Using a custom image registry

There might be reasons to pull the container images only from internal image registries and not directly external registries like Docker Hub. In order to do so, follow along with this guide.

How to use your custom image registry

  1. Copy the Airlock Microgateway images into your custom image registry by using Crane or similar tools that retain the original digest.
  2. Run the crane tool to copy a remote image from <SRC> to <DST> while retaining the digest value.

    crane copy <SRC> <DST>
    • The digest of the Airlock Microgateway images are verified by the Microgateway Operator and therefore cannot be modified. Since pulling and pushing the images changes the digest, a tool like crane must be used to transfer the images into a custom registry.
    • Besides the digest, the Microgateway Operator, Microgateway Network Manager and the Microgateway Engine image must have the same tags. Identical tags are enforced by a validator. Mixing different versions of Microgateway like Microgateway Operator in version 4.0 but Microgateway Engine in version 4.1 is not supported.
  3. Adjust the following attributes in the Kubernetes Deployment airlock-microgateway-operator-controller-manager:
    • Configure the Microgateway Operator image in spec.template.spec.containers['manager'].image
    • Configure the Microgateway Network Manager image in spec.template.spec.containers['manager'].env['NETWORK_MANAGER_IMAGE']
    • Configure the Microgateway Engine image in spec.template.spec.containers['manager'].env['ENGINE_IMAGE']

    The Microgateway Operator will be pulled from the custom image registry. The Operator uses the environment variables and replaces the image in the corresponding container template file (see Microgateway Operator).

  4. Adjust the following attributes in the Kubernetes Deployment airlock-microgateway-license-guard:
    • Configure the License Guard image in spec.template.spec.containers['ratelimit'].image
    • Configure the License Guard StatsD Exporter image in spec.template.spec.containers['statsd-exporter'].image
  5. Adjust the following attributes in the Kubernetes Deployment airlock-microgateway-license-guard-redis:
    • Configure the License Guard Redis image in spec.template.spec.containers['redis'].image
  6. With the adjustments, the images will be used from the custom image registry
  7. The following Kustomize example shows, how the mentioned attributes can be patched:

    cat <<EOF > custom_image_registry.yaml
    apiVersion: apps/v1
    kind: Deployment
      namespace: airlock-microgateway-system 
      name: airlock-microgateway-operator-controller-manager
            - name: manager
                - name: NETWORK_MANAGER_IMAGE 
                  value: custom.image.registry/my-repository/airlock-microgateway-network-manager:<TAG>@sha256:<SHA256_DIGEST> 
                - name: ENGINE_IMAGE 
                  value: custom.image.registry/my-repository/airlock-microgateway-engine:<TAG>@sha256:<SHA256_DIGEST>
    cat <<EOF >./kustomization.yaml
    kind: Kustomization 
      - path: custom_image_registry.yaml
      - name:
        newName: custom.image.registry/my-repository/airlock-microgateway-operator
      - name:
        newName: custom.image.registry/my-repository/airlock-microgateway-statsd-exporter
      - name:
        newName: custom.image.registry/my-repository/airlock-microgateway-license-guard 
      - name:
        newName: custom.image.registry/my-repository/airlock-microgateway-redis 

    To prevent confusion, we highly suggest using the original image names and only changing the image registry and repository.

    • Please ensure that the replaced Airlock Microgateway images always are specified in the Kubernetes manifest files with a tag and a digest.
    • After changing any Microgateway images in the deployment files, the Microgateway Operator must be restarted.