Store Helm charts and Docker container images in a private artifact registry#
Helm charts, Docker container images, and the artifact registry#
Helm charts#
The Helm charts for Aspen Mesh and its companion products are stored in an artifact registry and referenced when necessary.
When Helm charts are referenced#
You reference a Helm chart when you use Helm to perform a clean installation or an upgrade of Aspen Mesh or one of its companion products.
Docker container images#
Aspen Mesh and its companion products each run as a set of Docker containers whose images are stored in an artifact registry and pulled (downloaded) by Kubernetes when necessary.
When Docker container images are pulled#
Kubernetes pulls the Docker container images for Aspen Mesh or a companion product during a clean installation or an upgrade and—when necessary—while the product is running on your cluster.
Default artifact registry versus private artifact registry#
By default, you reference Helm charts in—and Kubernetes pulls Docker container images from—the Aspen Mesh Artifact Registry, which is available over the public internet.
However, you can instead reference Helm charts in—and have Kubernetes pull Docker container images from—a private artifact registry.
Note
The private artifact registry must be an OCI registry.
The private artifact registry must be accessible by your cluster.
The private artifact registry must be accessible by your computer.
You must be authorized to push artifacts to the private artifact registry.
When to use a private artifact registry#
Use a private artifact registry instead of the default artifact registry if any of the following are true:
Your cluster is not connected to the public internet (this is sometimes referred to as an air-gapped cluster).
You want to use your own infrastructure to store Helm charts and Docker container images for improved security and reliability.
Store Helm charts and Docker container images in a private artifact registry#
When to follow these instructions#
Follow the instructions below only if you want to use a private artifact registry and only when the Aspen Mesh clean-installation or upgrade instructions tell you to do so. Perform the tasks in order.
Log in to the Aspen Mesh Artifact Registry with Helm and Docker#
Pull Helm charts and Docker container images from the Aspen Mesh Artifact Registry#
In a terminal window on your computer, make sure you’re in the Aspen Mesh Platform chart directory.
Pull all the Helm charts and Docker container images for the Aspen Mesh Platform version to your computer:
$ ./tools/pull-charts-and-images.sh
Store Helm charts and Docker container images in the private artifact repository#
In a terminal window on your computer, make sure you’re in the Aspen Mesh Platform chart directory.
If the private artifact registry requires authentication, log in to it with Helm and Docker.
Make sure you’re authorized to push artifacts to the private artifact registry.
Store all the Helm charts and Docker container images for the Aspen Mesh Platform version in the private artifact repository, making sure to replace <privateRepositoryAddress> with the address of the Aspen Mesh repository in the private artifact registry you want to push the Aspen Mesh images to (for example, registry.company.com/aspenmesh):
$ registry_repo=<privateRepositoryAddress> ./tools/store-charts-and-images.sh
Create a pull-secret manifest for authenticating to the private artifact registry#
Important
Perform this task only if the private artifact registry requires authentication (that is, you must provide credentials to access the registry). Typically, a private artifact registry in an air-gapped cluster doesn’t require authentication.
In a terminal window on your computer, decide where you want to store the private artifact registry’s pull-secret manifest and change to that directory.
Kubernetes uses the private artifact registry’s pull secret to authenticate to the private artifact registry when pulling Docker container images from it. You’ll need access to the private artifact registry’s pull-secret manifest—whose filename is referred to by the placeholder <privateRegistryPullSecretManifestFilename>—when performing a clean installation of Aspen Mesh or a companion product.
Create the private artifact registry’s pull-secret manifest.
Note
You can use any name you like for the pull secret except the following, which are reserved as names for the Aspen Mesh Artifact Registry pull secret:
aspen-mesh-cni-pull-secret
aspen-mesh-pull-secret
dns-controller-pull-secret
packet-inspector-1-analysis-emulator-pull-secret
packet-inspector-2-analysis-emulator-pull-secret
packet-inspector-pull-secret
Most artifact registries can provide you with a pull-secret manifest, which looks like this for a pull secret named private-registry-pull-secret:
apiVersion: v1
kind: Secret
metadata:
  name: private-registry-pull-secret
data:
  .dockerconfigjson: eyJodHRwczovL2luZGV4L...J0QUl6RTIifX0=
type: kubernetes.io/dockerconfigjson
If your registry can’t provide you with a pull-secret manifest, see Pull an Image from a Private Registry.
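If the registry can't provide the manifest, it can also be generated locally. The following is an added example, not part of the Aspen Mesh tooling: it builds a manifest in the format shown above, refuses the reserved pull-secret names, and writes the file owner-only because the data field is base64-encoded, not encrypted. The function names are hypothetical, and it assumes username/password authentication and a registry host such as registry.company.com.

```shell
#!/bin/sh
# Added example (hypothetical helper names). Reserved names come from the list above.
RESERVED_NAMES="aspen-mesh-cni-pull-secret aspen-mesh-pull-secret dns-controller-pull-secret
packet-inspector-1-analysis-emulator-pull-secret packet-inspector-2-analysis-emulator-pull-secret
packet-inspector-pull-secret"

# Return 0 if the given secret name is reserved, 1 otherwise.
is_reserved_name() {
    for reserved in $RESERVED_NAMES; do
        if [ "$1" = "$reserved" ]; then return 0; fi
    done
    return 1
}

# Base64-encode stdin onto a single line (portable; does not rely on GNU -w0).
b64() { base64 | tr -d '\n'; }

# Escape backslashes and double quotes so a value is safe inside a JSON string.
json_escape() { printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e 's/"/\\"/g'; }

# make_pull_secret NAME REGISTRY_HOST USERNAME PASSWORD -> manifest on stdout
make_pull_secret() {
    name=$1 registry=$2 user=$3 pass=$4
    if is_reserved_name "$name"; then
        echo "error: '$name' is reserved for the Aspen Mesh Artifact Registry pull secret" >&2
        return 1
    fi
    auth=$(printf '%s:%s' "$user" "$pass" | b64)
    config=$(printf '{"auths":{"%s":{"username":"%s","password":"%s","auth":"%s"}}}' \
        "$(json_escape "$registry")" "$(json_escape "$user")" "$(json_escape "$pass")" "$auth")
    printf 'apiVersion: v1\nkind: Secret\nmetadata:\n  name: %s\ndata:\n  .dockerconfigjson: %s\ntype: kubernetes.io/dockerconfigjson\n' \
        "$name" "$(printf '%s' "$config" | b64)"
}

# write_pull_secret FILE NAME REGISTRY_HOST USERNAME PASSWORD
# Creates FILE with mode 0600; on failure no partial file is left behind.
write_pull_secret() {
    file=$1; shift
    rm -f "$file"
    ( umask 077; make_pull_secret "$@" > "$file" ) || { rm -f "$file"; return 1; }
}
```

Keep the resulting file out of version control and shell history: anyone who can read it can decode the registry credentials.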