Ownkube
BlogStatusChangelogLog inConnect your cloud

Registries

Connect Amazon ECR or build straight from a GitHub repository so Ownkube has an image to deploy.

A registry is where Ownkube pulls container images from when you deploy. Registries are connected at the organization level. Connect once, use across every cluster and deployment. Manage them under Settings.

You have three ways to give Ownkube an image:

Amazon ECR

Available now. Role-based: Ownkube uses the IAM role you connected during onboarding to pull from your private ECR repositories. No access keys to store or rotate.

GitHub repository

Available now. Connect the GitHub App so Ownkube can build an image from your source and push it to your ECR, then redeploy on every push.

Public image

Available now. Any publicly pullable image reference works with no connection at all.

More registries are coming. Docker Hub, GitHub Container Registry, Google Artifact Registry, and Azure Container Registry are on the roadmap. Track progress on the changelog. Until then, ECR and GitHub-built images cover the common cases.

Amazon ECR

ECR is the private registry wired today. It reuses the same IAM role you set up during AWS onboarding, so there are no registry credentials to manage separately.

Connect AWS

If you haven't already, finish AWS onboarding. The least-privilege role Ownkube assumes includes scoped pull access to ECR.

Open Settings

Go to Settings and open the registries section. Your connected AWS account's ECR is available to every cluster in the organization.

Pick a repository and tag at deploy time

When you create a deployment, Ownkube autocompletes your ECR repositories and their tags. Pick the image, pick the tag, deploy.

Build from a GitHub repository

If your code is on GitHub, you don't need to build and push images yourself. Connect the GitHub App and Ownkube builds the image for you and pushes it to your ECR.

The GitHub App install gives Ownkube scoped access to the repositories you choose. Benefits:

  • No expiring tokens: rotation happens automatically
  • Scoped per repository: revoke access to individual repos without touching anything else
  • Repository picker at deploy time: Ownkube can list your installed repos when you create a deployment
  • Auto-generated build workflows: Ownkube can open a PR adding a build-and-push workflow to your repo so each push ships a new image

You can connect more than one GitHub App installation per organization, for example your personal account plus one or more GitHub organizations. Each deployment remembers which connection it builds from.

How to connect

Open Settings

Go to Settings and open the registries section.

Start the GitHub App install

Click Connect GitHub App.

Pick your target

GitHub asks whether to install on a personal account or an organization. Pick the owner of the repositories you want to deploy.

Choose repositories

Either All repositories or Select repositories. You can change this later on GitHub at any time.

Finish

You're redirected back to Ownkube with the connection in the active state.

A classic GitHub PAT works too. Useful if you can't install a GitHub App on the target account.

Token requirements

The token must have the repo scope so Ownkube can read your source and open the build-workflow PR.

  • Classic PATs start with ghp_
  • Fine-grained PATs start with github_pat_

PATs expire. If your PAT is revoked or expires, Ownkube marks the connection as failed on the next build. Re-verify in the dashboard with a fresh token.

Using an image in a deployment

When you create a deployment, pick where the image comes from: an ECR repository, a GitHub repository to build, or a public image reference. Ownkube autocompletes repositories and tags from whatever you've connected.

Tip

Pin image tags explicitly. latest is accepted, but a specific tag (like v1.4.2 or a short git SHA) makes every deploy traceable to a known image.

Verifying a connection

If a token expires or a GitHub App install is removed, Ownkube marks the connection as failed. Click Verify on the connection card to re-test it without deleting anything. Re-verification:

  • For PATs: checks the token is still valid and has the right scopes
  • For GitHub App: checks the install is still present and hasn't been revoked

If verification fails, reconnect with a fresh token or reinstall the GitHub App.

Removing a connection

The Remove action is a soft-delete. The row stays in the database but is marked revoked, and any stored credentials are cleared. Existing deployments keep running from cached images, but new pulls or builds will fail. Reconnect to restore access.

Deploy your first app

Use your registry to ship a deployment.

Environment variables

Configure secrets your app needs at runtime.

Don't see a feature you need? Email support@ownkube.io. Ownkube is shaped by the teams using it and we ship what our users ask for.

Environments

Group deployments into stages (development, staging, production) with isolated configuration and shared infrastructure.

Deployments

Web apps, background workers, one-off jobs. Pick a resource type, point at an image, deploy.

On this page

Amazon ECRBuild from a GitHub repositoryHow to connectToken requirementsUsing an image in a deploymentVerifying a connectionRemoving a connection