Configuration Guide

This document provides a comprehensive overview of all configuration options available in the UDS Registry Helm chart.

| Parameter | Default | Description |
|---|---|---|
| replicaCount | 1 | Number of registry replicas to deploy |

| Parameter | Default | Description |
|---|---|---|
| image.repository | ghcr.io/defenseunicorns/uds-registry | Container image repository |
| image.tag | 0.20.1 | Container image tag |
| image.pullPolicy | IfNotPresent | Image pull policy |

| Parameter | Default | Description |
|---|---|---|
| package.gateway | tenant | Gateway configuration for the package |
| package.host | registry | Hostname for the registry service |
| package.domain | ###ZARF_VAR_DOMAIN### | Domain name (uses Zarf variable) |
| package.useRootDomain | false | Use root domain instead of subdomain |
| package.serviceMeshMode | ambient | Service mesh mode configuration |

Default resource values are suitable for uds-core only. Increase for production workloads.

| Parameter | Default | Description |
|---|---|---|
| resources.requests.memory | 128Mi | Memory request |
| resources.requests.cpu | 250m | CPU request |
| resources.limits.memory | 1Gi | Memory limit |
| resources.limits.cpu | 750m | CPU limit |

Two storage backends are available:

  • filesystem - Uses persistent volumes for storage
  • s3 - Uses S3-compatible object storage

When haDatabase is enabled:

  • ociStorage must be set to s3
  • Database PVC creation is disabled
  • External database must be configured via database.connectionString

| Parameter | Default | Options | Description |
|---|---|---|---|
| ociStorage | filesystem | filesystem, s3 | Storage backend for OCI artifacts |
| haDatabase | false | - | Enable HA database (requires S3 storage) |

| Parameter | Default | Options | Description |
|---|---|---|---|
| registry.logging.level | INFO | DEBUG, INFO, WARN, ERROR | Log level |

| Parameter | Default | Description |
|---|---|---|
| registry.auth.access.admins | ["admin"] | List of initial admin usernames |
| registry.auth.publicOrgs.metadataAccess | ["public"] | Organizations with UI access (no OCI access) |
| registry.auth.publicOrgs.readAccess | ["library"] | Organizations with UI access (auth required for OCI) |
| registry.auth.webSession.duration | 8h | User session duration |
| registry.auth.personalTokens.defaultExpiry | 720h | Default token expiry (30 days) |
| registry.auth.personalTokens.maxExpiry | 4320h | Maximum token expiry (180 days) |
| registry.auth.serviceTokens.defaultExpiry | 1440h | Default token expiry (60 days) |
| registry.auth.serviceTokens.maxExpiry | 8760h | Maximum token expiry (365 days) |

| Parameter | Default | Description |
|---|---|---|
| registry.scanner.enabled | true | Enable vulnerability scanning |
| registry.scanner.updateInterval | 12h | Scanner database update interval |
| registry.scanner.scanInterval | 24h | Image scanning interval |

| Parameter | Default | Description |
|---|---|---|
| registry.features.registryAnalytics | false | Enable registry analytics |
| registry.features.servePrivate | true | Serve private repositories |

| Parameter | Default | Description |
|---|---|---|
| persistence.database.pv.storageClassName | "" | Storage class (empty = default) |
| persistence.database.pv.accessModes | ["ReadWriteOnce"] | Access modes |
| persistence.database.pv.size | 256Mi | Storage size |
| persistence.database.pv.annotations | {} | Persistent volume annotations |
| persistence.database.pv.finalizers | ["kubernetes.io/pvc-protection"] | Persistent volume finalizers |
| persistence.database.pv.existingClaim | "" | Use existing PVC |
| persistence.database.pv.extraPvcLabels | {} | Extra PVC labels |

| Parameter | Default | Description |
|---|---|---|
| persistence.registry.pv.storageClassName | "" | Storage class (empty = default) |
| persistence.registry.pv.accessModes | ["ReadWriteOnce"] | Access modes |
| persistence.registry.pv.size | 10Gi | Storage size |
| persistence.registry.pv.annotations | {} | Persistent volume annotations |
| persistence.registry.pv.finalizers | ["kubernetes.io/pvc-protection"] | Persistent volume finalizers |
| persistence.registry.pv.existingClaim | "" | Use existing PVC |
| persistence.registry.pv.extraPvcLabels | {} | Extra PVC labels |

Set a secure random string for production deployments to ensure consistency across replicas.

| Parameter | Default | Description |
|---|---|---|
| distribution.http.secret | "" | HTTP secret for upload resumption |
| distribution.storage.filesystem.rootDirectory | /app/data/registry | Root directory for registry data |

| Parameter | Default | Required | Description |
|---|---|---|---|
| distribution.storage.s3.region | us-west-1 | Yes | AWS region |
| distribution.storage.s3.regionEndpoint | "" | No | Custom S3 endpoint |
| distribution.storage.s3.bucket | uds-registry | Yes | S3 bucket name |
| distribution.storage.s3.rootDirectory | registry | No | Root directory in bucket |
| distribution.storage.s3.secure | false | No | Use HTTPS |
| distribution.storage.s3.v4Auth | true | No | Use AWS Signature Version 4 |
| distribution.storage.s3.chunkSize | 5242880 | No | Chunk size for multipart uploads |
| distribution.storage.s3.multipartCopyChunkSize | 33554432 | No | Chunk size for multipart copy |
| distribution.storage.s3.multipartCopyMaxConcurrency | 100 | No | Max concurrency for multipart copy |
| distribution.storage.s3.multipartCopyThresholdSize | 33554432 | No | Threshold for multipart copy |
| distribution.storage.s3.storageClass | STANDARD | No | S3 storage class |
| distribution.storage.s3.keyId | "" | No | AWS access key ID |
| distribution.storage.s3.accessKey | "" | No | AWS secret access key |
| distribution.storage.s3.sessionToken | "" | No | AWS session token |

| Parameter | Default | Options | Description |
|---|---|---|---|
| database.type | sqlite3 | sqlite3, postgres | Database type |
| database.connectionString | file:./db/registry.sqlite?_pragma=foreign_keys(1) | - | Database connection string |

| Parameter | Default | Description |
|---|---|---|
| serviceAccount.annotations | "" | Service account annotations |
| podSecurityContext.runAsUser | 65532 | User ID to run pods |
| podSecurityContext.runAsGroup | 65532 | Group ID to run pods |
| podSecurityContext.fsGroup | 65532 | Filesystem group ID |
| containerSecurityContext.runAsUser | 65532 | User ID for containers |
| containerSecurityContext.runAsGroup | 65532 | Group ID for containers |

```yaml
replicaCount: 1
ociStorage: "filesystem"
haDatabase: false
resources:
  requests:
    memory: "128Mi"
    cpu: "250m"
  limits:
    memory: "1Gi"
    cpu: "750m"
```

SQLite (Default):

```yaml
database:
  type: sqlite3
  connectionString: "file:./db/registry.sqlite?_pragma=foreign_keys(1)"
```

PostgreSQL for Production:

```yaml
database:
  type: postgres
  connectionString: "postgres://user:password@host:5432/dbname?sslmode=require"
```

```yaml
# Basic filesystem storage with logging
distribution:
  version: "0.1"
  storage:
    filesystem:
      rootdirectory: "./data/registry"
  http:
    secret: "my-cool-secret"
logging:
  level: "INFO"
```

```yaml
# S3 storage with comprehensive settings
distribution:
  version: "0.1"
  storage:
    s3:
      region: "us-east-1"
      bucket: "uds-registry"
      accesskey: "${AWS_ACCESS_KEY}"
      secretkey: "${AWS_SECRET_KEY}"
      # Optional: Custom S3 endpoint for S3-compatible storage
      # regionendpoint: "https://custom.s3.endpoint"
      # forcepathstyle: true
      # encrypt: true
      # rootdirectory: "/registry"
      # storageclass: "STANDARD"
      # secure: true
    cache:
      blobdescriptor: "inmemory"
```

```yaml
# OIDC authentication configuration
auth:
  sso:
    issuer: "https://sso.uds.dev/realms/uds"
    clientId: "uds-registry"
    clientSecret: "your-client-secret"
    callbackUrl: "https://registry.example.com/uds/auth/callback"
    # Optional: Custom scopes and claims
    # scopes:
    #   - "openid"
    #   - "profile"
    #   - "email"
    # claims:
    #   username: "preferred_username"
    #   email: "email"
    #   name: "name"
    #   groups: "groups"
```

```yaml
# Authentication, token management, and session settings
auth:
  webSession:
    duration: "8h"
    cookieDomain: "example.com"
  publicOrgs:
    # Organizations with UI access (no OCI access)
    metadataAccess:
      - "public"
    # Organizations with UI access (auth required for OCI)
    readAccess:
      - "defenseunicorns"
  access:
    admins:
      - "admin@example.com"
  personalTokens:
    defaultExpiry: "168h" # 7 days
    maxExpiry: "4320h" # 180 days
  serviceTokens:
    defaultExpiry: "168h" # 7 days
    maxExpiry: "4320h" # 180 days
# Vulnerability scanner settings
scanner:
  enabled: true
  updateInterval: "6h"
  scanInterval: "1h" # More frequent for dev/test (default: 24h)
# Enable/disable registry features
features:
  servePrivate: true
  registryAnalytics: false
  strictPackageValidation: true
```

```yaml
# HA deployment: S3 blob storage, external PostgreSQL, several replicas
replicaCount: 3
ociStorage: "s3"
haDatabase: true
resources:
  requests:
    memory: "512Mi"
    cpu: "500m"
  limits:
    memory: "2Gi"
    cpu: "1000m"
distribution:
  http:
    secret: "your-secure-random-string" # must be identical on every replica
  storage:
    s3:
      region: "us-east-1"
      bucket: "my-registry-bucket"
      keyId: "your-access-key-id"         # AWS access key ID (parameter names as in the S3 table above)
      accessKey: "your-secret-access-key" # AWS secret access key
database:
  type: "postgres"
  connectionString: "postgres://user:password@db-host:5432/registry?sslmode=require"
```
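The HA rules from the storage section (haDatabase needs ociStorage set to s3 and an external database), the fields marked Required in the S3 table, the fixed distribution.http.secret once replicaCount exceeds 1, and the token expiry limits are easy to get wrong in a values file. The following pre-deploy lint is an added example written for this page, not part of the UDS Registry chart or its tooling. It encodes those rules plus three practitioner checks: a PostgreSQL connection string without the sslmode=require used in the production example, an SSO callbackUrl that is not HTTPS, and defaultExpiry exceeding maxExpiry. The two values dicts are constructed for the demo (the first mirrors the HA example above); registry.auth.* paths follow the parameter table, so the auth blocks shown elsewhere on this page sit under `registry:` in values. The ReadWriteOnce warning is general Kubernetes behaviour, not something this guide states. Reading a real values.yaml needs PyYAML; the checks themselves use only the standard library.

```python
"""Pre-deploy lint for UDS Registry Helm values (added example, not chart code)."""
import re
import sys

_UNIT_SECONDS = {"h": 3600, "m": 60, "s": 1}
SQLITE_DEFAULT = "file:./db/registry.sqlite?_pragma=foreign_keys(1)"


def parse_duration(text):
    """Parse Go-style durations ('720h', '8h', '1h30m') into seconds."""
    parts = re.findall(r"(\d+)([hms])", text)
    if not parts or "".join(n + u for n, u in parts) != text:
        raise ValueError(f"bad duration: {text!r}")
    return sum(int(n) * _UNIT_SECONDS[u] for n, u in parts)


def _get(values, path, default=None):
    """Walk a dotted path such as 'distribution.storage.s3.bucket'."""
    for key in path.split("."):
        if not isinstance(values, dict) or key not in values:
            return default
        values = values[key]
    return values


def validate(values):
    """Return (errors, warnings) for a parsed values dict; errors should block deploy."""
    errors, warnings = [], []
    replicas = int(_get(values, "replicaCount", 1))
    storage = _get(values, "ociStorage", "filesystem")
    db_type = _get(values, "database.type", "sqlite3")
    conn = _get(values, "database.connectionString", SQLITE_DEFAULT) or ""
    if storage not in ("filesystem", "s3"):
        errors.append(f"ociStorage must be filesystem or s3, got {storage!r}")
    if _get(values, "haDatabase", False):
        # HA disables the database PVC, so blobs and the database must both be external
        if storage != "s3":
            errors.append("haDatabase=true requires ociStorage=s3")
        if db_type != "postgres" or not conn.startswith(("postgres://", "postgresql://")):
            errors.append("haDatabase=true requires an external postgres database.connectionString")
    if storage == "s3":
        for key in ("region", "bucket"):  # marked Required in the S3 table
            if not _get(values, f"distribution.storage.s3.{key}"):
                errors.append(f"distribution.storage.s3.{key} is required")
        if not _get(values, "distribution.storage.s3.secure", False):
            warnings.append("distribution.storage.s3.secure=false: S3 traffic is not forced to HTTPS")
        if _get(values, "distribution.storage.s3.keyId") or _get(values, "distribution.storage.s3.accessKey"):
            warnings.append("static S3 credentials are stored in Helm values and release history")
    elif replicas > 1:
        # Assumption (general Kubernetes behaviour, not stated by the guide): the default
        # ReadWriteOnce registry PVC cannot be mounted by pods scheduled on different nodes.
        warnings.append("filesystem storage with replicaCount>1 needs a volume every pod can mount")
    if replicas > 1 and not _get(values, "distribution.http.secret"):
        errors.append("replicaCount>1 requires a fixed distribution.http.secret")
    if db_type == "postgres" and "sslmode=require" not in conn:
        warnings.append("postgres connectionString lacks sslmode=require")
    for kind in ("personalTokens", "serviceTokens"):
        base = f"registry.auth.{kind}"
        dflt, mx = _get(values, f"{base}.defaultExpiry"), _get(values, f"{base}.maxExpiry")
        if dflt and mx and parse_duration(dflt) > parse_duration(mx):
            errors.append(f"{base}.defaultExpiry exceeds maxExpiry")
    callback = _get(values, "registry.auth.sso.callbackUrl")
    if callback and not callback.startswith("https://"):
        errors.append("registry.auth.sso.callbackUrl must use https")
    return errors, warnings


# Constructed sample values for the demo; the credential strings are placeholders.
HA_VALUES = {
    "replicaCount": 3, "ociStorage": "s3", "haDatabase": True,
    "distribution": {
        "http": {"secret": "replace-with-openssl-rand-hex-32-output"},
        "storage": {"s3": {"region": "us-east-1", "bucket": "my-registry-bucket", "secure": True}},
    },
    "database": {"type": "postgres",
                 "connectionString": "postgres://registry:pw@db-host:5432/registry?sslmode=require"},
    "registry": {"auth": {"personalTokens": {"defaultExpiry": "720h", "maxExpiry": "4320h"},
                          "sso": {"callbackUrl": "https://registry.example.com/uds/auth/callback"}}},
}
BROKEN_VALUES = {  # HA on filesystem storage, no http secret, service token default > max
    "replicaCount": 3, "ociStorage": "filesystem", "haDatabase": True,
    "database": {"type": "postgres", "connectionString": "postgres://registry:pw@db-host:5432/registry"},
    "registry": {"auth": {"serviceTokens": {"defaultExpiry": "1440h", "maxExpiry": "720h"}}},
}

if __name__ == "__main__":  # usage: python lint_values.py values.yaml  (needs PyYAML)
    import yaml
    with open(sys.argv[1]) as fh:
        errs, warns = validate(yaml.safe_load(fh) or {})
    print(*[f"WARN: {w}" for w in warns], *[f"ERROR: {e}" for e in errs], sep="\n")
    sys.exit(1 if errs else 0)
```

Run it against the values file you are about to pass to `helm upgrade`; a non-zero exit means at least one of the guide's hard constraints is violated, while warnings flag settings that work but weaken transport security or credential handling. Extend `validate` with your own site rules (for example a required storageClassName) rather than editing the chart defaults.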

```yaml
# Comprehensive configuration combining multiple aspects
distribution:
  version: "0.1"
  storage:
    s3:
      region: "us-east-1"
      bucket: "production-registry"
      accesskey: "${AWS_ACCESS_KEY}"
      secretkey: "${AWS_SECRET_KEY}"
      encrypt: true
      storageclass: "STANDARD"
    cache:
      blobdescriptor: "inmemory"
  http:
    secret: "production-secret-key"
auth:
  sso:
    issuer: "https://sso.company.com/realms/production"
    clientId: "uds-registry-prod"
    clientSecret: "${OIDC_CLIENT_SECRET}"
    callbackUrl: "https://registry.company.com/uds/auth/callback"
  webSession:
    duration: "8h"
    cookieDomain: "company.com"
  publicOrgs:
    metadataAccess:
      - "public"
    readAccess:
      - "shared"
  access:
    admins:
      - "registry-admin@company.com"
  personalTokens:
    defaultExpiry: "720h" # 30 days
    maxExpiry: "4320h" # 180 days
scanner:
  enabled: true
  updateInterval: "12h"
  scanInterval: "24h"
features:
  servePrivate: true
  registryAnalytics: true
logging:
  level: "INFO"
database:
  type: "postgres"
  connectionString: "postgres://registry:${DB_PASSWORD}@db.company.com:5432/registry?sslmode=require"
```