Discovery & Registry Deployment
Full deployment guide for Discovery & Registry services.
Recommended: Use the Beacon Installer
The Beacon Installer is the easiest way to deploy. It handles TLS, secret management, and service configuration automatically. For Kubernetes, see the Helm chart installation guide.
Prerequisites
- Docker Engine 24+ with Compose v2
- 2 GB RAM available for containers
- Port 8443 available
- GHCR access token (provided by Watchlight AI)
Option A: Beacon Installer (Recommended)
curl -fsSL https://docs.watchlight.ai/install-beacon.sh -o install-beacon.sh
chmod +x install-beacon.sh
./install-beacon.sh --services registry,discover --ghcr-token <token>
See the Beacon Installer docs for full options.
Option B: Bootstrap Script
cd deploy/tier1-discovery/docker-compose
./bootstrap.sh
The bootstrap script will:
- Validate prerequisites (Docker 24+, Compose v2)
- Collect configuration (domain, version, log level)
- Pull container images from GHCR
- Generate secrets (never stored on disk)
- Start all services
- Register discovery scanner
- Export self-signed CA cert (localhost mode)
Access
| Endpoint | Purpose |
|---|---|
https://localhost:8443 | Registry Dashboard |
https://localhost:8443/api/v1/servers | Registry API |
https://localhost:8443/topology | Topology Graph |
Dashboard Authentication
By default, the Registry dashboard is accessible without authentication. Configure OIDC or LDAP through the dashboard's built-in setup UI.
Commands
# Re-run bootstrap (if services are already running, just shows URLs)
./docker-compose/bootstrap.sh
# View logs
docker compose -f docker-compose/docker-compose.yml logs -f
# Stop (preserves data)
docker compose -f docker-compose/docker-compose.yml down
# Full reset (removes all data)
./docker-compose/bootstrap.sh --reset
Upgrade to Authorization
Ready for Cedar authorization policies? See the Authorization Deployment guide.