Private Registries
PGO, the open source Postgres Operator, can use containers that are stored in private registries. Several techniques can be used to load containers from private registries, including image pull secrets. This guide will demonstrate how to install PGO and deploy a Postgres cluster using the Crunchy Data Customer Portal registry as an example.
Create an Image Pull Secret
The Kubernetes documentation provides several methods for creating image pull secrets. You can choose the method that is most appropriate for your installation. You will need to create image pull secrets in the namespace where PGO is deployed and in each namespace where you plan to deploy Postgres clusters.
For example, to create an image pull secret for accessing the Crunchy Data Customer Portal image registry in the postgres-operator namespace, you can execute the following commands:
    kubectl create ns postgres-operator
    kubectl create secret docker-registry crunchy-regcred -n postgres-operator \
      --docker-server=registry.crunchydata.com \
      --docker-username=<YOUR USERNAME> \
      --docker-email=<YOUR EMAIL> \
      --docker-password=<YOUR PASSWORD>
This creates an image pull secret named crunchy-regcred in the postgres-operator namespace.
Install PGO from a Private Registry
To install PGO from a private registry, you will need to set an image pull secret on the installation manifest.
For example, to set up an image pull secret using the Kustomize install method to install PGO from the Crunchy Data Customer Portal, you can set the following in the kustomize/install/default/kustomization.yaml manifest:
    images:
    - name: postgres-operator
      newName: registry.crunchydata.com/crunchydata/postgres-operator
      newTag: ubi8-5.1.1-0
    patchesJson6902:
    - target:
        group: apps
        version: v1
        kind: Deployment
        name: pgo
      patch: |-
        - op: remove
          path: /spec/selector/matchLabels/app.kubernetes.io~1name
        - op: remove
          path: /spec/selector/matchLabels/app.kubernetes.io~1version
        - op: add
          path: /spec/template/spec/imagePullSecrets
          value:
            - name: crunchy-regcred
If you are using a version of kubectl prior to v1.21.0, you will have to create an explicit patch file named install-ops.yaml:
    - op: remove
      path: /spec/selector/matchLabels/app.kubernetes.io~1name
    - op: remove
      path: /spec/selector/matchLabels/app.kubernetes.io~1version
    - op: add
      path: /spec/template/spec/imagePullSecrets
      value:
        - name: crunchy-regcred
and modify the manifest to be the following:
    images:
    - name: postgres-operator
      newName: registry.crunchydata.com/crunchydata/postgres-operator
      newTag: ubi8-5.1.1-0
    patchesJson6902:
    - target:
        group: apps
        version: v1
        kind: Deployment
        name: pgo
      path: install-ops.yaml
You can then install PGO from the private registry using the standard installation procedure, e.g.:
    kubectl apply --server-side -k kustomize/install/default
Deploy a Postgres cluster from a Private Registry
To deploy a Postgres cluster using images from a private registry, you will need to set the value of spec.imagePullSecrets on a PostgresCluster custom resource.
For example, to deploy a Postgres cluster using images from the Crunchy Data Customer Portal with an image pull secret in the postgres-operator namespace, you can use the following manifest:
    apiVersion: postgres-operator.crunchydata.com/v1beta1
    kind: PostgresCluster
    metadata:
      name: hippo
    spec:
      imagePullSecrets:
      - name: crunchy-regcred
      image: registry.crunchydata.com/crunchydata/crunchy-postgres:ubi8-14.3-0
      postgresVersion: 14
      instances:
        - name: instance1
          dataVolumeClaimSpec:
            accessModes:
            - "ReadWriteOnce"
            resources:
              requests:
                storage: 1Gi
      backups:
        pgbackrest:
          image: registry.crunchydata.com/crunchydata/crunchy-pgbackrest:ubi8-2.38-1
          repos:
          - name: repo1
            volume:
              volumeClaimSpec:
                accessModes:
                - "ReadWriteOnce"
                resources:
                  requests:
                    storage: 1Gi
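Because image pull secrets are namespaced and keyed by registry host, a pre-deployment check can catch a cluster that would fail to pull its images. The following is an added example, not part of PGO or this guide's original text: it inspects objects shaped like `kubectl get ... -o json` output. The function names and the credentials in the sample secret are constructed for illustration, and it assumes fully qualified image names as used on this page.

```python
import base64
import json

def registry_of(image):
    """Registry host of a fully qualified image reference (host/repo/name:tag)."""
    return image.split("/", 1)[0]

def check_pull_secret(cluster, secret):
    """Return the problems that would stop the cluster's images from being pulled."""
    problems = []
    name = secret["metadata"]["name"]
    # Image pull secrets are namespaced: the secret must live beside the cluster.
    if secret["metadata"]["namespace"] != cluster["metadata"]["namespace"]:
        problems.append("secret is in a different namespace than the cluster")
    if secret.get("type") != "kubernetes.io/dockerconfigjson":
        problems.append("secret is not of type kubernetes.io/dockerconfigjson")
    refs = [r["name"] for r in cluster["spec"].get("imagePullSecrets", [])]
    if name not in refs:
        problems.append(f"spec.imagePullSecrets does not reference {name}")
    # The credentials are stored as base64-encoded JSON keyed by registry host.
    raw = secret.get("data", {}).get(".dockerconfigjson", "")
    auths = json.loads(base64.b64decode(raw) or b"{}").get("auths", {})
    spec = cluster["spec"]
    images = [spec["image"], spec["backups"]["pgbackrest"]["image"]]
    for host in sorted({registry_of(i) for i in images}):
        if host not in auths:
            problems.append(f"no credentials for {host}")
    return problems

def make_secret(namespace, registry="registry.crunchydata.com"):
    """Constructed sample secret; the username and password are placeholders."""
    cfg = {"auths": {registry: {"username": "user", "password": "example",
                                "auth": base64.b64encode(b"user:example").decode()}}}
    blob = base64.b64encode(json.dumps(cfg).encode()).decode()
    return {"type": "kubernetes.io/dockerconfigjson",
            "metadata": {"name": "crunchy-regcred", "namespace": namespace},
            "data": {".dockerconfigjson": blob}}

# Constructed sample mirroring the hippo manifest above.
REG = "registry.crunchydata.com/crunchydata"
CLUSTER = {"metadata": {"name": "hippo", "namespace": "postgres-operator"},
           "spec": {"imagePullSecrets": [{"name": "crunchy-regcred"}],
                    "image": f"{REG}/crunchy-postgres:ubi8-14.3-0",
                    "backups": {"pgbackrest": {
                        "image": f"{REG}/crunchy-pgbackrest:ubi8-2.38-1"}}}}

if __name__ == "__main__":
    print(check_pull_secret(CLUSTER, make_secret("postgres-operator")))
    print(check_pull_secret(CLUSTER, make_secret("default")))
```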