Add OCI Helm Registry
You can add an OCI type Helm registry to Palette and use the Helm Charts in your cluster profiles.
Prerequisites
- Credentials to access the OCI registry. If you are using an AWS ECR registry, you must have the AWS credentials of an IAM user, or add a trust relationship to an IAM role, so that Palette can access the registry.
- If the OCI registry is using a self-signed certificate, or a certificate that is not signed by a trusted certificate authority (CA), you will need the certificate to add the registry to Palette.
- Tenant admin access to Palette.
- If you are using an AWS ECR registry, ensure you have the following Identity and Access Management (IAM) permissions attached to the IAM user or IAM role that Palette will use to access the registry. You can reduce the `Resource` scope from `*` to the specific Amazon Resource Name (ARN) of the AWS ECR registry you are using.

  ```json
  {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Sid": "VisualEditor0",
        "Effect": "Allow",
        "Action": [
          "ecr-public:DescribeRegistries",
          "ecr:DescribeImageReplicationStatus",
          "ecr:ListTagsForResource",
          "ecr:ListImages",
          "ecr:DescribeRepositories",
          "ecr:BatchCheckLayerAvailability",
          "ecr:GetLifecyclePolicy",
          "ecr-public:DescribeImageTags",
          "ecr-public:DescribeImages",
          "ecr:GetRegistryPolicy",
          "ecr-public:GetAuthorizationToken",
          "ecr:DescribeImageScanFindings",
          "ecr:GetLifecyclePolicyPreview",
          "ecr:GetDownloadUrlForLayer",
          "ecr-public:GetRepositoryCatalogData",
          "ecr:DescribeRegistry",
          "ecr:GetAuthorizationToken",
          "ecr-public:GetRepositoryPolicy",
          "ecr-public:DescribeRepositories",
          "ecr:BatchGetImage",
          "ecr:DescribeImages",
          "ecr-public:GetRegistryCatalogData",
          "ecr-public:ListTagsForResource",
          "ecr-public:BatchCheckLayerAvailability",
          "ecr:GetRepositoryPolicy"
        ],
        "Resource": "*"
      }
    ]
  }
  ```
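The policy above grants read-only ECR actions on every resource. Before attaching it, it is worth checking that a candidate policy has not drifted beyond that read-only set and that `Resource` has been narrowed to your registry's ARN. The following checker is an added example, not Palette's or AWS's code; the account id, region and the `check_registry_policy` and `_as_list` names are assumptions, and the two sample policies are constructed for the demonstration.

```python
import json

# Read-only ECR / ECR Public actions copied from the prerequisites above.
PALETTE_ECR_ACTIONS = {
    "ecr:GetAuthorizationToken", "ecr:BatchGetImage", "ecr:GetDownloadUrlForLayer",
    "ecr:BatchCheckLayerAvailability", "ecr:ListImages", "ecr:DescribeImages",
    "ecr:DescribeRepositories", "ecr:DescribeRegistry", "ecr:GetRegistryPolicy",
    "ecr:GetRepositoryPolicy", "ecr:ListTagsForResource", "ecr:GetLifecyclePolicy",
    "ecr:GetLifecyclePolicyPreview", "ecr:DescribeImageScanFindings",
    "ecr:DescribeImageReplicationStatus", "ecr-public:GetAuthorizationToken",
    "ecr-public:DescribeRegistries", "ecr-public:DescribeRepositories",
    "ecr-public:DescribeImages", "ecr-public:DescribeImageTags",
    "ecr-public:BatchCheckLayerAvailability", "ecr-public:ListTagsForResource",
    "ecr-public:GetRepositoryPolicy", "ecr-public:GetRepositoryCatalogData",
    "ecr-public:GetRegistryCatalogData",
}
# Token calls are registry-wide; AWS requires Resource "*" for them.
NOT_SCOPABLE = {"ecr:GetAuthorizationToken", "ecr-public:GetAuthorizationToken"}

def _as_list(value):
    # IAM accepts a single string/object or a list for Statement, Action, Resource.
    return [value] if isinstance(value, (str, dict)) else list(value or [])

def check_registry_policy(policy_json, registry_arn):
    """Return findings for an IAM policy meant for Palette: Allow statements with
    actions outside the read-only set, or Resource "*" on scopable actions."""
    findings = []
    for i, stmt in enumerate(_as_list(json.loads(policy_json).get("Statement"))):
        sid = stmt.get("Sid") or f"Statement[{i}]"
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access
        actions = set(_as_list(stmt.get("Action")))
        if extra := sorted(actions - PALETTE_ECR_ACTIONS):
            findings.append(f"{sid}: actions outside the read-only set: {extra}")
        for res in _as_list(stmt.get("Resource")):
            if res == "*" and not actions <= NOT_SCOPABLE:
                findings.append(f"{sid}: Resource '*'; scope it to {registry_arn}")
            elif res != "*" and not res.startswith(registry_arn):
                findings.append(f"{sid}: Resource {res} is outside {registry_arn}")
    return findings

# Constructed samples (placeholder account): one wildcard grant, one scoped split.
REGISTRY_ARN = "arn:aws:ecr:us-east-1:123456789012:repository/"
WILDCARD_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Sid": "VisualEditor0", "Effect": "Allow", "Resource": "*",
    "Action": ["ecr:BatchGetImage", "ecr:GetAuthorizationToken", "ecr:PutImage"]}]})
SCOPED_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "Token", "Effect": "Allow", "Resource": "*", "Action": "ecr:GetAuthorizationToken"},
    {"Sid": "Pull", "Effect": "Allow", "Resource": REGISTRY_ARN + "*",
     "Action": ["ecr:BatchGetImage", "ecr:GetDownloadUrlForLayer"]}]})
```

Running `check_registry_policy(WILDCARD_POLICY, REGISTRY_ARN)` reports both the extra write action and the wildcard resource, while the scoped split returns no findings because only the token call keeps `*`.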
Add OCI Helm Registry
Use the following steps to add an OCI Helm registry to Palette. Select the tab that corresponds to the type of OCI registry you are adding: Basic or AWS ECR.

Basic

- Log in to Palette as a Tenant administrator.
- From the left Main Menu, select Tenant Settings.
- From the Tenant Settings Menu, select Registries.
- Click on the OCI Registries tab.
- Click Add New OCI Registry.
- Fill out the Name field and select Helm as the provider type.
- Select the OCI Authentication Type as Basic.
- Toggle the Synchronization option to enable or disable synchronization for the registry. To learn more about the synchronization behavior of Helm registries, refer to the Helm Registry resource.
- Provide the registry URL in the Endpoint field.
- Specify the base path in the Base Content Path field. The base path is the path to the repository in the registry where the Helm Charts are stored. You can specify multiple base paths by pressing the Enter key after each path. Providing multiple base paths is useful when Helm Charts are stored in different directories or projects, such as multiple projects in a Harbor registry.
- Fill out the Username and Password fields with the credentials to access the registry.
- If your OCI registry server is using a self-signed certificate, or if the server certificate is not signed by a trusted CA, check the Insecure Skip TLS Verify box to skip verifying the x509 certificate, and click Upload file to upload the certificate.
- Click Confirm to complete adding the registry.
AWS ECR

- Log in to Palette as a Tenant administrator.
- From the left Main Menu, select Tenant Settings.
- From the Tenant Settings Menu, select Registries.
- Click on the OCI Registries tab.
- Click Add New OCI Registry.
- Fill out the Name field and select Helm as the provider type.
- Select the OCI Authentication Type as ECR.
- Provide the registry URL in the Endpoint field. Exclude the `https://` prefix.
- If you are using a private ECR registry, toggle the Enable Authentication option to expose the authentication fields.
- Select the AWS Authentication Method. Choose Credentials if you want to provide static AWS credentials for an IAM user. Choose STS if you want Palette to assume an IAM role that has access to the ECR registry through the Security Token Service (STS). Refer to the tables below to learn more about each credential type.

  Credentials

  | Field | Description |
  |---|---|
  | Access Key | The access key ID of the IAM user. |
  | Secret access key | The secret access key of the IAM user. |

  STS

  | Field | Description |
  |---|---|
  | ARN | The Amazon Resource Name (ARN) of the IAM role to assume. Refer to the instructions exposed in the side-drawer to the right of the input field to review the IAM trust relationship changes you must add to your IAM role. |

  If you selected STS as the authentication method, you must add a trust relationship to the IAM role you are using to access the ECR registry. Refer to the instructions exposed in the side-drawer to the right of the input field to review the IAM trust relationship changes you must add to your IAM role. Failure to add the trust relationship will result in an error when you attempt to validate the registry.

- Click Confirm to complete adding the registry.
Validate
Use the following steps to validate that the OCI registry was added to Palette correctly.

- Log in to Palette.
- From the left Main Menu, click on Profiles.
- Click Add Cluster Profile.
- Provide a name and select the type Add-on.
- In the following screen, click Add Helm Chart and select Public Packs.
- Verify that the Helm Chart registry you added is displayed in the Registry drop-down Menu.