Skip to content

Configuring access to Venafi OCI Registry

This guide provides instructions on configuring access to Venafi Kubernetes components via a private OCI registry if you have already acquired access credentials. You'll learn how to access container images, Helm charts, and other artifacts, ensuring secure and streamlined operation within your Kubernetes infrastructure.

If you don't have Venafi OCI registry access credentials yet, see Acquiring Venafi OCI registry credentials.


  • Basic understanding of Kubernetes and container image registries.
  • Access to a system with kubectl. For testing, make sure that docker is also installed.
  • Administrative access to your Kubernetes or OpenShift cluster.

Authenticating your Docker instance

  1. If you already have credentials in the form of a username and password, and want to authenticate your Docker instance in order to pull images from the Venafi OCI registry, use the following command:

  2. Enter your password when prompted.

Creating a Kubernetes secret

If you have credentials in the form of a username and password, or in the form of dockerconfigjson, you can use kubectl to create a secret so your Kubernetes clusters can pull images from the Venafi OCI registry:

kubectl create secret docker-registry venafi-image-pull-secret --namespace venafi --docker-username=<your-name> --docker-password=<your-password> --docker-email=<your-email>
kubectl create secret generic venafi-image-pull-secret --namespace venafi --from-file=.dockerconfigjson=<path/to/.docker/config.json>

Investigating your Kubernetes secret

  1. If you want to check that your secret is correctly configured, use the following commands:

    kubectl get secret venafi-image-pull-secret --namespace venafi --output=yaml

    The output is similar to the following:

    apiVersion: v1
    kind: Secret
      name: venafi-image-pull-secret
      .dockerconfigjson: eyJodHRwczovL2luZGV4L ... J0QUl6RTIifX0=
  2. The value of the .dockerconfigjson field is a base64 representation of your Docker credentials. To decode it and see the username and password it contains, convert the secret data to a readable format using the following command:

    kubectl get secret venafi-image-pull-secret --namespace venafi --output="jsonpath={.data.\.dockerconfigjson}" | base64 --decode

    This command produces an output similar to the following:


Helm configuration

  1. If you have downloaded the key file previously (from the Venafi Control Plane UI or using the venctl command), you can use the --registry-config flag to let Helm authenticate with the enterprise registry when retrieving the Helm chart.

You can use the following region-specific OCI registries:

  • US: oci://
  • EU: oci://

For example:

helm template cert-discovery-venafi \
oci:// \
 --registry-config venafi_registry_docker_config.json

All Venafi charts use container images in the enterprise registry. Ensure you install the credentials to the desired namespace in your cluster. The installation instructions for the chart will provide detailed guidance on specifying the flags that set the ImagePullSecret.

Additional configurations

Configuring mirroring repository

  • Set up Docker mirroring: Follow the specific process for your mirroring tool, like Artifactory.

    1. Set up docker mirroring with:


More information on mirroring for Artifactory can be found here.

Allow domains

Add the following domains to your corporate firewall allowlist as required:

For the US region:


For the EU region: