Deploy Cluster with a Private Provider Registry
Palette Edge supports authentication with private image registries, which allows your cluster to pull provider images from a private registry during deployment. You can configure your cluster to pull provider images from a private registry for both cluster creation and cluster updates.
To configure a cluster to pull images from a private image registry, provide the registry URL and the credentials needed to authenticate with the registry in the cluster profile. This registry supplies the provider images only. If you want to use a private registry for images other the provider images, refer to Deploy Cluster with Private External Registry.
Limitations
-
A cluster cannot pull provider images from more than one private registry.
-
If you have already specified an external registry. the provider registry will be ignored and the provider images will be pulled from the external registry instead.
-
You cannot use private provider registries for clusters with a local Harbor registry. For more information, refer to Enable Local Harbor Registry.
-
If your private registry has TLS enabled, you can only configure a new cluster to use a TLS certificate with a private registry. You cannot configure an existing cluster with a TLS certificate to communicate with your private registry.
-
Palette Edge supports basic username/password authentication. Token authentication schemes used by services such as AWS ECR and Google Artifact Registry are not supported.
Prerequisites
-
At least one Edge host registered with your Palette account.
-
A private image registry.
-
A provider image you created in the EdgeForge process stored in your private image registry. For more information, refer to Build Artifacts.
Enablement
-
Log in to Palette.
-
Navigate to the left Main Menu and select Profiles.
-
If you already have an Edge cluster profile you want to deploy the cluster with, select that profile and select Create new version to create a new version of the profile to save your changes.
Otherwise, click Add new profile to create a new cluster profile.
-
Select the OS layer of your cluster profile. If you are creating a new profile, you will get to configuring the OS layer after filling out Basic Information and Cloud Type. You should choose the Bring Your Own OS (BYOOS) pack for your OS layer.
-
Update the
system.uriparameter in the pack editor for your OS layer. Use the custom OS image you created in the EdgeForge process. Refer to the EdgeForge Build Images guide if you are missing a custom OS image. The following is an example configuration using the BYOOS pack with a custom OS image.pack:
content:
images:
- image: "{{.spectro.pack.edge-native-byoi.options.system.uri}}"
# - image: example.io/my-other-images/example:v1.0.0
# - image: example.io/my-super-other-images/example:v1.0.0
options:
system.uri: example.io/my-images/example-custom-os:v1.4.5warningIf you have specified registry credentials in the
registryCredentialsfield in the user data file during the EdgeForge process, the credentials provided in the cluster profile will be ignored. For more information, refer to EdgeForge - Build Artifacts and Installer Configuration. -
At the root level of YAML for your OS layer, add the
providerCredentialsfield to provide the credentials you need to authenticate with your registry. For more information about theproviderCredentialsfield, refer to Bring Your Own OS (BYOOS) pack page. TheproviderCredentials.passwordfield will be masked when you provide it in the YAML file. You can also use a macro to store your credentials instead of providing it directly in the YAML file. For more information, refer to Macros Support:pack:
content:
images:
- image: '{{.spectro.pack.edge-native-byoi.options.system.uri}}'
# - image: example.io/my-other-images/example:v1.0.0
# - image: example.io/my-super-other-images/example:v1.0.0
providerCredentials:
registry: <registry_domain or IP Address>
# - e.x. registry: registry-1.docker.io
user: user
password: ******
certificates: |
-----BEGIN CERTIFICATE-----
MIIDVzCCAj+gAwIBAgIRANtGPo/hFkZtYRNw0KaeW54wDQYJKoZIhvcNAQELBQAw
----------------------------------------------------------------
7OicCaV35lje5FSl0owu74ghAlCgMyAdKsJf615g1kKO4V5E2BMErd9Ibw==
-----END CERTIFICATE-----
options:
system.uri: example.io/my-images/example-custom-os:v1.4.5 -
If you are updating an existing profile, click Confirm changes, and then click Save changes to publish the new version of your cluster profile. If you are creating a new profile, click Next layer and finish configuring the remaining layers.
-
If you already have an active cluster that is using the original version of the cluster profile, update the cluster so that it uses the new version of the cluster profile you just published. For more information about updating clusters, refer to Update a Cluster. This will trigger a full cluster repave since it includes an update to the OS layer of the cluster. To learn more about cluster repave behavior, refer to Repave Behavior and Configuration.
If you don't have an active cluster yet, deploy a new cluster with the profile you just created, and the cluster will pull images from the private registry you specified.
Validate
-
Log in to Palette.
-
Navigate to the left Main Menu and select Clusters.
-
Select the cluster that is using the profile with the registry credentials.
-
Navigate to the Events tab of the cluster to confirm if the cluster is instructed pull images from the private registry.
-
If the cluster is successfully provisioned and enters the Running state, then you have successfully configured the cluster to authenticate with and pull images from the private registry. If the cluster does not enter the Running state, navigate to the Events table and observe if the cluster is emitting errors related to image pulls.