Mirror every image surface before you call the environment disconnected-ready.
An air-gapped or private-registry deployment is not just one image override. The operator image, the default OpenBao workload image, and the helper executors for init, backup, and upgrade each have their own source of truth. Use this page to make those defaults explicit before you need to promote clusters through a disconnected path.
## Decision matrix: plan every image surface explicitly
| Surface | Defaults from | Override it here | Watch for |
|---|---|---|---|
| Operator controller and provisioner images | The Helm chart image values used during installation. | Set `image.repository`, `image.tag`, and install-level `imagePullSecrets` on the chart. | In multi-tenant mode, both controller and provisioner deployments must be able to pull from the mirrored registry. |
| Default OpenBao workload image | The cluster version plus the `RELATED_IMAGE_OPENBAO` repository default. | Set the repository default on the operator install or set `spec.image` per cluster. | If `spec.image` is omitted, the operator still derives the final image from `spec.version` and the mirrored repository default. |
| Helper executor images | The `OPERATOR_INIT_IMAGE_REPOSITORY`, `OPERATOR_BACKUP_IMAGE_REPOSITORY`, and `OPERATOR_UPGRADE_IMAGE_REPOSITORY` defaults. | Set install-wide defaults or override `spec.initContainer.image`, `spec.backup.image`, and `spec.upgrade.image` per cluster. | Restore jobs use their own image surface in the restore workflow and should be reviewed there before a DR event. |
| Registry authentication | The operator install uses chart-level `imagePullSecrets`; each cluster uses `spec.imagePullSecrets`. | Create Docker registry Secrets in the namespace that will pull the images. | Do not assume the operator namespace and tenant namespaces can share pull secrets implicitly. |
## Set install-wide defaults

Configure: install the operator with mirrored image defaults

```yaml
image:
  repository: my-registry.corp/openbao-operator
  tag: "<operator-version>"
imagePullSecrets:
  - name: operator-registry-creds
controller:
  extraEnv:
    - name: RELATED_IMAGE_OPENBAO
      value: "my-registry.corp/openbao/openbao"
    - name: OPERATOR_INIT_IMAGE_REPOSITORY
      value: "my-registry.corp/openbao-init"
    - name: OPERATOR_BACKUP_IMAGE_REPOSITORY
      value: "my-registry.corp/openbao-backup"
    - name: OPERATOR_UPGRADE_IMAGE_REPOSITORY
      value: "my-registry.corp/openbao-upgrade"
provisioner:
  extraEnv:
    - name: RELATED_IMAGE_OPENBAO
      value: "my-registry.corp/openbao/openbao"
    - name: OPERATOR_INIT_IMAGE_REPOSITORY
      value: "my-registry.corp/openbao-init"
    - name: OPERATOR_BACKUP_IMAGE_REPOSITORY
      value: "my-registry.corp/openbao-backup"
    - name: OPERATOR_UPGRADE_IMAGE_REPOSITORY
      value: "my-registry.corp/openbao-upgrade"
```
In multi-tenant mode, keep the controller and provisioner defaults aligned so both reconciler paths resolve helper images from the same mirrored repositories.
Use the same released operator version for the controller, provisioner, init, backup, and upgrade images. For example, once `0.1.0` is published, mirror and pin `0.1.0` consistently instead of mixing tags or treating the `next` tag as an artifact reference.
Install-wide defaults are the safest starting point, but they do not replace cluster-level overrides when a specific OpenBaoCluster needs a different tag, mirror, or promotion cadence.
## Override images per cluster

Configure: override mirrored workload images per cluster

```yaml
apiVersion: openbao.org/v1alpha1
kind: OpenBaoCluster
metadata:
  name: prod-cluster
  namespace: openbao
spec:
  version: "2.5.0"
  image: "my-registry.corp/openbao/openbao:2.5.0"
  imagePullSecrets:
    - name: cluster-registry-creds
  initContainer:
    image: "my-registry.corp/openbao-init:<operator-version>"
  backup:
    image: "my-registry.corp/openbao-backup:<operator-version>"
  upgrade:
    image: "my-registry.corp/openbao-upgrade:<operator-version>"
```
Set explicit per-cluster images when the registry path or promotion cadence differs from the install-wide defaults. Otherwise, let the operator derive them from the mirrored repositories and the requested version.
Apply: create the pull secret in the tenant namespace

```shell
kubectl create secret docker-registry cluster-registry-creds \
  --namespace openbao \
  --docker-server=my-registry.corp \
  --docker-username=<user> \
  --docker-password=<password>
```
The Secret must exist in the same namespace as the OpenBaoCluster that references it.
## Reference table: disconnected-environment checks
| Check | What good looks like | Why it matters |
|---|---|---|
| Every runtime image is mirrored | Operator, OpenBao, init, backup, and upgrade images exist in the internal registry before install or rollout. | A cluster that relies on public registry fallback is not disconnected-ready, even if the main OpenBao image is mirrored. |
| Pull secrets exist in every runtime namespace | The operator namespace and every tenant namespace that runs workloads have the correct registry credential Secret. | Install success does not imply workload success. Clusters can still fail to reconcile when the tenant namespace lacks the pull secret. |
| Version and tag promotion is explicit | Image tags and repository mirrors are tracked as part of the release process. | Disconnected environments make silent tag drift harder to notice and more painful to debug later. |
This page explains where images come from and how they are pulled. Signature verification, digest pinning, and trust roots are handled in the supply-chain security model, not by the mirror configuration alone.
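The decision matrix and the checks table above describe rules that are easy to get wrong by hand, so here is an added example (not code from the OpenBao operator project or from this page) that applies them offline in POSIX shell. It resolves the effective image for each of the four per-cluster surfaces the way the matrix describes (an explicit `spec.*` image wins; otherwise the repository default plus a tag: `spec.version` for the workload, the operator release for the helper executors), flags any surface that would be pulled from outside the mirror, and reports pull secrets that do not exist in the namespace that needs them. The install-wide defaults, the operator version `0.1.0`, the `openbao-system` operator namespace, the Secret inventory and the `registry.example.invalid` override are constructed sample data; the functions themselves are this example's own, not an operator API.

```shell
#!/bin/sh
# Added example: offline disconnected-readiness checks for one OpenBaoCluster.
# All values below are constructed sample data mirroring the page's Helm extraEnv.
RELATED_IMAGE_OPENBAO="my-registry.corp/openbao/openbao"
OPERATOR_INIT_IMAGE_REPOSITORY="my-registry.corp/openbao-init"
OPERATOR_BACKUP_IMAGE_REPOSITORY="my-registry.corp/openbao-backup"
OPERATOR_UPGRADE_IMAGE_REPOSITORY="my-registry.corp/openbao-upgrade"
OPERATOR_VERSION="0.1.0"   # helper executors are pinned to the operator release

# Constructed inventory of Secrets that exist, one "namespace name" per line.
# On a real cluster this is what a `kubectl get secret -A` listing would give you.
EXISTING_SECRETS="openbao-system operator-registry-creds
openbao cluster-registry-creds"

# resolve_image EXPLICIT REPO TAG
# An explicit spec.* image wins; otherwise derive "REPO:TAG" from the default.
resolve_image() {
  if [ -n "$1" ]; then printf '%s\n' "$1"; else printf '%s:%s\n' "$2" "$3"; fi
}

# effective_images VERSION [IMAGE] [INIT_IMAGE] [BACKUP_IMAGE] [UPGRADE_IMAGE]
# Prints one "surface image" line for each image surface of the cluster.
effective_images() {
  printf 'openbao %s\n' "$(resolve_image "$2" "$RELATED_IMAGE_OPENBAO" "$1")"
  printf 'init %s\n'    "$(resolve_image "$3" "$OPERATOR_INIT_IMAGE_REPOSITORY" "$OPERATOR_VERSION")"
  printf 'backup %s\n'  "$(resolve_image "$4" "$OPERATOR_BACKUP_IMAGE_REPOSITORY" "$OPERATOR_VERSION")"
  printf 'upgrade %s\n' "$(resolve_image "$5" "$OPERATOR_UPGRADE_IMAGE_REPOSITORY" "$OPERATOR_VERSION")"
}

# unmirrored MIRROR_HOST  (reads "surface image" lines on stdin)
# Prints every surface whose image is not served from MIRROR_HOST; exits 1 if any.
unmirrored() {
  awk -v host="$1" '
    index($2, host "/") != 1 { print $1 " " $2; bad = 1 }
    END { if (bad) exit 1 }'
}

# missing_pull_secrets NAMESPACE NAME...
# Prints each referenced pull secret that does not exist in NAMESPACE; exits 1 if any.
# A Secret in the operator namespace does not count: it must live in NAMESPACE itself.
missing_pull_secrets() {
  ns="$1"; shift; rc=0
  for name in "$@"; do
    if ! printf '%s\n' "$EXISTING_SECRETS" | grep -qxF "$ns $name"; then
      printf '%s/%s\n' "$ns" "$name"; rc=1
    fi
  done
  return $rc
}

# Stand-alone demo: prod-cluster on derived defaults, then the same cluster with
# a constructed backup override that points outside the mirror.
echo "== prod-cluster (derived images)"
effective_images "2.5.0"
effective_images "2.5.0" | unmirrored "my-registry.corp" && echo "all surfaces mirrored"
echo "== prod-cluster with an unmirrored backup override"
effective_images "2.5.0" "" "" "registry.example.invalid/openbao-backup:0.1.0" \
  | unmirrored "my-registry.corp" || echo "NOT disconnected-ready: surfaces above fall outside the mirror"
echo "== pull secrets"
missing_pull_secrets "openbao" "cluster-registry-creds" && echo "openbao: pull secret present"
missing_pull_secrets "tenant-b" "cluster-registry-creds" || echo "tenant-b: pull secret missing (listed above)"
```

The backup override case is the one the checks table warns about: the main OpenBao image is mirrored, yet the cluster is not disconnected-ready because one helper surface still resolves to an outside registry. The pull-secret check deliberately ignores the operator namespace's Secret when checking a tenant namespace, which is the implicit-sharing trap from the decision matrix.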