This document explains how to configure Apigee hybrid to use images from a private container image repository.
Overview
All Apigee hybrid runtime images are hosted in the
Google Cloud Container Registry (GCR). If for any reason you wish to employ a private image container repository,
you can download the images from GCR, push them to your private repository, and override
the default image locations in your overrides.yaml file.
Configuration steps
Follow these steps to use a private image container repository for the Apigee hybrid images. To perform these steps and successfully use the images in your private repository, you must be familiar with the Apigee hybrid installation procedure. In a typical scenario, you would plan to configure the private repository as part of a fresh hybrid installation.
- Push the Apigee hybrid images from GCR to your private repository. We recommend that you use the
apigee-push-pull utility to accomplish this step.
If you prefer to do this step manually, you need to have Docker installed and use the
docker pullcommand as follows. Be sure to append the correct tag to each image name. For example, the tag forapigee-synchronizeris1.10.5, as shown below.- Get an up to date list of all images in your current
project with the
--listoption of theapigee-pull-push.shutility in theapigeectl/tools/directory:apigee-pull-push.sh --list
Your output should look something like:
apigee: gcr.io/apigee-release/hybrid/apigee-mart-server:1.10.5 gcr.io/apigee-release/hybrid/apigee-synchronizer:1.10.5 gcr.io/apigee-release/hybrid/apigee-runtime:1.10.5 gcr.io/apigee-release/hybrid/apigee-hybrid-cassandra-client:1.10.5 gcr.io/apigee-release/hybrid/apigee-hybrid-cassandra:1.10.5 gcr.io/apigee-release/hybrid/apigee-cassandra-backup-utility:1.10.5 gcr.io/apigee-release/hybrid/apigee-udca:1.10.5 gcr.io/apigee-release/hybrid/apigee-connect-agent:1.10.5 gcr.io/apigee-release/hybrid/apigee-watcher:1.10.5 gcr.io/apigee-release/hybrid/apigee-operators:1.10.5 gcr.io/apigee-release/hybrid/apigee-installer:1.10.5 gcr.io/apigee-release/hybrid/apigee-redis:1.10.5 gcr.io/apigee-release/hybrid/apigee-diagnostics-collector:1.10.5 gcr.io/apigee-release/hybrid/apigee-diagnostics-runner:1.10.5 gcr.io/apigee-release/hybrid/apigee-mint-task-scheduler:1.10.5 third party: gcr.io/apigee-release/hybrid/apigee-stackdriver-logging-agent:1.10.1 gcr.io/apigee-release/hybrid/apigee-prom-prometheus:v2.48.0 gcr.io/apigee-release/hybrid/apigee-stackdriver-prometheus-sidecar:0.9.0 gcr.io/apigee-release/hybrid/apigee-kube-rbac-proxy:v0.15.0 gcr.io/apigee-release/hybrid/apigee-envoy:v1.27.0 gcr.io/apigee-release/hybrid/apigee-prometheus-adapter:v0.11.2 gcr.io/apigee-release/hybrid/apigee-asm-ingress:1.17.8-asm.4-distroless gcr.io/apigee-release/hybrid/apigee-asm-istiod:1.17.8-asm.4-distroless gcr.io/apigee-release/hybrid/apigee-fluent-bit:2.2.0 - Pull the images needed for the
apigee-systemandapigeenamespaces with thedocker pullcommand.apigee-systemnamespaceapigee-installerapigee-kube-rbac-proxyapigee-operators
Your
apigeenamespaceapigee-asm-ingressapigee-asm-istiodapigee-cassandra-backup-utilityapigee-connect-agentapigee-diagnostics-collectorapigee-diagnostics-runnerapigee-envoyapigee-fluent-bitapigee-hybrid-cassandra-clientapigee-hybrid-cassandraapigee-mart-serverapigee-prom-prometheusapigee-prometheus-adapterapigee-redisapigee-runtimeapigee-stackdriver-logging-agentapigee-stackdriver-prometheus-sidecarapigee-synchronizerapigee-udcaapigee-watcher
For example:
docker pull gcr.io/apigee-release/hybrid/apigee-installer:1.10.5
- After you pull and tag the images, push them to your private repository. See docker push.
- Get an up to date list of all images in your current
project with the
- Create a Kubernetes Secret in the
apigeeandapigee-systemnamespaces.If these namespaces do not exist in your cluster, you must create them before performing this step.
For steps to create the Secret, see Create a Secret by providing credentials on the command line. For example, to create a secret in the
apigee-systemnamespace:kubectl create secret docker-registry SECRET_NAME -n apigee-system \ --docker-server=YOUR_REGISTRY_SERVER \ --docker-username=YOUR_DOCKER_USERNAME \ --docker-email=YOUR_DOCKER_EMAIL \ --docker-password="YOUR_DOCKER_PASSWORD)"
To create a Secret in the
apigeenamespace:kubectl create secret docker-registry SECRET_NAME -n apigee \ --docker-server=YOUR_REGISTRY_SERVER \ --docker-username=YOUR_DOCKER_USERNAME \ --docker-email=YOUR_DOCKER_EMAIL \ --docker-password="YOUR_DOCKER_PASSWORD)"
- Add the Secret to your
overrides.yamlfile. Creation of the overrides file is described in the hybrid installation steps. See Configure the cluster for details.imagePullSecrets: - name: SECRET_NAME
- Update your
overrides.yamlfile with image URLs for the images stored in your private repository. Each component that is stored in the repository has animage:urlelement. Use this element to specify the URL of each component image. For example:mart: serviceAccountPath: /installdir/hybrid-files/service-accounts/hybrid-apigee-non-prod.json image: url: my-docker.pkg.dev/hybrid-1/registry-name/apigee-mart-serverFollow this pattern to update each top-level hybrid component in your
overrides.yamlfile with its private repository image URL. A complete example overrides file is provided with your hybrid installation in$APIGEECTL_HOME/examples/private-overrides.yamldirectory.
You can now complete a new hybrid installation using the private images, or update your existing installation. See the Apigee hybrid installation steps for more information.
Installing cert-manager from a private repository
To install cert-manager from your private repository, see
Installing with Helm.
It is important that you install the same version of cert-manager as specified
in the Apigee hybrid installation instructions to ensure compatibility.