There might be reasons to pull the container images only from internal image registries, not directly from external registries like Docker Hub. To do so, follow along with this guide.
How to use your custom image registry
- Copy the Airlock Microgateway images into your custom image registry using CRANE or other tools that retain the original digest.
- Image link-list:
  - Microgateway Operator – docker.io/ergon/airlock-microgateway-operator
  - Microgateway CNI plugin – docker.io/ergon/airlock-microgateway-cni
  - Microgateway Engine – docker.io/ergon/airlock-microgateway-engine
  - Microgateway License Guard – docker.io/ergon/airlock-microgateway-license-guard
  - Redis – cgr.dev/chainguard/redis
- The digests of the Airlock Microgateway images are verified by the Microgateway Operator and therefore cannot be modified. Since pulling and pushing the images changes the digest, a tool like CRANE must be used to transfer the images into a custom registry.
- Besides the digest, the Microgateway Operator and the Microgateway Engine image must have the same tags. Identical tags are enforced by a validator. Mixing different versions like Microgateway Operator in version 4.0 and Microgateway Engine in version 4.1 is not supported.
- Adjust the following attributes in the Kubernetes Deployment airlock-microgateway-operator-controller-manager:
  - Configure the Microgateway Operator image in spec.template.spec.containers['manager'].image
  - Configure the Microgateway Engine image in spec.template.spec.containers['manager'].env['ENGINE_IMAGE']
- Adjust the following attributes in the Kubernetes Deployment airlock-microgateway-license-guard:
  - Configure the License Guard image in spec.template.spec.containers['ratelimit'].image
- Adjust the following attributes in the Kubernetes Deployment airlock-microgateway-license-guard-redis:
  - Configure the License Guard Redis image in spec.template.spec.containers['redis'].image
- Adjust configuration values in the values.yaml of the CNI Helm chart. See the documentation in the values.yaml file for details.
- With the adjustments, the images will be used from the custom image registry.
- Ensure that the replaced Airlock Microgateway images are always specified in the Kubernetes manifest files with a tag and a digest.
- After changing any Microgateway images in the deployment files, the Microgateway Operator must be restarted.
In our case, run the crane tool to copy a remote image from <SRC> to <DST> while retaining the digest value.
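As an added example (not part of the Airlock documentation), the following script wraps the crane copy step with the checks this guide calls for: the digest is unchanged after the copy, a reference carries both a tag and a digest, and the Operator and Engine references share the same tag. The registry host registry.example.internal and all function names are assumptions.

```shell
#!/bin/sh
# Added example, not Airlock's own tooling. Requires crane on PATH for mirror_image.
# DST_REGISTRY is a constructed placeholder for the internal registry host.
DST_REGISTRY="${DST_REGISTRY:-registry.example.internal}"

# dst_ref SRC: keep repository name and tag, replace only the registry host.
dst_ref() {
    printf '%s/%s\n' "$DST_REGISTRY" "${1#*/}"
}

# is_pinned REF: succeeds only for name:tag@sha256:<64 hex> (tag AND digest).
is_pinned() {
    printf '%s\n' "$1" |
        grep -Eq '^[^@[:space:]]+:[A-Za-z0-9_][A-Za-z0-9_.-]*@sha256:[0-9a-f]{64}$'
}

# ref_tag REF: print the tag of a pinned reference.
ref_tag() {
    t="${1%%@*}"             # drop "@sha256:..."
    printf '%s\n' "${t##*:}" # keep what follows the last ":"
}

# same_version OPERATOR_REF ENGINE_REF: both pinned and carrying the same tag.
same_version() {
    is_pinned "$1" && is_pinned "$2" && [ "$(ref_tag "$1")" = "$(ref_tag "$2")" ]
}

# mirror_image SRC (registry/repo:tag): copy, compare digests, print pinned ref.
mirror_image() {
    src="$1"
    dst="$(dst_ref "$src")"
    crane copy "$src" "$dst" || return 1
    src_digest="$(crane digest "$src")" || return 1
    dst_digest="$(crane digest "$dst")" || return 1
    if [ "$src_digest" != "$dst_digest" ]; then
        echo "digest changed during copy: $dst" >&2
        return 1
    fi
    printf '%s@%s\n' "$dst" "$dst_digest"
}

# Usage: ./mirror.sh docker.io/ergon/airlock-microgateway-operator:<TAG> ...
for image in "$@"; do
    mirror_image "$image" || exit 1
done
```

The reference printed by mirror_image is the tag-and-digest form to place in the Deployment and values.yaml fields listed above.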
The Microgateway Operator will be pulled from the custom image registry. The Operator uses the environment variables and replaces the image in the corresponding container template file (see Microgateway Operator).
The following Kustomize example shows how the mentioned attributes can be patched:
We highly suggest using the original image names to prevent confusion and only changing the image registry and repository.
Further information and links
- Internal links:
- Microgateway Operator
- External links:
- (Kubernetes) Kustomize
- CRANE