Deploy Rok Registry

To declaratively configure and deploy Rok Registry we use Kustomize, a tool that is also built natively into kubectl. In a nutshell, the final manifests are generated by combining the maintainer’s kustomization directories (bases) with the end user’s variants (overlays). Because the version built into kubectl is old, we use a newer Kustomize version to build the final Kubernetes manifests and then apply them with kubectl apply.

What You’ll Need

Option 1: Deploy with the Rok Deployment CLI (preferred)

The standard way to set up Rok Registry on Kubernetes is to use rok-deploy, an interactive CLI utility that helps you declaratively configure and deploy a Rok Registry cluster on Kubernetes using GitOps, with minimal effort.

Assuming you have prepared your management environment, e.g., you are inside a rok-tools Pod (or Docker container), you can simply run:

root@rok-tools:/# rok-deploy

You will be prompted with a graphical interface that will ask you a series of questions to tailor your installation based on your platform, environment and preferences.


The Rok deployment CLI assumes access to both AWS and Kubernetes, e.g., via ~/.kube/config and ~/.aws/{config, credentials} or the environment.

During this process rok-deploy will:

  1. Clone the GitOps repository locally, either with SSH or username/token authentication, and check out the appropriate branch. The Rok Registry installation will track this branch and will use it on upgrades to fetch the changed manifests.
  2. Validate that needed utilities (e.g., git, kubectl, aws) are installed in your system.
  3. Validate access to both your cloud provider (e.g., AWS) and the Kubernetes cluster that is about to host your Rok Registry installation.
  4. Automatically generate YAML patches for Rok Registry based on user input.
  5. Commit all changes locally.
  6. Ask for confirmation and deploy Rok Registry and its external services on Kubernetes, including etcd and PostgreSQL.

You can always view the auto-generated commits that rok-deploy creates in the GitOps repository, under ~/ops/deployments by default. For example:

commit f99e865ede6c677b230d43bf82c25baaca53948e
Author: Rok Deploy v0.15-pre-1303-gab1b01db9 <>
Date:   Mon May 25 18:09:06 2020 +0300

   Update Rok Registry manifests


Make sure you mirror the GitOps repo to a private remote so that you can always recover it.

Once rok-deploy completes successfully, your Rok Registry cluster will be up and running shortly.

Option 2: Deploy Manually

Clone the GitOps Repository

You need to clone a deployment repository provided by Arrikto. In the following we assume you have cloned it under ~/ops. Here are example commands:

root@rok-tools:/# mkdir -p ~/ops
root@rok-tools:/# cd ~/ops
root@rok-tools:/# git clone <ARRIKTO_PROVIDED_REPOSITORY> deployments
root@rok-tools:/# cd deployments

Create Rok Registry Namespaces

Create the rok-registry and rok-registry-system namespaces needed to host Rok Registry and its system components:

root@rok-tools:~/ops/deployments# rok-deploy --apply rok/rok-registry-namespaces/overlays/deploy

Deploy Istio

Deploy Istio:

root@rok-tools:~/ops/deployments# rok-deploy --apply install/istio

Expose the Istio mesh to ingress traffic:

root@rok-tools:~/ops/deployments# rok-deploy --apply rok/rok-istio-ingress/overlays/registry

Give Private Docker Registry Access

To pull container images for Rok Registry and its components, you need the Arrikto-provided dockerconfig.json file, which contains a token with pull access to the arrikto-deploy GCP Container Registry. Copy this file to certain locations under the kustomization tree of the GitOps repo. See the Configure Access to Arrikto’s Private Registry section for more details.

Assuming you have dockerconfig.json under /root/dockerconfig.json:

root@rok-tools:~/ops/deployments# cp /root/dockerconfig.json rok/rok-registry-cluster/overlays/deploy/secrets/dockerconfig.json
root@rok-tools:~/ops/deployments# cp /root/dockerconfig.json rok/rok-operator/overlays/registry-deploy/secrets/dockerconfig.json
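
The two copies above can be wrapped in a check that the pull token is not exposed along the way. This is an added example, not part of the original guide or of Arrikto's tooling: the function name stage_pull_secret is hypothetical, and the "auths" check assumes the file follows the standard Docker client config layout.

```shell
#!/bin/sh
# Added example, not Arrikto's code. stage_pull_secret is a hypothetical name.

# Destinations relative to the GitOps repo root, as listed on this page.
PULL_SECRET_DESTS="rok/rok-registry-cluster/overlays/deploy/secrets/dockerconfig.json
rok/rok-operator/overlays/registry-deploy/secrets/dockerconfig.json"

stage_pull_secret() {
    src=$1
    repo_root=$2

    # Refuse symlinks, missing files and empty files.
    if [ -L "$src" ] || [ ! -f "$src" ] || [ ! -s "$src" ]; then
        echo "error: $src is not a regular, non-empty file" >&2
        return 1
    fi
    # Characters 5-10 of `ls -l` are the group/other bits; all must be unset.
    if [ "$(ls -ld "$src" | cut -c5-10)" != "------" ]; then
        echo "error: $src is accessible to group/other; chmod 600 it" >&2
        return 1
    fi
    # Assumption: the file follows the standard Docker client config layout.
    if ! grep -q '"auths"' "$src"; then
        echo "error: $src has no \"auths\" section" >&2
        return 1
    fi

    # Check every target directory first so a wrong repo root writes nothing.
    for rel in $PULL_SECRET_DESTS; do
        if [ ! -d "$(dirname "$repo_root/$rel")" ]; then
            echo "error: missing directory for $rel under $repo_root" >&2
            return 1
        fi
    done

    # Copy under a tight umask, force mode 600, then verify the bytes.
    for rel in $PULL_SECRET_DESTS; do
        dst=$repo_root/$rel
        ( umask 077 && cp "$src" "$dst" && chmod 600 "$dst" ) || return 1
        cmp -s "$src" "$dst" || { echo "error: $dst differs" >&2; return 1; }
    done
}

# Usage: stage_pull_secret /root/dockerconfig.json ~/ops/deployments
```
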

Deploy Rok Registry Operator

Deploy the Rok Registry Operator:

root@rok-tools:~/ops/deployments# rok-deploy --apply rok/rok-operator/overlays/registry-deploy

Deploy Internally Managed Services

Deploy Rok etcd and PostgreSQL:

root@rok-tools:~/ops/deployments# rok-deploy --apply rok/rok-external-services/etcd/overlays/registry-deploy
root@rok-tools:~/ops/deployments# rok-deploy --apply rok/rok-external-services/postgresql/overlays/registry-deploy

Deploy Rok Registry Cluster

Create a default-user file in rok/rok-registry-cluster/overlays/deploy/secrets and add your custom password for the default user.

Deploy the Rok Registry Cluster:

root@rok-tools:~/ops/deployments# rok-deploy --apply rok/rok-registry-cluster/overlays/deploy

After a while, the Rok Registry cluster should be up and running:

root@rok-tools:/# kubectl get rokregistrycluster -n rok-registry
NAME           VERSION                            HEALTH   TOTAL MEMBERS   READY MEMBERS   PHASE     AGE
rok-registry   l0-release-v1.1-pre-2-g6b0b76380   OK       1               1               Running   42m

You can also view events related to the newly deployed Rok Registry cluster with:

root@rok-tools:/# kubectl describe rokregistrycluster -n rok-registry rok-registry
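
To script the check above instead of reading the table by eye, the following added example (not part of the original guide) parses the kubectl get rokregistrycluster output. The helper names registry_ready and wait_for_registry are hypothetical, and the parser assumes the column order printed on this page.

```shell
#!/bin/sh
# Added example, not Arrikto's code. Helper names are hypothetical.

# Reads `kubectl get rokregistrycluster` table output on stdin. Succeeds only
# if the row named $1 has HEALTH=OK, PHASE=Running and READY MEMBERS equal to
# a non-zero TOTAL MEMBERS. A missing row counts as not ready.
# Assumption: row fields are NAME VERSION HEALTH TOTAL READY PHASE AGE.
registry_ready() {
    awk -v name="$1" '
        NR > 1 && $1 == name {
            found = 1
            ok = ($3 == "OK" && $6 == "Running" && $4 > 0 && $4 == $5)
        }
        END { if (found && ok) exit 0; exit 1 }
    '
}

# Polls the cluster until registry_ready succeeds or the attempts run out.
# Defaults match the names used on this page; the 10 s interval is arbitrary.
wait_for_registry() {
    name=${1:-rok-registry}
    ns=${2:-rok-registry}
    tries=${3:-60}
    while [ "$tries" -gt 0 ]; do
        if kubectl get rokregistrycluster -n "$ns" 2>/dev/null |
            registry_ready "$name"; then
            return 0
        fi
        tries=$((tries - 1))
        sleep 10
    done
    echo "error: $name in namespace $ns is not healthy;" \
         "inspect it with kubectl describe rokregistrycluster" >&2
    return 1
}

# Usage: wait_for_registry rok-registry rok-registry 60
```
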

What’s Next

Congratulations, you have deployed Rok Registry on Kubernetes!

You can continue to the Test Rok Registry section to test your installation or the Expose Services section to expose Rok Registry to the outside world.

Alternatively, you can continue to Configure OIDC Providers to enable authentication via external OIDC providers.