Merge pull request #3366 from replicatedhq/modify-image-refs-in-values-file

paigecalvert · web-flow · commit 87eb215fcaf9 · 2025-07-15T08:40:16.000-06:00
Edit docs on using the proxy registry
diff --git a/docs/partials/helm/_helm-install-prereqs.mdx b/docs/partials/helm/_helm-install-prereqs.mdx
@@ -2,6 +2,6 @@
 
 * The customer used to install must have the **Existing Cluster (Helm CLI)** install type enabled. If installing into an air gap environment, additionally enable the **Helm CLI Air Gap Instructions** option for the customer. For more information about enabling install types for customers in the Vendor Portal, see [Manage Install Types for a License](licenses-install-types).
 
-* To ensure that the Replicated proxy registry can be used to grant proxy access to your application images during Helm installations, you must create an image pull secret for the proxy registry and add it to your Helm chart. To do so, follow the steps in [Using the Proxy Registry with Helm Installations](/vendor/helm-image-registry).
+* To ensure that the Replicated proxy registry can be used to grant proxy access to your application images during Helm installations, you must create an image pull secret for the proxy registry and add it to your Helm chart. To do so, follow the steps in [Use the Proxy Registry with Helm CLI Installations](/vendor/helm-image-registry).
 
 * Declare the SDK as a dependency in your Helm chart. For more information, see [Install the SDK as a Subchart](replicated-sdk-installing#install-the-sdk-as-a-subchart) in _Installing the Replicated SDK_.
diff --git a/docs/partials/proxy-service/_step-additional-ns.mdx b/docs/partials/proxy-service/_step-additional-ns.mdx
@@ -0,0 +1 @@
+If you are deploying Pods to namespaces other than the application namespace, add the namespace to the `additionalNamespaces` attribute of the KOTS Application custom resource. This ensures that KOTS can provision the `imagePullSecret` in the namespace to allow the Pod to pull the image. For instructions, see [Define Additional Namespaces](operator-defining-additional-namespaces).
diff --git a/docs/vendor/helm-image-registry.mdx b/docs/vendor/helm-image-registry.mdx
@@ -1,64 +1,32 @@
 import StepCreds from "../partials/proxy-service/_step-creds.mdx"
 import StepCustomDomain from "../partials/proxy-service/_step-custom-domain.mdx"
+import RewriteHelmValues from "../partials/proxy-service/_step-rewrite-helm-values.mdx"
 
-# Use the Proxy Registry with Helm Installations
+# Use the Proxy Registry with Helm CLI Installations
 
-This topic describes how to use the Replicated proxy registry to proxy images for installations with the Helm CLI. For more information about the proxy registry, see [About the Replicated Proxy Registry](private-images-about).
+This topic describes how to configure your application to use the Replicated proxy registry with Helm CLI installations. For more information about the proxy registry, see [About the Replicated Proxy Registry](private-images-about). For more information about installing applications distributed with Replicated using Helm, see [About Helm Installations with Replicated](/vendor/helm-install-overview).
 
 ## Overview
 
-With the Replicated proxy registry, each customer's unique license can grant proxy access to images in an external private registry.
+During Helm CLI installations with Replicated, after customers provide their unique license ID, a `global.replicated.dockerconfigjson` field that contains a base64 encoded Docker configuration file is automatically injected in the Helm chart values.
 
-During Helm installations, after customers provide their license ID, a `global.replicated.dockerconfigjson` field that contains a base64 encoded Docker configuration file is automatically injected in the Helm chart values. You can use this `global.replicated.dockerconfigjson` field to create the pull secret required to authenticate with the proxy registry, allowing you to use the proxy registry for images in your Helm charts.
+You can use this `global.replicated.dockerconfigjson` field to create the pull secret required to authenticate with the proxy registry. For more information about how Kubernetes uses the `kubernetes.io/dockerconfigjson` Secret type to provide authentication for a private registry, see [Pull an Image from a Private Registry](https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/) in the Kubernetes documentation.
 
-Additionally, if you include the Replicated SDK as a dependency in your Helm chart, the image used by the Replicated SDK is automatically proxied through the proxy registry.
+:::note
+For Helm charts that include the Replicated SDK as a dependency, the image used by the Replicated SDK is automatically proxied through the proxy registry. No additional configuration is required. For more information, see [About the Replicated SDK](/vendor/replicated-sdk-overview).
+:::
 
-## Pull Private Images Through the Proxy Registry in Helm Installations
+## Configure Your Application to Use the Proxy Registry
 
-To use the Replicated proxy registry for applications installed with Helm:
+To configure your application to use the proxy registry with Helm CLI installations:
 
 1. <StepCreds/>
 
 1. <StepCustomDomain/>
 
-1. In your Helm chart values file, set your image repository URL to the location of the image on the proxy registry. If you added a custom domain, use your custom domain. Otherwise, use `proxy.replicated.com`.
+1. <RewriteHelmValues/>
 
-      The proxy registry URL has the following format: `DOMAIN/proxy/APP_SLUG/EXTERNAL_REGISTRY_IMAGE_URL`
-      
-      Where:
-      * `DOMAIN` is either `proxy.replicated.com` or your custom domain.
-      * `APP_SLUG` is the unique slug of your application.
-      * `EXTERNAL_REGISTRY_IMAGE_URL` is the path to the private image on your external registry.
-      
-      **Example:**
-
-      ```yaml
-      # values.yaml
-      api:
-        image:
-          # proxy.replicated.com or your custom domain
-          registry: proxy.replicated.com
-          repository: proxy/your-app/ghcr.io/cloudnative-pg/cloudnative-pg
-          tag: catalog-1.24.0
-      ```
-
-1. Ensure that any references to the image in your Helm chart access the field from your values file.  
-
-   **Example**:
-
-    ```yaml
-    apiVersion: v1
-    kind: Pod
-    spec:
-      containers:
-        - name: api 
-            # Access the registry, repository, and tag fields from the values file
-            image: {{ .Values.images.api.registry }}/{{ .Values.images.api.repository }}:{{ .Values.images.api.tag }}
-    ```
-
-1. In your Helm chart templates, create a Kubernetes Secret to evaluate if the `global.replicated.dockerconfigjson` value is set and then write the rendered value into a Secret on the cluster, as shown below.
-
-   This Secret is used to authenticate with the proxy registry. For information about how Kubernetes uses the `kubernetes.io/dockerconfigjson` Secret type to provide authentication for a private registry, see [Pull an Image from a Private Registry](https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/) in the Kubernetes documentation. 
+1. In your Helm chart templates, add a YAML file that evaluates if the `global.replicated.dockerconfigjson` value is set, and then writes the rendered value into a Secret on the cluster, as shown below.
 
    :::note
    Do not use `replicated` for the name of the image pull secret because the Replicated SDK automatically creates a Secret named `replicated`. Using the same name causes an error.
@@ -79,8 +47,7 @@ To use the Replicated proxy registry for applications installed with Helm:
    {{ end }}
    ```
    
-
-1. Add the image pull secret that you created to any manifests that reference the image:
+1. Add the image pull secret that you created to any manifests that reference the image.
 
    **Example:**
 
diff --git a/docs/vendor/packaging-public-images.mdx b/docs/vendor/packaging-public-images.mdx
@@ -6,7 +6,7 @@ For more information about the Replicated proxy registry, see [About the Replica
 
 ## Pull Public Images Through the Replicated Proxy Registry
 
-You can use the Replicated proxy registry to pull both public and private images. Using the Replicated proxy registry for public images can simplify network access requirements for your customers, as they only need to whitelist a single domain (either `proxy.replicated.com` or your custom domain) instead of multiple registry domains. These are authenticated requests to avoid the proxy from hitting rate limits and preventing pulls. For more information about how to reference these in your values, see [Use the Proxy Registry with Helm Installations](/vendor/helm-image-registry).
+You can use the Replicated proxy registry to pull both public and private images. Using the Replicated proxy registry for public images can simplify network access requirements for your customers, as they only need to whitelist a single domain (either `proxy.replicated.com` or your custom domain) instead of multiple registry domains. These are authenticated requests to avoid the proxy from hitting rate limits and preventing pulls. For more information about how to reference these in your values, see [Use the Proxy Registry with Helm CLI Installations](/vendor/helm-image-registry).
 
 > [!IMPORTANT]  
 > For public images, you need to first configure registry credentials.
diff --git a/docs/vendor/private-images-about.md b/docs/vendor/private-images-about.md
@@ -19,8 +19,8 @@ The following diagram demonstrates how the proxy registry pulls images from your
 The proxy registry requires read-only credentials to your private registry to access your application images. See [Connect to an External Registry](/vendor/packaging-private-images).
 
 After connecting your registry, the steps the enable the proxy registry vary depending on your application deployment method. For more information, see:
-* [Using the Proxy Registry with KOTS Installations](/vendor/private-images-kots)
-* [Using the Proxy Registry with Helm Installations](/vendor/helm-image-registry)
+* [Use the Proxy Registry with Replicated Installers](/vendor/private-images-kots)
+* [Use the Proxy Registry with Helm CLI Installations](/vendor/helm-image-registry)
 
 ## About Allowing Pull-Through Access of Public Images
 
diff --git a/docs/vendor/private-images-kots.mdx b/docs/vendor/private-images-kots.mdx
@@ -1,24 +1,67 @@
 import Deprecated from "../partials/helm/_replicated-deprecated.mdx"
 import StepCreds from "../partials/proxy-service/_step-creds.mdx"
 import StepCustomDomain from "../partials/proxy-service/_step-custom-domain.mdx"
+import RewriteHelmValues from "../partials/proxy-service/_step-rewrite-helm-values.mdx"
+import AdditionalNs from "../partials/proxy-service/_step-additional-ns.mdx"
+import InjectPullSecret from "../partials/proxy-service/_step-inject-pull-secret.mdx"
 
-# Use the Proxy Registry with KOTS Installations
+# Use the Proxy Registry with Replicated Installers
 
-This topic describes how to use the Replicated proxy registry with applications deployed with Replicated KOTS.
+This topic describes how to use the Replicated proxy registry for applications deployed with Replicated installers (Embedded Cluster, KOTS existing cluster, or kURL). For more information about the proxy registry, see [About the Replicated Proxy Registry](private-images-about).
 
-## Overview
+## Configure Your Application to Use the Proxy Registry
 
-Replicated KOTS automatically creates the required image pull secret for accessing the Replicated proxy registry during application deployment. When possible, KOTS also automatically rewrites image names in the application manifests to the location of the image at `proxy.replicated.com` or your custom domain.  
+These steps assume that you package your application with Helm and that you install with the KOTS [HelmChart v2](/reference/custom-resource-helmchart-v2) custom resource.
 
-### Image Pull Secret
+If you are installing with the HelmChart v1 custom resource, or if your application is not packaged with Helm, there are different steps for configuring your application to use the proxy registry. See [Configure Other Application Types](#other) below.
 
-During application deployment, KOTS automatically creates an `imagePullSecret` with `type: kubernetes.io/dockerconfigjson` that is based on the customer license. This secret is used to authenticate with the proxy registry and grant proxy access to private images.
+To configure your application to use the proxy registry for installations with a Replicated installer:
 
-For information about how Kubernetes uses the `kubernetes.io/dockerconfigjson` Secret type to authenticate to a private image registry, see [Pull an Image from a Private Registry](https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/) in the Kubernetes documentation.
+1. <StepCreds/>
+
+1. <StepCustomDomain/>
+
+1. <RewriteHelmValues/>
+
+1. <InjectPullSecret/>
+
+1. Repeat steps 3 and 4 for each Helm chart used by your application.
+
+1. <AdditionalNs/>
 
-### Image Location Patching (Standard Manifests and HelmChart v1)
+1. Create a new release with your changes. Promote the release to a development channel. See [Managing Releases with Vendor Portal](releases-creating-releases).
 
-For applications packaged with standard Kubernetes manifests (or Helm charts deployed with the [HelmChart v1](/reference/custom-resource-helmchart) custom resource), KOTS automatically patches image names to the location of the image at at `proxy.replicated.com` or your custom domain during deployment. If KOTS receives a 401 response when attempting to load image manifests using the image reference from the PodSpec, it assumes that this is a private image that must be proxied through the proxy registry.
+1. Install in a development environment to test your changes.
+
+## Configure Other Application Types {#other}
+
+If you are installing with the HelmChart v1 custom resource, or if your application is not packaged with Helm, there are different steps for configuring your application to use the proxy registry.
+
+### HelmChart v1 or Standard Manifests
+
+:::note
+<Deprecated/>
+:::
+
+To use the proxy registry with HelmChart v1 or applications packaged with standard manifests:
+
+1. <StepCreds/>
+
+1. <StepCustomDomain/>
+
+1. <AdditionalNs/>
+
+1. Create a new release with your changes. Promote the release to a development channel. See [Managing Releases with Vendor Portal](releases-creating-releases).
+
+1. Install in a development environment to test your changes.
+
+For applications packed with Kubernetes manifests and for Helm charts deployed with the [HelmChart v1](/reference/custom-resource-helmchart) custom resource, KOTS automatically rewrites image names and injects image pull secrets during deployment for these application types. No additional configuration is required to rewrite image names.
+
+<details>
+
+<summary>How does KOTS patch image names?</summary>
+
+KOTS automatically patches image names to the location of the image at at `proxy.replicated.com` or your custom domain during deployment. If KOTS receives a 401 response when attempting to load image manifests using the image reference from the PodSpec, it assumes that this is a private image that must be proxied through the proxy registry.
 
 KOTS uses Kustomize to patch the `midstream/kustomization.yaml` file to change the image name during deployment to reference the proxy registry. For example, a PodSpec for a Deployment references a private image hosted at `quay.io/my-org/api:v1.0.1`:
 
@@ -47,29 +90,20 @@ images:
 - name: quay.io/my-org/api:v1.0.1
   newName: proxy.replicated.com/proxy/my-kots-app/quay.io/my-org/api
 ```
+</details> 
 
-## Enable the Proxy Registry
-
-This section describes how to enable the proxy registry for applications deployed with KOTS, including how to ensure that image names are rewritten and that the required image pull secret is provided.
+### Kubernetes Operators
 
-To enable the proxy registry:
+To use the proxy registry with applications packaged as Kubernetes Operators:
 
 1. <StepCreds/>
 
 1. <StepCustomDomain/>
 
-1. Rewrite images names to the location of the image at `proxy.replicated.com` or your custom domain. Also, ensure that the correct image pull secret is provided for all private images. The steps required to configure image names and add the image pull secret vary depending on your application type:
-
-    * **HelmChart v2**: For Helm charts deployed with the[ HelmChart v2](/reference/custom-resource-helmchart-v2) custom resource, configure the HelmChart v2 custom resource to dynamically update image names in your Helm chart and to inject the image pull secret that is automatically created by KOTS. For instructions, see [Configure the HelmChart Custom Resource v2](/vendor/helm-native-v2-using).
-
-    * **Standard Manifests or HelmChart v1**: For standard manifest-based applications or Helm charts deployed with the [HelmChart v1](/reference/custom-resource-helmchart) custom resource, no additional configuration is required. KOTS automatically rewrites image names and injects image pull secrets during deployment for these application types.
-
-        :::note
-        <Deprecated/>
-        :::
+1. <AdditionalNs/>
 
-    * **Kubernetes Operators**: For applications packaged with Kubernetes Operators, KOTS cannot modify pods that are created at runtime by the Operator. To support the use of private images in all environments, the Operator code should use KOTS functionality to determine the image name and image pull secrets for all pods when they are created. For instructions, see [Reference Images](/vendor/operator-referencing-images) in the _Packaging Kubernetes Operators_ section.
+1. For applications packaged with Kubernetes Operators, KOTS cannot modify pods that are created at runtime by the Operator. To support the use of private images in all environments, the Operator code should use KOTS functionality to determine the image name and image pull secrets for all pods when they are created. For instructions, see [Reference Images](/vendor/operator-referencing-images) in the _Packaging Kubernetes Operators_ section.
 
-1. If you are deploying Pods to namespaces other than the application namespace, add the namespace to the `additionalNamespaces` attribute of the KOTS Application custom resource. This ensures that KOTS can provision the `imagePullSecret` in the namespace to allow the Pod to pull the image. For instructions, see [Define Additional Namespaces](operator-defining-additional-namespaces).
+1. Create a new release with your changes. Promote the release to a development channel. See [Managing Releases with Vendor Portal](releases-creating-releases).
 
-1. (Optional) Add a custom domain for the proxy registry instead of `proxy.replicated.com`. See [Use Custom Domains](custom-domains-using).
+1. Install in a development environment to test your changes.
diff --git a/docs/vendor/replicated-onboarding.mdx b/docs/vendor/replicated-onboarding.mdx
@@ -458,7 +458,7 @@ Before you test Helm installations for your application, you can complete the [D
 
 To support and test Helm installations:
 
-1. Follow the steps in [Using the Proxy Registry with Helm Installations](/vendor/helm-image-registry) to authenticate with the Replicated proxy registry by creating a Secret with `type: kubernetes.io/dockerconfigjson` in your Helm chart.
+1. Follow the steps in [Use the Proxy Registry with Helm CLI Installations](/vendor/helm-image-registry) to authenticate with the Replicated proxy registry by creating a Secret with `type: kubernetes.io/dockerconfigjson` in your Helm chart.
 
 1. Update dependencies and package the chart as a `.tgz` file:
 

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1 @@`
	`1`	+If you are deploying Pods to namespaces other than the application namespace, add the namespace to the `additionalNamespaces` attribute of the KOTS Application custom resource. This ensures that KOTS can provision the `imagePullSecret` in the namespace to allow the Pod to pull the image. For instructions, see [Define Additional Namespaces](operator-defining-additional-namespaces).