The ECK operator can be run in an air-gapped environment without access to the open internet when it is configured not to pull container images from docker.elastic.co.
By default ECK does not require you to specify the container image for each Elastic Stack application you deploy.
apiVersion: elasticsearch.k8s.elastic.co/{eck_crd_version}
kind: Elasticsearch
metadata:
name: quickstart
spec:
version: {version}
# image: docker.elastic.co/elasticsearch/elasticsearch:{version} <1>
nodeSets:
- name: default
count: 1
# podTemplate:
# spec:
# imagePullSecrets: <2>
# - name: private-registry-credentials-secret-
The ECK operator will set this value by default. You can explicitly set it to your mirrored container image when running in an air-gapped environment
-
You can provide credentials to your private container registry by setting the
imagePullSecretsfield through thespec.podTemplatesection of your Elastic resource specification, check how to customize the Elastic resources Pods and how to setup a Secret containing your registry credentials.
ECK will automatically set the correct container image for each application. When running in an air-gapped or offline environment you will have to mirror the official Elastic container images in a private container image registry. To make use of your mirrored images you can either set the image for each application explicitly as shown in the preceding example or more conveniently override the default container registry as explained in the next section.
To deploy the ECK operator in an air-gapped environment, you first have to mirror the operator image itself from docker.elastic.co to a private container registry, for example my.registry.
Once the ECK operator image is copied internally, replace the original image name docker.elastic.co/eck/eck-operator:{eck_version} with the private name of the image, for example my.registry/eck/eck-operator:{eck_version}, in the operator manifests. When using Helm charts, replace the image.repository Helm value with, for example, my.registry/eck/eck-operator.
When creating custom resources ({eck_resources_list}), the operator defaults to using container images pulled from the docker.elastic.co registry. If you are in an environment where external network access is restricted, you can configure the operator to use a different default container registry by starting the operator with the --container-registry command-line flag. Check [{p}-operator-config] for more information on how to configure the operator using command-line flags and environment variables.
The operator expects container images to be located at specific repositories in the default container registry. Make sure that your container images are stored in the right repositories and are tagged correctly with the Stack version number. For example, if your private registry is my.registry and you wish to deploy components from Stack version {version}, the following image names should exist:
-
my.registry/elasticsearch/elasticsearch:{version}
-
my.registry/kibana/kibana:{version}
-
my.registry/apm/apm-server:{version}
If you cannot follow the default Elastic image repositories naming scheme, you can configure the operator to use a different container repository by starting the operator with the --container-repository command-line flag.
Check [{p}-operator-config] for more information on how to configure the operator using command-line flags and environment variables.
For example, if your private registry is my.registry and all Elastic images are located under the elastic repository, the following image names should exist:
-
my.registry/elastic/elasticsearch:{version}
-
my.registry/elastic/kibana:{version}
-
my.registry/elastic/apm-server:{version}
The eck-diagnostics tool optionally runs diagnostics for Elastic Stack applications in a separate container that is deployed into the Kubernetes cluster.
In air-gapped environments with no access to the docker.elastic.co registry, you should copy the latest support-diagnostics container image to your internal image registry and then run the tool with the additional flag --diagnostic-image <custom-support-diagnostics-image-name>. To find out which support diagnostics container image matches your version of eck-diagnostics run the tool once without arguments and it will print the default image in use.