Configure use of your image registry
Big picture
Configure Calico to pull images from a registry (public or private).
Value
In many deployments, installing Calico in clusters from third-party private repos is not an option. Calico offers these public and private registry options, which can be used in any combination:
- Install from a registry for use cases like airgapped clusters, or clusters with bandwidth or security constraints
- Install from an image path in a registry if you have pulled Calico images to a sub path in your registry
- Install images by registry digest
Concepts
A container image registry (often known as a registry) is a service where you can push, pull, and store container images. In Kubernetes, a registry is considered private if it is not publicly available.
A private registry requires an image pull secret. An image pull secret provides authentication for an image registry; this allows you to control access to certain images or give access to higher pull rate limits (like with DockerHub).
An image path is a directory in a registry that contains images required to install Calico.
Before you begin
Required
- Calico is managed by the operator
- Configure pull access to your registry
- If you are using a private registry that requires user authentication, ensure that an image pull secret is configured for your registry in the tigera-operator namespace. Set the environment variable REGISTRY_PULL_SECRET to the secret name. For help, see the imagePullSecrets and registry fields in the Installation resource reference.
How to
The following examples show the path format for a public or private registry, $REGISTRY/. If you are using an image path, substitute the format: $REGISTRY/$IMAGE_PATH/.
Push Calico images to your registry
To install images from your registry, you must first pull the images from Tigera’s registry, retag them with your own registry, and then push the newly-tagged images to your own registry.
- Use the following commands to pull the required Calico images.
docker pull quay.io/tigera/operator:v1.30.9
docker pull calico/typha:v3.26.4
docker pull calico/ctl:v3.26.4
docker pull calico/node:v3.26.4
docker pull calico/cni:v3.26.4
docker pull calico/apiserver:v3.26.4
docker pull calico/kube-controllers:v3.26.4
docker pull calico/windows:v3.26.4
docker pull calico/dikastes:v3.26.4
docker pull calico/pod2daemon-flexvol:v3.26.4
docker pull calico/csi:v3.26.4
docker pull calico/node-driver-registrar:v3.26.4
- Retag the images with the name of your registry, $REGISTRY.
docker tag quay.io/tigera/operator:v1.30.9 $REGISTRY/tigera/operator:v1.30.9
docker tag calico/typha:v3.26.4 $REGISTRY/calico/typha:v3.26.4
docker tag calico/ctl:v3.26.4 $REGISTRY/calico/ctl:v3.26.4
docker tag calico/node:v3.26.4 $REGISTRY/calico/node:v3.26.4
docker tag calico/cni:v3.26.4 $REGISTRY/calico/cni:v3.26.4
docker tag calico/apiserver:v3.26.4 $REGISTRY/calico/apiserver:v3.26.4
docker tag calico/kube-controllers:v3.26.4 $REGISTRY/calico/kube-controllers:v3.26.4
docker tag calico/windows:v3.26.4 $REGISTRY/calico/windows:v3.26.4
docker tag calico/dikastes:v3.26.4 $REGISTRY/calico/dikastes:v3.26.4
docker tag calico/pod2daemon-flexvol:v3.26.4 $REGISTRY/calico/pod2daemon-flexvol:v3.26.4
docker tag calico/csi:v3.26.4 $REGISTRY/calico/csi:v3.26.4
docker tag calico/node-driver-registrar:v3.26.4 $REGISTRY/calico/node-driver-registrar:v3.26.4
- Push the images to your registry.
docker push $REGISTRY/tigera/operator:v1.30.9
docker push $REGISTRY/calico/typha:v3.26.4
docker push $REGISTRY/calico/ctl:v3.26.4
docker push $REGISTRY/calico/node:v3.26.4
docker push $REGISTRY/calico/cni:v3.26.4
docker push $REGISTRY/calico/apiserver:v3.26.4
docker push $REGISTRY/calico/kube-controllers:v3.26.4
docker push $REGISTRY/calico/windows:v3.26.4
docker push $REGISTRY/calico/dikastes:v3.26.4
docker push $REGISTRY/calico/pod2daemon-flexvol:v3.26.4
docker push $REGISTRY/calico/csi:v3.26.4
docker push $REGISTRY/calico/node-driver-registrar:v3.26.4
Run the operator using images from your registry
Before applying tigera-operator.yaml, modify registry references to use your custom registry:
For OpenShift
Download all manifests first, then modify the following:
sed -ie "s?quay.io?$REGISTRY?g" manifests/02-tigera-operator.yaml
For all other platforms
sed -ie "s?quay.io?$REGISTRY?g" tigera-operator.yaml
Next, if you are implementing user authentication to access a private registry, add the image pull secret for your registry to the secret tigera-pull-secret.
sed -ie "/serviceAccountName: tigera-operator/a \      imagePullSecrets:\n\      - name: $REGISTRY_PULL_SECRET" tigera-operator.yaml
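A check worth running after the sed edits above, added here as an example and not part of the Calico documentation: sed exits successfully even when a pattern matches nothing, so this confirms that every image: reference starts with your registry and that imagePullSecrets sits directly under serviceAccountName at the same indentation. The function names, the secret name my-pull-secret and the manifest excerpt are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example, not from the Calico docs. Function names are hypothetical
# and sample_manifest prints constructed input.

# Print image references that do not start with "REGISTRY/". The trailing
# slash keeps a lookalike host such as REGISTRY.example from passing.
foreign_images() {   # usage: foreign_images REGISTRY FILE
  awk -v reg="$1/" '
    /^[ \t-]*image:[ \t]/ {
      ref = $0
      sub(/^[ \t-]*image:[ \t]*/, "", ref)   # drop the key
      sub(/[ \t].*$/, "", ref)               # drop a trailing comment
      gsub(/"/, "", ref)                     # drop quotes
      if (index(ref, reg) != 1) print ref
    }' "$2"
}

# Succeed only if imagePullSecrets naming SECRET directly follows
# "serviceAccountName: tigera-operator" at the same indentation.
has_pull_secret() {  # usage: has_pull_secret SECRET FILE
  awk -v name="$1" '
    /serviceAccountName: tigera-operator/ { ind = match($0, /[^ ]/); step = 1; next }
    step == 1 { step = ($1 == "imagePullSecrets:" && match($0, /[^ ]/) == ind) ? 2 : 0; next }
    step == 2 { if ($1 == "-" && $2 == "name:" && $3 == name) found = 1; step = 0 }
    END { exit !found }' "$2"
}

# Constructed excerpt of the operator Deployment pod spec; $1 is the registry.
sample_manifest() {
  cat <<EOF
    spec:
      serviceAccountName: tigera-operator
      imagePullSecrets:
      - name: my-pull-secret
      containers:
        - name: tigera-operator
          image: $1/tigera/operator:v1.30.9
EOF
}

demo=$(mktemp)
sample_manifest quay.io > "$demo"            # a manifest the rewrite missed
echo "still public: $(foreign_images myregistry.com "$demo")"
has_pull_secret my-pull-secret "$demo" && echo "pull secret wired in"
rm -f "$demo"
```

Against a real manifest, run `foreign_images "$REGISTRY" tigera-operator.yaml` and `has_pull_secret "$REGISTRY_PULL_SECRET" tigera-operator.yaml` before applying it.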
Configure the operator to use images
Set the spec.registry field of your Installation resource to the name of your custom registry. For example:
apiVersion: operator.tigera.io/v1
kind: Installation
metadata:
  name: default
spec:
  variant: Calico
  imagePullSecrets:
    - name: tigera-pull-secret
  registry: myregistry.com