External Image Registries
Overview
In the Appcircle's orchestrated application ecosystem, users have the flexibility to access container images through various external image registries.
These external repositories serve as integral components, offering users different avenues to retrieve and manage container images based on their preferences and infrastructure requirements.
These services act as intermediaries, facilitating seamless image retrieval, caching frequently accessed images, and providing enhanced security measures for image distribution.
Quay Configuration
Red Hat Quay provides a robust container registry solution that integrates well with Kubernetes and OpenShift environments. To configure Quay as your proxy registry, follow these steps:
-
Enable Proxy Cache feature by following one of these docs: Project Quay Proxy Cache, or Redhat Quay Proxy Cache.
-
Create a new organization in Quay (e.g., named
appcircle). -
Go to the organization settings and configure Proxy Cache section:
- Set Remote Registry as
europe-west1-docker.pkg.dev/appcircle/docker-registry. - Set Remote Registry username as
_json_key. - Copy the content of your
cred.jsonand paste into Remote Registry password field. - Save the configuration.
- Set Remote Registry as
-
Configuration page should look like this:
Appcircle Registry Configuration
For the Appcircle server to work with your own container image registry, you should add additional settings to the values.yaml file of your deployment.
In this documentation, we will use registry.spacetech.com as an example registry domain, spacetech as an example organization name and appcircle as an example namespace name.
To see name and namespace of your existing Helm deployment, you can use the command below.
helm list --all-namespaces
If your registry uses a non-standard port (anything other than 443 for HTTPS or 80 for HTTP), you must specify it in the configuration as shown in the examples below with port 8083.
- Add or find the
imageRegistryandimageRepositoryPathkeys in yourvalues.yamlfile. They should be set as follows:
# Container Image Registry host for container images
imageRegistry: registry.spacetech.com:8083
# Container Image Repository path between registry host and image name (for Quay it is the organization name)
imageRepositoryPath: appcircle
- Create a secret with credentials for the external registry.
- Kubernetes
- Openshift
kubectl create secret docker-registry containerregistry \
-n appcircle \
--docker-server='registry.spacetech.com:8083' \
--docker-username='yourRegistryUsername' \
--docker-password='superSecretRegistryPassword'
oc create secret docker-registry containerregistry \
-n appcircle \
--docker-server='registry.spacetech.com:8083' \
--docker-username='yourRegistryUsername' \
--docker-password='superSecretRegistryPassword'
Configuration is completed, you can continue to the installation using the external registry.
If Appcircle is already installed, you can test the registry connection using the command below. It will try to pull the all required images from the external registry and result with images already exists message, since the application version is not changed.
helm upgrade appcircle-server appcircle/appcircle \
-n appcircle \
-f values.yaml
Mirroring Images
If a proxy registry with pull-through cache ability is not available in your setup, you can mirror images manually with your preferred method using the following image list.
Retrieving the Image List
List of the all container images given below, image versions may vary depending on the Helm chart version.
Click to view the image list.
europe-west1-docker.pkg.dev/appcircle/docker-registry/agentcacheservice:latest
europe-west1-docker.pkg.dev/appcircle/docker-registry/appcircle-keycloak:latest
europe-west1-docker.pkg.dev/appcircle/docker-registry/appcircle-vault:latest
europe-west1-docker.pkg.dev/appcircle/docker-registry/appparserserver:latest
europe-west1-docker.pkg.dev/appcircle/docker-registry/buildserver:latest
europe-west1-docker.pkg.dev/appcircle/docker-registry/cert-utils-operator:v1.3.12
europe-west1-docker.pkg.dev/appcircle/docker-registry/dashboardserver:latest
europe-west1-docker.pkg.dev/appcircle/docker-registry/distributionserver:latest
europe-west1-docker.pkg.dev/appcircle/docker-registry/disttesterweb:latest
europe-west1-docker.pkg.dev/appcircle/docker-registry/kafkab:latest
europe-west1-docker.pkg.dev/appcircle/docker-registry/keycloakversioning:latest
europe-west1-docker.pkg.dev/appcircle/docker-registry/kube-rbac-proxy:v0.11.0
europe-west1-docker.pkg.dev/appcircle/docker-registry/licenseserver:latest
europe-west1-docker.pkg.dev/appcircle/docker-registry/minio/miniob:latest
europe-west1-docker.pkg.dev/appcircle/docker-registry/mongodb:latest
europe-west1-docker.pkg.dev/appcircle/docker-registry/notificationserver:latest
europe-west1-docker.pkg.dev/appcircle/docker-registry/otpservice:latest
europe-west1-docker.pkg.dev/appcircle/docker-registry/postgresqlb:latest
europe-west1-docker.pkg.dev/appcircle/docker-registry/privateapigateway:latest
europe-west1-docker.pkg.dev/appcircle/docker-registry/publishserver:latest
europe-west1-docker.pkg.dev/appcircle/docker-registry/redisb:latest
europe-west1-docker.pkg.dev/appcircle/docker-registry/reportserver:latest
europe-west1-docker.pkg.dev/appcircle/docker-registry/resignservice:latest
europe-west1-docker.pkg.dev/appcircle/docker-registry/resourceserver:latest
europe-west1-docker.pkg.dev/appcircle/docker-registry/schedulemanagerservice:latest
europe-west1-docker.pkg.dev/appcircle/docker-registry/signingidentityserver:latest
europe-west1-docker.pkg.dev/appcircle/docker-registry/storeadminservice:latest
europe-west1-docker.pkg.dev/appcircle/docker-registry/storeapiservice:latest
europe-west1-docker.pkg.dev/appcircle/docker-registry/storeprofileservice:latest
europe-west1-docker.pkg.dev/appcircle/docker-registry/storereportservice:latest
europe-west1-docker.pkg.dev/appcircle/docker-registry/storesubmitserver:latest
europe-west1-docker.pkg.dev/appcircle/docker-registry/storeweb:latest
europe-west1-docker.pkg.dev/appcircle/docker-registry/taskserver:latest
europe-west1-docker.pkg.dev/appcircle/docker-registry/testeradminservice:latest
europe-west1-docker.pkg.dev/appcircle/docker-registry/testerapiservice:latest
europe-west1-docker.pkg.dev/appcircle/docker-registry/toolbox:1.5.0
europe-west1-docker.pkg.dev/appcircle/docker-registry/uiserver:latest
europe-west1-docker.pkg.dev/appcircle/docker-registry/webhookservice:latest
You can also use the following command to get up-to-date image list required during helm install:
helm template appcircle appcircle/appcircle -f values.yaml | grep image: | sed 's/\s*image:\s*//; s/"//g' | sort -u
Insecure Registry
By default, Kubernetes and OpenShift require HTTPS connections to image registries. To use a registry over HTTP, you must configure it as an insecure registry.
Edit the cluster's image configuration:
- Kubernetes
- Openshift
kubectl edit image.config cluster
oc edit image.config cluster
Add your registry address to the insecureRegistries section:
...
spec:
...
registrySources:
insecureRegistries:
- registry.spacetech.com:8083
Save the file and exit. The configuration will be applied automatically without requiring a restart.
If your registry uses a non-standard port (anything other than 80 for HTTP), you must specify it in the configuration as shown in the example above with port 8083.