This command pushes imgpkg bundles, plain Docker images, or Helm charts (for VMware Telco Cloud Automation based product deployments) to the associated registry.

Some important prerequisites:
  • Providing registry credentials on the command line is not recommended. For better security, run docker login before invoking tcxctl instead.
  • For using ECR:
    • The AWS credentials must be set in the ~/.aws/config and ~/.aws/credentials files. The relevant AWS profile must be exported as an environment variable named AWS_PROFILE. You can get more details from AWS.
    • The ecr:CreateRepository and ecr:DeleteRepository permissions must be assigned to the AWS_PROFILE provided to tcxctl.
    • You do not have to provide --registry-username and --registry-password to tcxctl; they are set automatically from the AWS_PROFILE.
    • The registry URI or URL must have a single sub-path in the suffix. For example:
      • Valid: <your-profile-ID>.dkr.ecr.<aws-region><project-name>
      • Invalid: <your-profile-ID>.dkr.ecr.<aws-region><project-name>/deployment

Support for Non-OCI/OCI registry

The PUSH_TO_CHART_REPO variable must be set to true for a chartrepo-based registry; otherwise, it must be set to false.
  • Harbor 2.4 and above only supports OCI-compliant artifacts.
  • Harbor <= 2.3 and >= 2.x supports both chartrepo and OCI.


  • Push artifacts to Harbor:
    tcxctl push --artifacts-path /root/tcx-deployer --registry <harbor-registry-fqdn>/<project-name> --registry-password <your-registry-password> --registry-username <your-registry-username> --registry-cert <path-to-your-registry-ca-certificate-file>
    • Certificate signed by known authority:
      tcxctl push --artifacts-path /Users/tcx-deployer/ --registry <HarborIP>/tcx --registry-password <password> --registry-username <username>
    • Self-signed certificate:
      • Copy the cert file to the /etc/ssl/certs directory.
      • If you do not have permission to write to the /etc/ssl/certs directory, put the cert in any other location you have access to, and then follow this procedure:
        • Check whether the trust command is available by running trust list. If it is not, install the p11-kit-trust package.
        • Run trust anchor <path-to-cert>, and then run the push command:
          tcxctl push --artifacts-path /Users/tcx-deployer/ --registry <HarborIP>/tcx --registry-password <password> --registry-username <username> --registry-cert <cert_location>
    • Push chart to chartrepo in Harbor:
      • Harbor version 2.4.0 supports chart-repo. If you want to publish a chart to chartrepo, set PUSH_TO_CHART_REPO=true before running the tcxctl command:
        export PUSH_TO_CHART_REPO=true
        tcxctl push --artifacts-path /Users/tcx-deployer/ --registry <registry_url> --registry-password <password> --registry-username <username> --registry-cert <cert_location>
  • Push artifacts to ECR:
    tcxctl push --artifacts-path /root/tcx-deployer --registry <your-profile-ID>.dkr.ecr.<aws-region><project-name>
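
The prerequisites above (credentials kept off the command line, AWS_PROFILE exported for ECR, a single sub-path in the ECR registry) can be checked before each push. The following wrapper is an added example, not part of tcxctl or this documentation's own tooling; the function names and the TCX_REGISTRY_PASSWORD_FILE variable are assumptions, and it relies on tcxctl using the credentials stored by docker login, as the first prerequisite describes.

```shell
#!/bin/sh
# Added example, not part of tcxctl. Function names and the
# TCX_REGISTRY_PASSWORD_FILE variable are assumptions of this sketch.

is_ecr_registry() {
    case "$1" in *.dkr.ecr.*) return 0 ;; *) return 1 ;; esac
}

# True only for <host>/<one-sub-path>; an optional scheme is ignored.
registry_has_single_subpath() {
    case "${1#*://}" in
        */*/* | /* | */) return 1 ;;   # extra sub-path, empty host, empty path
        */*) return 0 ;;
        *) return 1 ;;                 # no sub-path at all
    esac
}

# Returns 0 when the page's prerequisites hold; otherwise explains and returns 1.
preflight() {
    pf_registry=$1
    if is_ecr_registry "$pf_registry"; then
        registry_has_single_subpath "$pf_registry" ||
            { echo "ECR registry must have exactly one sub-path" >&2; return 1; }
        [ -n "${AWS_PROFILE:-}" ] ||
            { echo "AWS_PROFILE is not exported" >&2; return 1; }
    else
        [ -r "${TCX_REGISTRY_PASSWORD_FILE:-}" ] ||
            { echo "TCX_REGISTRY_PASSWORD_FILE is not a readable file" >&2; return 1; }
    fi
}

# Usage: push_without_cli_secrets <artifacts-path> <registry> [username]
push_without_cli_secrets() {
    ps_artifacts=$1 ps_registry=$2 ps_user=${3:-}
    preflight "$ps_registry" || return 1
    if ! is_ecr_registry "$ps_registry"; then
        ps_host=${ps_registry#*://}
        # The password arrives on stdin, so it never appears in argv or shell history.
        docker login --username "$ps_user" --password-stdin "${ps_host%%/*}" \
            < "$TCX_REGISTRY_PASSWORD_FILE" || return 1
    fi
    # No --registry-username/--registry-password: docker login or AWS_PROFILE supplies them.
    tcxctl push --artifacts-path "$ps_artifacts" --registry "$ps_registry"
}

if [ "$#" -ge 2 ]; then push_without_cli_secrets "$@"; fi
```

For a registry with a self-signed certificate, append --registry-cert <cert_location> to the tcxctl push line as shown in the Harbor steps.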