Set up a private registry
Big picture
Add Calico Cloud images to a private registry to install new clusters or update existing ones.
Value
In some deployments, installing Calico Cloud in clusters from third-party repos is not an option. Before you can install Calico Cloud from a private registry, you must first add Calico Cloud images to the registry.
Concepts
A container image registry (often known as a registry), is a service where you can push, pull, and store container images. In Kubernetes, a registry is considered private if it is not publicly available.
A private registry is not publicly available. It must be accessible on a private network or with an image pull secret for authenticated access.
An image path is a directory in a registry that contains images required to install Calico Cloud.
Before you begin
Required
- Helm CLI command
- Use the Crane command to follow steps in this guide. (Other tools can be used, but commands be adjusted accordingly.)
- Image registry
- Must be private (accessible only on a private network or using log in credentials)
- Images copied to the registry must not be made publicly available
- Push access to your registry
How to
Add the required Calico Cloud images to a private registry.
Set up registry credentials
- Log into Calico Cloud and navigate to "Managed Clusters".
- Get the "Registry Credentials" by clicking on the icon.
- Apply the credentials so the Calico Cloud images can be accessed.
Create the list of required images
helm repo add calico-cloud https://installer.calicocloud.io/charts
INSTALLER_IMAGE="quay.io/tigera/cc-operator:$(helm show chart calico-cloud/calico-cloud | grep version: | sed -e 's/version: *//' -e 's/+/-g/')"
IMAGES=(
$INSTALLER_IMAGE
quay.io/tigera/cnx-apiserver:v3.20.0-2.0
quay.io/tigera/compliance-benchmarker:v3.20.0-2.0
quay.io/tigera/compliance-controller:v3.20.0-2.0
quay.io/tigera/compliance-reporter:v3.20.0-2.0
quay.io/tigera/compliance-snapshotter:v3.20.0-2.0
quay.io/tigera/key-cert-provisioner:v3.20.0-2.0
quay.io/tigera/deep-packet-inspection:v3.20.0-2.0
quay.io/tigera/fluentd:v3.20.0-2.0
quay.io/tigera/fluentd-windows:v3.20.0-2.0
quay.io/tigera/guardian:v3.20.0-2.0
quay.io/tigera/intrusion-detection-controller:v3.20.0-2.0
quay.io/tigera/webhooks-processor:v3.20.0-2.0
quay.io/tigera/packetcapture:v3.20.0-2.0
quay.io/tigera/policy-recommendation:v3.20.0-2.0
quay.io/tigera/egress-gateway:v3.20.0-2.0
quay.io/tigera/l7-collector:v3.20.0-2.0
quay.io/tigera/envoy:v3.20.0-2.0
quay.io/tigera/prometheus:v3.20.0-2.0
quay.io/tigera/prometheus-service:v3.20.0-2.0
quay.io/tigera/alertmanager:v3.20.0-2.0
quay.io/tigera/cnx-queryserver:v3.20.0-2.0
quay.io/tigera/kube-controllers:v3.20.0-2.0
quay.io/tigera/cnx-node:v3.20.0-2.0
quay.io/tigera/cnx-node-windows:v3.20.0-2.0
quay.io/tigera/typha:v3.20.0-2.0
quay.io/tigera/cni:v3.20.0-2.0
quay.io/tigera/cni-windows:v3.20.0-2.0
quay.io/tigera/es-gateway:v3.20.0-2.0
quay.io/tigera/linseed:v3.20.0-2.0
quay.io/tigera/dikastes:v3.20.0-2.0
quay.io/tigera/l7-admission-controller:v3.20.0-2.0
quay.io/tigera/pod2daemon-flexvol:v3.20.0-2.0
quay.io/tigera/csi:v3.20.0-2.0
quay.io/tigera/node-driver-registrar:v3.20.0-2.0
quay.io/tigera/operator:v1.36.1
quay.io/tigera/image-assurance-admission-controller:v1.22.1
quay.io/tigera/image-assurance-operator:v1.22.1
quay.io/tigera/image-assurance-container-runtime-adaptor:v1.22.1
quay.io/tigera/image-assurance-cluster-scanner:v1.22.1
quay.io/tigera/runtime-security-operator:v1.23.0
quay.io/tigera/skimble:v1.23.0
quay.io/tigera/cc-core:v0.2.13
quay.io/tigera/prometheus-operator:v3.20.0-2.0
quay.io/tigera/prometheus-config-reloader:v3.20.0-2.0
quay.io/tigera/cc-cni-config-scanner:v0.3
)
Set up the private registry
REGISTRY=<replace with your registry and include a trailing slash>
If you want all images to come from the same path in your registry, set this image path value. Otherwise unset this environment variable or set it to the empty string.
IMAGEPATH=""
Image examples
Original image | Image Registry | Image Path | Private registry image |
---|---|---|---|
quay.io/tigera/typha:v1.2.3 | my.registry/ | my.registry/tigera/typha:v1.2.3 | |
quay.io/tigera/typha:v1.2.3 | my.registry/ | custom-path | my.registry/custom-path/typha:v1.2.3 |
quay.io/tigera/cc-operator:v4.5.6 | my.registry/ | my.registry/tigera/cc-operator:v4.5.6 | |
quay.io/tigera/cc-operator:v4.5.6 | my.registry/ | custom-path | my.registry/custom-path/cc-operator:v4.5.6 |
Copy images to your registry
For Calico Cloud to install images from your registry, copy the images from the standard registries into your own registry.
- Registry only
- Registry and ImagePath
for image in ${IMAGES[@]}; do
img_base=$(echo ${image} | sed "s#^.*/\([^/]*/[^/]*$\)#\1#")
crane cp ${image} ${REGISTRY}${img_base} || break
done
for image in ${IMAGES[@]}; do
img_base=$(echo ${image} | sed "s#^.*/##")
crane cp ${image} ${REGISTRY}${IMAGEPATH}/${img_base} || break
done
Install using the private registry
Follow the directions to connect a cluster to Calico Cloud.