Private Registries

PGO, the open source Postgres Operator, can use containers that are stored in private registries. There are a variety of techniques that are used to load containers from private registries, including image pull secrets. This guide will demonstrate how to install PGO and deploy a Postgres cluster using the Crunchy Data Customer Portal registry as an example.

Create an Image Pull Secret

The Kubernetes documentation provides several methods for creating image pull secrets. You can choose the method that is most appropriate for your installation. You will need to create image pull secrets in the namespace that PGO is deployed and in each namespace where you plan to deploy Postgres clusters.

For example, to create an image pull secret for accessing the Crunchy Data Customer Portal image registry in the postgres-operator namespace, you can execute the following commands:

kubectl create ns postgres-operator

kubectl create secret docker-registry crunchy-regcred -n postgres-operator \
  --docker-server=registry.crunchydata.com \
  --docker-username=<YOUR USERNAME> \
  --docker-email=<YOUR EMAIL> \
  --docker-password=<YOUR PASSWORD>

This creates an image pull secret named crunchy-regcred in the postgres-operator namespace.

Install PGO from a Private Registry

To install PGO from a private registry, you will need to set an image pull secret on the installation manifest.

For example, to set up an image pull secret using the Kustomize install method to install PGO from the Crunchy Data Customer Portal, you can set the following in the kustomize/install/default/kustomization.yaml manifest:

images:
- name: postgres-operator
  newName: registry.crunchydata.com/crunchydata/postgres-operator
  newTag: ubi8-5.1.1-0

patchesJson6902:
  - target:
      group: apps
      version: v1
      kind: Deployment
      name: pgo
    patch: |-
      - op: remove
        path: /spec/selector/matchLabels/app.kubernetes.io~1name
      - op: remove
        path: /spec/selector/matchLabels/app.kubernetes.io~1version
      - op: add
        path: /spec/template/spec/imagePullSecrets
        value:
          - name: crunchy-regcred

If you are using a version of kubectl prior to v1.21.0, you will have to create an explicit patch file named install-ops.yaml:

- op: remove
  path: /spec/selector/matchLabels/app.kubernetes.io~1name
- op: remove
  path: /spec/selector/matchLabels/app.kubernetes.io~1version
- op: add
  path: /spec/template/spec/imagePullSecrets
  value:
    - name: crunchy-regcred

and modify the manifest to be the following:

images:
- name: postgres-operator
  newName: registry.crunchydata.com/crunchydata/postgres-operator
  newTag: ubi8-5.1.1-0

patchesJson6902:
  - target:
      group: apps
      version: v1
      kind: Deployment
      name: pgo
    path: install-ops.yaml

You can then install PGO from the private registry using the standard installation procedure, e.g.:

kubectl apply --server-side -k kustomize/install/default

Deploy a Postgres cluster from a Private Registry

To deploy a Postgres cluster using images from a private registry, you will need to set the value of spec.imagePullSecrets on a PostgresCluster custom resource.

For example, to deploy a Postgres cluster using images from the Crunchy Data Customer Portal with an image pull secret in the postgres-operator namespace, you can use the following manifest:

apiVersion: postgres-operator.crunchydata.com/v1beta1
kind: PostgresCluster
metadata:
  name: hippo
spec:
  imagePullSecrets:
    - name: crunchy-regcred
  image: registry.crunchydata.com/crunchydata/crunchy-postgres:ubi8-14.3-0
  postgresVersion: 14
  instances:
    - name: instance1
      dataVolumeClaimSpec:
        accessModes:
        - "ReadWriteOnce"
        resources:
          requests:
            storage: 1Gi
  backups:
    pgbackrest:
      image: registry.crunchydata.com/crunchydata/crunchy-pgbackrest:ubi8-2.38-1
      repos:
      - name: repo1
        volume:
          volumeClaimSpec:
            accessModes:
            - "ReadWriteOnce"
            resources:
              requests:
                storage: 1Gi