Enterprise Not open source: This functionality is only available commercially.

Set Up Amazon ECR Pull-Through Cache

For production, we recommend mirroring the upstream artifacts into your own registry. This section shows how to create an Amazon ECR pull-through cache for the images referenced in the Installation guide.

AWS Console Steps

  1. Open AWS Console -> Amazon ECR -> Private registry -> Pull through cache rules.
  2. Choose Create rule.
  3. Set ECR repository prefix to vespa-cache.
  4. Set Upstream registry URL to images.ves.pa.
  5. Create or select a Secrets Manager credential with your support-provided upstream username/token.
  6. Create the rule, then optionally pull one tag of each artifact to warm the cache.

AWS CLI Steps

Set the AWS account, region, and ECR registry variables, along with the upstream credentials provided by Vespa support.

export AWS_ACCOUNT_ID=123456789012
export AWS_REGION=us-east-1
export ECR_REGISTRY=${AWS_ACCOUNT_ID}.dkr.ecr.${AWS_REGION}.amazonaws.com
export ECR_CACHE_PREFIX=vespa-cache

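# Placeholders are quoted so the shell does not parse < and > as redirections; replace them with the real values.
export VESPAAI_REGISTRY_USER='<support-provided-user>'
export VESPAAI_REGISTRY_TOKEN='<support-provided-token>'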

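Create a Secrets Manager secret to store the upstream registry credentials. ECR only reads pull-through cache credentials from secrets whose name starts with ecr-pullthroughcache/, and it expects the JSON keys username and accessToken.

# The secret name must carry the ecr-pullthroughcache/ prefix.
export ECR_SECRET_NAME=ecr-pullthroughcache/vespa-registry-creds
# The interpolated JSON is only valid if the user and token contain no " or \ characters.
SECRET_JSON="{\"username\":\"${VESPAAI_REGISTRY_USER}\",\"accessToken\":\"${VESPAAI_REGISTRY_TOKEN}\"}"

# Create the secret; if that fails (for example because it already exists), update its value instead.
aws secretsmanager create-secret \
  --name "${ECR_SECRET_NAME}" \
  --secret-string "${SECRET_JSON}" \
  --region "${AWS_REGION}" || \
aws secretsmanager put-secret-value \
  --secret-id "${ECR_SECRET_NAME}" \
  --secret-string "${SECRET_JSON}" \
  --region "${AWS_REGION}"

Create the pull-through cache rule. A single rule covers all repositories under the images.ves.pa host.

# Look up the full secret ARN, which ends in a random suffix added by Secrets Manager.
SECRET_ARN=$(aws secretsmanager describe-secret \
  --secret-id "${ECR_SECRET_NAME}" \
  --query ARN --output text \
  --region "${AWS_REGION}")

aws ecr create-pull-through-cache-rule \
  --ecr-repository-prefix "${ECR_CACHE_PREFIX}" \
  --upstream-registry-url images.ves.pa \
  --credential-arn "${SECRET_ARN}" \
  --region "${AWS_REGION}"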

Authenticate your local tooling to the ECR registry.

aws ecr get-login-password --region ${AWS_REGION} | \
  docker login --username AWS --password-stdin ${ECR_REGISTRY}
aws ecr get-login-password --region ${AWS_REGION} | \
  helm registry login --username AWS --password-stdin ${ECR_REGISTRY}

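Warm the cache by pulling the Vespa images and the Helm chart artifact. The commands use VESPA_VERSION, which is not set in this section and must already be exported in your shell.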

podman pull ${ECR_REGISTRY}/${ECR_CACHE_PREFIX}/kubernetes/vespa:${VESPA_VERSION}
podman pull ${ECR_REGISTRY}/${ECR_CACHE_PREFIX}/kubernetes/operator:${VESPA_VERSION}
helm pull oci://${ECR_REGISTRY}/${ECR_CACHE_PREFIX}/helm/vespa-operator --version ${VESPA_VERSION}

Point the installation variables to ECR.

export VESPA_IMAGE=${ECR_REGISTRY}/${ECR_CACHE_PREFIX}/kubernetes/vespa
export VESPA_OPERATOR_IMAGE=${ECR_REGISTRY}/${ECR_CACHE_PREFIX}/kubernetes/operator
export HELM_CHART_REF=oci://${ECR_REGISTRY}/${ECR_CACHE_PREFIX}/helm/vespa-operator
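
Once the variables point to ECR, it is worth checking that nothing you deploy still pulls from the upstream host directly. The following is an added example, not part of the Vespa documentation: it scans manifest text for image: references that bypass the cache and prints the cache reference to use instead. The function names, the sample manifest and the 8.0.0 tag are constructed for illustration.

```shell
# Added example, not Vespa's code. Defaults repeat the values used on this page.
ECR_REGISTRY="${ECR_REGISTRY:-123456789012.dkr.ecr.us-east-1.amazonaws.com}"
ECR_CACHE_PREFIX="${ECR_CACHE_PREFIX:-vespa-cache}"
UPSTREAM_HOST="images.ves.pa"

# Print the cache reference for an upstream reference.
# Returns 1 when the reference is on a registry the cache rule does not cover.
to_cache_ref() {
  case "$1" in
    ("$UPSTREAM_HOST"/*)
      rest=${1#"$UPSTREAM_HOST"/}
      printf '%s/%s/%s\n' "$ECR_REGISTRY" "$ECR_CACHE_PREFIX" "$rest" ;;
    (*) return 1 ;;
  esac
}

# Read manifest text on stdin (for example rendered chart output) and list every
# image: reference that is not pulled through the cache. Returns 1 if any exist.
audit_images() {
  findings=$(
    sed -n 's/^[[:space:]-]*image:[[:space:]]*\([^[:space:]]*\).*$/\1/p' |
      tr -d "\"'" |
      while IFS= read -r ref; do
        case "$ref" in
          ("$ECR_REGISTRY/$ECR_CACHE_PREFIX"/*) ;;  # already served by the cache
          (*)
            if cached=$(to_cache_ref "$ref"); then
              printf '%s -> %s\n' "$ref" "$cached"
            else
              printf '%s (no cache rule for this registry)\n' "$ref"
            fi ;;
        esac
      done
  )
  [ -z "$findings" ] && return 0
  printf '%s\n' "$findings"
  return 1
}

# Constructed sample manifest: one cached image and two that bypass the cache.
sample_manifest() {
  cat <<EOF
containers:
  - image: $ECR_REGISTRY/$ECR_CACHE_PREFIX/kubernetes/vespa:8.0.0
  - image: "images.ves.pa/kubernetes/operator:8.0.0"
  - image: docker.io/library/busybox:1.36
EOF
}
```

Pipe rendered manifests into audit_images in CI and fail the job on a non-zero exit status; sample_manifest | audit_images shows the output format.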