Container image repositories and registries

• Image link-list:
• Microgateway Operator – quay.io/airlock/microgateway-operator
• Microgateway CNI plugin – quay.io/airlock/microgateway-cni
• Microgateway Engine – quay.io/airlock/microgateway-engine
• Microgateway Session Agent – quay.io/airlock/microgateway-session-agent

Visit the Airlock Microgateway repositories online to see all available tags.

The Airlock Microgateway images are signed using Cosign, which can be verified easily by running the following command.

copy

cosign verify --key https://raw.githubusercontent.com/airlock/microgateway/main/cosign/cosign.pub <image-reference>

List of images:

Verifying the image signature with the cosign.pub key can be automated by a policy controller such as sigstore policy-controller, Kyverno, or Connaisseur.

• For more information, see:
• Sigstore policy-controller setup documentation
• Kyverno policy controller setup documentation for Cosign-generated signatures
• Connaisseur policy controller setup documentation for Cosign-generated signatures

There might be reasons to pull the container images only from internal image registries, not directly from external registries like Quay.io or GitHub. To do so, follow along with this guide.

1. Copy the Airlock Microgateway images into your custom image registry.

For example, copy a remote image from <SRC> to <DST> while retaining the digest value running:

copy



crane copy <SRC> <DST>

2. Adjust the Airlock Microgateway CNI helm chart values, i.e. with a pullsecret (if required) and the repository information, for example:
copy



imagePullSecrets: # in case of a private registry 
- name: <pullsecret for custom-registry:8080> 
 
image:  
  repository: custom-registry:8080/custom-namespace/microgateway-cni 

3. Adjust the Airlock Microgateway Operator helm chart values, i.e. with a pullsecret (if required) and the repository information, for example:
copy



imagePullSecrets: # in case of a private registry 
- name: <pullsecret for custom-registry:8080>
 
operator:  
  image:  
    repository: custom-registry:8080/custom-namespace/microgateway-operator
 
engine:  
  image:  
    repository: custom-registry:8080/custom-namespace/microgateway-engine
 
sessionAgent:  
  image:  
    repository: custom-registry:8080/custom-namespace/microgateway-session-agent

4. With the adjustments, the images will be pulled from the custom image registries. The pull secret for the custom registry containing the Engine image must be added to application Pods with injected Airlock Microgateway Engines. Subsequently, the Pods must be restarted to be updated.