Sync container images to your registry v1.3.3
The Hybrid Manager software stack is distributed through the EDB Repos 2.0 registry. Before installing or upgrading Hybrid Manager, you need to sync these container images to your own secure, approved internal registry.
Why sync images?
The sync process ensures:
- Security — Images are hosted in your organization's approved registry
- Immutability — SHA256 digests are preserved across environments
- Compliance — You control where container images are stored
- Availability — Images remain accessible even if external registries are unavailable
Prerequisites
Before syncing images, ensure you have:
- The Hybrid Manager version you want to install
- An EDB Repos 2.0 access token with read permissions
- Access to your destination container registry with push permissions
- Either edbctl or skopeo installed on your system
Option 1: Using edbctl (Recommended)
edbctl is the CLI tool for managing Hybrid Manager resources and provides the simplest way to sync images.
Install edbctl
Before using edbctl, you need to install it on your system. See the edbctl installation guide for detailed instructions on how to install and configure the CLI tool.
Sync platform images
Configure the required environment variables and run the sync command:
```shell
# Configure the HM release version
export HM_RELEASE=<RELEASE_VERSION>

# Configure the EDB Repos 2.0 access token
export EDB_TOKEN=<EDB_TOKEN>

# Configure the EDB Repos 2.0 registry source
export EDB_SOURCE_REGISTRY=pgai-platform

# Run the sync-to-local-registry command
edbctl image sync-to-local-registry \
  --destination-registry-uri "<LOCAL_REGISTRY_URI>" \
  --version "${HM_RELEASE}" \
  --source-registry-username "${EDB_SOURCE_REGISTRY}" \
  --source-registry-password "${EDB_TOKEN}" \
  --destination-registry-username "<LOCAL_REGISTRY_USER>" \
  --destination-registry-password "<LOCAL_REGISTRY_PWD>"
```
Replace the placeholders:
- <RELEASE_VERSION>: The HM version (e.g., v1.3.2)
- <EDB_TOKEN>: Your EDB Repos 2.0 access token
- <LOCAL_REGISTRY_URI>: Your destination registry URI
- <LOCAL_REGISTRY_USER>: Username for your destination registry
- <LOCAL_REGISTRY_PWD>: Password for your destination registry
Sync the Operator image
```shell
# Sync the HM Operator image
edbctl operator sync-to-local-registry \
  --destination-registry-uri "<LOCAL_REGISTRY_URI>" \
  --version "${HM_RELEASE}" \
  --source-registry-username "${EDB_SOURCE_REGISTRY}" \
  --source-registry-password "${EDB_TOKEN}" \
  --destination-registry-username "<LOCAL_REGISTRY_USER>" \
  --destination-registry-password "<LOCAL_REGISTRY_PWD>"
```
Option 2: Using skopeo
Skopeo is an open-source tool for working with container images. You can use it to sync images if you prefer not to use edbctl.
Install skopeo
Follow the official skopeo installation instructions for your operating system.
Download the image list
Each Hybrid Manager release provides an artifact containing the list of all required container images:
```shell
# Configure the HM release version
export HM_RELEASE=<RELEASE_VERSION>

# Configure the EDB Repos 2.0 access token
export EDB_TOKEN=<EDB_TOKEN>

# Download the image list artifact
curl -sLO "https://downloads.enterprisedb.com/${EDB_TOKEN}/pgai-platform/raw/names/${HM_RELEASE}-images.txt/versions/${HM_RELEASE}/images.txt"
```
Authenticate to registries
```shell
# Configure registries
export EDB_SOURCE_REGISTRY=docker.enterprisedb.com/pgai-platform
export LOCAL_REGISTRY_URI=<LOCAL_REGISTRY_ADDRESS>

# Login to EDB Repos 2.0 source registry
skopeo login docker.enterprisedb.com

# Login to destination registry
skopeo login <LOCAL_REGISTRY_ADDRESS>
```
Sync all images
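```shell
# Parse the image list and sync each image.
# The bash expansion ${image/:*@/@} drops the tag, so each image is copied
# by digest (name@sha256:...) rather than by a mutable tag.
while read -r image; do
  skopeo --override-os linux copy \
    --multi-arch all \
    "docker://${EDB_SOURCE_REGISTRY}/${image/:*@/@}" \
    "docker://${LOCAL_REGISTRY_URI}/${image/:*@/@}" \
    --retry-times 3
done < images.txt
```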
Sync the Operator image
```shell
# Sync the HM Operator image
skopeo --override-os linux copy \
  --multi-arch all \
  "docker://${EDB_SOURCE_REGISTRY}/edb-hcp-operator/manager:${HM_RELEASE}" \
  "docker://${LOCAL_REGISTRY_URI}/edb-hcp-operator/manager:${HM_RELEASE}" \
  --retry-times 3
```
Note
The sync process typically takes several minutes to complete depending on your network speed and the number of images in the release.
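To check after a sync that the SHA256 digests really were preserved, the following added example (not part of EDB's documentation or tooling) compares each digest in images.txt with the digest your destination registry serves. It assumes each line has the form name[:tag]@sha256:<hex>, as the ${image/:*@/@} expansion in the sync loop implies; the function names are this example's own.

```shell
#!/bin/sh
# Added example, not EDB tooling. Assumes images.txt lines look like
# "name[:tag]@sha256:<64 hex>" (inferred from the sync loop's expansion).

# digest_ref LINE: print "name@sha256:<hex>", or return 1 when the line carries
# no well-formed digest (a tag-only entry is mutable and cannot be verified).
digest_ref() {
    case $1 in *@sha256:*) ;; *) return 1 ;; esac
    dr_name=${1%%@*}
    dr_hex=${1##*@sha256:}
    [ "${#dr_hex}" -eq 64 ] || return 1
    case $dr_hex in *[!0-9a-f]*) return 1 ;; esac
    # Drop the tag only when the last path component has one.
    case ${dr_name##*/} in *:*) dr_name=${dr_name%:*} ;; esac
    printf '%s@sha256:%s\n' "$dr_name" "$dr_hex"
}

# remote_digest REF: digest of the manifest the registry serves for REF.
# Needs skopeo and a prior `skopeo login` to the destination registry.
# stdin is detached so the call cannot swallow the list being read.
remote_digest() {
    skopeo --override-os linux inspect --format '{{.Digest}}' \
        "docker://$1" </dev/null
}

# verify_list FILE REGISTRY: report every entry that is unpinned, missing, or
# served under a different digest; return 1 if anything was reported.
verify_list() {
    vl_bad=0
    while IFS= read -r vl_line || [ -n "$vl_line" ]; do
        [ -n "$vl_line" ] || continue
        if ! vl_ref=$(digest_ref "$vl_line"); then
            echo "UNPINNED $vl_line"; vl_bad=1; continue
        fi
        vl_want=${vl_ref##*@}
        vl_got=$(remote_digest "$2/$vl_ref" 2>/dev/null) || vl_got=unavailable
        if [ "$vl_got" != "$vl_want" ]; then
            echo "MISMATCH $vl_ref got=$vl_got"; vl_bad=1
        fi
    done < "$1"
    return "$vl_bad"
}

# Usage: sh verify-sync.sh images.txt "$LOCAL_REGISTRY_URI"
if [ "$#" -eq 2 ]; then verify_list "$1" "$2"; fi
```

A non-zero exit status means at least one image is missing from the destination, is served under a different digest, or was listed without a digest at all.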
Platform-specific notes
AWS ECR
If you use AWS ECR as your destination registry, you must create a separate repository for each image, because ECR doesn't allow images with multiple slashes in their names to be stored in the same repository.
When you run the sync command with edbctl, it will detect ECR and prompt for confirmation, then provide a code snippet with AWS CLI commands to pre-create all required repositories.
For authentication, use:
```shell
--destination-registry-username "AWS" \
--destination-registry-password "$(aws ecr get-login-password --region ${AWS_REGION})"
```
See the AWS ECR documentation for more details.
GCP Artifact Registry
For GCP Artifact Registry authentication, use:
```shell
--destination-registry-username "_json_key" \
--destination-registry-password "$(cat ~/gcp-service-account-key.json)"
```
Red Hat Quay / OpenShift
Standard username and password or token authentication is supported. For OpenShift internal registry, ensure you have the proper service account tokens configured.
Next steps
After syncing the container images to your private registry:
Update your Helm chart values.yaml to point to your registry:

```yaml
containerRegistryURL: "<your-local-container-registry-url>"
```
Proceed with the Hybrid Manager installation for your platform: