Skip to main content
The internal registry is not recommended as a primary registry. It’s recommended to use an external container registry (AWS ECR, Azure ACR, Google Artifact Registry, Harbor, etc.) for production deployments.
internalRegistry.enabled
boolean
default:"false"
Enable or disable the internal container registry deployment.Use Cases:
  • Air-gapped deployments without external registry access
  • Development/testing environments
  • Pull-through cache for external registries
  • Storing custom crew container images
internalRegistry.replicaCount
integer
default:"1"
Number of registry replicas to deploy.High Availability: For production-like environments, deploy 2+ replicas with shared storage (S3 backend).

internalRegistry.image.*

Registry container image configuration.
internalRegistry.image.host
string
default:""
Container registry hosting the registry image.Default: "" (empty) - Automatically uses global.imageRegistry valueFallback Behavior:When internalRegistry.image.host is empty or not set, the chart uses global.imageRegistry via the crewai-platform.internalRegistryImageRegistry template helper.When imageNamePrefixOverride is Set:The image name is automatically simplified:
  • Original: proxy/crewai/dockerhub/library/registry
  • With imageNamePrefixOverride: "crewai/" becomes: crewai/registry
See global.imageNamePrefixOverride for details.Example:
global:
  imageRegistry: "registry.company.com"

internalRegistry:
  enabled: true
  image:
    host: "" # Automatically uses registry.company.com
    name: "proxy/crewai/dockerhub/library/registry"
    tag: "2"
internalRegistry.image.name
string
default:"proxy/crewai/dockerhub/library/registry"
Registry container image name.Default: "proxy/crewai/dockerhub/library/registry" - Matches Replicated proxy path structurePath Transformation:When global.imageNamePrefixOverride is set, only the final component (registry) is used with the override prefix.
internalRegistry.image.tag
string
default:"2"
Registry image version tag.
internalRegistry.image.pullPolicy
string
default:"IfNotPresent"
Image pull policy for registry container.
internalRegistry.image.pullSecret
string
default:""
Image pull secret for registry image. If empty, uses the global image.pullSecret.
internalRegistry.storage.type
string
default:"s3"
Backend storage type for registry images.Valid Values:
  • "s3" - Use S3-compatible object storage (recommended)
  • "filesystem" - Use persistent volume storage
Recommendation: Use "s3" for production-like deployments to enable multiple registry replicas and better reliability.

internalRegistry.storage.s3.*

S3 backend configuration (when storage.type: "s3").
internalRegistry.storage.s3.bucket
string
default:""
S3 bucket name for storing registry images.Example: "crewai-registry-images"Required: When using S3 storage
internalRegistry.storage.s3.endpoint
string
default:""
S3 endpoint URL. Leave empty for AWS S3, or specify for S3-compatible services.Examples:
  • MinIO: "http://crewai-minio:9000"
  • Wasabi: "https://s3.wasabisys.com"
  • DigitalOcean Spaces: "https://nyc3.digitaloceanspaces.com"
internalRegistry.storage.s3.pathStyle
boolean
default:"true"
Enable path-style S3 URLs (endpoint/bucket/key vs bucket.endpoint/key).Values:
  • true - Required for MinIO and most S3-compatible services
  • false - AWS S3 virtual-hosted style
internalRegistry.storage.s3.encrypt
boolean
default:"false"
Enable server-side encryption for stored objects.Production Recommendation: Enable for compliance and security.
internalRegistry.storage.s3.secure
boolean
default:"true"
Use HTTPS for S3 endpoint connections.Values:
  • true - HTTPS (recommended)
  • false - HTTP (only for internal/development MinIO)
internalRegistry.storage.s3.rootdirectory
string
default:"/docker/registry/v2"
Root directory prefix for all registry blobs in the S3 bucket.

internalRegistry.persistence.*

Filesystem storage configuration (when storage.type: "filesystem").
internalRegistry.persistence.enabled
boolean
default:"true"
Enable persistent volume for filesystem storage.
internalRegistry.persistence.size
string
default:"10Gi"
Size of persistent volume.Sizing Guidelines:
  • Consider container image sizes (typically 500MB - 2GB per image)
  • Account for multiple image versions
  • Add buffer for growth
Example Calculation:
  • 50 different images × 1GB each = 50Gi
  • 5 versions per image = 250Gi
  • Add 50% buffer = 375Gi
internalRegistry.persistence.storageClassName
string
default:""
StorageClass for registry volume.
internalRegistry.persistence.reclaimPolicy
string
default:"keep"
Volume reclaim policy.

internalRegistry.service.*

Service configuration for the registry.
internalRegistry.service.type
string
default:"ClusterIP"
Kubernetes service type.Valid Values:
  • "ClusterIP" - Internal cluster access only (default)
  • "NodePort" - Expose on node ports
  • "LoadBalancer" - Expose via cloud load balancer
internalRegistry.service.port
integer
default:"5000"
Service port for registry API.
internalRegistry.service.nodePort
string
default:""
Specific NodePort to use (when type: NodePort).

internalRegistry.ingress.*

Ingress configuration for external registry access.
internalRegistry.ingress.enabled
boolean
default:"false"
Enable ingress for the registry.Recommendation: Enable for external access, especially in air-gapped scenarios where clients need to push images.
internalRegistry.ingress.className
string
default:""
Ingress class name (nginx, alb, etc.).
internalRegistry.ingress.annotations
object
default:"{}"
Ingress annotations.Important for Registry:
internalRegistry:
  ingress:
    annotations:
      nginx.ingress.kubernetes.io/proxy-body-size: "0" # Disable body size limit
      nginx.ingress.kubernetes.io/proxy-read-timeout: "600"
      nginx.ingress.kubernetes.io/proxy-send-timeout: "600"
internalRegistry.ingress.host
string
default:""
Hostname for registry ingress.Example: "registry.company.com"
internalRegistry.ingress.path
string
default:"/"
Ingress path prefix.
internalRegistry.ingress.pathType
string
default:"Prefix"
Path matching type (Prefix, Exact, ImplementationSpecific).
internalRegistry.ingress.tls
array
default:"[]"
TLS configuration for ingress.Example:
internalRegistry:
  ingress:
    tls:
      - secretName: registry-tls
        hosts:
          - registry.company.com

internalRegistry.auth.*

Authentication configuration for the registry.
internalRegistry.auth.enabled
boolean
default:"false"
Enable HTTP Basic Auth for registry access.Production Recommendation: Always enable authentication for registries with external access.
internalRegistry.auth.htpasswd
string
default:""
Htpasswd-formatted credential string.Generate htpasswd:
htpasswd -Bbn username password
Example Output:
admin:$2y$05$T4qhOlL.l4eJkELzvnqbNuPxjGqkj6lA9Y12345

internalRegistry.tls.*

TLS configuration for registry connections.
internalRegistry.tls.enabled
boolean
default:"false"
Enable TLS for registry connections.
internalRegistry.tls.secretName
string
default:""
Name of Kubernetes secret containing TLS certificate and key.Secret Format:
apiVersion: v1
kind: Secret
type: kubernetes.io/tls
data:
  tls.crt: <base64-cert>
  tls.key: <base64-key>

internalRegistry.proxy.*

Pull-through cache configuration.
internalRegistry.proxy.enabled
boolean
default:"false"
Enable pull-through proxy/cache functionality.Use Case: Cache images from remote registries to reduce external bandwidth and improve pull performance.
internalRegistry.proxy.remoteurl
string
default:""
Remote registry URL to proxy.Examples:
  • "https://registry-1.docker.io"
  • "https://ghcr.io"
  • "https://quay.io"
internalRegistry.proxy.username
string
default:""
Username for remote registry authentication.
internalRegistry.proxy.password
string
default:""
Password for remote registry authentication.

internalRegistry.healthcheck.*

Health check configuration for registry pods.
internalRegistry.healthcheck.enabled
boolean
default:"true"
Enable liveness and readiness probes.
internalRegistry.healthcheck.initialDelaySeconds
integer
default:"30"
Seconds to wait before first probe.
internalRegistry.healthcheck.periodSeconds
integer
default:"10"
Seconds between health checks.
internalRegistry.healthcheck.timeoutSeconds
integer
default:"5"
Probe timeout.
internalRegistry.healthcheck.successThreshold
integer
default:"1"
Consecutive successes required.
internalRegistry.healthcheck.failureThreshold
integer
default:"3"
Consecutive failures before restart.

internalRegistry.resources.*

Resource limits and requests for registry container.
internalRegistry.resources.limits.cpu
string
default:"1"
CPU limit for registry pod.Sizing Guidelines: Increase for high-throughput environments.
internalRegistry.resources.limits.memory
string
default:"1Gi"
Memory limit for registry pod.
internalRegistry.resources.requests.cpu
string
default:"100m"
Guaranteed CPU allocation for registry pod.Tuning: Conservative for registry with S3 backend.
internalRegistry.resources.requests.memory
string
default:"128Mi"
Guaranteed memory allocation for registry pod.
internalRegistry.nodeSelector
object
default:"{}"
Node selector for registry pod placement.Example:
internalRegistry:
  nodeSelector:
    node-role.kubernetes.io/worker: "true"
Use Cases:
  • Ensure registry runs on nodes with specific capabilities
  • Separate registry workload from application workload