Container Registry Configuration
The Build Plane requires a container registry to store built images. Both build pods (for pushing) and kubelets on the Data Plane (for pulling) need access to the registry.
Configuration Parameters
| Parameter | Description | Required |
|---|---|---|
| global.defaultResources.registry.host | Registry hostname | Yes |
| global.defaultResources.registry.repoPath | Path prefix for images | No |
| global.defaultResources.registry.tlsVerify | Verify TLS certificates | No (default: false) |
The default tlsVerify=false disables certificate validation on the push path, so a build pod would accept any endpoint that answers on the registry's address. Set it to true for any registry reached over a network you do not fully control, as every provider example below does, and leave it false only for a local development registry.
Registry Providers
Amazon ECR
See Amazon ECR documentation for repository setup and IAM configuration. ECR authorization tokens expire after 12 hours, so a push secret built from `aws ecr get-login-password` must be refreshed on that schedule rather than stored once. The host below uses a 12-digit AWS account ID placeholder.
helm upgrade --install openchoreo-build-plane oci://ghcr.io/openchoreo/helm-charts/openchoreo-build-plane \
--version 0.13.0 \
--namespace openchoreo-build-plane \
--set global.defaultResources.registry.host=123456789012.dkr.ecr.us-east-1.amazonaws.com \
--set global.defaultResources.registry.repoPath=openchoreo-builds \
--set global.defaultResources.registry.tlsVerify=true
Google Artifact Registry
See Artifact Registry documentation for repository setup and authentication. Following the parameter definitions above, the host is the regional Artifact Registry hostname and the project and repository go in repoPath; the auths key in the push secret must then match that hostname.
helm upgrade --install openchoreo-build-plane oci://ghcr.io/openchoreo/helm-charts/openchoreo-build-plane \
--version 0.13.0 \
--namespace openchoreo-build-plane \
--set global.defaultResources.registry.host=us-central1-docker.pkg.dev \
--set global.defaultResources.registry.repoPath=my-project/openchoreo-builds \
--set global.defaultResources.registry.tlsVerify=true
Azure Container Registry
See ACR documentation for registry setup and AKS integration.
helm upgrade --install openchoreo-build-plane oci://ghcr.io/openchoreo/helm-charts/openchoreo-build-plane \
--version 0.13.0 \
--namespace openchoreo-build-plane \
--set global.defaultResources.registry.host=myregistry.azurecr.io \
--set global.defaultResources.registry.tlsVerify=true
GitHub Container Registry
See GHCR documentation for authentication setup. Use a personal access token with the write:packages scope as the password in the push secret; GHCR does not accept the account password for registry login.
helm upgrade --install openchoreo-build-plane oci://ghcr.io/openchoreo/helm-charts/openchoreo-build-plane \
--version 0.13.0 \
--namespace openchoreo-build-plane \
--set global.defaultResources.registry.host=ghcr.io \
--set global.defaultResources.registry.repoPath=my-org/openchoreo \
--set global.defaultResources.registry.tlsVerify=true
Docker Hub
See Docker Hub documentation for repository setup. Note the rate limits for free accounts. Use a Docker Hub access token rather than the account password as the push credential, so it can be scoped and revoked on its own.
helm upgrade --install openchoreo-build-plane oci://ghcr.io/openchoreo/helm-charts/openchoreo-build-plane \
--version 0.13.0 \
--namespace openchoreo-build-plane \
--set global.defaultResources.registry.host=docker.io \
--set global.defaultResources.registry.repoPath=your-username \
--set global.defaultResources.registry.tlsVerify=true
Authentication
Push Secret (Build Plane)
For registries requiring authentication, configure push credentials for the build plane. The credential is stored as a Docker config JSON under the key registry-push-secret. Base64 is an encoding, not encryption: the encoded string is the password and must be handled as such.
Step 1: Encode Your Credentials
Generate base64-encoded credentials:
echo -n 'your-username:your-password' | base64
Example output: ZGVtby11c2VyOmRlbW8tcGFzcw==
Typing the password on the command line records it in shell history; read it from an environment variable or a file instead. GNU base64 wraps output at 76 characters, so pipe through tr -d '\n' (or use base64 -w0) if the credential is long.
Step 2: Create Docker Config JSON
The Docker config JSON is embedded as a string value inside the JSON patch in Step 3, which is why its inner quotes are escaped. Replace the placeholders:
<REGISTRY-HOST>: the registry host as the build tool addresses it (for Docker Hub this is https://index.docker.io/v1/, not docker.io)
<BASE64-TOKEN>: the base64 string from Step 1
Template:
{\"auths\":{\"<REGISTRY-HOST>\":{\"auth\":\"<BASE64-TOKEN>\"}}}
Step 3: Apply to ClusterSecretStore
Development/Testing: Use the fake provider (shown below). The fake provider keeps the credential in plaintext in the ClusterSecretStore spec, so anyone who can read that cluster-scoped object can read the push credential.
Production: Add to your secret backend (AWS Secrets Manager, Vault, etc.) with key registry-push-secret
Apply the patch command with your formatted JSON from Step 2:
kubectl patch clustersecretstore default --type='json' -p='[
{
"op": "add",
"path": "/spec/provider/fake/data/-",
"value": {
"key": "registry-push-secret",
"value": "{\"auths\":{\"<REGISTRY-HOST>\":{\"auth\":\"<BASE64-TOKEN>\"}}}"
}
}
]'
Complete example for Docker Hub (the auths key is https://index.docker.io/v1/ even though the Helm host is docker.io):
kubectl patch clustersecretstore default --type='json' -p='[
{
"op": "add",
"path": "/spec/provider/fake/data/-",
"value": {
"key": "registry-push-secret",
"value": "{\"auths\":{\"https://index.docker.io/v1/\":{\"auth\":\"ZGVtby11c2VyOmRlbW8tcGFzcw==\"}}}"
}
}
]'
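The registry host setting and Steps 1 to 3 above, as one shell script that builds the registry-push-secret patch and checks each piece before anything touches the cluster. This is an added example, not code from the original page or from OpenChoreo: the function names are the editor's, the docker.io to https://index.docker.io/v1/ mapping is the one the page's Docker Hub example uses, and for every other registry the auths key is assumed to be the bare host passed to the Helm chart.

```shell
#!/bin/sh
# Added example: assemble the registry-push-secret patch from a username and
# password, and verify the encoding round-trips, without contacting a cluster.
set -eu

# Map the Helm registry host to the key expected under "auths".
# Docker Hub is the special case shown on this page; every other registry is
# assumed (not verified here) to use its hostname as the key.
auths_key_for_host() {
  case "$1" in
    docker.io|index.docker.io) printf '%s' 'https://index.docker.io/v1/' ;;
    *) printf '%s' "$1" ;;
  esac
}

# Step 1: base64("user:password") with no line wrapping. GNU base64 wraps at
# 76 characters by default, which would corrupt a long token.
registry_auth_token() {
  printf '%s:%s' "$1" "$2" | base64 | tr -d '\n'
}

# Round-trip check: decode a token and return the username it contains.
# This also shows that the token is trivially reversible (base64 is not encryption).
registry_auth_user() {
  printf '%s' "$1" | base64 -d | cut -d: -f1
}

# Step 2: the Docker config JSON for one registry, before escaping.
docker_config_json() {
  printf '{"auths":{"%s":{"auth":"%s"}}}' "$1" "$2"
}

# Escape backslashes and double quotes so the JSON can be nested as a string
# value inside the JSON patch.
json_string_escape() {
  printf '%s' "$1" | sed 's/\\/\\\\/g; s/"/\\"/g'
}

# Step 3: the JSON-patch document for the fake provider. Arguments are the
# Helm registry host, the username and the password.
push_secret_patch() {
  key=$(auths_key_for_host "$1")
  token=$(registry_auth_token "$2" "$3")
  cfg=$(docker_config_json "$key" "$token")
  printf '[{"op":"add","path":"/spec/provider/fake/data/-","value":{"key":"registry-push-secret","value":"%s"}}]' \
    "$(json_string_escape "$cfg")"
}

# Usage: keep the password out of shell history by reading it from the
# environment, then hand the result to kubectl:
#   patch=$(push_secret_patch docker.io "$REGISTRY_USER" "$REGISTRY_PASSWORD")
#   kubectl patch clustersecretstore default --type=json -p="$patch"
```

Only the builtin printf ever sees the password, so it does not appear in the process list; the kubectl invocation still sends the credential to the API server in the request body, which a verbose audit policy will record.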
Pull Secret (Data Plane)
For pulling images from private registries, see Deploy from a Private Registry.
Troubleshooting
| Symptom | Check |
|---|---|
| "unauthorized" error | Verify registry-push-secret exists in the secret store, its auths key matches the registry host exactly (https://index.docker.io/v1/ for Docker Hub), and the credentials are valid and have push permission |
| ImagePullBackOff | Verify the image exists at the expected host/repoPath and the pull secret is referenced from the Data Plane workloads (imagePullSecrets) |
| "x509: certificate signed by unknown authority" | Add the registry's CA certificate to the trust store the build pods use; setting tlsVerify=false removes the check entirely and is acceptable only for a local development registry |
| "connection refused" | Check network connectivity and firewall rules from both the build pods and the Data Plane kubelets |