Connecting to an Image Registry
This topic describes how to connect to an external private registry using the Replicated vendor portal or the replicated CLI.
For information about how the Replicated app manager processes images in external private registries, see About Using an External Registry.
For information about using the Replicated private registry, see Push Images to the Replicated Private Registry.
About Using External Private Registries
When packaging an application with Replicated, you can include private images for the application without distributing registry credentials to your customer.
The customer license file can grant revokable image pull access to private images, whether the images are stored in the Replicated private registry or a supported external registry.
If you use the Replicated private registry or proxy service, you can configure custom domains to alias registry.replicated.com and proxy.replicated.com, to remove the Replicated domains from a customer security review and reduce exposure. This feature is configured at the Team level. For more information about custom domains, see Using Custom Domains.
Supported Registries
Replicated recommends that application vendors use one the following external private registries, which have been tested for compatibility with the app manager:
- Amazon Elastic Container Registry (ECR)
- DockerHub
- GitHub Container Registry
- Google Container Registry
- Quay.io
You can also configure access to most other external registries if the registry conforms to the Open Container Initiative (OCI) standard.
Configure Access to an External Registry
You can provide the credentials for an external registry in the vendor portal to grant the app manager proxy access to the private application images in the registry.
All applications in your vendor portal Team have access to the external registry that you add. This means that you can use the images in the external registry across multiple apps in the Team.
Using the Vendor Portal
To configure access to your private images in an external registry using the vendor portal:
Log in to the vendor portal and go to the Images page.
Click Add external registry.
Click the Other Registry or DockerHub tab.
Complete the fields in the dialog:
Field Instructions Endpoint Enter the endpoint, such as quay.io, index.docker.io, or gcr.io. Username and Password Provide the username and password for an account that has pull access to the private registry.
For Amazon ECR registries, provide the Access Key ID and Secret Key for a Service Account User that has pull access to the registry. See Setting up the Service Account User.
Replicated stores your username and password encrypted and securely. Your credentials and the encryption key do not leave Replicated servers.
Using the CLI
To configure access to private images in an external registry using the replicated CLI:
Install and configure the replicated CLI. See Installing the replicated CLI.
Run the
registry addcommand for your external private registry. For more information about theregistry addcommand, see registry add in replicated CLI.For example, to add a DockerHub registry:
replicated regsitry add dockerhub --username USERNAME \
--password PASSWORDWhere:
USERNAMEis the username for DockerHub credentials with access to the registry.PASSWORDis the password for DockerHub credentials with access to the registry.noteTo prevent the password from being saved in your shell history, Replicated recommends that you use the
--password-stdinflag and entering the password when prompted.
Test External Registry Credentials
Replicated recommends that you test external registry credentials to ensure that the saved credentials on Replicated servers can pull the specified image.
To validate that the configured registry can pull specific images:
replicated registry test HOSTNAME \
--image IMAGE_NAME
Where:
HOSTNAMEis the name of the host, such asindex.docker.io.IMAGE_NAMEis the name of the target image in the registry.
For example:
replicated registry test index.docker.io --image my-company/my-image:v1.2.3