Add OCI Packs Registry
You can add an OCI Pack registry to Palette and use the packs in your cluster profiles. OCI Pack registries are different from the legacy Pack registries. To interact with an OCI Pack registry, you use a tool, such as Oras CLI, to push and pull packs to and from the registry.
For guidance on how to add a custom pack to an OCI pack registry, check out the Deploy a Custom Pack tutorial.
Prerequisites
-
You must have a private OCI type Pack registry that supports basic authentication. Public OCI registries are not supported.
-
Credentials to access the OCI registry. If you are using an AWS ECR registry, you must have the AWS credentials to an IAM user or add a trust relationship to an IAM role so that Palette can access the registry.
-
If the OCI registry is using a self-signed certificate, or a certificate that is not signed by a trusted certificate authority (CA), you will need the certificate to add the registry to Palette.
-
Tenant admin access to Palette.
-
If you are using an AWS ECR registry, ensure you have the following Identity Access Management (IAM) permissions attached to the IAM user or IAM role that Palette will use to access the registry. You can reduce the
Resourcescope from*to the specific Amazon Resource Name (ARN) of the AWS ECR registry you are using.{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"ecr-public:DescribeRegistries",
"ecr:DescribeImageReplicationStatus",
"ecr:ListTagsForResource",
"ecr:ListImages",
"ecr:DescribeRepositories",
"ecr:BatchCheckLayerAvailability",
"ecr:GetLifecyclePolicy",
"ecr-public:DescribeImageTags",
"ecr-public:DescribeImages",
"ecr:GetRegistryPolicy",
"ecr-public:GetAuthorizationToken",
"ecr:DescribeImageScanFindings",
"ecr:GetLifecyclePolicyPreview",
"ecr:GetDownloadUrlForLayer",
"ecr-public:GetRepositoryCatalogData",
"ecr:DescribeRegistry",
"ecr:GetAuthorizationToken",
"ecr-public:GetRepositoryPolicy",
"ecr-public:DescribeRepositories",
"ecr:BatchGetImage",
"ecr:DescribeImages",
"ecr-public:GetRegistryCatalogData",
"ecr-public:ListTagsForResource",
"ecr-public:BatchCheckLayerAvailability",
"ecr:GetRepositoryPolicy"
],
"Resource": "*"
}
]
}Add OCI Packs Registry
Use the following steps to add an OCI Packs registry to Palette. Select the tab that corresponds to the type of OCI registry you are adding.
- Basic
- AWS ECR
-
Log in to the Palette as a Tenant administrator.
-
From the left Main Menu select Tenant Settings.
-
From the Tenant Settings Menu, Select Registries.
-
Click on the OCI Registries tab.
-
Click Add New OCI Registry.
-
Fill out the Name field and select Pack as the provider type.
-
Select the OCI Authentication Type as Basic.
-
Provide the registry URL in the Endpoint field.
-
Specify the Base Content Path. This is the path to the OCI registry where the OCI Packs are stored. For example, if the OCI registry URL is
https://registry.example.comand the OCI Packs are stored in theinternalrepository, the base content path isinternal. -
Fill out the Username and Password fields with the credentials to access the registry.
-
If your OCI registry server is using a self-signed certificate or if the server certificate is not signed by a trusted CA, check the Insecure Skip TLS Verify box to skip verifying the x509 certificate, and click Upload file to upload the certificate.
-
Click Confirm to complete adding the registry.
-
Log in to the Palette as a Tenant administrator.
-
From the left Main Menu select Tenant Settings.
-
From the Tenant Settings Menu, Select Registries.
-
Click on the OCI Registries tab.
-
Click Add New OCI Registry.
-
Fill out the Name field and select Pack as the provider type.
-
Select the OCI Authentication Type as ECR.
-
Provide the registry URL in the Endpoint field. Exclude the
https://prefix. -
Specify the Base Content Path. This is the path to the OCI registry where the OCI Packs are stored. For example, if the OCI registry URL is
https://registry.example.comand the OCI Packs are stored in thecustomrepository, the base content path iscustom. -
If you are using a private ECR registry, toggle the Enable Authentication option to expose the authentication fields.
-
Select the AWS Authentication Method. Choose Credentials if you want to provide the static AWS credentials for an IAM user. Choose STS if you want to Palette to assume an IAM role that has access to the ECR registry through the Security Token Service (STS). Refer to the table below to learn more about each credential type.
Credentials
| Field | Description |
|---|---|
| Access Key | The access key ID of the IAM user. |
| Secret access key | The secret access key of the IAM user. |
STS
| Field | Description |
|---|---|
| ARN | The Amazon Resource Name (ARN) of the IAM role to assume. Refer to the instructions exposed in the side-drawer to the right of the input field to review the IAM trust relationship changes you must add to your IAM role. |
If you selected STS as the authentication method, you must add a trust relationship to the IAM role you are using to access the ECR registry. Refer to the instructions exposed in the side-drawer to the right of the input field to review the IAM trust relationship changes you must add to your IAM role. Failure to add the trust relationship will result in an error when you attempt to validate the registry.
- Click Confirm to complete adding the registry.
Validate
Use the following steps to validate that the OCI registry is added to Palette correctly.
-
Log in to the Palette.
-
From the left Main Menu, click on Profiles.
-
Click Add Cluster Profile.
-
Provide a name and select the type Add-on.
-
In the following screen, click Add New Pack.
-
Verify the OCI Pack registry you added is displayed in the filter Registry drop-down Menu.
All the Packs in the OCI registry are displayed below, sorted by category. You can filter the Packs by Type or search for a specific Pack by name.