Private Registries

Tools with Images from Private Registries

Configuring Private Registry Access

To use images from a private registry within the Kubiya platform, you must provide valid authentication credentials. This ensures secure access to private images, whether they reside in Docker Hub, Amazon ECR, or JFrog Artifactory. Follow the specific configuration guidelines for each registry type to establish proper connectivity and authorization.

image_provider Field

The image_provider is a configuration field used to specify the source of Docker images. It indicates whether the image comes from a public or private registry. When using private registries, image_provider includes authentication details necessary for accessing the registry securely. Different registries have distinct kind values, such as aws for Amazon ECR or dockerhub for Docker Hub. This ensures that the Kubiya platform can access and deploy images appropriately from the specified registry.

Configurations

  • kind: Defines the registry type (e.g., aws for ECR, dockerhub for Docker Hub, jfrog for JFrog).

  • auth: For private registries, authentication details are provided in this section.

1. Docker Hub Image Configuration

For using a private image from Docker Hub, the auth field is used to provide the necessary credentials for accessing the private registry.

Example Configuration for Docker Hub:

tools:
  - name: checkdh
    alias: checkdh
    image: docker.io/mitrabeast/python:myversion
    image_provider:
      kind: dockerhub
      auth:
        - name: username
          value: coolname
        - name: password
          valueFrom:
            secret: DOCKERHUB_PASSWORD
    content: python -c "print('hello from dockerhub, {{.name}}!')"
    args:
      - name: name
        description: A name to greet from dockerhub
        required: true
    secrets:
      - DOCKERHUB_PASSWORD

Explanation:

  • image_provider.kind: dockerhub: Specifies that the image is hosted on Docker Hub.

  • auth: Provides authentication details.

    • username: The Docker Hub username (in this case, coolname).

    • password: The password is securely pulled from a secret (DOCKERHUB_PASSWORD) using the valueFrom field.

Ensure the secret is securely attached to the Teammate entity on the Kubiya platform.

This ensures that sensitive information like the password is stored securely in a secret and never exposed directly in the configuration.

2. AWS Image Configuration

For using a private image from AWS Elastic Container Registry (ECR), credentials can be pulled from the hosting container, typically using IAM roles or other authentication methods provided by AWS.

Example Configuration for AWS:

tools:
  - name: checkaws
    alias: checkaws
    image: api:main
    image_provider:
      kind: aws
    content: python -c "print('hello from aws!')"

Explanation:

  • image_provider.kind: aws: Specifies that the image is hosted on Amazon Elastic Container Registry (ECR).

  • Credentials: For AWS, the credentials (like access keys) are automatically managed by the hosting container using IAM roles or other AWS mechanisms. The image_provider does not need to explicitly define auth here, as the hosting container handles the authentication automatically.

This configuration allows seamless access to AWS-hosted private images without manually specifying credentials.

3. JFrog Image Configuration

For using a private image from JFrog Artifactory, credentials are provided under the auth field, which can pull values from environment variables.

Example Configuration for JFrog:

tools:
  - name: checkjf
    alias: checkjf
    image: trialc5eche.jfrog.io/test-docker/hello-world:latest
    image_provider:
      kind: jfrog
      auth:
        - name: username
          valueFrom:
            env: JF_USERNAME
        - name: password
          valueFrom:
            env: JF_PASSWORD
    content: echo "Hello, world!"
    env:
      - JF_USERNAME
      - JF_PASSWORD

Explanation:

  • image_provider.kind: jfrog: Specifies that the image is hosted on JFrog Artifactory.

  • auth: Authentication details are provided via environment variables:

    • username: The JFrog username is retrieved from the environment variable JF_USERNAME.

    • password: The JFrog password is retrieved from the environment variable JF_PASSWORD using valueFrom.

This approach allows the image credentials to be securely managed via environment variables, ensuring sensitive data is not exposed directly in the configuration.
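
The Docker Hub and JFrog examples above keep the password out of the file with valueFrom and list the referenced secret or environment variable on the tool itself. The check below is an added example, not part of the Kubiya documentation or code, that flags tool definitions breaking that pattern. It assumes the YAML has already been parsed into Python dicts; lint_tool, lint_config, SENSITIVE and the badtool entry are hypothetical names.

```python
# Added example, not Kubiya code. Input: the tools file already parsed into dicts.
SENSITIVE = {"password"}  # assumption: auth entries that must never be literals

def lint_tool(tool):
    """Return findings for one tool definition."""
    findings = []
    provider = tool.get("image_provider") or {}
    for entry in provider.get("auth") or []:
        name = entry.get("name")
        source = entry.get("valueFrom") or {}
        # A literal `value` for a sensitive field puts the credential in the file.
        if name in SENSITIVE and "value" in entry:
            findings.append(f"{tool['name']}: {name} is an inline literal")
        # Assumption drawn from the page's examples: a referenced secret or
        # env variable is also listed under the tool's `secrets` / `env`.
        for kind, section in (("secret", "secrets"), ("env", "env")):
            ref = source.get(kind)
            if ref and ref not in (tool.get(section) or []):
                findings.append(f"{tool['name']}: {ref} not declared under {section}")
    return findings

def lint_config(config):
    """Lint every tool in a parsed config."""
    return [f for tool in (config.get("tools") or []) for f in lint_tool(tool)]

# Constructed sample: "checkdh" mirrors the Docker Hub example on this page,
# "badtool" is a hypothetical misconfigured tool.
SAMPLE = {"tools": [
    {"name": "checkdh",
     "image_provider": {"kind": "dockerhub", "auth": [
         {"name": "username", "value": "coolname"},
         {"name": "password", "valueFrom": {"secret": "DOCKERHUB_PASSWORD"}}]},
     "secrets": ["DOCKERHUB_PASSWORD"]},
    {"name": "badtool",
     "image_provider": {"kind": "jfrog", "auth": [
         {"name": "username", "valueFrom": {"env": "JF_USERNAME"}},
         {"name": "password", "value": "constructed-placeholder"}]},
     "env": []},
]}

if __name__ == "__main__":
    for finding in lint_config(SAMPLE):
        print(finding)
```

Running a check like this in CI before a tool definition is merged catches a pasted password before it reaches version control.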
