Alauda Container Platform

Registry v2: Exposing the Registry

By default, use the internal Registry service for workloads inside the cluster. Expose Registry v2 only when developer machines, CI systems, or other external clients must push or pull images.

TOC

Expose the Default RegistryExpose a Custom Secure Registry HostConfigure Client TrustVerify External AccessTroubleshooting

Expose the Default Registry

Enable the default route behavior in Config/cluster:

kubectl patch configs.imageregistry.operator.alauda.io cluster \
  --type=merge \
  -p '{"spec":{"defaultRoute":true}}'

The Operator renders a Kubernetes Ingress named default-route in image-registry-system.

Check the generated Ingress:

kubectl -n image-registry-system get ingress default-route

Expose a Custom Secure Registry Host

Create or provide a TLS Secret in image-registry-system, then configure Config.spec.routes[]:

apiVersion: imageregistry.operator.alauda.io/v1
kind: Config
metadata:
  name: cluster
spec:
  managementState: Managed
  defaultRoute: false
  routes:
    - name: public-registry
      hostname: registry.example.com
      secretName: registry-tls

The TLS Secret must exist in image-registry-system when secretName is set.

The generated Ingress uses the Registry service as the backend and sets the backend protocol to HTTPS.

Configure Client Trust

If the Ingress certificate is signed by a private CA, add the CA to each external client's trust store before login and push/pull operations.

For a test client that uses an insecure registry option, scope the insecure setting to the Registry host only:

nerdctl --insecure-registry login registry.example.com \
  -u <ACP-USERNAME> \
  -p <ACP-PASSWORD>

Verify External Access

Check the Ingress:

kubectl -n image-registry-system get ingress
kubectl -n image-registry-system describe ingress public-registry

Log in from an external client:

nerdctl login registry.example.com \
  -u <ACP-USERNAME> \
  -p <ACP-PASSWORD>

Push and pull a test image:

nerdctl tag my-app:latest registry.example.com/team-a/my-app:external-test
nerdctl push registry.example.com/team-a/my-app:external-test
nerdctl pull registry.example.com/team-a/my-app:external-test

Troubleshooting

SymptomCheck
Ingress is missingConfig.spec.defaultRoute, Config.spec.routes[], and Operator logs.
Ingress has no addressIngress controller status, ALB project label, and Ingress events.
TLS handshake failsTLS Secret, client trust store, certificate SAN, and private CA configuration.
Login failsACP credentials, namespace RoleBinding, OIDC runtime discovery, and Registry logs.
Push or pull fails after loginImage namespace permissions, repository path, storage backend, and Registry readiness.