Container Registry Configuration
The Build Plane requires a container registry to store built images. Both build pods (for pushing) and kubelets on the Data Plane (for pulling) need access to the registry.
Registry configuration lives in the publish-image ClusterWorkflowTemplate, not in Helm values. To use a different registry, replace the publish-image CWT with one that has your registry endpoint and TLS settings baked in.
Replacing the Publish Step
Create a custom publish-image CWT with your registry endpoint:
```shell
kubectl apply -f - <<EOF
apiVersion: argoproj.io/v1alpha1
kind: ClusterWorkflowTemplate
metadata:
  name: publish-image
spec:
  templates:
    - name: publish-image
      inputs:
        parameters:
          - name: git-revision
      outputs:
        parameters:
          - name: image
            valueFrom:
              path: /tmp/image.txt
      volumes:
        - name: registry-push-secret
          secret:
            optional: true
            secretName: '{{workflow.parameters.registry-push-secret}}'
      container:
        image: ghcr.io/openchoreo/podman-runner:v1.0
        command: [sh, -c]
        args:
          - |-
            set -e
            GIT_REVISION={{inputs.parameters.git-revision}}
            IMAGE_NAME={{workflow.parameters.image-name}}
            IMAGE_TAG={{workflow.parameters.image-tag}}
            SRC_IMAGE="\${IMAGE_NAME}:\${IMAGE_TAG}-\${GIT_REVISION}"

            # Replace with your registry endpoint
            REGISTRY_ENDPOINT="YOUR_REGISTRY_HOST/YOUR_REPO_PATH"
            # Mounted from the optional registry-push-secret volume below
            AUTH_FILE="/etc/secrets/registry-push-secret/.dockerconfigjson"

            mkdir -p /etc/containers
            cat <<CONF > /etc/containers/storage.conf
            [storage]
            driver = "overlay"
            runroot = "/run/containers/storage"
            graphroot = "/var/lib/containers/storage"
            [storage.options.overlay]
            mount_program = "/usr/bin/fuse-overlayfs"
            CONF

            podman load -i /mnt/vol/app-image.tar
            podman tag \$SRC_IMAGE \$REGISTRY_ENDPOINT/\$SRC_IMAGE
            # Push with credentials when the secret is mounted, anonymously otherwise
            if [ -f "\$AUTH_FILE" ]; then
              podman push --tls-verify=true --authfile "\$AUTH_FILE" \$REGISTRY_ENDPOINT/\$SRC_IMAGE
            else
              podman push --tls-verify=true \$REGISTRY_ENDPOINT/\$SRC_IMAGE
            fi
            echo -n "\$REGISTRY_ENDPOINT/\$SRC_IMAGE" > /tmp/image.txt
        securityContext:
          privileged: true
        volumeMounts:
          - mountPath: /mnt/vol
            name: workspace
          - mountPath: /etc/secrets/registry-push-secret
            name: registry-push-secret
            readOnly: true
EOF
```
Replace YOUR_REGISTRY_HOST/YOUR_REPO_PATH with your registry endpoint and adjust --tls-verify as needed.
Registry Providers
Below are the REGISTRY_ENDPOINT values to use in the CWT above for common providers.
Amazon ECR
See Amazon ECR documentation for repository setup and IAM configuration.
```shell
REGISTRY_ENDPOINT="123456789.dkr.ecr.us-east-1.amazonaws.com/openchoreo-builds"
```
Google Artifact Registry
See Artifact Registry documentation for repository setup and authentication.
```shell
REGISTRY_ENDPOINT="us-central1-docker.pkg.dev/my-project/openchoreo-builds"
```
Azure Container Registry
See ACR documentation for registry setup and AKS integration.
```shell
REGISTRY_ENDPOINT="myregistry.azurecr.io"
```
GitHub Container Registry
See GHCR documentation for authentication setup.
```shell
REGISTRY_ENDPOINT="ghcr.io/my-org/openchoreo"
```
Docker Hub
See Docker Hub documentation for repository setup. Note the rate limits for free accounts.
```shell
REGISTRY_ENDPOINT="docker.io/your-username"
```
Authentication
Push Secret (Build Plane)
For registries requiring authentication, configure push credentials for the build plane.
Step 1: Encode Your Credentials
Generate base64-encoded credentials:
```shell
echo -n 'your-username:your-password' | base64
```
Example output: `ZGVtby11c2VyOmRlbW8tcGFzcw==`
Step 2: Create Docker Config JSON
Use the following format. The inner quotes must be escaped because the whole JSON document is embedded as a string value inside the kubectl patch in Step 3. Replace the placeholders:
- `<REGISTRY-HOST>`: your registry host
- `<BASE64-TOKEN>`: your base64 string from Step 1
Template:
```json
{\"auths\":{\"<REGISTRY-HOST>\":{\"auth\":\"<BASE64-TOKEN>\"}}}
```
Step 3: Apply to ClusterSecretStore
- Development/Testing: use the fake provider (shown below)
- Production: add the value to your secret backend (AWS Secrets Manager, Vault, etc.) under the key `registry-push-secret`
Run the patch command with your formatted JSON from Step 2:
```shell
kubectl patch clustersecretstore default --type='json' -p='[
  {
    "op": "add",
    "path": "/spec/provider/fake/data/-",
    "value": {
      "key": "registry-push-secret",
      "value": "{\"auths\":{\"<REGISTRY-HOST>\":{\"auth\":\"<BASE64-TOKEN>\"}}}"
    }
  }
]'
```
Complete example for Docker Hub:
```shell
kubectl patch clustersecretstore default --type='json' -p='[
  {
    "op": "add",
    "path": "/spec/provider/fake/data/-",
    "value": {
      "key": "registry-push-secret",
      "value": "{\"auths\":{\"https://index.docker.io/v1/\":{\"auth\":\"ZGVtby11c2VyOmRlbW8tcGFzcw==\"}}}"
    }
  }
]'
```
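Hand-escaping the nested JSON in Steps 1 to 3 is where most typos creep in. As an added example (not part of the OpenChoreo docs), the script below builds the docker config JSON from a username and password, escapes it for the patch body, and round-trips the token as a sanity check before anything is applied. Function names are my own; it assumes a POSIX shell with base64(1) and sed(1), and uses the `default` ClusterSecretStore and fake-provider path from this page.

```shell
#!/bin/sh
# Added example, not OpenChoreo project code.
# Assumes: POSIX sh, base64(1), sed(1); store name and patch path as on this page.

# Steps 1 and 2: base64 the "user:password" pair and embed it in a docker config JSON.
docker_config_json() {
  host="$1"; user="$2"; pass="$3"
  # tr strips the line wrapping that GNU base64 inserts for long input
  token=$(printf '%s:%s' "$user" "$pass" | base64 | tr -d '\n')
  printf '{"auths":{"%s":{"auth":"%s"}}}' "$host" "$token"
}

# Escape a JSON document so it can be carried as a JSON string value:
# backslashes first, then double quotes (order matters).
json_string_escape() {
  printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e 's/"/\\"/g'
}

# Step 3: the JSON patch body that appends the key to the fake provider's data list.
push_secret_patch() {
  escaped=$(json_string_escape "$(docker_config_json "$1" "$2" "$3")")
  printf '[{"op":"add","path":"/spec/provider/fake/data/-","value":{"key":"registry-push-secret","value":"%s"}}]' "$escaped"
}

# Sanity check: decode a token and confirm it matches the expected "user:password".
verify_token() {
  decoded=$(printf '%s' "$1" | base64 -d)
  [ "$decoded" = "$2" ]
}

# Print the patch for the Docker Hub credentials used on this page; to apply it:
#   kubectl patch clustersecretstore default --type=json \
#     -p "$(push_secret_patch https://index.docker.io/v1/ demo-user demo-pass)"
push_secret_patch https://index.docker.io/v1/ demo-user demo-pass
echo
```

The printed patch is byte-for-byte the body used in the Docker Hub example above, so the output can be diffed against it before running `kubectl patch`.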
Pull Secret (Data Plane)
For pulling images from private registries, see Deploy from a Private Registry.
Troubleshooting
| Symptom | Check |
|---|---|
| "unauthorized" error | Verify that the registry-push-secret exists and that the credentials are valid |
| ImagePullBackOff | Verify that the image exists and that the ImagePullSecret is configured |
| "x509: certificate signed by unknown authority" | Configure the registry CA certificate, or set `--tls-verify=false` in the CWT push commands |
| "connection refused" | Check network connectivity and firewall rules |