This document explains how to configure Apigee hybrid to use images from a private container image repository.
Overview
All Apigee hybrid runtime images are hosted in the
Google Cloud Container Registry (GCR). If for any reason you wish to employ a private image container repository,
you can download the images from GCR, push them to your private repository, and override
the default image locations in your overrides.yaml file.
Configuration steps
Follow these steps to use a private image container repository for the Apigee hybrid images. To
perform these steps and successfully use the images in your private repository, you must be familiar
with the Apigee hybrid installation procedure. In a typical
scenario, you would plan to configure the private repository as part of a fresh hybrid installation.
Push the Apigee hybrid images from GCR to your private repository. We recommend that you use the
apigee-push-pull utility to accomplish this step.
If you prefer to do this step manually, you need to have Docker
installed and use the docker pull command as follows. Be sure to append the correct tag
to each image name. For example, the tag for apigee-synchronizer is 1.10.5,
as shown below.
Get an up to date list of all images in your current
project with the --list option of the
apigee-pull-push.sh utility in the
apigeectl/tools/ directory:
Add the Secret to your overrides.yaml file. Creation of the overrides file
is described in the hybrid installation steps. See Configure the cluster for details.
imagePullSecrets:
- name: SECRET_NAME
Update your overrides.yaml file with image URLs for the images stored in your
private repository. Each component that is stored in the repository has an image:url
element. Use this element to specify the URL of each component image. For example:
Follow this pattern to update each top-level hybrid component in your overrides.yaml file with its
private repository image URL. A complete example overrides file is provided with your hybrid installation in
$APIGEECTL_HOME/examples/private-overrides.yaml
directory.
You can now complete a new hybrid installation using the private images, or update your existing
installation. See the Apigee hybrid installation steps for more information.
Installing cert-manager from a private repository
To install cert-manager from your private repository, see
Installing with Helm.
It is important that you install the same version of cert-manager as specified
in the Apigee hybrid installation instructions to ensure compatibility.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-08-26 UTC."],[[["\u003cp\u003eThis document guides you through configuring Apigee hybrid to utilize images from a private container image repository instead of the default Google Cloud Container Registry.\u003c/p\u003e\n"],["\u003cp\u003eYou can use the \u003ccode\u003eapigee-pull-push\u003c/code\u003e utility, or manually with \u003ccode\u003edocker pull\u003c/code\u003e, to transfer Apigee hybrid images from GCR to your private repository.\u003c/p\u003e\n"],["\u003cp\u003eYou must create a Kubernetes Secret in both the \u003ccode\u003eapigee\u003c/code\u003e and \u003ccode\u003eapigee-system\u003c/code\u003e namespaces that will be used to access the private registry.\u003c/p\u003e\n"],["\u003cp\u003eThe \u003ccode\u003eoverrides.yaml\u003c/code\u003e file must be updated with the appropriate image URLs to redirect Apigee hybrid to your private repository.\u003c/p\u003e\n"],["\u003cp\u003eWhen installing \u003ccode\u003ecert-manager\u003c/code\u003e from a private repository, you need to ensure that the installed version is compatible with the one specified in the Apigee hybrid installation instructions.\u003c/p\u003e\n"]]],[],null,["# Use a private image repository\n\n| You are currently viewing version 1.10 of the Apigee hybrid documentation. **This version is end of life.** You should upgrade to a newer version. For more information, see [Supported versions](/apigee/docs/hybrid/supported-platforms#supported-versions).\n\n\nThis document explains how to configure Apigee hybrid to use images from a private container image repository.\n\nOverview\n--------\n\n\nAll Apigee hybrid runtime images are hosted in the [Google Cloud Container Registry](/container-registry) (GCR). If for any reason you wish to employ a private image container repository,\nyou can download the images from GCR, push them to your private repository, and override\nthe default image locations in your `overrides.yaml` file.\n\nConfiguration steps\n-------------------\n\n\nFollow these steps to use a private image container repository for the Apigee hybrid images. To\nperform these steps and successfully use the images in your private repository, you must be familiar\nwith the [Apigee hybrid installation procedure](/apigee/docs/hybrid/v1.10/install-before-begin). In a typical\nscenario, you would plan to configure the private repository as part of a fresh hybrid installation.\n\n1. Push the Apigee hybrid images from GCR to your private repository. We recommend that you use the [apigee-push-pull](/apigee/docs/hybrid/v1.10/apigee-pull-push) utility to accomplish this step.\n\n If you prefer to do this step manually, you need to have [Docker](https://docs.docker.com/get-started/)\n installed and use the `docker pull` command as follows. Be sure to append the correct tag\n to each image name. For example, the tag for `apigee-synchronizer` is `1.10.5`,\n as shown below.\n 1. Get an up to date list of all images in your current project with the `--list` option of the [`apigee-pull-push.sh` utility](/apigee/docs/hybrid/v1.10/apigee-pull-push) in the `apigeectl/tools/` directory: \n\n ```\n apigee-pull-push.sh --list\n ```\n\n Your output should look something like: \n\n ```\n apigee:\n gcr.io/apigee-release/hybrid/apigee-mart-server:1.10.5\n gcr.io/apigee-release/hybrid/apigee-synchronizer:1.10.5\n gcr.io/apigee-release/hybrid/apigee-runtime:1.10.5\n gcr.io/apigee-release/hybrid/apigee-hybrid-cassandra-client:1.10.5\n gcr.io/apigee-release/hybrid/apigee-hybrid-cassandra:1.10.5\n gcr.io/apigee-release/hybrid/apigee-cassandra-backup-utility:1.10.5\n gcr.io/apigee-release/hybrid/apigee-udca:1.10.5\n gcr.io/apigee-release/hybrid/apigee-connect-agent:1.10.5\n gcr.io/apigee-release/hybrid/apigee-watcher:1.10.5\n gcr.io/apigee-release/hybrid/apigee-operators:1.10.5\n gcr.io/apigee-release/hybrid/apigee-installer:1.10.5\n gcr.io/apigee-release/hybrid/apigee-redis:1.10.5\n gcr.io/apigee-release/hybrid/apigee-diagnostics-collector:1.10.5\n gcr.io/apigee-release/hybrid/apigee-diagnostics-runner:1.10.5\n gcr.io/apigee-release/hybrid/apigee-mint-task-scheduler:1.10.5\n third party:\n gcr.io/apigee-release/hybrid/apigee-stackdriver-logging-agent:1.10.1\n gcr.io/apigee-release/hybrid/apigee-prom-prometheus:v2.48.0\n gcr.io/apigee-release/hybrid/apigee-stackdriver-prometheus-sidecar:0.9.0\n gcr.io/apigee-release/hybrid/apigee-kube-rbac-proxy:v0.15.0\n gcr.io/apigee-release/hybrid/apigee-envoy:v1.27.0\n gcr.io/apigee-release/hybrid/apigee-prometheus-adapter:v0.11.2\n gcr.io/apigee-release/hybrid/apigee-asm-ingress:1.17.8-asm.4-distroless\n gcr.io/apigee-release/hybrid/apigee-asm-istiod:1.17.8-asm.4-distroless\n gcr.io/apigee-release/hybrid/apigee-fluent-bit:2.2.0\n \n ```\n 2. Pull the images needed for the `apigee-system` and \u003cvar translate=\"no\"\u003eapigee\u003c/var\u003e namespaces with the `docker pull` command.\n\n ### `apigee-system` namespace\n\n - `apigee-installer`\n - `apigee-kube-rbac-proxy`\n - `apigee-operators`\n\n ### Your \u003cvar translate=\"no\"\u003eapigee\u003c/var\u003e namespace\n\n - `apigee-asm-ingress`\n - `apigee-asm-istiod`\n - `apigee-cassandra-backup-utility`\n - `apigee-connect-agent`\n - `apigee-diagnostics-collector`\n - `apigee-diagnostics-runner`\n - `apigee-envoy`\n - `apigee-fluent-bit`\n - `apigee-hybrid-cassandra-client`\n - `apigee-hybrid-cassandra`\n - `apigee-mart-server`\n - `apigee-prom-prometheus`\n - `apigee-prometheus-adapter`\n - `apigee-redis`\n - `apigee-runtime`\n - `apigee-stackdriver-logging-agent`\n - `apigee-stackdriver-prometheus-sidecar`\n - `apigee-synchronizer`\n - `apigee-udca`\n - `apigee-watcher`\n\n For example: \n\n ```\n docker pull gcr.io/apigee-release/hybrid/apigee-installer:1.10.5\n ```\n 3. After you pull and tag the images, push them to your private repository. See [docker\n push](https://docs.docker.com/engine/reference/commandline/push/).\n2. Create a Kubernetes Secret in the `apigee` and `apigee-system` namespaces.\n\n If these namespaces do not exist in your cluster, you must create them before performing this step.\n\n For steps to create the Secret, see [Create a Secret by providing credentials on the command line](https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/#create-a-secret-by-providing-credentials-on-the-command-line).\n For example, to create a secret in the `apigee-system` namespace: \n\n ```\n kubectl create secret docker-registry SECRET_NAME -n apigee-system \\\n --docker-server=YOUR_REGISTRY_SERVER \\\n --docker-username=YOUR_DOCKER_USERNAME \\\n --docker-email=YOUR_DOCKER_EMAIL \\\n --docker-password=\"YOUR_DOCKER_PASSWORD)\"\n ```\n\n\n To create a Secret in the `apigee` namespace: \n\n ```\n kubectl create secret docker-registry SECRET_NAME -n apigee \\\n --docker-server=YOUR_REGISTRY_SERVER \\\n --docker-username=YOUR_DOCKER_USERNAME \\\n --docker-email=YOUR_DOCKER_EMAIL \\\n --docker-password=\"YOUR_DOCKER_PASSWORD)\"\n ```\n3. Add the Secret to your `overrides.yaml` file. Creation of the overrides file is described in the hybrid installation steps. See [Configure the cluster](/apigee/docs/hybrid/v1.10/install-configure-cluster) for details. \n\n ```\n imagePullSecrets:\n - name: SECRET_NAME\n ```\n4. Update your `overrides.yaml` file with image URLs for the images stored in your private repository. Each component that is stored in the repository has an `image:url` element. Use this element to specify the URL of each component image. For example: \n\n ```\n mart:\n serviceAccountPath: /installdir/hybrid-files/service-accounts/hybrid-apigee-non-prod.json\n image:\n url: my-docker.pkg.dev/hybrid-1/registry-name/apigee-mart-server\n ```\n\n\n Follow this pattern to update each top-level hybrid component in your `overrides.yaml` file with its\n private repository image URL. A complete example overrides file is provided with your hybrid installation in\n **$APIGEECTL_HOME**`/examples/private-overrides.yaml`\n directory.\n | **Note:** You only need to update the `url` property. You can accept the default values for the `tag` and `pullPolicy` properties. For a complete list of components and their configuration properties, see also [Configuration property reference](/apigee/docs/hybrid/v1.10/config-prop-ref).\n\n\nYou can now complete a new hybrid installation using the private images, or update your existing\ninstallation. See the [Apigee hybrid installation steps](/apigee/docs/hybrid/v1.10/install-before-begin) for more information.\n\nInstalling cert-manager from a private repository\n-------------------------------------------------\n\n\nTo install `cert-manager` from your private repository, see\n[Installing with Helm](https://cert-manager.io/docs/installation/helm/).\nIt is important that you install the same version of `cert-manager` as specified\nin the [Apigee hybrid installation](/apigee/docs/hybrid/v1.10/install-cert-manager) instructions to ensure compatibility."]]
