Registry Mirror Tools
Kubernetes does not natively provide a registry for hosting the container images you use to run the applications you deploy on Kubernetes. Instead, Kubernetes requires an external solution for storing and sharing container images. A variety of Kubernetes-compatible registry options work with DKP.
In an environment with access to the Internet, you can retrieve artifacts from specialized repositories dedicated to them, such as Docker images contained in DockerHub and Helm Charts that come from a dedicated Helm Chart repository. You can also create your own local repository to hold the container images you need, including any custom images you’ve created with the Konvoy Image Builder tool.
In an air-gapped environment, you need a local repository to store Helm charts, Docker images, and other artifacts. Tools such as JFrog™ Artifactory, Amazon® AWS ECR, Harbor™, and Nexus™ handle multiple types of artifacts in one local repository.
Air-Gapped Registry Prerequisites
Private registries provide security and privacy for enterprise container image storage, whether hosted remotely or on-premises in an air-gapped environment. DKP in an air-gapped environment requires a local container registry of trusted images to enable production-level Kubernetes cluster management.
If you want to use images from this local registry to deploy applications inside your Kubernetes cluster, you’ll need to set up a secret for a private registry. The secret contains your login data, which Kubernetes needs to connect to your private repository. Local registry tools compatible with DKP are listed below.
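The secret described above, built by hand so its contents are visible. This is an added example, not code from the DKP documentation; the registry host, namespace, user name and password are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the DKP documentation: build the private-registry
# pull secret that Kubernetes needs. Registry host, user and password are
# constructed placeholders.

# base64 without line wrapping (GNU base64 wraps at 76 columns by default).
b64() { printf '%s' "$1" | base64 | tr -d '\n'; }

# The .dockerconfigjson payload Kubernetes reads: the registry host maps to
# "auth", which is base64("user:password").
build_dockerconfigjson() {
  registry="$1"; user="$2"; password="$3"
  printf '{"auths":{"%s":{"auth":"%s"}}}' "$registry" "$(b64 "${user}:${password}")"
}

# A kubernetes.io/dockerconfigjson Secret manifest, ready for "kubectl apply -f -".
# The data value is the base64 of the JSON above (Secret data is always base64).
render_pull_secret() {
  name="$1"; namespace="$2"; registry="$3"; user="$4"; password="$5"
  cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: ${name}
  namespace: ${namespace}
type: kubernetes.io/dockerconfigjson
data:
  .dockerconfigjson: $(b64 "$(build_dockerconfigjson "$registry" "$user" "$password")")
EOF
}

# Pods must reference the secret, either directly in the pod spec
#   spec.imagePullSecrets: [{name: regcred}]
# or through the namespace's default ServiceAccount:
#   kubectl patch serviceaccount default -n apps -p '{"imagePullSecrets":[{"name":"regcred"}]}'
# The equivalent kubectl shortcut for creating the secret is:
#   kubectl create secret docker-registry regcred -n apps --docker-server=... \
#     --docker-username=... --docker-password=...

render_pull_secret regcred apps registry.example.internal deployer 'constructed-password'
```

Keep the password out of shell history and CI logs: pass it through an environment variable or a file rather than on the command line.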
AWS ECR
AWS ECR (Elastic Container Registry) is supported as your air-gapped image registry or a non-air-gapped registry mirror. DKP added support for using AWS ECR as a default registry when uploading image bundles in AWS.
Prerequisites
Ensure you have followed the steps to create proper permissions in Minimal Permissions and Role to Create Clusters
Ensure you have created Cluster IAM Policies, Roles, and Artifacts
Upload the Air-gapped Image Bundle to the Local ECR Registry:
A cluster administrator uses DKP CLI commands to upload the image bundle to ECR with parameters:
dkp push bundle --bundle <bundle> --to-registry=<ecr-registry-address>/<ecr-registry-name>
Parameter definitions:
--bundle <bundle>
the group of images to push; the example below uses the DKP air-gapped environment bundle
--to-registry=<ecr-registry-address>/<ecr-registry-name>
the registry location to push to
An example command would be:
dkp push bundle --bundle container-images/konvoy-image-bundle-v2.6.2.tar --to-registry=333000009999.dkr.ecr.us-west-2.amazonaws.com/can-test
Air-gapped Environment Information regarding your AWS ECR Account
The cluster administrator uses the existing DKP CLI commands to create the cluster and points it at the internal ECR as the image repository. The administrator does not need to provide static ECR registry credentials. See Use a Registry Mirror and Create an EKS Cluster from the CLI for more details.
JFrog Artifactory
JFrog Artifactory can function as a container registry, as well as an automated management tool for binaries and artifacts of all types. If you use JFrog Artifactory or JFrog Container Registry, you must update to a new version of the software. Use a build newer than version 7.11; older versions are not compatible.
Nexus Registry
Nexus Repository is a package registry for your Docker images and Helm Chart repositories and supports Proxy, Hosted, and Group repositories. It can be used as a single registry for all your Kubernetes deployments.
Harbor Registry
Install Harbor and configure any HTTP access required, as well as the system-level parameters in the harbor.yml file. Then run the installer script. If you are upgrading from a previous version of Harbor, you must update the configuration file and migrate your data to fit the database schema of the later version. For information about upgrading, see Upgrading Harbor. Harbor Registry versions newer than v2.1.1-5f52168e support OCI images.
While seeding the registry, you may see error messages such as the following:
2023/09/12 20:01:18 retrying without mount: POST https://harbor-registry.daclusta/v2/harbor-registry/mesosphere/kube-proxy/blobs/uploads/?from=mesosphere%2Fkube-proxy&mount=sha256%3A9fd5070b83085808ed850ff84acc98a116e839cd5dcfefa12f2906b7d9c6e50d&origin=REDACTED: UNAUTHORIZED: project not found, name: mesosphere: project not found, name: mesosphere
This appears to indicate that the image was not pushed to your Harbor registry, but it is a false-positive error message. It only affects versions of the DKP binary newer than DKP 2.4.0, and it does not affect other local registry solutions such as Nexus or Artifactory. You can safely ignore these error messages.
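The message is the client reporting that a cross-repository blob mount (from the source repository named in the from= parameter) was refused and that it is retrying with a plain upload. Rather than taking the false positive on trust, the added example below (not code from the DKP documentation) pulls the repository and digest out of such a line and checks against the registry's v2 API whether the blob and the tagged manifest are really present. HARBOR_REGISTRY, HARBOR_USER, HARBOR_PASSWORD and IMAGE_TAG are assumed environment variables; the registry host and digest in the sample line are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the DKP documentation: verify an image after a
# "retrying without mount" message. HARBOR_REGISTRY, HARBOR_USER, HARBOR_PASSWORD
# and IMAGE_TAG are assumed environment variables; the digest is a placeholder.

# Extract "<project>/<repo>" and "sha256:<hex>" from a "retrying without mount" line.
parse_mount_retry_line() {
  line="$1"
  repo=$(printf '%s' "$line" | sed -n 's#.*/v2/\([^ ]*\)/blobs/uploads/.*#\1#p')
  digest=$(printf '%s' "$line" | sed -n 's#.*mount=sha256%3A\([0-9a-f]*\).*#sha256:\1#p')
  [ -n "$repo" ] && [ -n "$digest" ] || return 1
  printf '%s %s\n' "$repo" "$digest"
}

# HEAD the blob: 200 means the layer is present in the target repository,
# 404 means the upload genuinely failed. Prints the HTTP status code.
check_blob_present() {
  curl -sS -o /dev/null -w '%{http_code}' -I -u "${HARBOR_USER}:${HARBOR_PASSWORD}" \
    "https://$1/v2/$2/blobs/$3"
}

# HEAD the manifest by tag; the Accept header covers OCI and Docker manifest types.
check_manifest_present() {
  curl -sS -o /dev/null -w '%{http_code}' -I -u "${HARBOR_USER}:${HARBOR_PASSWORD}" \
    -H 'Accept: application/vnd.oci.image.manifest.v1+json, application/vnd.oci.image.index.v1+json, application/vnd.docker.distribution.manifest.v2+json, application/vnd.docker.distribution.manifest.list.v2+json' \
    "https://$1/v2/$2/manifests/$3"
}

# Constructed sample line modelled on the message above, with a placeholder digest.
DIGEST_HEX=$(printf '%064d' 0)
SAMPLE="2023/09/12 20:01:18 retrying without mount: POST https://harbor.example.internal/v2/harbor-registry/mesosphere/kube-proxy/blobs/uploads/?from=mesosphere%2Fkube-proxy&mount=sha256%3A${DIGEST_HEX}&origin=REDACTED: UNAUTHORIZED: project not found, name: mesosphere"

# Only talk to a registry when one is configured; the parsing runs regardless.
if [ -n "${HARBOR_REGISTRY:-}" ]; then
  set -- $(parse_mount_retry_line "$SAMPLE")
  printf 'blob %s in %s: HTTP %s\n' "$2" "$1" "$(check_blob_present "$HARBOR_REGISTRY" "$1" "$2")"
  printf 'manifest %s:%s: HTTP %s\n' "$1" "${IMAGE_TAG:-placeholder-tag}" \
    "$(check_manifest_present "$HARBOR_REGISTRY" "$1" "${IMAGE_TAG:-placeholder-tag}")"
else
  parse_mount_retry_line "$SAMPLE"
fi
```

A 200 on the manifest HEAD is the check that matters: the blob can exist while the image tag was never written, so confirm both before treating the seed as complete.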
Bastion Host
If you have not set up a Bastion Host yet, refer to that section of the documentation.
Registry Mirror
If you need to set up a private registry with a registry mirror, see this page for details on using that flag.