Container registry¶
AKKO ships a CNCF-graduated OCI registry as its image distribution layer. It hosts the 16 custom container images and the AKKO umbrella Helm chart (also packaged as an OCI artefact since Sprint 46 A4), provides built-in vulnerability scanning, and verifies cosign signatures before any image leaves the registry.
The registry runs in its own Helm release (separate namespace, separate lifecycle) so the platform application can be uninstalled and redeployed from the same pinned tags. This separation is intentional : the registry is long-lived infrastructure, AKKO is the application that runs on top.
What ships there¶
| Artefact | Tag | Source |
|---|---|---|
| 16 custom container images | 2026.04 |
helm/scripts/build-images.sh |
| AKKO umbrella Helm chart | oci://<registry-host>/akko/akko-chart |
helm/scripts/push-chart-harbor.sh |
| Trivy vulnerability scans | per-image | registry built-in |
| Cosign signatures | per-image | Sprint 46 A1 pipeline |
The 16 custom images are : akko-postgres, akko-spark,
akko-notebook-slim, akko-notebook-full, akko-cockpit, akko-trino,
akko-ai-service, akko-aden, akko-akko-rag, akko-mlflow,
akko-airflow, akko-dbt, akko-mcp-trino, akko-mcp-openmetadata,
akko-catalog-manager, akko-docs.
Quick reference¶
# Login (admin)
docker login <registry-host> -u admin -p '<from secret>'
# Pull an image
docker pull <registry-host>/akko/cockpit:2026.04
# Pull the umbrella chart (OCI)
helm pull oci://<registry-host>/akko/akko-chart --version 2026.04.7
# Verify a signature
cosign verify --key cosign.pub <registry-host>/akko/cockpit:2026.04
The cosign public key sits in helm/akko/charts/akko-cockpit/files/cosign.pub
and is also published next to each artefact in the registry.
Where to read more¶
This page is the services-tier landing page ; the full operator- facing documentation lives under Administration :
- Registry admin guide — independent deployment, internal database, scanning, project RBAC, robot accounts.
- Registry — getting images — endpoint URL, credentials, default demo users, push / pull flows.
- Deploy from the registry — pulling the AKKO chart and images straight from the registry for client deployments.
Related¶
- Image signing & SBOMs — how Sigstore cosign and CycloneDX SBOMs are wired into the registry.
- Compliance matrix — DORA Art. 6 (supply-chain integrity) + NIS2 Annex II SBOM requirements.
- Object storage — does NOT back this registry (the registry uses its own local-path PVC by design — see admin guide for rationale).