Private Registries

PGO, the open source Postgres Operator, can use containers that are stored in private registries. Several techniques can load containers from private registries, including image pull secrets. This guide demonstrates how to install PGO and deploy a Postgres cluster using the Crunchy Data Customer Portal registry as an example.

Create an Image Pull Secret

The Kubernetes documentation provides several methods for creating image pull secrets. You can choose the method that is most appropriate for your installation. You will need to create image pull secrets in the namespace where PGO is deployed and in each namespace where you plan to deploy Postgres clusters.

For example, to create an image pull secret for accessing the Crunchy Data Customer Portal image registry in the postgres-operator namespace, you can execute the following commands:

kubectl create ns postgres-operator

kubectl create secret docker-registry crunchy-regcred -n postgres-operator \
  --docker-server=registry.crunchydata.com \
  --docker-username="$YOUR_USERNAME" \
  --docker-email="$YOUR_EMAIL" \
  --docker-password="$YOUR_PASSWORD"

This creates an image pull secret named crunchy-regcred in the postgres-operator namespace.
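
Because the secret must exist in the PGO namespace and in every namespace that will run Postgres clusters, the following added example (not part of the PGO documentation) creates crunchy-regcred in each namespace given as an argument, and keeps the password out of kubectl's command line by passing the credential as a file. The variable names REGISTRY_USER and REGISTRY_PASSWORD, the script name and the function names are assumptions, and the namespaces are assumed to exist already.

```shell
#!/bin/sh
# Added example, not PGO's own tooling.
# Assumptions: REGISTRY_USER and REGISTRY_PASSWORD are exported in the
# environment, and every namespace passed as an argument already exists.

REGISTRY=registry.crunchydata.com
SECRET_NAME=crunchy-regcred

# Print a Docker config JSON document holding one registry credential.
# Only the base64 "auth" field is emitted, so the username and password
# never need JSON escaping. printf is a shell builtin in bash and dash,
# so the password does not show up in the process list.
dockerconfigjson() {
  # $1 = registry host, $2 = username, $3 = password
  auth=$(printf '%s:%s' "$2" "$3" | base64 | tr -d '\n')
  printf '{"auths":{"%s":{"auth":"%s"}}}' "$1" "$auth"
}

# Create or update the pull secret in one namespace from a config file.
apply_pull_secret() {
  # $1 = namespace, $2 = path to the Docker config JSON file
  kubectl create secret generic "$SECRET_NAME" -n "$1" \
    --type=kubernetes.io/dockerconfigjson \
    --from-file=.dockerconfigjson="$2" \
    --dry-run=client -o yaml | kubectl apply -f -
}

# Usage: sh pull-secrets.sh postgres-operator team-a team-b
if [ "$#" -gt 0 ]; then
  : "${REGISTRY_USER:?set REGISTRY_USER}"
  : "${REGISTRY_PASSWORD:?set REGISTRY_PASSWORD}"
  umask 077                      # temp file readable by the owner only
  cfg=$(mktemp) || exit 1
  trap 'rm -f "$cfg"' EXIT       # remove the credential file on exit
  dockerconfigjson "$REGISTRY" "$REGISTRY_USER" "$REGISTRY_PASSWORD" > "$cfg"
  for ns in "$@"; do
    apply_pull_secret "$ns" "$cfg" || exit 1
  done
fi
```

The apply step is idempotent, so the same command can be re-run to rotate the credential in every namespace.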

Install PGO from a Private Registry

To install PGO from a private registry, you will need to set an image pull secret on the installation manifest.

For example, to set up an image pull secret using the Kustomize install method to install PGO from the Crunchy Data Customer Portal, you can add the following in the kustomize/install/default/kustomization.yaml manifest:

patches:
  - target: { group: apps, version: v1, kind: Deployment, name: pgo }
    patch: |-
      - path: /spec/template/spec/imagePullSecrets
        op: add
        value:
          - name: crunchy-regcred

If you are using a version of kubectl prior to v1.21.0, you will have to create an explicit patch file named install-ops.yaml:

- path: /spec/template/spec/imagePullSecrets
  op: add
  value:
    - name: crunchy-regcred

and add the following to the manifest:

patchesJson6902:
  - target: { group: apps, version: v1, kind: Deployment, name: pgo }
    path: install-ops.yaml

You can then install PGO from the private registry using the standard installation procedure, e.g.:

kubectl apply --server-side -k kustomize/install/default

Deploy a Postgres cluster from a Private Registry

To deploy a Postgres cluster using images from a private registry, you will need to set the value of spec.imagePullSecrets on a PostgresCluster custom resource.

For example, to deploy a Postgres cluster using images from the Crunchy Data Customer Portal with an image pull secret in the postgres-operator namespace, you can use the following manifest:

apiVersion: postgres-operator.crunchydata.com/v1beta1
kind: PostgresCluster
metadata:
  name: hippo
spec:
  imagePullSecrets:
    - name: crunchy-regcred
  image: registry.crunchydata.com/crunchydata/crunchy-postgres:ubi8-15.7-5.3.8-0
  postgresVersion: 15
  instances:
    - name: instance1
      dataVolumeClaimSpec:
        accessModes:
          - 'ReadWriteOnce'
        resources:
          requests:
            storage: 1Gi
  backups:
    pgbackrest:
      image: registry.crunchydata.com/crunchydata/crunchy-pgbackrest:ubi8-5.3.8-0
      repos:
        - name: repo1
          volume:
            volumeClaimSpec:
              accessModes:
                - 'ReadWriteOnce'
              resources:
                requests:
                  storage: 1Gi