Skip to main content

Registry and Images

In order to deploy an application, all images referenced in the application specification need to be available in the Control Tower registry. You can either push images directly to the Control Tower registry, or add remote registries which can be automatically pulled from.

Default registry

If no registry URL is specified in the application specification, you can configure a default remote registry

supctl topdc create image-registry settings <<EOF
default-remote-registry: registry-1.docker.io
EOF

Add remote registry credentials

If your registry requires credentials, you need to register the remote registry and reference a strongbox vault and secret where credentials are stored.

Credentials are stored as encrypted secrets in the Strongbox key-value store. To add credentials related to a remote registry you need to add them to a path vault/<vault-name>/secrets/<secret-name>.

The following adds a new remote registry key-value map named example-registry for credentials, and adds a user bob with a password.

Configure credentials

In the UI:

  1. Create a vault names registry-credentials
  2. Create a secret called example-registry.
  3. Add username and password or if you have an access token: token.

Configure remote registry

The following adds a new remote registry with address registry.example.com listenting on the non-standard port 6000, and references the example-registry secret for credentials.

Select Remote Registries in the sidebar, click Connect new registry. Paste the following into the form and click Submit.

address: registry.example.com:6000
credentials:
  - repository: '*'
    vault: registry-credentials
    secret: example-registry

Refer to a remote registry in an application specification

Application specifications refer to container images using a string notation in the image: field. If the first part (before the first /) matches the name of a configured remote registry, the rest of the field will be treated as a path appended to the address of the remote registry when pulling containers.

The following application specification and remote registry configuration will result in attempted container image pulls from registry.gitlab.com/avassa-public/movie-theaters-demo/ticket-blipper.

name: ticket-manager
services:
  - name: ticket-manager-service
    containers:
      - name: ticket-blipper
        image: "registry.gitlab.com/avassa-public/movie-theaters-demo/ticket-blipper"
    mode: replicated
    replicas: 1

Push images to the Control Tower registry

Images can be pushed to the Control Tower registry and made available for reference in application specifications.

The container registry hostname is on the form registry.<name>.avassa.net, where <name> is the organization name configured for your environment. You need to authenticate to the registry using your login credentials.

The following uses the docker client to push a container example-container:latest to a registry at registry.example.avassa.net.

Create a token for docker login

Login using the token

Docker login
docker login -u any -p <generated token> registry.example.avassa.net
docker tag example-container:latest registry.example.avassa.net/example-container:latest
docker push registry.example.avassa.net/example-container:latest
Push image
docker tag example-container:latest registry.example.avassa.net/example-container:latest
docker push registry.example.avassa.net/example-container:latest
note

The user used to push images must have the Registry-Push capability through one of the user's policies. The capability can be added to existing policies, or a specific policy can be created and assigned to the user: registry push policy