Skip to main content
Calico Enterprise 3.19 (latest) documentation

Install from a private registry

Big picture

Move Calico Enterprise container images to a private registry and configure Calico Enterprise to pull images from it.

Value

Install Calico Enterprise in clusters where pulling from third party private repos is not an option, such as air-gapped clusters, or clusters with bandwidth constraints or security constraints.

Concepts

A container image registry (often referred to as a registry) is a service where container images are pushed to, stored, and pulled from. A registry is said to be "private" if it requires users authenticate before accessing images.

An image pull secret is used in Kubernetes to deploy container images from a private container image registry.

Before you begin...

How to

Push Calico Enterprise images to your private registry

In order to install images from your private registry, you must first pull the images from Tigera's registry, re-tag them with your own registry, and then push the newly tagged images to your own registry.

  1. Use the following commands to pull the required Calico Enterprise images.

    2. docker pull quay.io/tigera/operator:v1.34.7
    docker pull quay.io/tigera/cnx-manager:v3.19.4
    docker pull quay.io/tigera/voltron:v3.19.4
    docker pull quay.io/tigera/guardian:v3.19.4
    docker pull quay.io/tigera/cnx-apiserver:v3.19.4
    docker pull quay.io/tigera/cnx-queryserver:v3.19.4
    docker pull quay.io/tigera/kube-controllers:v3.19.4
    docker pull quay.io/tigera/calicoq:v3.19.4
    docker pull quay.io/tigera/typha:v3.19.4
    docker pull quay.io/tigera/calicoctl:v3.19.4
    docker pull quay.io/tigera/cnx-node:v3.19.4
    docker pull quay.io/tigera/dikastes:v3.19.4
    docker pull quay.io/tigera/dex:v3.19.4
    docker pull quay.io/tigera/fluentd:v3.19.4
    docker pull quay.io/tigera/es-proxy:v3.19.4
    docker pull quay.io/tigera/kibana:v3.19.4
    docker pull quay.io/tigera/elasticsearch:v3.19.4
    docker pull quay.io/tigera/intrusion-detection-job-installer:v3.19.4
    docker pull quay.io/tigera/intrusion-detection-controller:v3.19.4
    docker pull quay.io/tigera/compliance-controller:v3.19.4
    docker pull quay.io/tigera/compliance-reporter:v3.19.4
    docker pull quay.io/tigera/compliance-snapshotter:v3.19.4
    docker pull quay.io/tigera/compliance-server:v3.19.4
    docker pull quay.io/tigera/compliance-benchmarker:v3.19.4
    docker pull quay.io/tigera/ingress-collector:v3.19.4
    docker pull quay.io/tigera/l7-collector:v3.19.4
    docker pull quay.io/tigera/license-agent:v3.19.4
    docker pull quay.io/tigera/cni:v3.19.4
    docker pull quay.io/tigera/firewall-integration:v3.19.4
    docker pull quay.io/tigera/egress-gateway:v3.19.4
    docker pull quay.io/tigera/honeypod:v3.19.4
    docker pull quay.io/tigera/honeypod-exp-service:v3.19.4
    docker pull quay.io/tigera/honeypod-controller:v3.19.4
    docker pull quay.io/tigera/key-cert-provisioner:v3.19.4
    docker pull quay.io/tigera/elasticsearch-metrics:v3.19.4
    docker pull quay.io/tigera/packetcapture:v3.19.4
    docker pull quay.io/tigera/policy-recommendation:v3.19.4
    docker pull quay.io/tigera/prometheus:v3.19.4
    docker pull quay.io/tigera/prometheus-operator:v3.19.4
    docker pull quay.io/tigera/prometheus-config-reloader:v3.19.4
    docker pull quay.io/tigera/prometheus-service:v3.19.4
    docker pull quay.io/tigera/es-gateway:v3.19.4
    docker pull quay.io/tigera/linseed:v3.19.4
    docker pull quay.io/tigera/deep-packet-inspection:v3.19.4
    docker pull quay.io/tigera/eck-operator:v3.19.4
    docker pull quay.io/tigera/alertmanager:v3.19.4
    docker pull quay.io/tigera/envoy:v3.19.4
    docker pull quay.io/tigera/envoy-init:v3.19.4
    docker pull quay.io/tigera/webhooks-processor:v3.19.4
    docker pull quay.io/tigera/pod2daemon-flexvol:v3.19.4
    docker pull quay.io/tigera/csi:v3.19.4
    docker pull quay.io/tigera/node-driver-registrar:v3.19.4

  2. Retag the images with the name of your private registry $PRIVATE_REGISTRY.

    docker tag quay.io/tigera/operator:v1.34.7 $PRIVATE_REGISTRY/tigera/operator:v1.34.7
    docker tag quay.io/tigera/cnx-manager:v3.19.4 $PRIVATE_REGISTRY/tigera/cnx-manager:v3.19.4
    docker tag quay.io/tigera/voltron:v3.19.4 $PRIVATE_REGISTRY/tigera/voltron:v3.19.4
    docker tag quay.io/tigera/guardian:v3.19.4 $PRIVATE_REGISTRY/tigera/guardian:v3.19.4
    docker tag quay.io/tigera/cnx-apiserver:v3.19.4 $PRIVATE_REGISTRY/tigera/cnx-apiserver:v3.19.4
    docker tag quay.io/tigera/cnx-queryserver:v3.19.4 $PRIVATE_REGISTRY/tigera/cnx-queryserver:v3.19.4
    docker tag quay.io/tigera/kube-controllers:v3.19.4 $PRIVATE_REGISTRY/tigera/kube-controllers:v3.19.4
    docker tag quay.io/tigera/calicoq:v3.19.4 $PRIVATE_REGISTRY/tigera/calicoq:v3.19.4
    docker tag quay.io/tigera/typha:v3.19.4 $PRIVATE_REGISTRY/tigera/typha:v3.19.4
    docker tag quay.io/tigera/calicoctl:v3.19.4 $PRIVATE_REGISTRY/tigera/calicoctl:v3.19.4
    docker tag quay.io/tigera/cnx-node:v3.19.4 $PRIVATE_REGISTRY/tigera/cnx-node:v3.19.4
    docker tag quay.io/tigera/dikastes:v3.19.4 $PRIVATE_REGISTRY/tigera/dikastes:v3.19.4
    docker tag quay.io/tigera/dex:v3.19.4 $PRIVATE_REGISTRY/tigera/dex:v3.19.4
    docker tag quay.io/tigera/fluentd:v3.19.4 $PRIVATE_REGISTRY/tigera/fluentd:v3.19.4
    docker tag quay.io/tigera/es-proxy:v3.19.4 $PRIVATE_REGISTRY/tigera/es-proxy:v3.19.4
    docker tag quay.io/tigera/kibana:v3.19.4 $PRIVATE_REGISTRY/tigera/kibana:v3.19.4
    docker tag quay.io/tigera/elasticsearch:v3.19.4 $PRIVATE_REGISTRY/tigera/elasticsearch:v3.19.4
    docker tag quay.io/tigera/intrusion-detection-job-installer:v3.19.4 $PRIVATE_REGISTRY/tigera/intrusion-detection-job-installer:v3.19.4
    docker tag quay.io/tigera/intrusion-detection-controller:v3.19.4 $PRIVATE_REGISTRY/tigera/intrusion-detection-controller:v3.19.4
    docker tag quay.io/tigera/compliance-controller:v3.19.4 $PRIVATE_REGISTRY/tigera/compliance-controller:v3.19.4
    docker tag quay.io/tigera/compliance-reporter:v3.19.4 $PRIVATE_REGISTRY/tigera/compliance-reporter:v3.19.4
    docker tag quay.io/tigera/compliance-snapshotter:v3.19.4 $PRIVATE_REGISTRY/tigera/compliance-snapshotter:v3.19.4
    docker tag quay.io/tigera/compliance-server:v3.19.4 $PRIVATE_REGISTRY/tigera/compliance-server:v3.19.4
    docker tag quay.io/tigera/compliance-benchmarker:v3.19.4 $PRIVATE_REGISTRY/tigera/compliance-benchmarker:v3.19.4
    docker tag quay.io/tigera/ingress-collector:v3.19.4 $PRIVATE_REGISTRY/tigera/ingress-collector:v3.19.4
    docker tag quay.io/tigera/l7-collector:v3.19.4 $PRIVATE_REGISTRY/tigera/l7-collector:v3.19.4
    docker tag quay.io/tigera/license-agent:v3.19.4 $PRIVATE_REGISTRY/tigera/license-agent:v3.19.4
    docker tag quay.io/tigera/cni:v3.19.4 $PRIVATE_REGISTRY/tigera/cni:v3.19.4
    docker tag quay.io/tigera/firewall-integration:v3.19.4 $PRIVATE_REGISTRY/tigera/firewall-integration:v3.19.4
    docker tag quay.io/tigera/egress-gateway:v3.19.4 $PRIVATE_REGISTRY/tigera/egress-gateway:v3.19.4
    docker tag quay.io/tigera/honeypod:v3.19.4 $PRIVATE_REGISTRY/tigera/honeypod:v3.19.4
    docker tag quay.io/tigera/honeypod-exp-service:v3.19.4 $PRIVATE_REGISTRY/tigera/honeypod-exp-service:v3.19.4
    docker tag quay.io/tigera/honeypod-controller:v3.19.4 $PRIVATE_REGISTRY/tigera/honeypod-controller:v3.19.4
    docker tag quay.io/tigera/key-cert-provisioner:v3.19.4 $PRIVATE_REGISTRY/tigera/key-cert-provisioner:v3.19.4
    docker tag quay.io/tigera/elasticsearch-metrics:v3.19.4 $PRIVATE_REGISTRY/tigera/elasticsearch-metrics:v3.19.4
    docker tag quay.io/tigera/packetcapture:v3.19.4 $PRIVATE_REGISTRY/tigera/packetcapture:v3.19.4
    docker tag quay.io/tigera/policy-recommendation:v3.19.4 $PRIVATE_REGISTRY/tigera/policy-recommendation:v3.19.4
    docker tag quay.io/tigera/prometheus:v3.19.4 $PRIVATE_REGISTRY/tigera/prometheus:v3.19.4
    docker tag quay.io/tigera/prometheus-operator:v3.19.4 $PRIVATE_REGISTRY/tigera/prometheus-operator:v3.19.4
    docker tag quay.io/tigera/prometheus-config-reloader:v3.19.4 $PRIVATE_REGISTRY/tigera/prometheus-config-reloader:v3.19.4
    docker tag quay.io/tigera/prometheus-service:v3.19.4 $PRIVATE_REGISTRY/tigera/prometheus-service:v3.19.4
    docker tag quay.io/tigera/es-gateway:v3.19.4 $PRIVATE_REGISTRY/tigera/es-gateway:v3.19.4
    docker tag quay.io/tigera/linseed:v3.19.4 $PRIVATE_REGISTRY/tigera/linseed:v3.19.4
    docker tag quay.io/tigera/deep-packet-inspection:v3.19.4 $PRIVATE_REGISTRY/tigera/deep-packet-inspection:v3.19.4
    docker tag quay.io/tigera/eck-operator:v3.19.4 $PRIVATE_REGISTRY/tigera/eck-operator:v3.19.4
    docker tag quay.io/tigera/alertmanager:v3.19.4 $PRIVATE_REGISTRY/tigera/alertmanager:v3.19.4
    docker tag quay.io/tigera/envoy:v3.19.4 $PRIVATE_REGISTRY/tigera/envoy:v3.19.4
    docker tag quay.io/tigera/envoy-init:v3.19.4 $PRIVATE_REGISTRY/tigera/envoy-init:v3.19.4
    docker tag quay.io/tigera/webhooks-processor:v3.19.4 $PRIVATE_REGISTRY/tigera/webhooks-processor:v3.19.4
    docker tag quay.io/tigera/pod2daemon-flexvol:v3.19.4 $PRIVATE_REGISTRY/tigera/pod2daemon-flexvol:v3.19.4
    docker tag quay.io/tigera/csi:v3.19.4 $PRIVATE_REGISTRY/tigera/csi:v3.19.4
    docker tag quay.io/tigera/node-driver-registrar:v3.19.4 $PRIVATE_REGISTRY/tigera/node-driver-registrar:v3.19.4

  3. Push the images to your private registry.

    docker push $PRIVATE_REGISTRY/tigera/operator:v1.34.7
    docker push $PRIVATE_REGISTRY/tigera/cnx-manager:v3.19.4
    docker push $PRIVATE_REGISTRY/tigera/voltron:v3.19.4
    docker push $PRIVATE_REGISTRY/tigera/guardian:v3.19.4
    docker push $PRIVATE_REGISTRY/tigera/cnx-apiserver:v3.19.4
    docker push $PRIVATE_REGISTRY/tigera/cnx-queryserver:v3.19.4
    docker push $PRIVATE_REGISTRY/tigera/kube-controllers:v3.19.4
    docker push $PRIVATE_REGISTRY/tigera/calicoq:v3.19.4
    docker push $PRIVATE_REGISTRY/tigera/typha:v3.19.4
    docker push $PRIVATE_REGISTRY/tigera/calicoctl:v3.19.4
    docker push $PRIVATE_REGISTRY/tigera/cnx-node:v3.19.4
    docker push $PRIVATE_REGISTRY/tigera/dikastes:v3.19.4
    docker push $PRIVATE_REGISTRY/tigera/dex:v3.19.4
    docker push $PRIVATE_REGISTRY/tigera/fluentd:v3.19.4
    docker push $PRIVATE_REGISTRY/tigera/es-proxy:v3.19.4
    docker push $PRIVATE_REGISTRY/tigera/kibana:v3.19.4
    docker push $PRIVATE_REGISTRY/tigera/elasticsearch:v3.19.4
    docker push $PRIVATE_REGISTRY/tigera/intrusion-detection-job-installer:v3.19.4
    docker push $PRIVATE_REGISTRY/tigera/intrusion-detection-controller:v3.19.4
    docker push $PRIVATE_REGISTRY/tigera/compliance-controller:v3.19.4
    docker push $PRIVATE_REGISTRY/tigera/compliance-reporter:v3.19.4
    docker push $PRIVATE_REGISTRY/tigera/compliance-snapshotter:v3.19.4
    docker push $PRIVATE_REGISTRY/tigera/compliance-server:v3.19.4
    docker push $PRIVATE_REGISTRY/tigera/compliance-benchmarker:v3.19.4
    docker push $PRIVATE_REGISTRY/tigera/ingress-collector:v3.19.4
    docker push $PRIVATE_REGISTRY/tigera/l7-collector:v3.19.4
    docker push $PRIVATE_REGISTRY/tigera/license-agent:v3.19.4
    docker push $PRIVATE_REGISTRY/tigera/cni:v3.19.4
    docker push $PRIVATE_REGISTRY/tigera/firewall-integration:v3.19.4
    docker push $PRIVATE_REGISTRY/tigera/egress-gateway:v3.19.4
    docker push $PRIVATE_REGISTRY/tigera/honeypod:v3.19.4
    docker push $PRIVATE_REGISTRY/tigera/honeypod-exp-service:v3.19.4
    docker push $PRIVATE_REGISTRY/tigera/honeypod-controller:v3.19.4
    docker push $PRIVATE_REGISTRY/tigera/key-cert-provisioner:v3.19.4
    docker push $PRIVATE_REGISTRY/tigera/elasticsearch-metrics:v3.19.4
    docker push $PRIVATE_REGISTRY/tigera/packetcapture:v3.19.4
    docker push $PRIVATE_REGISTRY/tigera/policy-recommendation:v3.19.4
    docker push $PRIVATE_REGISTRY/tigera/prometheus:v3.19.4
    docker push $PRIVATE_REGISTRY/tigera/prometheus-operator:v3.19.4
    docker push $PRIVATE_REGISTRY/tigera/prometheus-config-reloader:v3.19.4
    docker push $PRIVATE_REGISTRY/tigera/prometheus-service:v3.19.4
    docker push $PRIVATE_REGISTRY/tigera/es-gateway:v3.19.4
    docker push $PRIVATE_REGISTRY/tigera/linseed:v3.19.4
    docker push $PRIVATE_REGISTRY/tigera/deep-packet-inspection:v3.19.4
    docker push $PRIVATE_REGISTRY/tigera/eck-operator:v3.19.4
    docker push $PRIVATE_REGISTRY/tigera/alertmanager:v3.19.4
    docker push $PRIVATE_REGISTRY/tigera/envoy:v3.19.4
    docker push $PRIVATE_REGISTRY/tigera/envoy-init:v3.19.4
    docker push $PRIVATE_REGISTRY/tigera/webhooks-processor:v3.19.4
    docker push $PRIVATE_REGISTRY/tigera/pod2daemon-flexvol:v3.19.4
    docker push $PRIVATE_REGISTRY/tigera/csi:v3.19.4
    docker push $PRIVATE_REGISTRY/tigera/node-driver-registrar:v3.19.4
    caution
    Do not push the private Calico Enterprise images to a public registry.

  4. Use crane cp to copy the Windows images to your private registry.

    For hybrid Linux + Windows clusters, use crane cp on the following Windows images to copy them to your private registry.

    crane cp quay.io/tigera/cnx-node-windows:v3.19.4 $PRIVATE_REGISTRY/$IMAGE_PATH/cnx-node-windows:v3.19.4
    crane cp quay.io/tigera/fluentd-windows:v3.19.4 $PRIVATE_REGISTRY/$IMAGE_PATH/fluentd-windows:v3.19.4
    crane cp quay.io/tigera/cni-windows:v3.19.4 $PRIVATE_REGISTRY/$IMAGE_PATH/cni-windows:v3.19.4
    caution
    Do not crane cp the private Calico Enterprise for Windows images to a public registry.

Run the operator using images from your private registry

Before applying tigera-operator.yaml, modify registry references to use your custom registry:

sed -ie "s?quay.io?$PRIVATE_REGISTRY?g" tigera-operator.yaml

Next, ensure that an image pull secret has been configured for your custom registry. Set the enviroment variable PRIVATE_REGISTRY_PULL_SECRET to the secret name. Then add the image pull secret to the operator deployment spec:

sed -ie "/serviceAccountName: tigera-operator/a       imagePullSecrets:\n      - name: $PRIVATE_REGISTRY_PULL_SECRET"  tigera-operator.yaml

If you are installing Prometheus operator as part of Calico Enterprise, then before applying tigera-prometheus-operator.yaml, modify registry references to use your custom registry:

sed -ie "s?quay.io?$PRIVATE_REGISTRY?g" tigera-prometheus-operator.yaml
sed -ie "/serviceAccountName: calico-prometheus-operator/a       imagePullSecrets:\n      - name: $PRIVATE_REGISTRY_PULL_SECRET"  tigera-prometheus-operator.yaml

Before applying custom-resources.yaml, modify registry references to use your custom registry:

sed -ie "s?quay.io?$PRIVATE_REGISTRY?g" custom-resources.yaml

Configure the operator to use images from your private registry.

Set the spec.registry field of your Installation resource to the name of your custom registry. For example:

apiVersion: operator.tigera.io/v1
kind: Installation
metadata:
  name: default
spec:
  variant: TigeraSecureEnterprise
  imagePullSecrets:
    - name: tigera-pull-secret
      registry: myregistry.com
note

See Install from an image path in a private registry page for more information on installing using a private registry image path.

note

See the Installation resource reference page for more information on the imagePullSecrets and registry fields.