From d02b703c33afbbc2c2202ec429a17e2cdcb46665 Mon Sep 17 00:00:00 2001 From: LakshanSS Date: Tue, 20 Jan 2026 10:33:42 +0530 Subject: [PATCH 1/4] Add doc about deploying an image from private registry --- docs/use-cases/deploy-prebuilt-image.mdx | 116 ++++++++++++++++++++++- 1 file changed, 111 insertions(+), 5 deletions(-) diff --git a/docs/use-cases/deploy-prebuilt-image.mdx b/docs/use-cases/deploy-prebuilt-image.mdx index fe2bfc8..b51ac93 100644 --- a/docs/use-cases/deploy-prebuilt-image.mdx +++ b/docs/use-cases/deploy-prebuilt-image.mdx @@ -1,6 +1,6 @@ --- title: Deploy a Prebuilt Container Image -description: Deploy your existing container images to OpenChoreo without using the Build Plane. +description: Deploy your existing container images to OpenChoreo from public or private registries without using the Build Plane. sidebar_position: 5 --- @@ -13,7 +13,10 @@ This guide walks you through deploying a prebuilt container image to OpenChoreo. ## Overview -OpenChoreo supports deploying applications from prebuilt container images, commonly referred to as "Bring Your Own Image" (BYOI). +OpenChoreo supports deploying applications from prebuilt container images, commonly referred to as "Bring Your Own Image" (BYOI). You can deploy images from: + +- **Public registries** (e.g., Docker Hub, GitHub Container Registry public images) - No additional configuration needed +- **Private registries** - Requires setting up image pull credentials ## Prerequisites @@ -23,9 +26,9 @@ Before you begin, ensure you have: - **kubectl** configured to access your cluster - **A container image** to deploy -## Deploy an Image +## Deploy a Public Image -Deploying an image is straightforward - simply create the Component and Workload resources. +Deploying an image from a public registry is straightforward - simply create the Component and Workload resources. ### Example 
@@ -104,9 +107,112 @@ curl http://development.openchoreoapis.localhost:19080/my-app/ --- +## Deploy from a Private Registry + +To pull images from a private registry, you need to: + +1. Store your registry credentials in your secret store +2. Add an ExternalSecret resource to your ComponentType to sync the credentials +3. Add `imagePullSecrets` to the Deployment in your ComponentType + +### Store Registry Credentials + +:::note +This example uses the `default` ClusterSecretStore included with the default OpenChoreo installation. For production environments, see [Secret Management](../operations/secret-management.mdx) to configure a proper secret backend. +::: + +Here's an example using Docker Hub: + +**1. Generate the auth string** (base64-encoded `username:password`): + +```bash +echo -n "your-dockerhub-username:your-access-token" | base64 +``` + +**2. Create the Docker config JSON:** + +```json +{ + "auths": { + "https://index.docker.io/v1/": { + "auth": "eW91ci1kb2NrZXJodWItdXNlcm5hbWU6eW91ci1hY2Nlc3MtdG9rZW4=" + } + } +} +``` + +**3. Store the credentials in the ClusterSecretStore:** + +```bash +kubectl patch clustersecretstore default --type='json' -p='[ + { + "op": "add", + "path": "/spec/provider/fake/data/-", + "value": { + "key": "registry-credentials", + "value": "{\"auths\":{\"https://index.docker.io/v1/\":{\"auth\":\"\"}}}" + } + } +]' +``` + +Replace `` with the value generated in step 1. 
+ +### Update Your ComponentType + +Add an ExternalSecret resource to sync the registry credentials: + +```yaml +- id: registry-pull-secret + template: + apiVersion: external-secrets.io/v1 + kind: ExternalSecret + metadata: + name: registry-pull-secret + namespace: ${metadata.namespace} + spec: + refreshInterval: 15s + secretStoreRef: + name: ${dataplane.secretStore} + kind: ClusterSecretStore + target: + name: registry-pull-secret + creationPolicy: Owner + template: + type: kubernetes.io/dockerconfigjson + data: + - secretKey: .dockerconfigjson + remoteRef: + key: registry-credentials + property: dockerconfigjson +``` + +Then add `imagePullSecrets` to your Deployment template: + +```yaml +- id: deployment + template: + apiVersion: apps/v1 + kind: Deployment + metadata: + name: ${metadata.name} + namespace: ${metadata.namespace} + spec: + template: + spec: + imagePullSecrets: + - name: registry-pull-secret + containers: + - name: main + image: ${workload.containers.main.image} + # ... rest of container config +``` + +--- + ## Summary -You've learned how to deploy prebuilt container images using the OpenChoreo BYOI (Bring Your Own Image) flow. +You've learned how to deploy prebuilt container images using the OpenChoreo BYOI (Bring Your Own Image) flow from both public and private registries. ## Next Steps From 4bd5f84b21dba635b329d85d9ee9a3c5831d1503 Mon Sep 17 00:00:00 2001 From: LakshanSS Date: Tue, 20 Jan 2026 10:36:16 +0530 Subject: [PATCH 2/4] Update registry pull secret --- docs/use-cases/deploy-prebuilt-image.mdx | 1 - 1 file changed, 1 deletion(-) diff --git a/docs/use-cases/deploy-prebuilt-image.mdx b/docs/use-cases/deploy-prebuilt-image.mdx index b51ac93..9d28089 100644 --- a/docs/use-cases/deploy-prebuilt-image.mdx +++ b/docs/use-cases/deploy-prebuilt-image.mdx 
@@ -184,7 +184,6 @@ Add an ExternalSecret resource to sync the registry credentials: - secretKey: .dockerconfigjson remoteRef: key: registry-credentials - property: dockerconfigjson ``` Then add `imagePullSecrets` to your Deployment template: From df8838b3c218a4497c59b73cf282c76b7dca4d09 Mon Sep 17 00:00:00 2001 From: LakshanSS Date: Tue, 20 Jan 2026 10:42:37 +0530 Subject: [PATCH 3/4] Update description --- docs/use-cases/deploy-prebuilt-image.mdx | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/use-cases/deploy-prebuilt-image.mdx b/docs/use-cases/deploy-prebuilt-image.mdx index 9d28089..e58cdb7 100644 --- a/docs/use-cases/deploy-prebuilt-image.mdx +++ b/docs/use-cases/deploy-prebuilt-image.mdx @@ -15,7 +15,7 @@ This guide walks you through deploying a prebuilt container image to OpenChoreo. OpenChoreo supports deploying applications from prebuilt container images, commonly referred to as "Bring Your Own Image" (BYOI). You can deploy images from: -- **Public registries** (e.g., Docker Hub, GitHub Container Registry public images) - No additional configuration needed +- **Public registries** - No additional configuration needed - **Private registries** - Requires setting up image pull credentials ## Prerequisites @@ -109,7 +109,7 @@ curl http://development.openchoreoapis.localhost:19080/my-app/ ## Deploy from a Private Registry -To pull images from a private registry, you need to: +In addition to creating the Component and Workload resources as shown above, pulling images from a private registry requires setting up authentication. You need to: 1. Store your registry credentials in your secret store 2. Add an ExternalSecret resource to your ComponentType to sync the credentials From 6adfd2b1e23117ba3c8599b4a1b65521944b27ac Mon Sep 17 00:00:00 2001 
From: LakshanSS Date: Tue, 20 Jan 2026 11:02:32 +0530 Subject: [PATCH 4/4] Address review suggestions --- docs/use-cases/deploy-prebuilt-image.mdx | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/use-cases/deploy-prebuilt-image.mdx b/docs/use-cases/deploy-prebuilt-image.mdx index e58cdb7..a208ac7 100644 --- a/docs/use-cases/deploy-prebuilt-image.mdx +++ b/docs/use-cases/deploy-prebuilt-image.mdx @@ -26,7 +26,7 @@ Before you begin, ensure you have: - **kubectl** configured to access your cluster - **A container image** to deploy -## Deploy a Public Image +## Deploy from a Public Registry Deploying an image from a public registry is straightforward - simply create the Component and Workload resources. @@ -135,7 +135,7 @@ echo -n "your-dockerhub-username:your-access-token" | base64 { "auths": { "https://index.docker.io/v1/": { - "auth": "eW91ci1kb2NrZXJodWItdXNlcm5hbWU6eW91ci1hY2Nlc3MtdG9rZW4=" + "auth": "" } } }
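Review bot: in PATCH 1/4, step 1 of "Store Registry Credentials" (`echo -n "your-dockerhub-username:your-access-token" | base64`) can produce a broken `auth` value, because GNU `base64` wraps its output at 76 characters and a longer username and token pair comes out with an embedded newline. Suggest `base64 -w0` on GNU coreutils, or piping through `tr -d '\n'`, and mention that the command as written leaves the access token in shell history. In the same hunk the ExternalSecret and its target are both named `registry-pull-secret` while the Deployment is named `${metadata.name}`, so if two components of this ComponentType render into one namespace they would contend for the same secret; consider deriving the name from `${metadata.name}`. `refreshInterval: 15s` also reads as a demo setting and deserves a comment or a longer value.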
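Review bot: in PATCH 2/4, with `property: dockerconfigjson` dropped from `remoteRef`, the sync depends on the `registry-credentials` value being the entire Docker config JSON, which is what step 3 stores, but the doc never states that. Add a sentence under the ExternalSecret block saying the whole stored value becomes `.dockerconfigjson`, so readers whose backend stores structured secrets know when they would need `property`. Since PATCH 1/4 introduces the line this removes, squashing the two would keep the history free of a version that references a property the stored JSON (top-level key `auths` only) does not have.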
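Review bot: in PATCH 4/4, the `@@ -135,7 +135,7 @@` hunk leaves `"auth": ""` as a literal empty string, and step 3's `kubectl patch` value and the sentence "Replace `` with the value generated in step 1" show the same empty slot, so the reader is never told which token to substitute. If an angle-bracket placeholder was intended, check that it survives MDX rendering; a plain token such as `BASE64_AUTH`, used identically in the JSON, the patch command and the sentence, avoids the problem.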