Configure use of your image registry
Big picture
Configure Calico to pull images from a registry (public or private).
Value
In many deployments, installing Calico in clusters from third-party private repos is not an option. Calico offers these public and private registry options, which can be used in any combination:
- Install from a registry for use cases like air-gapped clusters, or clusters with bandwidth or security constraints
- Install from an image path in a registry if you have pulled Calico images to a sub path in your registry
- Install images by registry digest
Concepts
A container image registry (often known as a registry), is a service where you can push, pull, and store container images. In Kubernetes, a registry is considered private if it is not publicly available.
A private registry requires an image pull secret. An image pull secret provides authentication for an image registry; this allows you to control access to certain images or give access to higher pull rate limits (like with DockerHub).
An image path is a directory in a registry that contains images required to install Calico.
Before you begin
Required
- Calico is managed by the operator
- Configure pull access to your registry
- If you are using a private registry that requires user authentication, ensure that an image pull secret is configured for your registry in the tigera-operator namespace. Set the environment variable,
REGISTRY_PULL_SECRET
to the secret name. For help, seeimagePullSecrets
andregistry
fields, in Installation resource reference. - Use the Crane command to manage the Calico for Windows images, as using
docker pull
commands for these images may not work depending on the operating system and version in which the commands are run.
How to
The following examples show the path format for public and private registry, $REGISTRY/
. If you are using an image path, substitute the format: $REGISTRY/$IMAGE_PATH/
.
Push Calico images to your registry
To install images from your registry, you must first pull the images from Tigera's registry, retag them with your own registry, and then push the newly-tagged images to your own registry. Use the crane cp
command instead of pulling+retagging+pushing on the Calico for Windows images (node-windows
and cni-windows
).
Use the following commands to pull the required Calico images.
Retag the images with the name of your registry
$REGISTRY
.Push the images to your registry.
Use
crane cp
to copy the Windows images to your private registry.
docker pull quay.io/tigera/operator:v1.36.2
docker pull calico/typha:v3.29.1
docker pull calico/ctl:v3.29.1
docker pull calico/node:v3.29.1
docker pull calico/cni:v3.29.1
docker pull calico/apiserver:v3.29.1
docker pull calico/kube-controllers:v3.29.1
docker pull calico/dikastes:v3.29.1
docker pull calico/pod2daemon-flexvol:v3.29.1
docker pull calico/csi:v3.29.1
docker pull calico/node-driver-registrar:v3.29.1
docker tag quay.io/tigera/operator:v1.36.2 $REGISTRY/tigera/operator:v1.36.2
docker tag calico/typha:v3.29.1 $REGISTRY/calico/typha:v3.29.1
docker tag calico/ctl:v3.29.1 $REGISTRY/calico/ctl:v3.29.1
docker tag calico/node:v3.29.1 $REGISTRY/calico/node:v3.29.1
docker tag calico/cni:v3.29.1 $REGISTRY/calico/cni:v3.29.1
docker tag calico/apiserver:v3.29.1 $REGISTRY/calico/apiserver:v3.29.1
docker tag calico/kube-controllers:v3.29.1 $REGISTRY/calico/kube-controllers:v3.29.1
docker tag calico/dikastes:v3.29.1 $REGISTRY/calico/dikastes:v3.29.1
docker tag calico/pod2daemon-flexvol:v3.29.1 $REGISTRY/calico/pod2daemon-flexvol:v3.29.1
docker tag calico/csi:v3.29.1 $REGISTRY/calico/csi:v3.29.1
docker tag calico/node-driver-registrar:v3.29.1 $REGISTRY/calico/node-driver-registrar:v3.29.1
docker push $REGISTRY/tigera/operator:v1.36.2
docker push $REGISTRY/calico/typha:v3.29.1
docker push $REGISTRY/calico/ctl:v3.29.1
docker push $REGISTRY/calico/node:v3.29.1
docker push $REGISTRY/calico/cni:v3.29.1
docker push $REGISTRY/calico/apiserver:v3.29.1
docker push $REGISTRY/calico/kube-controllers:v3.29.1
docker push $REGISTRY/calico/dikastes:v3.29.1
docker push $REGISTRY/calico/pod2daemon-flexvol:v3.29.1
docker push $REGISTRY/calico/csi:v3.29.1
docker push $REGISTRY/calico/node-driver-registrar:v3.29.1
For hybrid Linux + Windows clusters, use crane cp
on the following Windows images to copy them to your private registry.
Run the operator using images from your registry
Before applying tigera-operator.yaml
, modify registry references to use your custom registry:
For OpenShift
Download all manifests first, then modify the following:
sed -ie "s?quay.io?$REGISTRY?g" manifests/02-tigera-operator.yaml
For all other platforms
sed -ie "s?quay.io?$REGISTRY?g" tigera-operator.yaml
Next, if you are implementing user authentication to access a private registry, add the image pull secret for your registry
to the secret tigera-pull-secret
.
sed -ie "/serviceAccountName: tigera-operator/a \ imagePullSecrets:\n\ - name: $REGISTRY_PULL_SECRET" tigera-operator.yaml
Configure the operator to use images
Set the spec.registry
field of your Installation resource to the name of your custom registry. For example:
apiVersion: operator.tigera.io/v1
kind: Installation
metadata:
name: default
spec:
variant: Calico
imagePullSecrets:
- name: tigera-pull-secret
registry: myregistry.com