Configuring access to Venafi OCI Registry

This guide provides instructions on configuring access to Venafi Kubernetes components via a private OCI registry if you have already acquired access credentials. You'll learn how to access container images, Helm charts, and other artifacts, ensuring secure and streamlined operation within your Kubernetes infrastructure.

If you don't have Venafi OCI registry access credentials yet, see Acquiring Venafi OCI registry credentials.

Prerequisites

  • Basic understanding of Kubernetes and container image registries.
  • Access to a system with kubectl. For testing, make sure that docker is also installed.
  • Administrative access to your Kubernetes or OpenShift cluster.

Authenticating your Docker instance

  1. If you already have credentials in the form of a username and password, and want to authenticate your Docker instance in order to pull images from the Venafi OCI registry, use the following command:

    docker login https://private-registry.venafi.cloud --username REPLACE_WITH_YOUR_SERVICE_ACCOUNT_USERNAME
    
  2. Enter your password when prompted.

Creating a Kubernetes secret

If you have credentials in the form of a username and password, or in the form of a dockerconfigjson file, you can use kubectl to create a secret so your Kubernetes clusters can pull images from the Venafi OCI registry. With a username and password:

    kubectl create secret docker-registry venafi-image-pull-secret --namespace venafi --docker-server=private-registry.venafi.cloud --docker-username=<your-name> --docker-password=<your-password> --docker-email=<your-email>

With an existing dockerconfigjson file:

    kubectl create secret generic venafi-image-pull-secret --namespace venafi --from-file=.dockerconfigjson=<path/to/.docker/config.json> --type=kubernetes.io/dockerconfigjson

Investigating your Kubernetes secret

  1. If you want to check that your secret is correctly configured, use the following command:

    kubectl get secret venafi-image-pull-secret --namespace venafi --output=yaml
    

    The output is similar to the following:

    apiVersion: v1
    kind: Secret
    metadata:
      ...
      name: venafi-image-pull-secret
      ...
    data:
      .dockerconfigjson: eyJodHRwczovL2luZGV4L ... J0QUl6RTIifX0=
    type: kubernetes.io/dockerconfigjson
    
  2. The value of the .dockerconfigjson field is a base64 representation of your Docker credentials. To decode it and see the username and password it contains, convert the secret data to a readable format using the following command:

    kubectl get secret venafi-image-pull-secret --namespace venafi --output="jsonpath={.data.\.dockerconfigjson}" | base64 --decode
    

    This command produces an output similar to the following:

    {"auths":{"private-registry.venafi.cloud":{"username":"marysmith","password":"xxxxxxxxxxx","email":"msmith@yourcompany.com","auth":"c3R...zE2"}}}
    
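The two sections above create and then hand-inspect the pull secret. The following added example (not part of the Venafi documentation) does the same checks programmatically: it builds the dockerconfigjson that `kubectl create secret generic --from-file=.dockerconfigjson=...` expects, and validates the base64 value printed by the jsonpath command, confirming that an `auths` entry exists for the region's registry and that its `auth` field really is base64("username:password"). The function names and the sample credentials are constructed for this example.

```python
import base64
import json

# Region-specific registry hosts named on this page.
VENAFI_REGISTRIES = {"us": "private-registry.venafi.cloud",
                     "eu": "private-registry.venafi.eu"}

def build_dockerconfigjson(username, password, email=None, region="us"):
    """JSON for the .dockerconfigjson key; 'auth' is base64("user:pass"),
    the HTTP Basic credential the registry receives on every image pull."""
    auth = base64.b64encode(f"{username}:{password}".encode()).decode()
    entry = {"username": username, "password": password, "auth": auth}
    if email:
        entry["email"] = email
    return json.dumps({"auths": {VENAFI_REGISTRIES[region]: entry}})

def to_secret_data(config_json):
    """Base64-encode config JSON as it appears under data: in the secret."""
    return base64.b64encode(config_json.encode()).decode()

def check_pull_secret(secret_data_b64, region="us"):
    """Validate data['.dockerconfigjson']; returns a list of problems
    (empty means the secret holds a usable credential for that registry)."""
    server = VENAFI_REGISTRIES[region]
    try:
        cfg = json.loads(base64.b64decode(secret_data_b64))
    except ValueError as exc:  # covers bad base64, bad UTF-8 and bad JSON
        return [f"not a base64-encoded JSON document: {exc}"]
    entry = cfg.get("auths", {}).get(server)
    if entry is None:
        return [f"no auths entry for {server}"]
    auth = entry.get("auth")
    if not auth:  # Kubernetes also accepts a plain username/password pair
        return [] if entry.get("username") and entry.get("password") else [
            "neither auth nor username/password present"]
    try:
        decoded = base64.b64decode(auth).decode()
    except ValueError:
        decoded = None
    if decoded != f"{entry.get('username', '')}:{entry.get('password', '')}":
        return ["auth field does not match username:password"]
    return []

# Constructed sample standing in for `kubectl get secret ... -o jsonpath`.
SAMPLE_SECRET_DATA = to_secret_data(
    build_dockerconfigjson("marysmith", "xxxxxxxxxxx", "msmith@yourcompany.com"))

if __name__ == "__main__":
    print(check_pull_secret(SAMPLE_SECRET_DATA) or "pull secret OK")
```

To check a real secret, pipe the output of the jsonpath command from step 2 (without `| base64 --decode`) into `check_pull_secret`; a secret created for the US registry will report a missing `auths` entry when checked with `region="eu"`.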

Helm configuration

If you have downloaded the key file previously (from the Venafi Control Plane UI or using the venctl command), you can use the --registry-config flag to let Helm authenticate with the enterprise registry when retrieving the Helm chart.

You can use the following region-specific OCI registries:

  • US: oci://private-registry.venafi.cloud/
  • EU: oci://private-registry.venafi.eu/

For example:

    helm template cert-discovery-venafi \
      oci://private-registry.venafi.cloud/charts/cert-discovery-venafi \
      --registry-config venafi_registry_docker_config.json

All Venafi charts use container images in the enterprise registry. Ensure you create the image pull secret in the namespace where the chart will be installed. The installation instructions for each chart provide detailed guidance on the flags that set the ImagePullSecret.

Additional configurations

Configuring mirroring repository

  • Set up Docker mirroring: follow the specific process for your mirroring tool (for example, Artifactory), configuring it with your service account credentials:

    Username: REPLACE_WITH_YOUR_SERVICE_ACCOUNT_USERNAME
    Password: REPLACE_WITH_YOUR_SERVICE_ACCOUNT_PASSWORD
    

Tip

More information on mirroring for Artifactory can be found here.

Allow domains

Add the following domains to your corporate firewall allowlist as required:

For the US region:

  • private-registry.venafi.cloud

For the EU region:

  • private-registry.venafi.eu