From 2135920c54dd9311366984d9019ff03bacb2b88b Mon Sep 17 00:00:00 2001 From: Grant Miller Date: Thu, 19 Sep 2024 13:15:38 -0500 Subject: [PATCH 1/2] we should call this the "proxy registry" instead of "proxy service" to be more accurate and specific about what this proxy is doing --- docs/vendor/private-images-about.md | 22 +++++++++++----------- 1 file changed, 11 insertions(+), 11 deletions(-) diff --git a/docs/vendor/private-images-about.md b/docs/vendor/private-images-about.md index 71a816d8e0..aac9fbf30c 100644 --- a/docs/vendor/private-images-about.md +++ b/docs/vendor/private-images-about.md 
@@ -1,23 +1,23 @@ -# About the Replicated Proxy Service +# About the Replicated Proxy Registry -This topic describes how the Replicated proxy service can be used to grant proxy access to your application's private images. +This topic describes how the Replicated proxy registry can be used to grant proxy access to your application's private images. ## Overview -If your application images are available in a private image registry exposed to the internet such as Docker Hub or Amazon Elastic Container Registry (ECR), then the Replicated proxy service can grant proxy, or _pull-through_, access to the images without exposing registry credentials to your customers. When you use the proxy service, you do not have to modify the process that you already use to build and push images to deploy your application. +If your application images are available in a private image registry exposed to the internet such as Docker Hub or Amazon Elastic Container Registry (ECR), then the Replicated proxy registry can grant proxy, or _pull-through_, access to the images without exposing registry credentials to your customers. When you use the proxy registry, you do not have to modify the process that you already use to build and push images to deploy your application. -To grant proxy access, the proxy service uses the customer licenses that you create in the Replicated vendor portal. This allows you to revoke a customer’s ability to pull private images by editing their license, rather than having to manage image access through separate identity or authentication systems. For example, when a trial license expires, the customer's ability to pull private images is automatically revoked. +To grant proxy access, the proxy registry uses the customer licenses that you create in the Replicated vendor portal. This allows you to revoke a customer’s ability to pull private images by editing their license, rather than having to manage image access through separate identity or authentication systems. 
For example, when a trial license expires, the customer's ability to pull private images is automatically revoked. -The following diagram demonstrates how the proxy service pulls images from your external registry, and how deployed instances of your application pull images from the proxy service: +The following diagram demonstrates how the proxy registry pulls images from your external registry, and how deployed instances of your application pull images from the proxy registry: -![Proxy service workflow diagram](/images/private-registry-diagram.png) +![Proxy registry workflow diagram](/images/private-registry-diagram.png) [View a larger version of this image](/images/private-registry-diagram-large.png) -## About Enabling the Proxy Service +## About Enabling the Proxy Registry -The proxy service requires read-only credentials to your private registry to access your application images. See [Connecting to an External Registry](/vendor/packaging-private-images). +The proxy registry requires read-only credentials to your private registry to access your application images. See [Connecting to an External Registry](/vendor/packaging-private-images). -After connecting your registry, the steps the enable the proxy service vary depending on your application deployment method. For more information, see: -* [Using the Proxy Service with KOTS Installations](/vendor/private-images-kots) -* [Using the Proxy Service with Helm Installations](/vendor/helm-image-registry) \ No newline at end of file +After connecting your registry, the steps the enable the proxy registry vary depending on your application deployment method. For more information, see: +* [Using the Proxy Registry with KOTS Installations](/vendor/private-images-kots) +* [Using the Proxy Registry with Helm Installations](/vendor/helm-image-registry) From e65ba5285fc5ba4fd5c0cf33fde5d82861fef630 Mon Sep 17 00:00:00 2001 
From: Paige Calvert Date: Thu, 19 Sep 2024 12:41:37 -0600 Subject: [PATCH 2/2] change proxy service to registry --- .../installing-general-requirements.mdx | 2 +- docs/intro-replicated.md | 2 +- docs/partials/proxy-service/_step-creds.mdx | 2 +- .../proxy-service/_step-custom-domain.mdx | 2 +- .../reference/custom-resource-application.mdx | 2 +- .../template-functions-config-context.md | 4 ++-- docs/release-notes/rn-app-manager.md | 2 +- docs/release-notes/rn-vendor-platform.md | 2 +- docs/vendor/custom-domains-using.md | 4 ++-- docs/vendor/custom-domains.md | 4 ++-- docs/vendor/distributing-overview.mdx | 2 +- docs/vendor/helm-image-registry.mdx | 16 +++++++-------- docs/vendor/helm-native-about.mdx | 2 +- docs/vendor/helm-native-v2-using.md | 6 +++--- docs/vendor/helm-packaging-airgap-bundles.mdx | 2 +- docs/vendor/install-with-helm.md | 2 +- docs/vendor/licenses-about.mdx | 2 +- .../operator-defining-additional-images.mdx | 2 +- docs/vendor/packaging-private-images.md | 2 +- docs/vendor/private-images-kots.mdx | 20 +++++++++---------- docs/vendor/releases-about.mdx | 2 +- docs/vendor/replicated-onboarding.mdx | 6 +++--- docusaurus.config.js | 6 +++--- 23 files changed, 48 insertions(+), 48 deletions(-) diff --git a/docs/enterprise/installing-general-requirements.mdx b/docs/enterprise/installing-general-requirements.mdx index a2eadf13c6..186d3fba8a 100644 --- a/docs/enterprise/installing-general-requirements.mdx +++ b/docs/enterprise/installing-general-requirements.mdx @@ -333,6 +333,6 @@ For third-party services hosted at domains not owned by Replicated, the table be | `k8s.kurl.sh`
`s3.kurl.sh` | Not Required | Not Required | Required |

kURL installation scripts and artifacts are served from [kurl.sh](https://kurl.sh). An application identifier is sent in a URL path, and bash scripts and binary executables are served from kurl.sh. This domain is owned by Replicated, Inc., which is headquartered in Los Angeles, CA.

For the range of IP addresses for `k8s.kurl.sh`, see [replicatedhq/ips](https://github.com/replicatedhq/ips/blob/main/ip_addresses.json#L34-L39) in GitHub.

The range of IP addresses for `s3.kurl.sh` are the same as IP addresses for the `kurl.sh` domain. For the range of IP address for `kurl.sh`, see [replicatedhq/ips](https://github.com/replicatedhq/ips/blob/main/ip_addresses.json#L28-L31) in GitHub.

| | `amazonaws.com` | Not Required | Not Required | Required | `tar.gz` packages are downloaded from Amazon S3 during installations with kURL. For information about dynamically scraping the IP ranges to allowlist for accessing these packages, see [AWS IP address ranges](https://docs.aws.amazon.com/general/latest/gr/aws-ip-ranges.html#aws-ip-download) in the AWS documentation.| -* Required only if the application uses the Replicated proxy service. Contact your software vendor for more information. +* Required only if the application uses the Replicated proxy registry. Contact your software vendor for more information. ** Required only if the application uses the Replicated registry. Contact your software vendor for more information. diff --git a/docs/intro-replicated.md b/docs/intro-replicated.md index c93a877be0..4cc3883ce8 100644 --- a/docs/intro-replicated.md +++ b/docs/intro-replicated.md @@ -49,7 +49,7 @@ Release channels in the Replicated Vendor Portal allow ISVs to make different ap For more information about working with channels, see [About Channels and Releases](/vendor/releases-about). -Additionally, the Replicated proxy service grants proxy access to private application images using the customers' license. This ensures that customers have the right access to images based on the channel they are assigned. For more information about using the proxy registry, see [About the Replicated Proxy Service](/vendor/private-images-about). +Additionally, the Replicated proxy registry grants proxy access to private application images using the customers' license. This ensures that customers have the right access to images based on the channel they are assigned. For more information about using the proxy registry, see [About the Replicated Proxy Registry](/vendor/private-images-about). ### License diff --git a/docs/partials/proxy-service/_step-creds.mdx b/docs/partials/proxy-service/_step-creds.mdx index 300b96a8cb..096d978db8 100644 
--- a/docs/partials/proxy-service/_step-creds.mdx +++ b/docs/partials/proxy-service/_step-creds.mdx @@ -1 +1 @@ -Provide read-only credentials for the external private registry in your Replicated account. This allows Replicated to access the images through the proxy service. See [Add Credentials for an External Registry](packaging-private-images#add-credentials-for-an-external-registry) in _Connecting to an External Registry_. \ No newline at end of file +Provide read-only credentials for the external private registry in your Replicated account. This allows Replicated to access the images through the proxy registry. See [Add Credentials for an External Registry](packaging-private-images#add-credentials-for-an-external-registry) in _Connecting to an External Registry_. \ No newline at end of file diff --git a/docs/partials/proxy-service/_step-custom-domain.mdx b/docs/partials/proxy-service/_step-custom-domain.mdx index a273e5f90d..a903aae747 100644 --- a/docs/partials/proxy-service/_step-custom-domain.mdx +++ b/docs/partials/proxy-service/_step-custom-domain.mdx @@ -1 +1 @@ -(Optional) Add a custom domain for the proxy service instead of `proxy.replicated.com`. See [Using Custom Domains](custom-domains-using). \ No newline at end of file +(Optional) Add a custom domain for the proxy registry instead of `proxy.replicated.com`. See [Using Custom Domains](custom-domains-using). \ No newline at end of file diff --git a/docs/reference/custom-resource-application.mdx b/docs/reference/custom-resource-application.mdx index 7aae15f9f5..5ed15c20e6 100644 --- a/docs/reference/custom-resource-application.mdx +++ b/docs/reference/custom-resource-application.mdx 
@@ -333,7 +333,7 @@ spec: ## proxyRegistryDomain :::important -`proxyRegistryDomain` is deprecated. For information about how to use a custom domain for the Replicated proxy service, see [Using Custom Domains](/vendor/custom-domains-using). +`proxyRegistryDomain` is deprecated. For information about how to use a custom domain for the Replicated proxy registry, see [Using Custom Domains](/vendor/custom-domains-using). ::: diff --git a/docs/reference/template-functions-config-context.md b/docs/reference/template-functions-config-context.md index 3b18589293..53ec2f55df 100644 --- a/docs/reference/template-functions-config-context.md +++ b/docs/reference/template-functions-config-context.md 
@@ -189,11 +189,11 @@ A common use case for the `LocalImageName` function is to ensure that a Kubernet * If there is a private registry configured in the customer's environment, such as in air gapped environments, rewrite `remoteImageName` to reference the private registry locally. For example, rewrite `elasticsearch:7.6.0` as `registry.somebigbank.com/my-app/elasticsearch:7.6.0`. -* If there is no private registry configured in the customer's environment, but the image must be proxied, rewrite `remoteImageName` so that the image can be pulled through the proxy service. For example, rewrite `"quay.io/orgname/private-image:v1.2.3"` as `proxy.replicated.com/proxy/app-name/quay.io/orgname/private-image:v1.2.3`. +* If there is no private registry configured in the customer's environment, but the image must be proxied, rewrite `remoteImageName` so that the image can be pulled through the proxy registry. For example, rewrite `"quay.io/orgname/private-image:v1.2.3"` as `proxy.replicated.com/proxy/app-name/quay.io/orgname/private-image:v1.2.3`. * If there is no private registry configured in the customer's environment and the image does not need to be proxied, return `remoteImageName` without changes. -For more information about the Replicated proxy service, see [About the Proxy Service](/vendor/private-images-about). +For more information about the Replicated proxy registry, see [About the Proxy Registry](/vendor/private-images-about). ## LocalRegistryImagePullSecret diff --git a/docs/release-notes/rn-app-manager.md b/docs/release-notes/rn-app-manager.md index c5137caded..1f8ead6ce4 100644 --- a/docs/release-notes/rn-app-manager.md +++ b/docs/release-notes/rn-app-manager.md 
@@ -909,7 +909,7 @@ Released on June 2, 2023 Support for Kubernetes: 1.24, 1.25, 1.26 and 1.27 ### Improvements {#improvements-1-100-1} -* Updates the way custom domains for the Replicated registry and proxy service are used. If a default or channel-specific custom domain is configured, that custom domain is associated with a release when it is promoted to a channel. KOTS will rewrite images using that custom domain. The `replicatedRegistryDomain` and `proxyRegistryDomain` fields in the Application custom resource are deprecated but continue to work to give time to migrate to the new mechanism. +* Updates the way custom domains for the Replicated registry and proxy registry are used. If a default or channel-specific custom domain is configured, that custom domain is associated with a release when it is promoted to a channel. KOTS will rewrite images using that custom domain. The `replicatedRegistryDomain` and `proxyRegistryDomain` fields in the Application custom resource are deprecated but continue to work to give time to migrate to the new mechanism. * Updates the rqlite/rqlite image to 7.19.0 to resolve CVE-2023-1255 with medium severity. ## 1.100.0 diff --git a/docs/release-notes/rn-vendor-platform.md b/docs/release-notes/rn-vendor-platform.md index 47c9031c0b..98447b1f77 100644 --- a/docs/release-notes/rn-vendor-platform.md +++ b/docs/release-notes/rn-vendor-platform.md @@ -269,7 +269,7 @@ Released on June 25, 2024 Released on June 24, 2024 ### Bug Fixes {#bug-fixes-v2024-06-24-1} -* Proxy Service no longer requires access to proxy-auth.replicated.com. +* Replicated proxy registry no longer requires access to proxy-auth.replicated.com. ## v2024.06.24-0 diff --git a/docs/vendor/custom-domains-using.md b/docs/vendor/custom-domains-using.md index e9c88fcca4..98292be9f1 100644 --- a/docs/vendor/custom-domains-using.md +++ b/docs/vendor/custom-domains-using.md 
@@ -1,6 +1,6 @@ # Using Custom Domains -This topic describes how to use the Replicated Vendor Portal to add and manage custom domains to alias the Replicated registry, the Replicated proxy service, the Replicated app service, and the download portal. +This topic describes how to use the Replicated Vendor Portal to add and manage custom domains to alias the Replicated registry, the Replicated proxy registry, the Replicated app service, and the download portal. For information about adding and managing custom domains with the Vendor API v3, see the [customHostnames](https://replicated-vendor-api.readme.io/reference/createcustomhostname) section in the Vendor API v3 documentation. @@ -113,7 +113,7 @@ To reuse a custom domain for another application: You can remove a custom domain at any time, but you should plan the transition so that you do not break any existing installations or documentation. -Removing a custom domain for the Replicated registry, proxy service, or Replicated app service will break existing installations that use the custom domain. Existing installations need to be upgraded to a version that does not use the custom domain before it can be removed safely. +Removing a custom domain for the Replicated registry, proxy registry, or Replicated app service will break existing installations that use the custom domain. Existing installations need to be upgraded to a version that does not use the custom domain before it can be removed safely. If you remove a custom domain for the download portal, it is no longer accessible using the custom URL. You will need to point customers to an updated URL. diff --git a/docs/vendor/custom-domains.md b/docs/vendor/custom-domains.md index efcd157ebe..b92c8ce31d 100644 --- a/docs/vendor/custom-domains.md +++ b/docs/vendor/custom-domains.md 
@@ -1,6 +1,6 @@ # About Custom Domains -This topic provides an overview and the limitations of using custom domains to alias the Replicated private registry, Replicated proxy service, Replicated app service, and the Download Portal. +This topic provides an overview and the limitations of using custom domains to alias the Replicated private registry, Replicated proxy registry, Replicated app service, and the Download Portal. For information about configuring and managing custom domains, see [Using Custom Domains](custom-domains-using). @@ -21,7 +21,7 @@ You can configure custom domains for the following services, so that customer-fa - **Replicated registry:** Images and Helm charts can be pulled from the Replicated registry. By default, this registry uses the domain `registry.replicated.com`. -- **Proxy service:** Images can be proxied from external private registries using the Replicated proxy service. By default, the proxy service uses the domain `proxy.replicated.com`. +- **Proxy registry:** Images can be proxied from external private registries using the Replicated proxy registry. By default, the proxy registry uses the domain `proxy.replicated.com`. - **Replicated app service:** Upstream application YAML and metadata, including a license ID, are pulled from replicated.app. By default, this service uses the domain `replicated.app`. diff --git a/docs/vendor/distributing-overview.mdx b/docs/vendor/distributing-overview.mdx index a50662d0a3..0e44d267a3 100644 --- a/docs/vendor/distributing-overview.mdx +++ b/docs/vendor/distributing-overview.mdx 
@@ -38,7 +38,7 @@ As shown in the diagram above: * Replicated Compatibility Matrix can be used to quickly generate Kubernetes clusters for running application tests as part of continuous integration and continuous delivery (CI/CD) workflows. * After testing, application releases can be promoted to a channel in the Replicated Vendor Portal to be shared with customers or internal teams. * Customers can be assigned to channels in order to control which application releases they are able to access and install. -* Customers' unique licenses grant proxy access to private application images through the Replicated proxy service. +* Customers' unique licenses grant proxy access to private application images through the Replicated proxy registry. * Before installation, customers can run preflight checks to verify that their environment meets installation requirements. * Customers can install using any method, including the Helm CLI, Replicated KOTS, or any proprietary installation method already used by the ISV. * Instance data is automatically sent to the Vendor Portal by the Replicated SDK. If the application was installed using KOTS, then KOTS also sends instance data. diff --git a/docs/vendor/helm-image-registry.mdx b/docs/vendor/helm-image-registry.mdx index 09fc32e79e..866dea5ac7 100644 --- a/docs/vendor/helm-image-registry.mdx +++ b/docs/vendor/helm-image-registry.mdx 
@@ -1,23 +1,23 @@ import StepCreds from "../partials/proxy-service/_step-creds.mdx" import StepCustomDomain from "../partials/proxy-service/_step-custom-domain.mdx" -# Using the Proxy Service with Helm Installations +# Using the Proxy Registry with Helm Installations -This topic describes how to use the Replicated proxy service to proxy images for installations with the Helm CLI. For more information about the proxy service, see [About the Replicated Proxy Service](private-images-about). +This topic describes how to use the Replicated proxy registry to proxy images for installations with the Helm CLI. For more information about the proxy registry, see [About the Replicated Proxy Registry](private-images-about). ## Overview -With the Replicated proxy service, each customer's unique license can grant proxy access to images in an external private registry. To enable the proxy service for Helm installations, you must create a Secret with `type: kubernetes.io/dockerconfigjson` to authenticate with the proxy service. +With the Replicated proxy registry, each customer's unique license can grant proxy access to images in an external private registry. To enable the proxy registry for Helm installations, you must create a Secret with `type: kubernetes.io/dockerconfigjson` to authenticate with the proxy registry. During Helm installations, after customers provide their license ID, a `global.replicated.dockerconfigjson` field that contains a base64 encoded Docker configuration file is automatically injected in the Helm chart values. You can use this `global.replicated.dockerconfigjson` field to create the required pull secret. For information about how Kubernetes uses the `kubernetes.io/dockerconfigjson` Secret type to authenticate to a private image registry, see [Pull an Image from a Private Registry](https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/) in the Kubernetes documentation. 
-## Enable the Proxy Service +## Enable the Proxy Registry -This section describes how to enable the proxy service for applications deployed with Helm, including how to use the `global.replicated.dockerconfigjson` field that is injected during application deployment to create the required pull secret. +This section describes how to enable the proxy registry for applications deployed with Helm, including how to use the `global.replicated.dockerconfigjson` field that is injected during application deployment to create the required pull secret. -To enable the proxy service: +To enable the proxy registry: 1. @@ -105,7 +105,7 @@ To enable the proxy service: 1. Create a local `values.yaml` file to override the default external registry image URL with the URL for the image on `proxy.replicated.com`. - The proxy service URL has the following format: `proxy.replicated.com/proxy/APP_SLUG/EXTERNAL_REGISTRY_IMAGE_URL` + The proxy registry URL has the following format: `proxy.replicated.com/proxy/APP_SLUG/EXTERNAL_REGISTRY_IMAGE_URL` Where: * `APP_SLUG` is the slug of your Replicated application. @@ -123,7 +123,7 @@ To enable the proxy service: ``` :::note - If you configured a custom domain for the proxy service, use the custom domain instead of `proxy.replicated.com`. For more information, see [Using Custom Domains](custom-domains-using). + If you configured a custom domain for the proxy registry, use the custom domain instead of `proxy.replicated.com`. For more information, see [Using Custom Domains](custom-domains-using). ::: 1. Log in to the Replicated registry and install the chart, passing the local `values.yaml` file you created with the `--values` flag. See [Installing with Helm](install-with-helm). diff --git a/docs/vendor/helm-native-about.mdx b/docs/vendor/helm-native-about.mdx index 9b23a117b1..7d78cff11b 100644 --- a/docs/vendor/helm-native-about.mdx +++ b/docs/vendor/helm-native-about.mdx 
@@ -165,7 +165,7 @@ To deploy Helm charts with version `kots.io/v1beta1` of the HelmChart custom res ![Midstream directory in the Admin Console UI](/images/native-helm-midstream.png) - As shown in the screenshot above, the midstream directory also contains a Kustomization file with instructions from KOTS for all deployed resources, such as image pull secrets, image rewrites, and backup labels. For example, in the midstream Kustomization file, KOTS rewrites any private images to pull from the Replicated proxy service. + As shown in the screenshot above, the midstream directory also contains a Kustomization file with instructions from KOTS for all deployed resources, such as image pull secrets, image rewrites, and backup labels. For example, in the midstream Kustomization file, KOTS rewrites any private images to pull from the Replicated proxy registry. The following shows an example of a midstream Kustomization file for the postgresql Helm chart: diff --git a/docs/vendor/helm-native-v2-using.md b/docs/vendor/helm-native-v2-using.md index 63c6c397ca..d9e7af0dcf 100644 --- a/docs/vendor/helm-native-v2-using.md +++ b/docs/vendor/helm-native-v2-using.md 
@@ -55,14 +55,14 @@ To support installations with the `kots.io/v1beta2` HelmChart custom resource, d ### Rewrite Image Names -During installation or upgrade with KOTS, any application images in the software vendor's private registry are accessed through the [Replicated proxy service](private-images-about) at `proxy.replicated.com`. Additionally, KOTS allows enterprise users to push images to their own registry. +During installation or upgrade with KOTS, any application images in the software vendor's private registry are accessed through the [Replicated proxy registry](private-images-about) at `proxy.replicated.com`. Additionally, KOTS allows enterprise users to push images to their own registry. To ensure that images are discovered in either your registry or in the enterprise user's local registry, you must configure the HelmChart custom resource so that image names are rewritten in your Helm chart during deployment. You can do this using the KOTS [HasLocalRegistry](/reference/template-functions-config-context#haslocalregistry), [LocalRegistryHost](/reference/template-functions-config-context#localregistryhost), and [LocalRegistryNamespace](/reference/template-functions-config-context#localregistrynamespace) template functions: * **HasLocalRegistry**: Returns true if the environment is configured to rewrite images to a local registry. HasLocalRegistry is always true for air gapped installations and optionally true for online installations. * **LocalRegistryHost**: Returns the host of the local registry that the user configured. * **LocalRegistryNamespace**: Returns the namespace of the local registry that the user configured. -These template functions can be used to conditionally rewrite images names so that KOTS uses the host and namespace of the enterprise user's local registry _only_ when a local registry is configured. 
For example, if the user configured a local registry and used the namespace `example-namespace`, then the template function `'{{repl HasLocalRegistry | ternary LocalRegistryNamespace "my-org" }}/mariadb'` evaluates to `example-namespace/mariadb`. If the user did _not_ configure a local registry, then the template function evaluates to `my-org/maridb`. For examples, see [Example: Rewrite image names to a local registry or the proxy service](#local-proxy-example) or [Example: Rewrite images names to a local registry or the vendor's public registry](#local-public-example) below. +These template functions can be used to conditionally rewrite images names so that KOTS uses the host and namespace of the enterprise user's local registry _only_ when a local registry is configured. For example, if the user configured a local registry and used the namespace `example-namespace`, then the template function `'{{repl HasLocalRegistry | ternary LocalRegistryNamespace "my-org" }}/mariadb'` evaluates to `example-namespace/mariadb`. If the user did _not_ configure a local registry, then the template function evaluates to `my-org/maridb`. For examples, see [Example: Rewrite private image names](#local-proxy-example) or [Example: Rewrite public images names](#local-public-example) below. #### Example: Rewrite private image names {#local-proxy-example} 
@@ -156,7 +156,7 @@ spec: Kubernetes requires a Secret of type `kubernetes.io/dockerconfigjson` to authenticate with a registry and pull a private image. When you reference a private image in a Pod definition, you also provide the name of the Secret in a `imagePullSecrets` key in the Pod definition. For more information, see [Specifying imagePullSecrets on a Pod](https://kubernetes.io/docs/concepts/containers/images/#specifying-imagepullsecrets-on-a-pod) in the Kubernetes documentation. -During installation, KOTS creates a `kubernetes.io/dockerconfigjson` type Secret that is based on the customer license. This pull secret grants access to the private image through the Replicated proxy service or in the Replicated registry. Additionally, if the user configured a local image registry, then the pull secret contains the credentials for the local registry. You must provide the name of this KOTS-generated pull secret in any Pod definitions that reference the private image. +During installation, KOTS creates a `kubernetes.io/dockerconfigjson` type Secret that is based on the customer license. This pull secret grants access to the private image through the Replicated proxy registry or in the Replicated registry. Additionally, if the user configured a local image registry, then the pull secret contains the credentials for the local registry. You must provide the name of this KOTS-generated pull secret in any Pod definitions that reference the private image. You can inject the name of this pull secret into a field in the HelmChart custom resource using the Replicated ImagePullSecretName template function. During installation, KOTS sets the value of the corresponding field in your Helm chart `values.yaml` file with the rendered value of the ImagePullSecretName template function. diff --git a/docs/vendor/helm-packaging-airgap-bundles.mdx b/docs/vendor/helm-packaging-airgap-bundles.mdx index a781dead5e..b0e055f4f2 100644 --- a/docs/vendor/helm-packaging-airgap-bundles.mdx 
+++ b/docs/vendor/helm-packaging-airgap-bundles.mdx @@ -43,7 +43,7 @@ For requirements, recommendations, and examples of common use cases for the `bui ### Example: Set the Image Registry for Air Gap Installations -For air gap installations, if the [Replicated proxy service](/vendor/private-images-about) domain `proxy.replicated.com` is used as the default image name for any images, you need to rewrite the image to the upstream image name so that it can be processed and included in the air gap bundle. You can use the `builder` key to do this by hardcoding the upstream location of the image (image registry, repository, and tag), as shown in the example below: +For air gap installations, if the [Replicated proxy registry](/vendor/private-images-about) domain `proxy.replicated.com` is used as the default image name for any images, you need to rewrite the image to the upstream image name so that it can be processed and included in the air gap bundle. You can use the `builder` key to do this by hardcoding the upstream location of the image (image registry, repository, and tag), as shown in the example below: ```yaml apiVersion: kots.io/v1beta2 diff --git a/docs/vendor/install-with-helm.md b/docs/vendor/install-with-helm.md index 8d7951ec10..059052ff96 100644 --- a/docs/vendor/install-with-helm.md +++ b/docs/vendor/install-with-helm.md 
@@ -43,7 +43,7 @@ global: The values in the `global.replicated` field provide information about the following: * Details about the fields in the customer's license, such as the field name, description, signature, value, and any custom license fields that you define. You can use this license information to check license entitlments before the application is installed. For more information, see [Checking Entitlements in Helm Charts Before Deployment](/vendor/licenses-reference-helm). -* A base64 encoded Docker configuration file. To proxy images from an external private registry with the Replicated proxy service, you can use the `global.replicated.dockerconfigjson` field to create an image pull secret for the proxy service. For more information, see [Proxying Images for Helm Installations](/vendor/helm-image-registry). +* A base64 encoded Docker configuration file. To proxy images from an external private registry with the Replicated proxy registry, you can use the `global.replicated.dockerconfigjson` field to create an image pull secret for the proxy registry. For more information, see [Proxying Images for Helm Installations](/vendor/helm-image-registry). ### Limitations diff --git a/docs/vendor/licenses-about.mdx b/docs/vendor/licenses-about.mdx index a694c6bcec..f37cddba2d 100644 --- a/docs/vendor/licenses-about.mdx +++ b/docs/vendor/licenses-about.mdx 
@@ -63,7 +63,7 @@ Replicated enforces the following logic when a license expires: * By default, instances with expired licenses continue to run. To change the behavior of your application when a license expires, you can can add custom logic in your application that queries the `expires_at` field using the Replicated SDK in-cluster API. For more information, see [Querying Entitlements with the Replicated SDK API](/vendor/licenses-reference-sdk). * Expired licenses cannot log in to the Replicated registry to pull a Helm chart for installation or upgrade. -* Expired licenses cannot pull application images through the proxy service or from the Replicated registry. +* Expired licenses cannot pull application images through the Replicated proxy registry or from the Replicated registry. * (KOTS Only) KOTS prevents instances with expired licenses from receiving updates. ### Synchronizing Licenses with KOTS diff --git a/docs/vendor/operator-defining-additional-images.mdx b/docs/vendor/operator-defining-additional-images.mdx index 1b161155f8..73db12f374 100644 --- a/docs/vendor/operator-defining-additional-images.mdx +++ b/docs/vendor/operator-defining-additional-images.mdx 
@@ -19,7 +19,7 @@ KOTS supports including the following types of images in the `additionalImages` * Public images referenced by the docker pullable image name. * Images pushed to a private registry that was configured in the Vendor Portal, referenced by the docker-pullable, upstream image name. For more information about configuring private registries, see [Connecting to an External Registry](/vendor/packaging-private-images). :::note - If you use the [Replicated proxy service](/vendor/private-images-about) for online (internet-connected) installations, be sure to use the _upstream_ image name in the `additionalImages` field, rather than referencing the location of the image at `proxy.replicated.com`. + If you use the [Replicated proxy registry](/vendor/private-images-about) for online (internet-connected) installations, be sure to use the _upstream_ image name in the `additionalImages` field, rather than referencing the location of the image at `proxy.replicated.com`. ::: * Images pushed to the Replicated registry referenced by the `registry.replicated.com` name. diff --git a/docs/vendor/packaging-private-images.md b/docs/vendor/packaging-private-images.md index ce18828e87..d29532edc7 100644 --- a/docs/vendor/packaging-private-images.md +++ b/docs/vendor/packaging-private-images.md 
@@ -1,6 +1,6 @@ # Connecting to an External Registry -This topic describes how to add credentials for an external private registry using the Replicated Vendor Portal or Replicated CLI. Adding an external registry allows you to grant proxy access to private images using the Replicated proxy service. For more information, see [About the Replicated Proxy Service](private-images-about). +This topic describes how to add credentials for an external private registry using the Replicated Vendor Portal or Replicated CLI. Adding an external registry allows you to grant proxy access to private images using the Replicated proxy registry. For more information, see [About the Replicated Proxy Registry](private-images-about). For information about adding a registry with the Vendor API v3, see [Create an external registry with the specified parameters](https://replicated-vendor-api.readme.io/reference/createexternalregistry) in the Vendor API v3 documentation. diff --git a/docs/vendor/private-images-kots.mdx b/docs/vendor/private-images-kots.mdx index f4ddd4e66f..0309a21549 100644 --- a/docs/vendor/private-images-kots.mdx +++ b/docs/vendor/private-images-kots.mdx 
@@ -2,25 +2,25 @@ import Deprecated from "../partials/helm/_replicated-deprecated.mdx" import StepCreds from "../partials/proxy-service/_step-creds.mdx" import StepCustomDomain from "../partials/proxy-service/_step-custom-domain.mdx" -# Using the Proxy Service with KOTS Installations +# Using the Proxy Registry with KOTS Installations -This topic describes how to use the Replicated proxy service with applications deployed with Replicated KOTS. +This topic describes how to use the Replicated proxy registry with applications deployed with Replicated KOTS. ## Overview -Replicated KOTS automatically creates the required image pull secret for accessing the Replicated proxy service during application deployment. When possible, KOTS also automatically rewrites image names in the application manifests to the location of the image at `proxy.replicated.com` or your custom domain. +Replicated KOTS automatically creates the required image pull secret for accessing the Replicated proxy registry during application deployment. When possible, KOTS also automatically rewrites image names in the application manifests to the location of the image at `proxy.replicated.com` or your custom domain. ### Image Pull Secret -During application deployment, KOTS automatically creates an `imagePullSecret` with `type: kubernetes.io/dockerconfigjson` that is based on the customer license. This secret is used to authenticate with the proxy service and grant proxy access to private images. +During application deployment, KOTS automatically creates an `imagePullSecret` with `type: kubernetes.io/dockerconfigjson` that is based on the customer license. This secret is used to authenticate with the proxy registry and grant proxy access to private images. 
For information about how Kubernetes uses the `kubernetes.io/dockerconfigjson` Secret type to authenticate to a private image registry, see [Pull an Image from a Private Registry](https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/) in the Kubernetes documentation. ### Image Location Patching (Standard Manifests and HelmChart v1) -For applications packaged with standard Kubernetes manifests (or Helm charts deployed with the [HelmChart v1](/reference/custom-resource-helmchart) custom resource), KOTS automatically patches image names to the location of the image at at `proxy.replicated.com` or your custom domain during deployment. If KOTS receives a 401 response when attempting to load image manifests using the image reference from the PodSpec, it assumes that this is a private image that must be proxied through the proxy service. +For applications packaged with standard Kubernetes manifests (or Helm charts deployed with the [HelmChart v1](/reference/custom-resource-helmchart) custom resource), KOTS automatically patches image names to the location of the image at at `proxy.replicated.com` or your custom domain during deployment. If KOTS receives a 401 response when attempting to load image manifests using the image reference from the PodSpec, it assumes that this is a private image that must be proxied through the proxy registry. -KOTS uses Kustomize to patch the `midstream/kustomization.yaml` file to change the image name during deployment to reference the proxy service. For example, a PodSpec for a Deployment references a private image hosted at `quay.io/my-org/api:v1.0.1`: +KOTS uses Kustomize to patch the `midstream/kustomization.yaml` file to change the image name during deployment to reference the proxy registry. For example, a PodSpec for a Deployment references a private image hosted at `quay.io/my-org/api:v1.0.1`: ```yaml apiVersion: apps/v1 
@@ -37,7 +37,7 @@ spec: When this application is deployed, KOTS detects that it cannot access the image at quay.io. So, it creates a patch in the `midstream/kustomization.yaml` -file that changes the image name in all manifest files for the application. This causes the container runtime in the cluster to use the proxy service to pull the images, using the license information provided to KOTS for authentication. +file that changes the image name in all manifest files for the application. This causes the container runtime in the cluster to use the proxy registry to pull the images, using the license information provided to KOTS for authentication. ```yaml apiVersion: kustomize.config.k8s.io/v1beta1 @@ -48,11 +48,11 @@ images: newName: proxy.replicated.com/proxy/my-kots-app/quay.io/my-org/api ``` -## Enable the Proxy Service +## Enable the Proxy Registry -This section describes how to enable the proxy service for applications deployed with KOTS, including how to ensure that image names are rewritten and that the required image pull secret is provided. +This section describes how to enable the proxy registry for applications deployed with KOTS, including how to ensure that image names are rewritten and that the required image pull secret is provided. -To enable the proxy service: +To enable the proxy registry: 1. diff --git a/docs/vendor/releases-about.mdx b/docs/vendor/releases-about.mdx index 49fca3d441..bc5be6537e 100644 --- a/docs/vendor/releases-about.mdx +++ b/docs/vendor/releases-about.mdx 
@@ -47,7 +47,7 @@ The following describes each of the channel settings: * **Channel name**: The name of the channel. You can change the channel name at any time. Each channel also has a unique ID listed below the channel name. * **Description**: Optionally, add a description of the channel. * **Set this channel to default**: When enabled, sets the channel as the default channel. The default channel cannot be archived. -* **Custom domains**: Select the customer-facing domains that releases promoted to this channel use for the Replicated registry, proxy service, Replicated app service, or download portal endpoints. If a default custom domain exists for any of these endpoints, choosing a different domain in the channel settings overrides the default. If no custom domains are configured for an endpoint, the drop-down for the endpoint is disabled. +* **Custom domains**: Select the customer-facing domains that releases promoted to this channel use for the Replicated registry, Replicated proxy registry, Replicated app service, or Replicated Download Portal endpoints. If a default custom domain exists for any of these endpoints, choosing a different domain in the channel settings overrides the default. If no custom domains are configured for an endpoint, the drop-down for the endpoint is disabled. For more information about configuring custom domains and assigning default domains, see [Using Custom Domains](custom-domains-using). * The following channel settings apply only to applications that support KOTS: diff --git a/docs/vendor/replicated-onboarding.mdx b/docs/vendor/replicated-onboarding.mdx index 43bc7ac6ef..ed46f3fe5a 100644 --- a/docs/vendor/replicated-onboarding.mdx +++ b/docs/vendor/replicated-onboarding.mdx @@ -216,10 +216,10 @@ This section provides a checklist of key Replicated features to integrate with y - +
How to
Proxy serviceProxy registry -

Allow customer licenses to grant proxy access to your application's private images. Configuring the proxy service allows you to pull your images so that you can test your deployment.

-

Estimated time: 1 to 2 hours to connect your external registry and update your Helm chart to deliver image pull secrets for the proxy service

+

Allow customer licenses to grant proxy access to your application's private images. Configuring the proxy registry allows you to pull your images so that you can test your deployment.

+

Estimated time: 1 to 2 hours to connect your external registry and update your Helm chart to deliver image pull secrets for the proxy registry

Proxying Images for Helm Installations diff --git a/docusaurus.config.js b/docusaurus.config.js index 9e64f80ee0..8d03563578 100644 --- a/docusaurus.config.js +++ b/docusaurus.config.js @@ -128,7 +128,7 @@ const config = { { type: 'doc', docId: 'vendor/private-images-about', - label: 'Replicated Proxy Service', + label: 'Replicated Proxy Registry', }, { type: 'doc', @@ -150,12 +150,12 @@ const config = { { type: 'doc', docId: 'reference/kots-cli-getting-started', - label: 'kots CLI', + label: 'KOTS CLI', }, { type: 'doc', docId: 'reference/replicated-cli-installing', - label: 'replicated CLI', + label: 'Replicated CLI', }, { type: 'doc',
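Review bot: In the docs/vendor/private-images-kots.mdx hunk (@@ -2,25 +2,25), the rewritten sentence under "Image Location Patching" still reads "at at `proxy.replicated.com`". The line is already being changed, so drop the duplicated word here. The imports at the top of the same hunk still load `../partials/proxy-service/_step-creds.mdx` and `../partials/proxy-service/_step-custom-domain.mdx`. Either rename the partials directory in a follow-up or state in the commit message that file paths are deliberately left on the old name, so the remaining "proxy-service" strings are not mistaken for missed occurrences.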
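Review bot: In the docs/vendor/releases-about.mdx hunk (@@ -47,7 +47,7), the "Custom domains" bullet changes more than the proxy term: "download portal" becomes "Replicated Download Portal", which the commit message does not mention. The result also mixes casing within one list ("Replicated proxy registry" and "Replicated app service" in lower case, "Replicated Download Portal" in title case). Please confirm the casing against the docs style guide and either make the list consistent or note the extra rename in the commit message.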
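Review bot: In the docs/vendor/install-with-helm.md hunk (@@ -43,7 +43,7), the unchanged bullet directly above the edited one contains the typo "entitlments" ("check license entitlments before the application is installed"). Since the neighbouring line is being touched, fix it to "entitlements" in this patch.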
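Review bot: In the docs/vendor/licenses-about.mdx hunk (@@ -63,7 +63,7), the first context bullet reads "you can can add custom logic", a duplicated word that sits two lines above the edited bullet and can be corrected in the same pass. The edited bullet itself now says "the Replicated proxy registry or from the Replicated registry"; the two names differ by one word, so consider linking the first to /vendor/private-images-about as the other hunks do, to keep readers from conflating the two endpoints.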
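Review bot: The second docusaurus.config.js hunk (@@ -150,12 +150,12) changes `label: 'kots CLI'` to `label: 'KOTS CLI'` and `label: 'replicated CLI'` to `label: 'Replicated CLI'`, which is unrelated to the proxy service to proxy registry rename described in the commit subject. Move these two label changes into their own commit, or extend the commit message to cover them, so the rename can be reviewed and reverted on its own.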