Skip to main content
Calico Cloud documentation

Set up a private registry

Big picture

Add Calico Cloud images to a private registry to install new clusters or update existing ones.

Value

In some deployments, installing Calico Cloud in clusters from third-party repos is not an option. Before you can install Calico Cloud from a private registry, you must first add Calico Cloud images to the registry.

Concepts

A container image registry (often known as a registry), is a service where you can push, pull, and store container images. In Kubernetes, a registry is considered private if it is not publicly available.

A private registry is not publicly available. It must be accessible on a private network or with an image pull secret for authenticated access.

An image path is a directory in a registry that contains images required to install Calico Cloud.

Before you begin

Required

  • Helm CLI command
  • Use the Crane command to follow steps in this guide. (Other tools can be used, but commands be adjusted accordingly.)
  • Image registry
    • Must be private (accessible only on a private network or using log in credentials)
    • Images copied to the registry must not be made publicly available
    • Push access to your registry

How to

Add the required Calico Cloud images to a private registry.

Set up registry credentials

  1. Log into Calico Cloud and navigate to "Managed Clusters".
  2. Get the "Registry Credentials" by clicking on the icon. registry credentials
  3. Apply the credentials so the Calico Cloud images can be accessed.

Create the list of required images

Helm command to add images for Calico Cloud v20.3.0 (latest)
helm repo add calico-cloud https://installer.calicocloud.io/charts
INSTALLER_IMAGE="quay.io/tigera/cc-operator:$(helm show chart calico-cloud/calico-cloud | grep version: | sed -e 's/version: *//' -e 's/+/-g/')"
IMAGES=(
$INSTALLER_IMAGE
quay.io/tigera/cnx-apiserver:v3.20.0-2.0
quay.io/tigera/compliance-benchmarker:v3.20.0-2.0
quay.io/tigera/compliance-controller:v3.20.0-2.0
quay.io/tigera/compliance-reporter:v3.20.0-2.0
quay.io/tigera/compliance-snapshotter:v3.20.0-2.0
quay.io/tigera/key-cert-provisioner:v3.20.0-2.0
quay.io/tigera/deep-packet-inspection:v3.20.0-2.0
quay.io/tigera/fluentd:v3.20.0-2.0
quay.io/tigera/fluentd-windows:v3.20.0-2.0
quay.io/tigera/guardian:v3.20.0-2.0
quay.io/tigera/intrusion-detection-controller:v3.20.0-2.0
quay.io/tigera/webhooks-processor:v3.20.0-2.0
quay.io/tigera/packetcapture:v3.20.0-2.0
quay.io/tigera/policy-recommendation:v3.20.0-2.0
quay.io/tigera/egress-gateway:v3.20.0-2.0
quay.io/tigera/l7-collector:v3.20.0-2.0
quay.io/tigera/envoy:v3.20.0-2.0
quay.io/tigera/prometheus:v3.20.0-2.0
quay.io/tigera/prometheus-service:v3.20.0-2.0
quay.io/tigera/alertmanager:v3.20.0-2.0
quay.io/tigera/cnx-queryserver:v3.20.0-2.0
quay.io/tigera/kube-controllers:v3.20.0-2.0
quay.io/tigera/cnx-node:v3.20.0-2.0
quay.io/tigera/cnx-node-windows:v3.20.0-2.0
quay.io/tigera/typha:v3.20.0-2.0
quay.io/tigera/cni:v3.20.0-2.0
quay.io/tigera/cni-windows:v3.20.0-2.0
quay.io/tigera/es-gateway:v3.20.0-2.0
quay.io/tigera/linseed:v3.20.0-2.0
quay.io/tigera/dikastes:v3.20.0-2.0
quay.io/tigera/l7-admission-controller:v3.20.0-2.0
quay.io/tigera/pod2daemon-flexvol:v3.20.0-2.0
quay.io/tigera/csi:v3.20.0-2.0
quay.io/tigera/node-driver-registrar:v3.20.0-2.0
quay.io/tigera/operator:v1.36.1
quay.io/tigera/image-assurance-admission-controller:v1.22.1
quay.io/tigera/image-assurance-operator:v1.22.1
quay.io/tigera/image-assurance-container-runtime-adaptor:v1.22.1
quay.io/tigera/image-assurance-cluster-scanner:v1.22.1
quay.io/tigera/runtime-security-operator:v1.23.0
quay.io/tigera/skimble:v1.23.0
quay.io/tigera/cc-core:v0.2.13
quay.io/tigera/prometheus-operator:v3.20.0-2.0
quay.io/tigera/prometheus-config-reloader:v3.20.0-2.0
quay.io/tigera/cc-cni-config-scanner:v0.3
)

Set up the private registry

REGISTRY=<replace with your registry and include a trailing slash>

If you want all images to come from the same path in your registry, set this image path value. Otherwise unset this environment variable or set it to the empty string.

IMAGEPATH=""

Image examples

Original imageImage RegistryImage PathPrivate registry image
quay.io/tigera/typha:v1.2.3my.registry/my.registry/tigera/typha:v1.2.3
quay.io/tigera/typha:v1.2.3my.registry/custom-pathmy.registry/custom-path/typha:v1.2.3
quay.io/tigera/cc-operator:v4.5.6my.registry/my.registry/tigera/cc-operator:v4.5.6
quay.io/tigera/cc-operator:v4.5.6my.registry/custom-pathmy.registry/custom-path/cc-operator:v4.5.6

Copy images to your registry

For Calico Cloud to install images from your registry, copy the images from the standard registries into your own registry.

for image in ${IMAGES[@]}; do
img_base=$(echo ${image} | sed "s#^.*/\([^/]*/[^/]*$\)#\1#")
crane cp ${image} ${REGISTRY}${img_base} || break
done

Install using the private registry

Follow the directions to connect a cluster to Calico Cloud.