Configure container registries

Your service, and the dependencies it needs, are packaged up as container images using tools such as Buildah or the Docker command line interface. You can then push the container image to a container registry to deploy it to Akka Serverless. You’ll need to give Akka Serverless permissions to connect to your registry if the container registry requires authentication.

Adding credentials

To add credentials for your container registry to Akka Serverless, you can use the Akka Serverless CLI or the Akka Serverless Console.

If the container registry you’re using does not require authentication, you don’t have to add any credentials. Akka Serverless will automatically pull the container image using the URL you use to deploy your service.

There are four parameters you need to specify, depending on the registry you want to connect to:

  • Server: The first part of the container image URL. For example, if your image is at us.gcr.io/my-project/my-image, the server is https://us.gcr.io (mandatory).

  • Username: The username (optional).

  • Email: The email address (optional).

  • Password: The password (mandatory).

CLI

Use the akkasls docker add-credentials command.

akkasls docker add-credentials --docker-server <my-server> \ (1)
  --docker-username <my-username> \ (2)
  --docker-email <my-email> \ (3)
  --docker-password <my-password> (4)
1 Server
2 Username
3 Email
4 Password
Console
  1. Sign in to your Akka Serverless account at: https://console.akkaserverless.com/

  2. Select the project for which you want to configure credentials.

  3. Using the left pane or top navigation bar, click Integrations to open the Integrations page.

  4. Go to the Container Registries section.

  5. Click Add (⊕) to the right of the registry type for which you want to add credentials.

  6. Fill in the form with the required information.

  7. Then click Add.

Listing credentials

To list all container registry credentials for your Akka Serverless project, you can use the Akka Serverless CLI or the Akka Serverless Console. For security purposes, neither the CLI nor the Console will show the password of the configured registry.

CLI

Use the akkasls docker list-credentials command:

akkasls docker list-credentials

The results should look something like:

ID                                     SERVER              USERNAME    EMAIL
xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx   https://us.gcr.io   _json_key   user@example.com
Console
  1. Sign in to your Akka Serverless account at: https://console.akkaserverless.com/

  2. Click the project for which you want to see the credentials.

  3. Using the left pane or top navigation bar, click Integrations to open the Integrations page.

  4. Go to the Container Registries section.

  5. Find the registry listing you wish to review.

Removing credentials

To remove container registry credentials from your Akka Serverless project, you can use the Akka Serverless CLI or the Akka Serverless Console.

CLI

Use the 'ID' returned from the akkasls docker list-credentials command as the ID in the akkasls docker delete-credentials command:

akkasls docker delete-credentials <credentials-id>
Console
  1. Sign in to your Akka Serverless account at: https://console.akkaserverless.com/

  2. Select the project from which you want to delete credentials.

  3. Using the left pane or top navigation bar, click Integrations to open the Integrations page.

  4. Go to the Container Registries section.

  5. Find the Garbage can symbol, 🗑, adjacent to the registry listing you wish to delete, and click it.

  6. A popup form will appear asking you to confirm the deletion.

  7. Click Delete.

Supported registries

Private container registries

To connect your Akka Serverless project to private or self-hosted container registries, the parameters you need are:

  • Server: The full URL of your container registry, including the API version (like https://mycontainerregistry.example.com/v1/).

  • Username: Your username.

  • Email: Your email address.

  • Password: Your password.

Docker Hub

To connect your Akka Serverless project to Docker Hub, the parameters you need are:

  • Server: https://index.docker.io/v1/.

  • Username: Your Docker Hub username.

  • Email: Your Docker Hub email address.

  • Password: Your Docker Hub password or Personal Access Token.

When you use the Akka Serverless Console, you don’t need to provide the Server URL.

Limits on unauthenticated and free usage

Docker has rate limits new tab for unauthenticated and free Docker Hub usage. For unauthenticated users, pull rates are limited based on IP address (anonymous, or unauthenticated, users have a limit of 100 container image pulls per 6 hours per IP address). Akka Serverless leverages a limited set of IP addresses to connect to Docker Hub. This means that unauthenticated image pulls might be rate limited. The limit for unauthenticated pulls is shared by all users of the Akka Serverless platform.

Google Container Registry

To connect your Akka Serverless project to Google Container Registry (GCR), you’ll need:

  • An active Google Cloud Platform account.

  • The Registry API enabled on your Google Cloud project.

  • The ID that corresponds with your GCP project.

Configuring a private gcr.io registry causes Akka Serverless to fail to deploy the sidecar. Because, the sidecar image is currently hosted in a private gcr.io registry. The host credentials will be overwritten if another gcr.io registry is configured.
  1. Create the service account.

    In the following example the service account is named akkaserverless-docker-reader. Run the create command in your terminal if you have the GCP shell tools installed. Or, run the command from the browser using Cloud Shell Terminal in the Google Cloud Platform (GCP) project.

      gcloud iam service-accounts create akkaserverless-docker-reader
  2. Grant the GCP storage object viewer role to the service account.

    In the following example, replace <gcp-project-id> with the GCP project ID.

      gcloud projects add-iam-policy-binding <gcp-project-id> \
      --member "serviceAccount:akkaserverless-docker-reader@<gcp-project-id>.iam.gserviceaccount.com" \
      --role "roles/storage.objectViewer"
  3. Generate the service account _json_key.

    gcloud iam service-accounts keys create keyfile.json \
      --iam-account akkaserverless-docker-reader@<gcp-project-id>.iam.gserviceaccount.com
  4. Configure your Akka Serverless project to use these credentials, by passing the contents of the key file as the password.

    akkasls docker add-credentials --docker-server https://us.gcr.io \
      --docker-username _json_key \
      --docker-email anyemail@example.com \
      --docker-password "$(cat keyfile.json)"
    Find detailed configuration instructions in the Google documentation new tab.

Azure Container Registry

To connect your Akka Serverless project to Azure Container Registry (ACR), the parameters you need are:

  • Server: <registry name>.azurecr.io.

  • Password: The password is based on the "service principal." To create a service principal (like akkaserverless-docker-reader) run the command below.

    ACR_REGISTRY_ID=$(az acr show —name akkaserverless-registry —query id —output tsv)
    SP_PASSWD=$(az ad sp create-for-rbac --name http://akkaserverless-docker-reader --scopes $ACR_REGISTRY_ID --role acrpull --query password --output tsv)
  • Username: The username is the application ID of the "service principal." To retrieve the ID, run the command below.

    SP_APP_ID=$(az ad sp show —id http://akkaserverless-docker-reader —query appId —output tsv)

When you use the Akka Serverless Console, you only need to fill in the registry name for the Server URL.