docs/configuration/docker-registry.md
The default registry is Docker Hub, but you can change it using registry/server.
If the registry server starts with localhost, Kamal will start a local Docker registry
on that port and push the app image to it.
registry:
server: localhost:5555
By default, Docker Hub creates public repositories. To avoid making your images public, set up a private repository before deploying, or change the default repository privacy settings to private in your Docker Hub settings.
A reference to a secret (in this case, KAMAL_REGISTRY_PASSWORD) will look up the secret
in the local environment:
registry:
username:
- <your docker hub username>
password:
- KAMAL_REGISTRY_PASSWORD
You will need to have the AWS CLI installed locally for this to work.
AWS ECR’s access token is only valid for 12 hours. In order to avoid having to manually regenerate the token every time, you can use ERB in the deploy.yml file to shell out to the AWS CLI command and obtain the token:
registry:
server: <your aws account id>.dkr.ecr.<your aws region id>.amazonaws.com
username: AWS
password: <%= %x(aws ecr get-login-password) %>
To sign into Artifact Registry, you need to
create a service account
and set up roles and permissions.
Normally, assigning the roles/artifactregistry.writer role should be sufficient.
Once the service account is ready, you need to generate and download a JSON key and base64 encode it:
base64 -i /path/to/key.json | tr -d "\\n"
You'll then need to set the KAMAL_REGISTRY_PASSWORD secret to that value.
Use the environment variable as the password along with _json_key_base64 as the username.
Here’s the final configuration:
registry:
server: <your registry region>-docker.pkg.dev
username: _json_key_base64
password:
- KAMAL_REGISTRY_PASSWORD
You can validate the configuration by running:
kamal registry login