaml
# /templates/example.yaml
...
# /templates/replicated-pull-secret.yaml

{{ if .Values.global.replicated.dockerconfigjson }}
imagePullSecrets:
- name: replicated-pull-secret
apiVersion: v1
kind: Secret
metadata:
# Note: Do not use "replicated" for the name of the pull secret
name: replicated-pull-secret
type: kubernetes.io/dockerconfigjson
data:
.dockerconfigjson: {{ .Values.global.replicated.dockerconfigjson }}
{{ end }}
```


1. Add the image pull secret that you created to any manifests that reference the image:

**Example:**

```yaml
# /templates/deployment.yaml
...
image: "{{ .Values.images.myapp.apiImageRepository }}:{{ .Values.images.myapp.apiImageTag }}"

image: "{{ .Values.images.your-app.apiImageRepository }}:{{ .Values.images.your-app.apiImageTag }}"
# Add the pull secret
{{ if .Values.global.replicated.dockerconfigjson }}
imagePullSecrets:
- name: replicated-pull-secret
{{ end }}
name: myapp
name: your-app
ports:
- containerPort: 3000
name: http
```

1. Package your Helm chart and add it to a release. Promote the release to a development channel. See [Managing Releases with Vendor Portal](releases-creating-releases).

1. Install the chart in a development environment to test your changes:

1. Create a local `values.yaml` file to override the default external registry image URL with the URL for the image on `proxy.replicated.com`.

The proxy registry URL has the following format: `proxy.replicated.com/proxy/APP_SLUG/EXTERNAL_REGISTRY_IMAGE_URL`

Where:
* `APP_SLUG` is the slug of your Replicated application.
* `EXTERNAL_REGISTRY_IMAGE_URL` is the path to the private image on your external registry.

**Example**
```yaml
# A local values.yaml file
...
images:
myapp:
apiImageRepository: proxy.replicated.com/proxy/my-app/quay.io/my-org/api
apiImageTag: v1.0.1

```

:::note
If you configured a custom domain for the proxy registry, use the custom domain instead of `proxy.replicated.com`. For more information, see [Using Custom Domains](custom-domains-using).
:::

1. Log in to the Replicated registry and install the chart, passing the local `values.yaml` file you created with the `--values` flag. See [Installing with Helm](install-with-helm).
1. Install in a development environment to test your changes. See [Installing with Helm](/vendor/install-with-helm).
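Review bot: The template lines that read `.Values.images.your-app.apiImageRepository` and `.Values.images.your-app.registry` will not parse, because Go templates do not accept a hyphen inside a dotted field chain. Either rename the values key to something like `yourApp` or access it with `index .Values.images "your-app"`. In the same hunk, the two deployment.yaml examples still use `apiImageRepository`/`apiImageTag` while the Pod example uses `registry`/`repository`/`tag`, and the Pod example's container `name:` is left empty; the examples should agree with the values file shown in the earlier step.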