You are currently viewing version 1.9 of the Apigee hybrid documentation.This version is end of life. You should upgrade to a newer version. For more information, seeSupported versions.

This document explains how to configure Apigee hybrid to use images from a private container image repository.

Overview

All Apigee hybrid runtime images are hosted in the Google Cloud Container Registry (GCR). If for any reason you wish to employ a private image container repository, you can download the images from GCR, push them to your private repository, and override the default image locations in youroverrides.yaml file.

Configuration steps

Follow these steps to use a private image container repository for the Apigee hybrid images. To perform these steps and successfully use the images in your private repository, you must be familiar with theApigee hybrid installation procedure. In a typical scenario, you would plan to configure the private repository as part of a fresh hybrid installation.

1. Push the Apigee hybrid images from GCR to your private repository. We recommend that you use theapigee-push-pull utility to accomplish this step.

   If you prefer to do this step manually, you need to haveDocker installed and use thedocker pull command as follows. Be sure to append the correct tag to each image name. For example, the tag forapigee-synchronizer is1.9.4, as shown below.

   Note: You can get an up to date list of all images in your current project with the--list option of theapigee-pull-push.sh utility in theapigeectl/tools/ directory:

   apigee-pull-push.sh --list

   Here are the images for theapigee-system andapigee namespaces:

   Namespace:apigee-system

   docker pull gcr.io/apigee-release/hybrid/apigee-installer:1.9.4docker pull gcr.io/apigee-release/hybrid/apigee-kube-rbac-proxy:v0.14.0docker pull gcr.io/apigee-release/hybrid/apigee-operators:1.9.4

   Namespace:apigee

   docker pull gcr.io/apigee-release/hybrid/apigee-cassandra-backup-utility:1.9.4docker pull gcr.io/apigee-release/hybrid/apigee-connect-agent:1.9.4docker pull gcr.io/apigee-release/hybrid/apigee-diagnostics-collector:1.9.4docker pull gcr.io/apigee-release/hybrid/apigee-envoy:v1.25.1docker pull gcr.io/apigee-release/hybrid/apigee-fluent-bit:2.1.3docker pull gcr.io/apigee-release/hybrid/apigee-hybrid-cassandra-client:1.9.4docker pull gcr.io/apigee-release/hybrid/apigee-hybrid-cassandra:1.9.4docker pull gcr.io/apigee-release/hybrid/apigee-mart-server:1.9.4docker pull gcr.io/apigee-release/hybrid/apigee-mint-task-scheduler:1.9.4docker pull gcr.io/apigee-release/hybrid/apigee-prom-prometheus:v2.39.1docker pull gcr.io/apigee-release/hybrid/apigee-prometheus-adapter:v0.10.0docker pull gcr.io/apigee-release/hybrid/apigee-redis:1.9.4docker pull gcr.io/apigee-release/hybrid/apigee-runtime:1.9.4docker pull gcr.io/apigee-release/hybrid/apigee-stackdriver-logging-agent:1.9.12-2docker pull gcr.io/apigee-release/hybrid/apigee-stackdriver-prometheus-sidecar:0.9.0docker pull gcr.io/apigee-release/hybrid/apigee-synchronizer:1.9.4docker pull gcr.io/apigee-release/hybrid/apigee-udca:1.9.4docker pull gcr.io/apigee-release/hybrid/apigee-watcher:1.9.4docker pull gcr.io/apigee-release/hybrid/apigee-asm-ingress:1.17.2-asm.8-distrolessdocker pull gcr.io/apigee-release/hybrid/apigee-asm-istiod:1.17.2-asm.8-distroless

   After you pull and tag the images, you must push them to your private repository. Seedocker push.

2. Create a Kubernetes Secret in theapigee andapigee-system namespaces.

   If these namespaces do not exist in your cluster, you must create them before performing this step.

   For steps to create the Secret, seeCreate a Secret by providing credentials on the command line. For example, to create a secret in theapigee-system namespace:

   kubectl create secret docker-registrySECRET_NAME -n apigee-system \  --docker-server=YOUR_REGISTRY_SERVER \  --docker-username=YOUR_DOCKER_USERNAME \  --docker-email=YOUR_DOCKER_EMAIL \  --docker-password="YOUR_DOCKER_PASSWORD)"

   To create a Secret in theapigee namespace:

   kubectl create secret docker-registrySECRET_NAME -n apigee \  --docker-server=YOUR_REGISTRY_SERVER \  --docker-username=YOUR_DOCKER_USERNAME \  --docker-email=YOUR_DOCKER_EMAIL \  --docker-password="YOUR_DOCKER_PASSWORD)"

3. Add the Secret to youroverrides.yaml file. Creation of the overrides file is described in the hybrid installation steps. SeeConfigure the cluster for details.

   imagePullSecrets:  - name:SECRET_NAME

4. Update youroverrides.yaml file with image URLs for the images stored in your private repository. Each component that is stored in the repository has animage:url element. Use this element to specify the URL of each component image. For example:

   mart:  serviceAccountPath: /installdir/hybrid-files/service-accounts/hybrid-apigee-non-prod.jsonimage:    url: my-docker.pkg.dev/hybrid-1/registry-name/apigee-mart-server

   Follow this pattern to update each top-level hybrid component in youroverrides.yaml file with its private repository image URL. A complete example overrides file is provided with your hybrid installation in$APIGEECTL_HOME/examples/private-overrides.yaml directory.

   Note: You only need to update theurl property. You can accept the default values for thetag andpullPolicy properties. For a complete list of components and their configuration properties, see alsoConfiguration property reference.

You can now complete a new hybrid installation using the private images, or update your existing installation. See theApigee hybrid installation steps for more information.

Installing cert-manager from a private repository

To installcert-manager from your private repository, seeInstalling with Helm. It is important that you install the same version ofcert-manager as specified in theApigee hybrid installation instructions to ensure compatibility.