Configuring Next-Gen Trust Security registry access
This topic explains how to configure access to Palo Alto Networks Kubernetes components in the private Next-Gen Trust Security OCI registry so you can pull container images and Helm charts.
To authenticate with the private registry, you'll need to create a Built-in account in Next-Gen Trust Security. Then, you'll use the account credentials to authenticate in your Kubernetes cluster with a pull secret or on your virtual machine with docker login.
NGTS registry URLs
The Next-Gen Trust Security OCI registry is at registry.ngts.paloaltonetworks.com. Most component images are private and require authentication through a pull secret.
- Private images: registry.ngts.paloaltonetworks.com/<component>/<image>. Includes all standard, FIPS, and PKCS#11 images.
- Public images: Only Distributed Issuer and Discovery Agent publish public images that require no authentication.
- Helm charts: oci://registry.ngts.paloaltonetworks.com/charts/<chart>. All charts are public and require no authentication.
Prerequisites
To configure private registry access, you'll need:
- From Next-Gen Trust Security, an OCI Registry Built-in Account. Save the username and password provided during account creation.
- On your local machine, kubectl and Docker.
- Administrative access to your cluster or Linux virtual machine.
Authenticating to the private registry
The following sections explain how to authenticate to the private registry using Docker, Kubernetes, or Helm.
To authenticate with Docker
- Sign in to the private registry with your Built-in Account username and password, replacing your-username with your Built-in Account username, for example sa@3bdc33de-a250-46f2-bdf9-d755970193fb:
docker login https://registry.ngts.paloaltonetworks.com \
  --username your-username
- When prompted, enter your password.
To authenticate with Kubernetes
Use kubectl to create a secret so your Kubernetes clusters can pull images from the private registry:
kubectl create secret docker-registry ngts-image-pull-secret \
--namespace venafi \
--docker-server=registry.ngts.paloaltonetworks.com \
--docker-username=<username> \
--docker-password=<password>
Verify your pull secret
To display a secret you previously created (jq only pretty-prints the decoded JSON; omit the last pipe if it is not installed):
kubectl get secret ngts-image-pull-secret --namespace venafi \
--output="jsonpath={.data.\.dockerconfigjson}" \
| base64 --decode \
| jq
Example output:
{
  "auths": {
    "registry.ngts.paloaltonetworks.com": {
      "username": "sa@3bdc33de-a250-46f2-bdf9-d755970193fb",
      "auth": "c2EtdXNAYmZiYWMx...pYZFpPT2xvTDhm"
    }
  }
}
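The following script is an added example and is not code from the Palo Alto Networks documentation or from the product. It reproduces the .dockerconfigjson document that kubectl create secret docker-registry writes (the auth field is the base64 encoding of username:password), encodes it as it appears under .data in the Secret, and then checks a decoded secret for the conditions that most often stop a pull from the NGTS registry: no entry for registry.ngts.paloaltonetworks.com, a username that is not the expected Built-in Account, or an auth value that no longer matches the username and password. The function names and the sample credentials are constructed for this example.

```python
"""Build and check a docker-registry pull secret for the NGTS registry.

Added example; not code from the Palo Alto Networks documentation or from the
product. Function names are hypothetical and the credentials below are
constructed sample values, not a real Built-in Account.
"""
import base64
import json

NGTS_REGISTRY = "registry.ngts.paloaltonetworks.com"


def build_dockerconfigjson(server: str, username: str, password: str) -> dict:
    """Return the .dockerconfigjson document that `kubectl create secret
    docker-registry` writes. The `auth` field is base64("username:password"),
    which is what the registry receives as the Basic credential."""
    auth = base64.b64encode(f"{username}:{password}".encode()).decode()
    return {"auths": {server: {"username": username, "password": password, "auth": auth}}}


def encode_secret_data(config: dict) -> str:
    """Encode the document as it appears under .data in the Secret object,
    i.e. what the jsonpath query prints before `base64 --decode`."""
    return base64.b64encode(json.dumps(config).encode()).decode()


def _registry_host(server: str) -> str:
    """Normalize an auths key: 'https://host/' and 'host' name the same registry."""
    for scheme in ("https://", "http://"):
        if server.startswith(scheme):
            server = server[len(scheme):]
    return server.rstrip("/")


def check_pull_secret(secret_data_b64: str, expected_username: str) -> list:
    """Decode a Secret's .dockerconfigjson value and return a list of problems
    (empty means the secret can authenticate to the NGTS registry as
    expected_username). Messages never include the password."""
    try:
        config = json.loads(base64.b64decode(secret_data_b64))
    except ValueError:  # covers binascii.Error and json.JSONDecodeError
        return ["secret data is not base64-encoded JSON"]
    auths = config.get("auths") if isinstance(config, dict) else None
    if not isinstance(auths, dict):
        return ["decoded document has no 'auths' object"]
    entry = next((v for k, v in auths.items() if _registry_host(k) == NGTS_REGISTRY), None)
    if entry is None:
        return [f"no entry for {NGTS_REGISTRY}; found {sorted(auths)}"]
    problems = []
    if entry.get("username") != expected_username:
        problems.append(f"username is {entry.get('username')!r}, expected {expected_username!r}")
    # auth must decode to username:password; a mismatch usually means the secret
    # was hand-edited or rebuilt after the Built-in Account credentials changed.
    try:
        decoded = base64.b64decode(entry.get("auth", "")).decode()
    except ValueError:
        decoded = ""
    user_part, _, pass_part = decoded.partition(":")
    if user_part != entry.get("username") or pass_part != entry.get("password", pass_part):
        problems.append("auth field does not match username:password")
    return problems


if __name__ == "__main__":
    # Constructed sample credentials; never commit real Built-in Account values.
    sample_user = "sa@00000000-0000-0000-0000-000000000000"
    config = build_dockerconfigjson(NGTS_REGISTRY, sample_user, "constructed-password")
    data = encode_secret_data(config)
    print("problems:", check_pull_secret(data, sample_user) or "none")
```

To check a secret already in a cluster, pass the raw value printed by the jsonpath query above (before base64 --decode) to check_pull_secret. The same auths structure is what docker login writes to ~/.docker/config.json when no credential helper is configured, so the checker applies to a virtual machine's Docker credentials as well.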
Additional setup
- Configure a mirroring repository: To set up Docker mirroring, follow the process for your mirroring tool, such as Artifactory.
- Firewall allowlisting: If required, add registry.ngts.paloaltonetworks.com to your corporate firewall allowlist.