Private Registry Configuration

Configure authentication for private container registries


The Apollo GraphOS Operator supports authentication with private container registries to fetch GraphQL schemas stored as OCI artifacts.

Configuration Methods

1. Docker Helper

The operator image bundles Docker credential helpers for Amazon ECR (ecr-login) and Google Artifact Registry (gcr). The dockerConfig.credHelpers map assigns a registry host to one of these helpers; the map itself holds no secret material, so it can live in version-controlled values. The helper obtains credentials at pull time: ecr-login walks the standard AWS SDK credential chain (environment variables, web identity token, instance role), and gcr reads the gcloud credentials mounted at /.config/gcloud.

YAML
# For Amazon ECR with static credentials
container:
  envFrom:
    - secretRef:
        # Secret with AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY keys.
        # Prefer IRSA (below) to avoid long-lived access keys.
        name: aws-credentials
dockerConfig:
  credHelpers:
    '<account-id>.dkr.ecr.<region>.amazonaws.com': ecr-login
YAML
# For Google Artifact Registry
podTemplate:
  volumes:
    - name: gcp-credentials
      secret:
        secretName: gcp-credentials
container:
  volumeMounts:
    - name: gcp-credentials
      mountPath: /.config/gcloud
      readOnly: true
dockerConfig:
  credHelpers:
    '<region>-docker.pkg.dev': gcr

Amazon ECR with IAM Roles for Service Accounts (IRSA)

IRSA lets the operator authenticate to AWS with an IAM role instead of static access keys. The kubelet projects a short-lived service-account token (audience sts.amazonaws.com) into the pod; the ecr-login helper exchanges it for temporary role credentials through STS AssumeRoleWithWebIdentity and uses those to pull the schema artifacts from ECR. The role's trust policy must name the cluster's OIDC provider and match both the token's audience and the service account's system:serviceaccount:<namespace>:<name> subject, and the role needs ecr:GetAuthorizationToken plus read access (ecr:BatchGetImage, ecr:GetDownloadUrlForLayer, ecr:BatchCheckLayerAvailability) on the repositories that hold the schemas.

The dockerConfig section only maps your ECR registry hosts to the ecr-login helper. It contains no credentials; the helper retrieves them from the projected token each time they are needed. On EKS the pod identity webhook normally injects the AWS_* environment variables and the token volume as soon as the service account carries the role-arn annotation; the values below spell them out so the configuration also works where the webhook does not mutate the operator's pod.

YAML
# For Amazon ECR with IRSA
operator-chart:
  serviceAccount:
    annotations:
      eks.amazonaws.com/role-arn: arn:aws:iam::<account-id>:role/<role-name>
  container:
    env:
      - name: AWS_STS_REGIONAL_ENDPOINTS
        value: regional
      - name: AWS_DEFAULT_REGION
        value: <region>
      - name: AWS_REGION
        value: <region>
      - name: AWS_ROLE_ARN
        value: arn:aws:iam::<account-id>:role/<role-name>
      - name: AWS_WEB_IDENTITY_TOKEN_FILE
        value: /var/run/secrets/eks.amazonaws.com/serviceaccount/token
      - name: DOCKER_CONFIG
        value: /.docker
    volumeMounts:
      - name: aws-iam-token
        mountPath: /var/run/secrets/eks.amazonaws.com/serviceaccount
        readOnly: true
  podTemplate:
    volumes:
      - name: aws-iam-token
        projected:
          defaultMode: 420
          sources:
            - serviceAccountToken:
                audience: sts.amazonaws.com
                expirationSeconds: 86400
                path: token
  dockerConfig:
    credHelpers:
      '<account-id>.dkr.ecr.<region>.amazonaws.com': ecr-login
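The most common IRSA failure is a trust-policy mismatch rather than a missing credential: STS rejects the projected token when the role's aud or sub condition does not line up with the token's claims. The following script is an added example (it is not code from the Apollo GraphOS Operator or its Helm chart). It decodes the token from the aws-iam-token volume, checks the claims STS evaluates, and prints the trust-policy statement the role needs. The issuer ID, account ID, namespace and service-account name are constructed placeholders, and the sample token is unsigned; signature verification is STS's job and is deliberately not attempted.

```python
"""Check a projected IRSA token against the IAM role trust that ecr-login relies on.

Added example; not code from the Apollo GraphOS Operator or its Helm chart.
The token is constructed and unsigned (STS verifies real signatures, this does not).
"""
import base64
import json
import time

EXPECTED_AUDIENCE = "sts.amazonaws.com"  # serviceAccountToken.audience in the Helm values

# Constructed sample: the claim shape kubelet writes for a projected service-account token.
SAMPLE_ISSUER = "https://oidc.eks.us-east-1.amazonaws.com/id/EXAMPLE0123456789ABCDEF"
SAMPLE_NOW = 1_700_000_000
SAMPLE_CLAIMS = {
    "iss": SAMPLE_ISSUER,
    "aud": ["sts.amazonaws.com"],
    "sub": "system:serviceaccount:apollo:graphos-operator",
    "iat": SAMPLE_NOW,
    "exp": SAMPLE_NOW + 86400,  # matches expirationSeconds: 86400
    "kubernetes.io": {"namespace": "apollo", "serviceaccount": {"name": "graphos-operator"}},
}


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_unsigned_token(claims: dict) -> str:
    """Build a JWT-shaped string with a placeholder signature (test input only)."""
    header = {"alg": "RS256", "kid": "constructed-kid"}
    return ".".join([_b64url_encode(json.dumps(header).encode()),
                     _b64url_encode(json.dumps(claims).encode()),
                     "placeholder-signature"])


def decode_claims(token: str) -> dict:
    """Return the payload; the signature is intentionally NOT verified here."""
    _header, payload, _signature = token.split(".")
    return json.loads(_b64url_decode(payload))


def check_token(token: str, namespace: str, service_account: str, now=None) -> list:
    """Return the problems STS would trip over; an empty list means the claims line up."""
    claims = decode_claims(token)
    now = time.time() if now is None else now
    problems = []
    aud = claims.get("aud", [])
    aud = [aud] if isinstance(aud, str) else aud
    if EXPECTED_AUDIENCE not in aud:
        problems.append(f"aud {aud} lacks {EXPECTED_AUDIENCE}: fix serviceAccountToken.audience")
    expected_sub = f"system:serviceaccount:{namespace}:{service_account}"
    if claims.get("sub") != expected_sub:
        problems.append(f"sub {claims.get('sub')!r} != {expected_sub!r}: trust policy will not match")
    if not str(claims.get("iss", "")).startswith("https://oidc.eks."):
        problems.append(f"iss {claims.get('iss')!r} is not an EKS OIDC issuer")
    if claims.get("exp", 0) <= now:
        problems.append("token expired: a stale copy was read instead of the kubelet-rotated file")
    return problems


def trust_policy(claims: dict, account_id: str) -> dict:
    """Trust-policy statement for the role named in eks.amazonaws.com/role-arn.

    IAM names the OIDC provider and its condition keys after the issuer without https://.
    """
    issuer = claims["iss"][len("https://"):]
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": f"arn:aws:iam::{account_id}:oidc-provider/{issuer}"},
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {"StringEquals": {
                f"{issuer}:aud": EXPECTED_AUDIENCE,
                f"{issuer}:sub": claims["sub"],
            }},
        }],
    }


if __name__ == "__main__":
    # Inside the operator pod, read the real file instead:
    #   token = open("/var/run/secrets/eks.amazonaws.com/serviceaccount/token").read().strip()
    token = make_unsigned_token(SAMPLE_CLAIMS)
    print("problems:", check_token(token, "apollo", "graphos-operator", now=SAMPLE_NOW) or "none")
    print(json.dumps(trust_policy(decode_claims(token), "123456789012"), indent=2))
```

Run it with kubectl exec inside the operator pod against the real token file; a non-empty problems list points at the Helm value or the IAM condition that has to change, and the printed statement can be diffed against the role's current trust policy.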

2. Mount Docker Config Secret

For registries without a bundled helper, or when you want to supply the whole Docker config yourself, store config.json in a Kubernetes Secret and mount it at /.docker so the operator reads /.docker/config.json. A Secret of type kubernetes.io/dockerconfigjson must use the key .dockerconfigjson (the API server rejects any other key for that type), so the volume maps that key to the config.json file name Docker clients expect; kubectl create secret docker-registry produces a Secret of exactly this shape. Credentials stored this way are static: use a read-only registry token scoped to the schema repositories, rotate it, and keep the Secret manifest out of version control.

YAML
# Create the secret
apiVersion: v1
kind: Secret
metadata:
  name: docker-config
type: kubernetes.io/dockerconfigjson
data:
  # this type requires the key .dockerconfigjson
  .dockerconfigjson: <base64-encoded-docker-config>
YAML
# Mount in Helm values
podTemplate:
  volumes:
    - name: docker-config
      secret:
        secretName: docker-config
        items:
          # expose the key under the file name the Docker config loader looks for
          - key: .dockerconfigjson
            path: config.json
container:
  volumeMounts:
    - name: docker-config
      mountPath: /.docker
      readOnly: true
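To show the two mechanisms on this page side by side, the credHelpers mapping from "1. Docker Helper" and the static auths entry from "2. Mount Docker Config Secret", the script below is an added example (it is not code from the Apollo GraphOS Operator or its Helm chart). It assembles a Docker config with both kinds of entry, resolves which mechanism a given registry host would use, packages the config as a kubernetes.io/dockerconfigjson Secret with the key the API server requires, and checks that the Helm mount exposes it as /.docker/config.json. The registry hosts, account ID, user name and password are constructed placeholders.

```python
"""Build the Docker config the operator reads from /.docker/config.json and package it as a Secret.

Added example; not code from the Apollo GraphOS Operator or its Helm chart.
All hosts and credentials below are constructed placeholders.
"""
import base64
import json


def docker_config(auths=None, cred_helpers=None) -> dict:
    """auths: {host: (user, password)}; cred_helpers: {host: helper-name}."""
    cfg = {}
    if cred_helpers:
        cfg["credHelpers"] = dict(cred_helpers)  # no secret material: helper is looked up at pull time
    if auths:
        cfg["auths"] = {host: {"auth": base64.b64encode(f"{user}:{password}".encode()).decode()}
                        for host, (user, password) in auths.items()}
    return cfg


def decode_auth(auth: str) -> tuple:
    """Reverse of the auths[].auth encoding; base64 is not encryption, hence the Secret."""
    user, _, password = base64.b64decode(auth).decode().partition(":")
    return user, password


def credential_source(cfg: dict, registry_host: str) -> str:
    """Docker client lookup order: credHelpers for the exact host, then credsStore, then auths."""
    if registry_host in cfg.get("credHelpers", {}):
        return f"docker-credential-{cfg['credHelpers'][registry_host]}"
    if "credsStore" in cfg:
        return f"docker-credential-{cfg['credsStore']}"
    if registry_host in cfg.get("auths", {}):
        return "auths (static token inside config.json)"
    return "anonymous"


def dockerconfigjson_secret(name: str, cfg: dict, namespace: str) -> dict:
    """Secret of type kubernetes.io/dockerconfigjson; only the key .dockerconfigjson is accepted."""
    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "metadata": {"name": name, "namespace": namespace},
        "type": "kubernetes.io/dockerconfigjson",
        "data": {".dockerconfigjson": base64.b64encode(json.dumps(cfg).encode()).decode()},
    }


def helm_mount_values(secret_name: str) -> dict:
    """Helm values that mount the Secret so the pod sees /.docker/config.json."""
    return {
        "podTemplate": {"volumes": [{"name": "docker-config", "secret": {
            "secretName": secret_name,
            "items": [{"key": ".dockerconfigjson", "path": "config.json"}],
        }}]},
        "container": {"volumeMounts": [{"name": "docker-config", "mountPath": "/.docker",
                                        "readOnly": True}]},
    }


def check_secret_mount(secret: dict, values: dict) -> list:
    """Problems that would leave the operator with no config.json, or a malformed one."""
    problems = []
    data = secret.get("data", {})
    if secret.get("type") == "kubernetes.io/dockerconfigjson" and ".dockerconfigjson" not in data:
        problems.append("type kubernetes.io/dockerconfigjson requires the key .dockerconfigjson")
    for key, value in data.items():
        try:
            json.loads(base64.b64decode(value))
        except ValueError:
            problems.append(f"key {key} is not base64-encoded JSON")
    volume = values["podTemplate"]["volumes"][0]["secret"]
    items = volume.get("items") or [{"key": k, "path": k} for k in data]  # default: one file per key
    exposed = {item["path"]: item["key"] for item in items}
    if "config.json" not in exposed:
        problems.append("no file named config.json in the mounted volume")
    elif exposed["config.json"] not in data:
        problems.append(f"items maps config.json to key {exposed['config.json']!r}, which the Secret lacks")
    mount = values["container"]["volumeMounts"][0]
    if mount["mountPath"] != "/.docker" or mount.get("readOnly") is not True:
        problems.append("volumeMount should be /.docker and readOnly")
    return problems


if __name__ == "__main__":
    cfg = docker_config(
        auths={"registry.example.com": ("ci-bot", "s3cr3t")},  # constructed
        cred_helpers={"123456789012.dkr.ecr.us-east-1.amazonaws.com": "ecr-login"},
    )
    for host in ("123456789012.dkr.ecr.us-east-1.amazonaws.com", "registry.example.com", "ghcr.io"):
        print(f"{host}: {credential_source(cfg, host)}")
    secret = dockerconfigjson_secret("docker-config", cfg, "apollo")
    print(json.dumps(secret, indent=2))
    print("problems:", check_secret_mount(secret, helm_mount_values("docker-config")) or "none")
```

Pipe the printed Secret to kubectl apply and feed the values to helm; the checker catches the two mistakes that surface as silent anonymous pulls, a Secret key other than .dockerconfigjson and a volume that never produces a file called config.json.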