Deploy the Registry Server
The Registry Server can be deployed in Kubernetes using three methods. Choose the one that fits your environment:
| Method | Description |
|---|---|
| ToolHive Operator | Manage the Registry Server lifecycle through MCPRegistry CRDs |
| Helm | Deploy a standalone Registry Server using its dedicated Helm chart |
| Manual manifests | Deploy directly using raw Kubernetes manifests |
ToolHive Operator
Deploy and manage the Registry Server using MCPRegistry custom resources. The
ToolHive Operator watches for these resources and creates the necessary
infrastructure automatically.
See Deploy with the ToolHive Operator for a complete guide.
Helm
Deploy the Registry Server directly with the official Helm chart from the toolhive-registry-server repository. Use this method when you want to manage the Registry Server like any other Helm release without installing the ToolHive Operator.
Install from the OCI registry:
helm upgrade --install registry-server \
oci://ghcr.io/stacklok/toolhive-registry-server \
-n toolhive-system --create-namespace \
-f values.yaml
The chart's config block maps directly to the Registry Server's
configuration file. Any valid configuration field can be
set under config in your values file:
config:
sources:
- name: toolhive
git:
repository: https://github.com/stacklok/toolhive-catalog.git
branch: main
path: pkg/catalog/toolhive/data/registry-upstream.json
syncPolicy:
interval: '30m'
registries:
- name: default
sources: ['toolhive']
auth:
mode: anonymous
database:
host: postgres
port: 5432
user: registry
database: registry
sslMode: require
Database credentials use the pgpass file pattern. Create a Kubernetes Secret
with a
pgpass-formatted
entry, then mount it into the Registry Server pod using the chart's
extraVolumes, extraVolumeMounts, and initContainers values. The init
container copies the Secret into a shared emptyDir, sets the ownership to the
non-root UID the Registry Server container runs as (65532), and applies 0600
permissions so the server can read the file:
initContainers:
- name: pgpass-init
image: alpine:3
command:
- sh
- -c
- cp /pgpass/.pgpass /home/appuser/.pgpass && chown 65532:65532 /home/appuser/.pgpass && chmod 600 /home/appuser/.pgpass
volumeMounts:
- name: pgpass-secret
mountPath: /pgpass
- name: pgpass
mountPath: /home/appuser
extraVolumes:
- name: pgpass-secret
secret:
secretName: registry-pgpass
- name: pgpass
emptyDir: {}
extraVolumeMounts:
- name: pgpass
mountPath: /home/appuser
See Database configuration for the pgpass format and user privileges, and the toolhive-registry-server repository for the full set of chart values and their defaults.
For a hands-on walkthrough that gets a Registry Server running end-to-end in a local cluster, see Quickstart: Registry Server.
Manual Kubernetes manifests
Deploy the Registry Server directly using raw Kubernetes manifests. This approach gives you full control over the deployment configuration.
See Deploy manually for instructions.
Next steps
- Configure sources and registries to set up your data sources and sync policies
- Set up authentication to secure access to your registry
- Set up authorization to control access with roles and claims
- Configure telemetry to monitor your deployment