Skip to content

Edit onboarding flow to rewite image names in helm chart #3357

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 9 commits into from
Jul 9, 2025
Merged

Edit onboarding flow to rewite image names in helm chart #3357

Show file tree
Hide file tree
Changes from 2 commits
Commits
Show all changes
9 commits
Select commit Hold shift + click to select a range
440679c
Edit onboarding flow to rewite image names in helm chart
paigecalvert Jul 3, 2025
832b8fd
edits
paigecalvert Jul 3, 2025
c535b39
edits to air gap steps in onboarding flow
paigecalvert Jul 3, 2025
11a8ca3
edits
paigecalvert Jul 8, 2025
4f3698d
edit rewrite image names language
paigecalvert Jul 8, 2025
91021b6
edits
paigecalvert Jul 8, 2025
2a586d9
minor copy edit
paigecalvert Jul 8, 2025
5c3c5c4
Update docs/partials/proxy-service/_step-rewrite-helm-values.mdx
paigecalvert Jul 9, 2025
5523d22
language edit
paigecalvert Jul 9, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
42 changes: 42 additions & 0 deletions docs/partials/proxy-service/_step-inject-pull-secret.mdx
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,42 @@
In the HelmChart v2 custom resource, configure the `values` key to inject the Replicated image pull secret into your Helm values. This provides authentication for the proxy registry. Use the KOTS [ImagePullSecretName](/reference/template-functions-config-context#imagepullsecretname) template function to get the pull secret name.

<details>
<summary>What is the Replicated image pull secret?</summary>
<p>During application deployment, KOTS automatically creates an `imagePullSecret` with `type: kubernetes.io/dockerconfigjson` that is based on the customer license. This secret is used to authenticate with the proxy registry and grant proxy access to private images. For information about how Kubernetes uses the `kubernetes.io/dockerconfigjson` Secret type to authenticate to a private image registry, see [Pull an Image from a Private Registry](https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/) in the Kubernetes documentation.</p>
</details>

**Example**:

```yaml
# kots.io/v1beta2 HelmChart custom resource

apiVersion: kots.io/v1beta2
kind: HelmChart
metadata:
name: samplechart
spec:
values:
image:
# Get the pull secret name with ImagePullSecretName
pullSecrets:
- name: '{{repl ImagePullSecretName }}'
```
Ensure that you provide this pull secret in any Pod definitions that reference images to be pulled through the proxy registry.

**Example**:

```yaml
apiVersion: v1
kind: Pod
metadata:
name: nginx
spec:
containers:
- name: nginx
image: {{ .Values.image.registry }}/{{ .Values.image.repository }}
# Access the value to provide the KOTS pull secret
{{- with .Values.image.pullSecrets }}
imagePullSecrets:
{{- toYaml . | nindent 2 }}
{{- end }}
```
33 changes: 33 additions & 0 deletions docs/partials/proxy-service/_step-rewrite-helm-values.mdx
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,33 @@
In your Helm chart values file, set your image repository URL to the location of the image on the proxy registry. If you added a custom domain, use your custom domain. Otherwise, use `proxy.replicated.com`.

The proxy registry URL has the following format: `DOMAIN/proxy/APP_SLUG/EXTERNAL_REGISTRY_IMAGE_URL`

Where:
* `DOMAIN` is either `proxy.replicated.com` or your custom domain.
* `APP_SLUG` is the unique slug of your application.
* `EXTERNAL_REGISTRY_IMAGE_URL` is the path to the private image on your external registry.

**Example:**

```yaml
# values.yaml
api:
image:
# proxy.replicated.com or your custom domain
registry: proxy.replicated.com
repository: proxy/your-app/ghcr.io/cloudnative-pg/cloudnative-pg
tag: catalog-1.24.0
```

Ensure that any references to the image in your Helm chart access the field from your values file.

**Example**:

```yaml
apiVersion: v1
kind: Pod
spec:
containers:
- name: api
# Access the registry, repository, and tag fields from the values file
image: {{ .Values.images.api.registry }}/{{ .Values.images.api.repository }}:{{ .Values.images.api.tag }}
56 changes: 45 additions & 11 deletions docs/vendor/replicated-onboarding.mdx
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -6,6 +6,9 @@ import Requirements from "../partials/embedded-cluster/_requirements.mdx"
import SDKOverview from "../partials/replicated-sdk/_overview.mdx"
import TestYourChanges from "../partials/getting-started/_test-your-changes.mdx"
import UnauthorizedError from "../partials/replicated-sdk/_401-unauthorized.mdx"
import StepCreds from "../partials/proxy-service/_step-creds.mdx"
import RewriteHelmValues from "../partials/proxy-service/_step-rewrite-helm-values.mdx"
import InjectPullSecret from "../partials/proxy-service/_step-inject-pull-secret.mdx"

# Onboard to the Replicated Platform

Expand Down Expand Up @@ -83,11 +86,25 @@ To create an application:
export REPLICATED_APP=my-app
```

### Task 2: Connect Your Image Registry
### Task 2: Rewrite Image Names in Helm Values to Use the Proxy Registry

Add credentials for your image registry to the Vendor Portal. This will allow you to use the Replicated proxy registry in a later step so that you can grant proxy access to application images without exposing registry credentials to your customers.
Update your Helm values to rewrite image names to use the Replicated proxy registry. The proxy regsitry allows you can grant proxy access to application images without exposing registry credentials to your customers.

For more information, see [Connect to an External Registry](/vendor/packaging-private-images).
:::note
You will add a custom domain for the proxy registry as part of [Task 9: Alias Replicated Endpoints with Your Own Domains](#task-9-alias-replicated-endpoints-with-your-own-domains).
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

it's a little weird to do this later, because then you have to come back and amend these edits again. but that's okay if that's what makes sense.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ah that's a good point...For this pass, I'll probably just want to confirm that the adding custom domains task actually does correctly remind people to go back and edit these.

I'll want to give a little more time to considering if custom domains is perhaps something that should come earlier in the onboarding flow...onboarding is one of those things where it can be hard to pick a "step one" since there are several possible entry points

:::

To rewrite image names to use the proxy registry:

1. <StepCreds/>

1. <RewriteHelmValues/>

1. If your application is deployed as multiple Helm charts, repeat the previous step to rewrite image names in the Helm values for each of your charts.

1. Continue to the next task.

As part of [Task 4: Create the Initial Release with KOTS HelmChart and Embedded Cluster Config](#first-release), you will inject a Replicated-generated pull secret into your Helm values that grants authentication to pull your private images through the proxy registry.

### Task 3: Add the Replicated SDK and Package your Chart

Expand Down Expand Up @@ -146,15 +163,32 @@ To create the first release for your application:

For more information, see [Use Embedded Cluster](/vendor/embedded-overview).

1. Create a new YAML file. In this file, configure the KOTS HelmChart custom resource by completing the workflow in [Configuring the HelmChart Custom Resource](helm-native-v2-using).
1. Create a new YAML file named `YOUR_CHART_NAME.yaml`. For example, `samplechart.yaml`. In the file, add the following to create the KOTS HelmChart v2 custom resource for your primary Helm chart, updating the fields as needed to match the name and version of the chart:

```yaml
# KOTS HelmChart custom resource
apiVersion: kots.io/v1beta2
kind: HelmChart
metadata:
name: samplechart
spec:
chart:
# name must match the chart name from the .tgz chart archive
name: samplechart
# chartVersion must match the chart version from the .tgz chart archive
chartVersion: 1.2.3
```
For more information about configuring these fields, see [HelmChart v2](custom-resource-helmchart-v2).

<details>
<summary>What is the KOTS HelmChart custom resource?</summary>

The KOTS HelmChart custom resource is required to install Helm charts with KOTS and Embedded Cluster. As part of configuring the KOTS HelmChart custom resource, you will rewrite image names and add image pull secrets to allow your application images to be accessed through the Replicated proxy registry.
The KOTS HelmChart custom resource is required to install Helm charts with KOTS and Embedded Cluster.
</details>

1. If your application is deployed as multiple Helm charts, repeat the step above to add a separate HelmChart custom resource for each Helm chart archive in the release.
1. <InjectPullSecret/>

1. If your application is deployed as multiple Helm charts, repeat the previous steps to add and configure a separate HelmChart custom resource for each Helm chart archive in the release.

1. If there are values in any of your Helm charts that need to be set for the installation to succeed, you can set those values using the `values` key in the corresponding HelmChart custom resource. See [Set Helm Values with KOTS](/vendor/helm-optional-value-keys).

Expand Down Expand Up @@ -450,7 +484,11 @@ To add support for air gap installations:

1. If there are any images for your application that are not listed in your Helm chart, list these images in the `additionalImages` attribute of the KOTS Application custom resource. This ensures that the images are included in the air gap bundle for the release. One common use case for this is applications that use Kubernetes Operators. See [Define Additional Images](/vendor/operator-defining-additional-images).

1. In the KOTS HelmChart custom resource `builder` key, pass any values that are required in order for `helm template` to yield all the images needed to successfully install your application. See [Package Air Gap Bundles for Helm Charts](/vendor/helm-packaging-airgap-bundles).
1. For each Helm chart in your release, update the KOTS HelmChart custom resource `optionalValues` key to conditionally rewrite image names for air gap installations. This is done using the KOTS HasLocalRegistry, LocalRegistryHost, and LocalRegistryNamespace template functions to render the location of the given image in the user's own local registry.

For more information, see [Rewrite Image Names with HelmChart v2 for Local Registries](/vendor/helmchart-local-registries).

1. For each Helm chart in your release, in the KOTS HelmChart custom resource `builder` key, pass any values that are required in order for `helm template` to yield all the images needed to successfully install your application. See [Package Air Gap Bundles for Helm Charts](/vendor/helm-packaging-airgap-bundles).

:::note
If the default values in your Helm chart already enable all the images needed to successfully deploy, then you do not need to configure the `builder` key.
Expand All @@ -464,10 +502,6 @@ To add support for air gap installations:
For many applications, running `helm template` with the default values would not yield all the images required to install. In these cases, vendors can pass the additional values in the `builder` key to ensure that the air gap bundle includes all the necessary images.
</details>

1. If you have not done so already as part of [Task 4: Create and Install the Initial Release](#first-release), ensure that the `values` key in the KOTS HelmChart custom resource correctly rewrites image names for air gap installations. This is done using the KOTS HasLocalRegistry, LocalRegistryHost, and LocalRegistryNamespace template functions to render the location of the given image in the user's own local registry.

For more information, see [Rewrite Image Names](/vendor/helm-native-v2-using#rewrite-image-names) in _Configuring the HelmChart Custom Resource v2_.

1. Create and promote a new release with your changes. For more information, see [Manage Releases with the Vendor Portal](releases-creating-releases) or [Managing Releases with the CLI](releases-creating-cli).

1. In the [Vendor Portal](https://vendor.replicated.com), go the channel where the release was promoted to build the air gap bundle. Do one of the following:
Expand Down