If you use a private OCI registry for hosting module resources, follow the instructions to provide your authentication credentials.
For a private registry that requires access permissions, each major registry provider offers standard Docker access credentials with a username and password combination.
As an example, Docker Hub lets you create personal access tokens as an alternative to your password.
Before you proceed, prepare your registry credentials. Check also how to deal with the credentials rotation as is not covered in this guide.
TIP: To comply with the principle of least privilege (PoLP), make sure these credentials have no more than the read-only permissions granted.
-
Create a docker-registry Secret manifest. Run:
kubectl create secret docker-registry [secret name] --docker-server=[your oci registry host] --docker-username=[username] --docker-password=[password/token] --dry-run=client -oyaml > registry_cred_secret.yaml
-
Add the following labels to the Secret so that it can be configured later in the ModuleTemplate custom resource (CR) as a label selector.
apiVersion: v1 kind: Secret metadata: labels: "operator.kyma-project.io/managed-by": "lifecycle-manager" "operator.kyma-project.io/oci-registry-cred": "test-operator"
NOTE: The
"operator.kyma-project.io/managed-by": "lifecycle-manager"
label is mandatory for the Lifecycle Manager runtime controller to know which resources to cache. -
Deploy the Secret on the same cluster where the ModuleTemplate CR is to be located. For example, if the ModuleTemplate CR is on the SKR cluster, then the Secret should be deployed to the SKR. Otherwise, it should be deployed to the KCP cluster.
The oci-registry-cred
label in a ModuleTemplate CR allows Lifecycle Manager to parse the Secret label selector and propagate it to the Manifest CR so that Lifecycle Manager knows which credentials Secret to look up.
To support the ModuleTemplate CR with the oci-registry-cred
label, use modulectl with the registry-cred-selector
flag for creating a module command.
For example, you can run the following command to push your module image and generate a ModuleTemplate CR with the oci-registry-cred
label:
kyma alpha create module --module-config-file [module config file] --registry [private oci registry] -c [access credential with write permission] --registry-cred-selector=operator.kyma-project.io/oci-registry-cred=test-operator
Verify in each descriptor.component.resources layer, if it contains the oci-registry-cred
label.
descriptor:
component:
resources:
- access:
digest: sha256:bc2a16d9b01b4809f8123e9402e2c6e6be2ef815975ad4131282ceb33af4d5a5
type: localOciBlob
labels:
- name: oci-registry-cred
value:
operator.kyma-project.io/oci-registry-cred: test-operator
With this ModuleTemplate CR, Lifecycle Manager should access a private OCI registry without any authentication problems.