Configure an external container registry

To use an external container registry with Kalix, you need to give Kalix permissions to connect to your registry. To add credentials for your container registry to Kalix, you can use the Kalix CLI or the Kalix Console.

If the container registry you’re using does not require authentication, you don’t have to add any credentials. Kalix will automatically pull the container image using the URL you use to deploy your service.

External container registries are configured by creating a Kalix secret, and then configuring your Kalix project to use that secret as docker registry credentials. The secret, and project configuration, are both managed by the kalix docker command.

There are four parameters you need to specify, depending on the registry you want to connect to:

  • Server: The first part of the container image URL. For example, if your image is at us.gcr.io/my-project/my-image, the server is https://us.gcr.io (mandatory).

  • Username: The username (optional).

  • Email: The email address (optional).

  • Password: The password (mandatory).

Use the kalix docker add-credentials command.

kalix docker add-credentials --docker-server <my-server> \
  --docker-username <my-username> \
  --docker-email <my-email> \
  --docker-password <my-password>

The placeholders correspond, in order, to the Server, Username, Email and Password parameters described above.

If you wish to specify the name of the secret that you want to use, that can be done using the --secret-name parameter. By default, if not specified, the name of the secret will be docker-credentials.

Updating credentials

The add-credentials command can also be used to update existing credentials. If a --secret-name was specified when the credentials were added, pass the same --secret-name when updating them.

Listing credentials

To list all container registry credentials for your Kalix project, you can use the Kalix CLI or the Kalix Console. For security purposes, neither the CLI nor the Console will show the password of the configured registry.

Use the kalix docker list-credentials command:

kalix docker list-credentials

The results should look something like:

NAME                STATUS  SERVER             EMAIL             USERNAME
docker-credentials  OK      https://us.gcr.io  user@example.com  _json_key

Removing credentials

To remove container registry credentials from your Kalix project, you can use the Kalix CLI or the Kalix Console.

If you specified a --secret-name when creating the credentials, this is the name that you must pass to the command to remove. Otherwise, you should pass the default secret name of docker-credentials. The name of the secret appears in the NAME column when listing credentials.

kalix docker delete-credentials docker-credentials

Note that this only removes the credentials from the project's configuration; it does not delete the underlying secret. To delete the secret as well, run:

Use the 'ID' returned from the kalix docker list-credentials command as the ID in the kalix docker delete-credentials command:

kalix secrets delete docker-credentials

Supported external registries

Private container registries

To connect your Kalix project to private or self-hosted container registries, the parameters you need are:

  • Server: The full URL of your container registry, including the API version (like https://mycontainerregistry.example.com/v1/).

  • Username: Your username.

  • Email: Your email address.

  • Password: Your password.

Docker Hub

To connect your Kalix project to Docker Hub, the parameters you need are:

  • Server: https://index.docker.io/v1/.

  • Username: Your Docker Hub username.

  • Email: Your Docker Hub email address.

  • Password: Your Docker Hub password or Personal Access Token.

When you use the Kalix Console, you don’t need to provide the Server URL.

Limits on unauthenticated and free usage

Docker has rate limits for unauthenticated and free Docker Hub usage. For unauthenticated users, pull rates are limited based on IP address (anonymous, or unauthenticated, users have a limit of 100 container image pulls per 6 hours per IP address). Kalix leverages a limited set of IP addresses to connect to Docker Hub. This means that unauthenticated image pulls might be rate limited. The limit for unauthenticated pulls is shared by all users of the Kalix platform.

Google Container Registry

To connect your Kalix project to Google Container Registry (GCR), you’ll need:

  • An active Google Cloud Platform account.

  • The Registry API enabled on your Google Cloud project.

  • The ID that corresponds with your GCP project.

    1. Create the service account.

      In the following example the service account is named kalix-docker-reader. Run the create command in your terminal if you have the GCP shell tools installed. Or, run the command from the browser using Cloud Shell Terminal in the Google Cloud Platform (GCP) project.

      gcloud iam service-accounts create kalix-docker-reader
    2. Grant the GCP storage object viewer role to the service account.

      In the following example, replace <gcp-project-id> with the GCP project ID.

      gcloud projects add-iam-policy-binding <gcp-project-id> \
        --member "serviceAccount:kalix-docker-reader@<gcp-project-id>.iam.gserviceaccount.com" \
        --role "roles/storage.objectViewer"
    3. Generate the service account _json_key.

      gcloud iam service-accounts keys create keyfile.json \
        --iam-account kalix-docker-reader@<gcp-project-id>.iam.gserviceaccount.com
    4. Configure your Kalix project to use these credentials, by passing the contents of the key file as the password.

      kalix docker add-credentials --docker-server https://us.gcr.io \
        --docker-username _json_key \
        --docker-email anyemail@example.com \
        --docker-password "$(cat keyfile.json)"
      Find detailed configuration instructions in the Google documentation.
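Steps 3 and 4 leave a long-lived service account key in keyfile.json in the working directory. The following is an added example, not part of the Kalix documentation, that runs the same two commands but keeps the key in a private temporary directory and removes it afterwards, whether or not registration succeeds. The function name register_gcr_key and the KALIX_GCR_SERVER variable are hypothetical; gcloud and kalix are assumed to be installed and authenticated.

```shell
#!/bin/sh
# Added example (not from the Kalix docs): create a key for the
# kalix-docker-reader service account, hand it to Kalix, and make sure the
# key file does not outlive the command.
# Assumed names: register_gcr_key, KALIX_GCR_SERVER (both hypothetical).
# Usage: register_gcr_key <gcp-project-id>

register_gcr_key() {
  local project_id="$1"
  local sa="kalix-docker-reader@${project_id}.iam.gserviceaccount.com"
  local server="${KALIX_GCR_SERVER:-https://us.gcr.io}"
  local tmpdir keyfile rc=0

  [ -n "$project_id" ] || {
    echo "usage: register_gcr_key <gcp-project-id>" >&2
    return 2
  }

  # mktemp -d creates a directory only the current user can enter (mode 0700).
  tmpdir="$(mktemp -d)" || return 1
  keyfile="$tmpdir/keyfile.json"

  # Run in a subshell so the restrictive umask does not leak to the caller.
  (
    umask 077
    gcloud iam service-accounts keys create "$keyfile" --iam-account "$sa" &&
    [ -s "$keyfile" ] &&   # refuse to register an empty key file
    kalix docker add-credentials --docker-server "$server" \
      --docker-username _json_key \
      --docker-email anyemail@example.com \
      --docker-password "$(cat "$keyfile")"
  ) || rc=$?

  # Remove the key material on success and on failure alike.
  rm -rf "$tmpdir"
  return "$rc"
}
```

As with the command on this page, the key is still passed to kalix as a command-line argument, so it is visible to local users who can read the process list while the command runs.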

Azure Container Registry

To connect your Kalix project to Azure Container Registry (ACR), the parameters you need are:

  • Server: <registry name>.azurecr.io.

  • Password: The password is based on the "service principal." To create a service principal (like kalix-docker-reader) run the command below.

    ACR_REGISTRY_ID=$(az acr show --name kalix-registry --query id --output tsv)
    SP_PASSWD=$(az ad sp create-for-rbac --name http://kalix-docker-reader --scopes "$ACR_REGISTRY_ID" --role acrpull --query password --output tsv)
  • Username: The username is the application ID of the "service principal." To retrieve the ID, run the command below.

    SP_APP_ID=$(az ad sp show --id http://kalix-docker-reader --query appId --output tsv)

When you use the Kalix Console, you only need to fill in the registry name for the Server URL.