Skip to main content
Calico Enterprise 3.19 (latest) documentation

Install from an image path in a private registry

Big picture

Move Calico Enterprise container images to an image path in a private registry and configure Calico Enterprise to pull images from it.

Value

Install Calico Enterprise in clusters where pulling from third party private repos is not an option, and all images are desired to be part of a single directory in the private registry.

Concepts

A container image registry (often referred to as a registry) is a service where container images are pushed to, stored, and pulled from. A registry is said to be "private" if it requires users authenticate before accessing images.

An image path is a directory in the private registry that contains images required to install Calico Enterprise.

An image pull secret is used in Kubernetes to deploy container images from a private container image registry.

Before you begin...

How to

Push Calico Enterprise images to your private registry image path

In order to install images from your private registry, you must first pull the images from Tigera's registry, re-tag them with your own registry, and then push the newly tagged images to your own registry.

  1. Use the following commands to pull the required Calico Enterprise images.

    2. docker pull quay.io/tigera/operator:v1.34.7
    docker pull quay.io/tigera/cnx-manager:v3.19.4
    docker pull quay.io/tigera/voltron:v3.19.4
    docker pull quay.io/tigera/guardian:v3.19.4
    docker pull quay.io/tigera/cnx-apiserver:v3.19.4
    docker pull quay.io/tigera/cnx-queryserver:v3.19.4
    docker pull quay.io/tigera/kube-controllers:v3.19.4
    docker pull quay.io/tigera/calicoq:v3.19.4
    docker pull quay.io/tigera/typha:v3.19.4
    docker pull quay.io/tigera/calicoctl:v3.19.4
    docker pull quay.io/tigera/cnx-node:v3.19.4
    docker pull quay.io/tigera/dikastes:v3.19.4
    docker pull quay.io/tigera/dex:v3.19.4
    docker pull quay.io/tigera/fluentd:v3.19.4
    docker pull quay.io/tigera/es-proxy:v3.19.4
    docker pull quay.io/tigera/kibana:v3.19.4
    docker pull quay.io/tigera/elasticsearch:v3.19.4
    docker pull quay.io/tigera/intrusion-detection-job-installer:v3.19.4
    docker pull quay.io/tigera/intrusion-detection-controller:v3.19.4
    docker pull quay.io/tigera/compliance-controller:v3.19.4
    docker pull quay.io/tigera/compliance-reporter:v3.19.4
    docker pull quay.io/tigera/compliance-snapshotter:v3.19.4
    docker pull quay.io/tigera/compliance-server:v3.19.4
    docker pull quay.io/tigera/compliance-benchmarker:v3.19.4
    docker pull quay.io/tigera/ingress-collector:v3.19.4
    docker pull quay.io/tigera/l7-collector:v3.19.4
    docker pull quay.io/tigera/license-agent:v3.19.4
    docker pull quay.io/tigera/cni:v3.19.4
    docker pull quay.io/tigera/firewall-integration:v3.19.4
    docker pull quay.io/tigera/egress-gateway:v3.19.4
    docker pull quay.io/tigera/honeypod:v3.19.4
    docker pull quay.io/tigera/honeypod-exp-service:v3.19.4
    docker pull quay.io/tigera/honeypod-controller:v3.19.4
    docker pull quay.io/tigera/key-cert-provisioner:v3.19.4
    docker pull quay.io/tigera/elasticsearch-metrics:v3.19.4
    docker pull quay.io/tigera/packetcapture:v3.19.4
    docker pull quay.io/tigera/policy-recommendation:v3.19.4
    docker pull quay.io/tigera/prometheus:v3.19.4
    docker pull quay.io/tigera/prometheus-operator:v3.19.4
    docker pull quay.io/tigera/prometheus-config-reloader:v3.19.4
    docker pull quay.io/tigera/prometheus-service:v3.19.4
    docker pull quay.io/tigera/es-gateway:v3.19.4
    docker pull quay.io/tigera/linseed:v3.19.4
    docker pull quay.io/tigera/deep-packet-inspection:v3.19.4
    docker pull quay.io/tigera/eck-operator:v3.19.4
    docker pull quay.io/tigera/alertmanager:v3.19.4
    docker pull quay.io/tigera/envoy:v3.19.4
    docker pull quay.io/tigera/envoy-init:v3.19.4
    docker pull quay.io/tigera/webhooks-processor:v3.19.4
    docker pull quay.io/tigera/pod2daemon-flexvol:v3.19.4
    docker pull quay.io/tigera/csi:v3.19.4
    docker pull quay.io/tigera/node-driver-registrar:v3.19.4

  2. Retag the images with the name of your private registry $PRIVATE_REGISTRY and $IMAGE_PATH.

    3. docker tag quay.io/tigera/operator:v1.34.7 $PRIVATE_REGISTRY/$IMAGE_PATH/operator:v1.34.7
    docker tag quay.io/tigera/cnx-manager:v3.19.4 $PRIVATE_REGISTRY/$IMAGE_PATH/cnx-manager:v3.19.4
    docker tag quay.io/tigera/voltron:v3.19.4 $PRIVATE_REGISTRY/$IMAGE_PATH/voltron:v3.19.4
    docker tag quay.io/tigera/guardian:v3.19.4 $PRIVATE_REGISTRY/$IMAGE_PATH/guardian:v3.19.4
    docker tag quay.io/tigera/cnx-apiserver:v3.19.4 $PRIVATE_REGISTRY/$IMAGE_PATH/cnx-apiserver:v3.19.4
    docker tag quay.io/tigera/cnx-queryserver:v3.19.4 $PRIVATE_REGISTRY/$IMAGE_PATH/cnx-queryserver:v3.19.4
    docker tag quay.io/tigera/kube-controllers:v3.19.4 $PRIVATE_REGISTRY/$IMAGE_PATH/kube-controllers:v3.19.4
    docker tag quay.io/tigera/calicoq:v3.19.4 $PRIVATE_REGISTRY/$IMAGE_PATH/calicoq:v3.19.4
    docker tag quay.io/tigera/typha:v3.19.4 $PRIVATE_REGISTRY/$IMAGE_PATH/typha:v3.19.4
    docker tag quay.io/tigera/calicoctl:v3.19.4 $PRIVATE_REGISTRY/$IMAGE_PATH/calicoctl:v3.19.4
    docker tag quay.io/tigera/cnx-node:v3.19.4 $PRIVATE_REGISTRY/$IMAGE_PATH/cnx-node:v3.19.4
    docker tag quay.io/tigera/dikastes:v3.19.4 $PRIVATE_REGISTRY/$IMAGE_PATH/dikastes:v3.19.4
    docker tag quay.io/tigera/dex:v3.19.4 $PRIVATE_REGISTRY/$IMAGE_PATH/dex:v3.19.4
    docker tag quay.io/tigera/fluentd:v3.19.4 $PRIVATE_REGISTRY/$IMAGE_PATH/fluentd:v3.19.4
    docker tag quay.io/tigera/es-proxy:v3.19.4 $PRIVATE_REGISTRY/$IMAGE_PATH/es-proxy:v3.19.4
    docker tag quay.io/tigera/kibana:v3.19.4 $PRIVATE_REGISTRY/$IMAGE_PATH/kibana:v3.19.4
    docker tag quay.io/tigera/elasticsearch:v3.19.4 $PRIVATE_REGISTRY/$IMAGE_PATH/elasticsearch:v3.19.4
    docker tag quay.io/tigera/intrusion-detection-job-installer:v3.19.4 $PRIVATE_REGISTRY/$IMAGE_PATH/intrusion-detection-job-installer:v3.19.4
    docker tag quay.io/tigera/intrusion-detection-controller:v3.19.4 $PRIVATE_REGISTRY/$IMAGE_PATH/intrusion-detection-controller:v3.19.4
    docker tag quay.io/tigera/compliance-controller:v3.19.4 $PRIVATE_REGISTRY/$IMAGE_PATH/compliance-controller:v3.19.4
    docker tag quay.io/tigera/compliance-reporter:v3.19.4 $PRIVATE_REGISTRY/$IMAGE_PATH/compliance-reporter:v3.19.4
    docker tag quay.io/tigera/compliance-snapshotter:v3.19.4 $PRIVATE_REGISTRY/$IMAGE_PATH/compliance-snapshotter:v3.19.4
    docker tag quay.io/tigera/compliance-server:v3.19.4 $PRIVATE_REGISTRY/$IMAGE_PATH/compliance-server:v3.19.4
    docker tag quay.io/tigera/compliance-benchmarker:v3.19.4 $PRIVATE_REGISTRY/$IMAGE_PATH/compliance-benchmarker:v3.19.4
    docker tag quay.io/tigera/ingress-collector:v3.19.4 $PRIVATE_REGISTRY/$IMAGE_PATH/ingress-collector:v3.19.4
    docker tag quay.io/tigera/l7-collector:v3.19.4 $PRIVATE_REGISTRY/$IMAGE_PATH/l7-collector:v3.19.4
    docker tag quay.io/tigera/license-agent:v3.19.4 $PRIVATE_REGISTRY/$IMAGE_PATH/license-agent:v3.19.4
    docker tag quay.io/tigera/cni:v3.19.4 $PRIVATE_REGISTRY/$IMAGE_PATH/cni:v3.19.4
    docker tag quay.io/tigera/firewall-integration:v3.19.4 $PRIVATE_REGISTRY/$IMAGE_PATH/firewall-integration:v3.19.4
    docker tag quay.io/tigera/egress-gateway:v3.19.4 $PRIVATE_REGISTRY/$IMAGE_PATH/egress-gateway:v3.19.4
    docker tag quay.io/tigera/honeypod:v3.19.4 $PRIVATE_REGISTRY/$IMAGE_PATH/honeypod:v3.19.4
    docker tag quay.io/tigera/honeypod-exp-service:v3.19.4 $PRIVATE_REGISTRY/$IMAGE_PATH/honeypod-exp-service:v3.19.4
    docker tag quay.io/tigera/honeypod-controller:v3.19.4 $PRIVATE_REGISTRY/$IMAGE_PATH/honeypod-controller:v3.19.4
    docker tag quay.io/tigera/key-cert-provisioner:v3.19.4 $PRIVATE_REGISTRY/$IMAGE_PATH/key-cert-provisioner:v3.19.4
    docker tag quay.io/tigera/elasticsearch-metrics:v3.19.4 $PRIVATE_REGISTRY/$IMAGE_PATH/elasticsearch-metrics:v3.19.4
    docker tag quay.io/tigera/packetcapture:v3.19.4 $PRIVATE_REGISTRY/$IMAGE_PATH/packetcapture:v3.19.4
    docker tag quay.io/tigera/policy-recommendation:v3.19.4 $PRIVATE_REGISTRY/$IMAGE_PATH/policy-recommendation:v3.19.4
    docker tag quay.io/tigera/prometheus:v3.19.4 $PRIVATE_REGISTRY/$IMAGE_PATH/prometheus:v3.19.4
    docker tag quay.io/tigera/prometheus-operator:v3.19.4 $PRIVATE_REGISTRY/$IMAGE_PATH/prometheus-operator:v3.19.4
    docker tag quay.io/tigera/prometheus-config-reloader:v3.19.4 $PRIVATE_REGISTRY/$IMAGE_PATH/prometheus-config-reloader:v3.19.4
    docker tag quay.io/tigera/prometheus-service:v3.19.4 $PRIVATE_REGISTRY/$IMAGE_PATH/prometheus-service:v3.19.4
    docker tag quay.io/tigera/es-gateway:v3.19.4 $PRIVATE_REGISTRY/$IMAGE_PATH/es-gateway:v3.19.4
    docker tag quay.io/tigera/linseed:v3.19.4 $PRIVATE_REGISTRY/$IMAGE_PATH/linseed:v3.19.4
    docker tag quay.io/tigera/deep-packet-inspection:v3.19.4 $PRIVATE_REGISTRY/$IMAGE_PATH/deep-packet-inspection:v3.19.4
    docker tag quay.io/tigera/eck-operator:v3.19.4 $PRIVATE_REGISTRY/$IMAGE_PATH/eck-operator:v3.19.4
    docker tag quay.io/tigera/alertmanager:v3.19.4 $PRIVATE_REGISTRY/$IMAGE_PATH/alertmanager:v3.19.4
    docker tag quay.io/tigera/envoy:v3.19.4 $PRIVATE_REGISTRY/$IMAGE_PATH/envoy:v3.19.4
    docker tag quay.io/tigera/envoy-init:v3.19.4 $PRIVATE_REGISTRY/$IMAGE_PATH/envoy-init:v3.19.4
    docker tag quay.io/tigera/webhooks-processor:v3.19.4 $PRIVATE_REGISTRY/$IMAGE_PATH/webhooks-processor:v3.19.4
    docker tag quay.io/tigera/pod2daemon-flexvol:v3.19.4 $PRIVATE_REGISTRY/$IMAGE_PATH/pod2daemon-flexvol:v3.19.4
    docker tag quay.io/tigera/csi:v3.19.4 $PRIVATE_REGISTRY/$IMAGE_PATH/csi:v3.19.4
    docker tag quay.io/tigera/node-driver-registrar:v3.19.4 $PRIVATE_REGISTRY/$IMAGE_PATH/node-driver-registrar:v3.19.4

  3. Push the images to your private registry.

    4. docker push $PRIVATE_REGISTRY/$IMAGE_PATH/operator:v1.34.7docker push $PRIVATE_REGISTRY/$IMAGE_PATH/cnx-manager:v3.19.4
    docker push $PRIVATE_REGISTRY/$IMAGE_PATH/voltron:v3.19.4
    docker push $PRIVATE_REGISTRY/$IMAGE_PATH/guardian:v3.19.4
    docker push $PRIVATE_REGISTRY/$IMAGE_PATH/cnx-apiserver:v3.19.4
    docker push $PRIVATE_REGISTRY/$IMAGE_PATH/cnx-queryserver:v3.19.4
    docker push $PRIVATE_REGISTRY/$IMAGE_PATH/kube-controllers:v3.19.4
    docker push $PRIVATE_REGISTRY/$IMAGE_PATH/calicoq:v3.19.4
    docker push $PRIVATE_REGISTRY/$IMAGE_PATH/typha:v3.19.4
    docker push $PRIVATE_REGISTRY/$IMAGE_PATH/calicoctl:v3.19.4
    docker push $PRIVATE_REGISTRY/$IMAGE_PATH/cnx-node:v3.19.4
    docker push $PRIVATE_REGISTRY/$IMAGE_PATH/dikastes:v3.19.4
    docker push $PRIVATE_REGISTRY/$IMAGE_PATH/dex:v3.19.4
    docker push $PRIVATE_REGISTRY/$IMAGE_PATH/fluentd:v3.19.4
    docker push $PRIVATE_REGISTRY/$IMAGE_PATH/es-proxy:v3.19.4
    docker push $PRIVATE_REGISTRY/$IMAGE_PATH/kibana:v3.19.4
    docker push $PRIVATE_REGISTRY/$IMAGE_PATH/elasticsearch:v3.19.4
    docker push $PRIVATE_REGISTRY/$IMAGE_PATH/intrusion-detection-job-installer:v3.19.4
    docker push $PRIVATE_REGISTRY/$IMAGE_PATH/intrusion-detection-controller:v3.19.4
    docker push $PRIVATE_REGISTRY/$IMAGE_PATH/compliance-controller:v3.19.4
    docker push $PRIVATE_REGISTRY/$IMAGE_PATH/compliance-reporter:v3.19.4
    docker push $PRIVATE_REGISTRY/$IMAGE_PATH/compliance-snapshotter:v3.19.4
    docker push $PRIVATE_REGISTRY/$IMAGE_PATH/compliance-server:v3.19.4
    docker push $PRIVATE_REGISTRY/$IMAGE_PATH/compliance-benchmarker:v3.19.4
    docker push $PRIVATE_REGISTRY/$IMAGE_PATH/ingress-collector:v3.19.4
    docker push $PRIVATE_REGISTRY/$IMAGE_PATH/l7-collector:v3.19.4
    docker push $PRIVATE_REGISTRY/$IMAGE_PATH/license-agent:v3.19.4
    docker push $PRIVATE_REGISTRY/$IMAGE_PATH/cni:v3.19.4
    docker push $PRIVATE_REGISTRY/$IMAGE_PATH/firewall-integration:v3.19.4
    docker push $PRIVATE_REGISTRY/$IMAGE_PATH/egress-gateway:v3.19.4
    docker push $PRIVATE_REGISTRY/$IMAGE_PATH/honeypod:v3.19.4
    docker push $PRIVATE_REGISTRY/$IMAGE_PATH/honeypod-exp-service:v3.19.4
    docker push $PRIVATE_REGISTRY/$IMAGE_PATH/honeypod-controller:v3.19.4
    docker push $PRIVATE_REGISTRY/$IMAGE_PATH/key-cert-provisioner:v3.19.4
    docker push $PRIVATE_REGISTRY/$IMAGE_PATH/elasticsearch-metrics:v3.19.4
    docker push $PRIVATE_REGISTRY/$IMAGE_PATH/packetcapture:v3.19.4
    docker push $PRIVATE_REGISTRY/$IMAGE_PATH/policy-recommendation:v3.19.4
    docker push $PRIVATE_REGISTRY/$IMAGE_PATH/prometheus:v3.19.4
    docker push $PRIVATE_REGISTRY/$IMAGE_PATH/prometheus-operator:v3.19.4
    docker push $PRIVATE_REGISTRY/$IMAGE_PATH/prometheus-config-reloader:v3.19.4
    docker push $PRIVATE_REGISTRY/$IMAGE_PATH/prometheus-service:v3.19.4
    docker push $PRIVATE_REGISTRY/$IMAGE_PATH/es-gateway:v3.19.4
    docker push $PRIVATE_REGISTRY/$IMAGE_PATH/linseed:v3.19.4
    docker push $PRIVATE_REGISTRY/$IMAGE_PATH/deep-packet-inspection:v3.19.4
    docker push $PRIVATE_REGISTRY/$IMAGE_PATH/eck-operator:v3.19.4
    docker push $PRIVATE_REGISTRY/$IMAGE_PATH/alertmanager:v3.19.4
    docker push $PRIVATE_REGISTRY/$IMAGE_PATH/envoy:v3.19.4
    docker push $PRIVATE_REGISTRY/$IMAGE_PATH/envoy-init:v3.19.4
    docker push $PRIVATE_REGISTRY/$IMAGE_PATH/webhooks-processor:v3.19.4
    docker push $PRIVATE_REGISTRY/$IMAGE_PATH/pod2daemon-flexvol:v3.19.4
    docker push $PRIVATE_REGISTRY/$IMAGE_PATH/csi:v3.19.4
    docker push $PRIVATE_REGISTRY/$IMAGE_PATH/node-driver-registrar:v3.19.4
    caution
    Do not push the private Calico Enterprise images to a public registry.

  4. Use crane cp to copy the Windows images to your private registry.

    5. For hybrid Linux + Windows clusters, use crane cp on the following Windows images to copy them to your private registry.

    crane cp quay.io/tigera/cnx-node-windows:v3.19.4 $PRIVATE_REGISTRY/$IMAGE_PATH/cnx-node-windows:v3.19.4
    crane cp quay.io/tigera/fluentd-windows:v3.19.4 $PRIVATE_REGISTRY/$IMAGE_PATH/fluentd-windows:v3.19.4
    crane cp quay.io/tigera/cni-windows:v3.19.4 $PRIVATE_REGISTRY/$IMAGE_PATH/cni-windows:v3.19.4
    caution
    Do not crane cp the private Calico Enterprise for Windows images to a public registry.

Run the operator using images from your private registry image path

Before applying tigera-operator.yaml, modify registry references to use your custom registry:

sed -ie "s?quay.io.*/?$PRIVATE_REGISTRY/$IMAGE_PATH/?" tigera-operator.yaml

Next, ensure that an image pull secret has been configured for your custom registry. Set the enviroment variable PRIVATE_REGISTRY_PULL_SECRET to the secret name. Then add the image pull secret to the operator deployment spec:

sed -ie "/serviceAccountName: tigera-operator/a       imagePullSecrets:\n      - name: $PRIVATE_REGISTRY_PULL_SECRET"  tigera-operator.yaml

If you are installing Prometheus operator as part of Calico Enterprise, then before applying tigera-prometheus-operator.yaml, modify registry references to use your custom registry:

sed -ie "s?quay.io.*/?$PRIVATE_REGISTRY/$IMAGE_PATH/?" tigera-prometheus-operator.yaml
sed -ie "/serviceAccountName: calico-prometheus-operator/a       imagePullSecrets:\n      - name: $PRIVATE_REGISTRY_PULL_SECRET"  tigera-prometheus-operator.yaml

Before applying custom-resources.yaml, modify registry references to use your custom registry:

sed -ie "s?quay.io.*/?$PRIVATE_REGISTRY/$IMAGE_PATH/?" custom-resources.yaml

For Openshift, after downloading all manifests modify the following to use your custom registry:

sed -ie "s?quay.io.*/?$PRIVATE_REGISTRY/$IMAGE_PATH/?" manifests/02-tigera-operator.yaml
note
Add the image pull secret for your registry to the secret tigera-pull-secret

Configure the operator to use images from your private registry image path.

Set the spec.registry and spec.imagePath field of your Installation resource to the name of your custom registry. For example:

apiVersion: operator.tigera.io/v1
kind: Installation
metadata:
  name: default
spec:
  variant: TigeraSecureEnterprise
  imagePullSecrets:
    - name: tigera-pull-secret
      registry: myregistry.com
      imagePath: my-image-path
note

See the Installation resource reference page for more information on the imagePullSecrets, registry and imagePath fields.