Version: v1.0.x

Configure ECR Instead of Zot

An Open Container Initiative (OCI) registry is required to store OCI artifacts. Instead of the default in-cluster Zot registry, you can configure the PaletteAI Helm chart to use Amazon Elastic Container Registry (ECR). Amazon ECR works on both Amazon EKS and self-managed Kubernetes on AWS (IaaS), and you can configure it during installation or afterward.

Prerequisites

  • An existing self-managed Kubernetes cluster that uses AWS EC2 instances.

  • Access to the cluster kubeconfig file.

  • Downloaded PaletteAI Helm values file.

    curl --output values.yaml --silent https://docs.palette-ai.com/resources/assets/hosted/helm/values.yaml
  • Install the following tools on the machine you use to install or upgrade PaletteAI:

    • kubectl version >= 1.31.0

      Set the KUBECONFIG environment variable to the path of the hub cluster kubeconfig file.

      export KUBECONFIG=<kubeconfig-location>
    • Helm version >= 3.17.0 if you plan to use the manual Helm workflow instead of the recommended Flux-managed workflow.

    • AWS CLI

    • A text editor, such as vi

  • An AWS IAM role with the following ECR permissions for either a private or public ECR:

    Minimal inline policy example for private ECR

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "ecr:CompleteLayerUpload",
            "ecr:UploadLayerPart",
            "ecr:InitiateLayerUpload",
            "ecr:BatchCheckLayerAvailability",
            "ecr:PutImage",
            "ecr:BatchGetImage",
            "ecr:GetDownloadUrlForLayer"
          ],
          "Resource": "arn:aws:ecr:<region>:<account-id>:repository/<ecr-namespace>/<ecr-repo-name>"
        },
        {
          "Effect": "Allow",
          "Action": "ecr:GetAuthorizationToken",
          "Resource": "*"
        }
      ]
    }

  • The IAM role is attached to an AWS instance profile, and that instance profile is attached to each EC2 node in the cluster.

Enablement

  1. Open the Helm values file in a text editor. This example uses vi.

    vi values.yaml
  2. Configure Hue to push OCI artifacts to ECR. Set hue.ociRegistry.provider to aws and hue.ociRegistry.endpoint to your ECR registry URI. The registry URI syntax depends on whether you use a private or public ECR.

    hue:
      ociRegistry:
        enabled: true
        endpoint: 'oci://<account-id>.dkr.ecr.<region>.amazonaws.com/<ecr-namespace>'
        repository: '<ecr-repo-name>'
        insecure: false
        interval: 5m
        timeout: 60s
        provider: 'aws'

  3. Update each entry under fleetConfig.spokes[i].ociRegistry so every spoke cluster references the same ECR registry. Set provider to aws.

    fleetConfig:
      spokes:
        - name: spoke-1
          ociRegistry:
            endpoint: 'oci://<account-id>.dkr.ecr.<region>.amazonaws.com/<ecr-namespace>'
            repository: 'mural-workloads'
            insecure: false
            provider: 'aws'

    Repeat this step for every spoke cluster you plan to use.

  4. Configure AWS authentication for the hue service account.

    Skip this step. On AWS IaaS, Hue uses the IAM permissions attached to the EC2 node instance profile.

  5. Configure AWS authentication for the Flux source-controller service account.

    Skip this step. On AWS IaaS, source-controller uses the IAM permissions attached to the EC2 node instance profile.

  6. If you already installed PaletteAI with the default Zot registry, remove the basicAuth section from both the hue and fleetConfig sections in your Helm values. When you use ECR, AWS handles authentication through the node instance profile or IRSA. The following keys are the ones to remove:

    hue:
      ociRegistry:
        basicAuth:
          username: '<username>'
          password: '<password>'
    fleetConfig:
      spokes:
        - name: spoke-1
          ociRegistry:
            basicAuth:
              username: '<username>'
              password: '<password>'

  7. Apply the updated configuration. If you have not installed PaletteAI yet, continue with Install PaletteAI on AWS IaaS or Install PaletteAI on EKS and use the updated values.yaml file.

    For Flux-managed installations, update the values block in the HelmRelease manifest for your mural release and apply the changes to the cluster.

    kubectl apply --filename <path-to-your-mural-helmrelease>.yaml

    If you manage the release manually, use the workflow below.

    Warning: If you do not use Flux, manage the mural-crds chart separately from the mural chart. Apply or upgrade Custom Resource Definitions (CRDs) out of band before you install or upgrade the mural chart. For the manual Helm workflow, refer to Upgrade Manually.

    helm upgrade mural oci://public.ecr.aws/mural/mural --version 1.0.7 \
    --namespace mural-system --values values.yaml --wait
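Before applying the values, it is worth checking that steps 2, 3 and 6 and the IAM policy from the prerequisites agree with each other. The following check is an added example, not PaletteAI code: it takes the parsed values.yaml and the policy, requires provider aws and one shared endpoint for hue and every spoke, flags any leftover basicAuth, and derives the repository ARN the policy must name from the hue endpoint. The sample values and policy are constructed, and a private ECR endpoint with a 12-digit account id is assumed.

```python
import re

# Private ECR URI shape from this page's values.yaml (a 12-digit account id is assumed).
ECR_URI = re.compile(r"^oci://(?P<acct>\d{12})\.dkr\.ecr\.(?P<region>[a-z0-9-]+)"
                     r"\.amazonaws\.com/(?P<ns>[^/\s]+)$")
# Repository-scoped actions from the page's minimal inline policy.
REQUIRED_ACTIONS = {"ecr:CompleteLayerUpload", "ecr:UploadLayerPart",
                    "ecr:InitiateLayerUpload", "ecr:BatchCheckLayerAvailability",
                    "ecr:PutImage", "ecr:BatchGetImage", "ecr:GetDownloadUrlForLayer"}

def expected_repo_arn(endpoint, repository):
    """Repository ARN the IAM policy must name for this endpoint, or None if not ECR."""
    m = ECR_URI.match(endpoint)
    return m and f"arn:aws:ecr:{m['region']}:{m['acct']}:repository/{m['ns']}/{repository}"

def check_values(values, policy):
    """Findings for a parsed values.yaml and its IAM policy; an empty list is consistent."""
    out, hue = [], values.get("hue", {}).get("ociRegistry", {})
    arn = expected_repo_arn(hue.get("endpoint", ""), hue.get("repository", ""))
    if not arn:
        out.append("hue.ociRegistry.endpoint is not a private ECR URI")
    # hue and every spoke: provider aws, same endpoint as hue, no leftover basicAuth.
    spokes = values.get("fleetConfig", {}).get("spokes", [])
    for name, reg in [("hue", hue)] + [(s.get("name"), s.get("ociRegistry", {})) for s in spokes]:
        if reg.get("provider") != "aws":
            out.append(f"{name}: provider must be 'aws'")
        if reg.get("endpoint") != hue.get("endpoint"):
            out.append(f"{name}: endpoint must match hue.ociRegistry.endpoint")
        if "basicAuth" in reg:
            out.append(f"{name}: basicAuth must be removed when using ECR")
    # Allow statements scoped to named repositories (GetAuthorizationToken alone uses '*').
    repo = [s for s in policy.get("Statement", [])
            if s.get("Effect") == "Allow" and s.get("Resource") != "*"]
    granted = {a for s in repo for a in ([s["Action"]] if isinstance(s["Action"], str) else s["Action"])}
    if missing := REQUIRED_ACTIONS - granted:
        out.append("no repository-scoped grant for: " + ", ".join(sorted(missing)))
    if arn and arn not in {s["Resource"] for s in repo}:
        out.append(f"policy Resource does not cover {arn}")
    return out

# Constructed sample (placeholders filled), shaped like yaml.safe_load(open("values.yaml")).
ENDPOINT = "oci://123456789012.dkr.ecr.us-east-1.amazonaws.com/mural"
SAMPLE_VALUES = {
    "hue": {"ociRegistry": {"provider": "aws", "endpoint": ENDPOINT, "repository": "hue-artifacts"}},
    "fleetConfig": {"spokes": [{"name": "spoke-1", "ociRegistry": {
        "provider": "aws", "endpoint": ENDPOINT, "repository": "mural-workloads"}}]}}
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": sorted(REQUIRED_ACTIONS),
     "Resource": "arn:aws:ecr:us-east-1:123456789012:repository/mural/hue-artifacts"},
    {"Effect": "Allow", "Action": "ecr:GetAuthorizationToken", "Resource": "*"}]}
```

For a real installation, pass yaml.safe_load of values.yaml and json.load of the policy document; check_values(SAMPLE_VALUES, SAMPLE_POLICY) returns an empty list.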

Validate

  1. If you use Flux, confirm that the OCIRepository resources are ready.

    kubectl get ocirepository --namespace mural-system
  2. Check the Hue controller logs for successful OCI pushes.

    kubectl logs --namespace mural-system deployment/hue | grep --ignore-case "push\|oci"
  3. Verify that artifacts exist in ECR.

    aws ecr describe-images \
    --repository-name <ecr-namespace>/<ecr-repo-name> \
    --region <region>

Next Steps

  1. After you confirm that ECR is working, open the PaletteAI values.yaml file and disable Zot.

    vi values.yaml

    zot:
      enabled: false

  2. Update your PaletteAI installation to remove Zot.

    For Flux-managed installations, update the values block in the HelmRelease manifest for your mural release and apply the changes to the cluster.

    kubectl apply --filename <path-to-your-mural-helmrelease>.yaml

    If you manage the release manually, use the workflow below.

    Warning: If you do not use Flux, manage the mural-crds chart separately from the mural chart. Apply or upgrade Custom Resource Definitions (CRDs) out of band before you install or upgrade the mural chart. For the manual Helm workflow, refer to Upgrade Manually.

    helm upgrade mural oci://public.ecr.aws/mural/mural --version 1.0.7 \
    --namespace mural-system --values values.yaml --wait