Helm Chart Container Images

This guide explains how to list the container images an on-prem deployment pulls and mirror them into a private registry for air-gapped or network-restricted environments.

info

No image catalog is maintained on this page — the Helm chart is the single source of truth. Run list-onprem-images.sh against your values files to get the exact name:tag references your deployment will pull. Exact tags vary per release.

Mirror Images to a Private Registry

For air-gapped or restricted environments, generate the image list, copy each image to your registry, and point the chart at it with a single value.

Prerequisites

  • A private container registry accessible from your Kubernetes cluster
  • helm 3.x and docker installed on the workstation that will mirror the images
  • Credentials for both registries:
    • Source — the Google Artifact Registry service-account key (artifact-key.json) provided by Zipstack
    • Destination — credentials with push access to your private registry

Step 1: Generate the Image List

Download the helper script and run it against your values files. It renders the chart with helm template and writes the complete name:tag list for your deployment.

curl -fsSLO https://docs.unstract.com/unstract/files/list-onprem-images.sh
chmod +x list-onprem-images.sh

Air-gapped installs

The script is fetched over the network from docs.unstract.com. Download it during your initial internet-connected staging session — the same one where you mirror the images and pull the chart — before the environment is sealed. Once you have the script and images.txt, the rest of the workflow runs offline.

# Unstract Platform images (includes the operator images it needs)
./list-onprem-images.sh unstract \
  -c oci://us-central1-docker.pkg.dev/pandoras-tamer/charts/unstract-platform \
  -v <chart-version> \
  -f on-prem.values.yaml \
  -o images.txt

# Include HA-only images (Redis Sentinel, MinIO Tenant) by passing the same
# overlay you deploy with
./list-onprem-images.sh unstract \
  -c oci://us-central1-docker.pkg.dev/pandoras-tamer/charts/unstract-platform \
  -v <chart-version> \
  -f on-prem.values.yaml -f values-multi-az.yaml -o images.txt

The same script serves LLMWhisperer (llmwhisperer target) and can emit just the cluster-scoped operator images (operators target). Run ./list-onprem-images.sh --help for all options.

Step 2: Authenticate with Both Registries

Log in to the source registry (to pull) and your destination registry (to push).

# Source (Unstract) registry, using the service-account key from Zipstack
cat artifact-key.json | docker login -u _json_key --password-stdin https://us-central1-docker.pkg.dev/

# Your private registry
docker login my-private-registry.example.com

Step 3: Mirror Images

Pull every image in images.txt and push it under your registry, preserving the final image name so the push path matches what the chart pulls.

PRIVATE_REGISTRY="my-private-registry.example.com/unstract"

while IFS= read -r img; do
  # Skip comment lines and blank lines
  [[ "$img" =~ ^#.*$ || -z "$img" ]] && continue
  target="${PRIVATE_REGISTRY}/${img##*/}"
  docker pull "$img"
  docker tag "$img" "$target"
  docker push "$target"
done < images.txt

note

The MinIO HA Tenant image uses a RELEASE.YYYY-MM-DDTHH-MM-SSZ tag rather than a semver tag — it is mirrored like any other line in images.txt, but keep the exact tag when you reference it in your values.

Step 4: Redirect the Chart to Your Registry

A single global.image.registry value redirects all chart images — core services, infrastructure (Redis, MinIO, PgBouncer, RabbitMQ, LibreOffice), init containers, and the tool-structure / tool-sidecar runtime images. Set it in the same on-prem values file you already deploy with: sample.on-prem.values.yaml for Unstract (sample.onprem.values.yaml for LLMWhisperer). No separate override file is needed:

global:
  image:
    # Redirects every chart image to your registry
    registry: my-private-registry.example.com/unstract
    # Optional: pin one tag for all Unstract-owned services
    # tag: "<UNSTRACT_APPS_VERSION>"

  # Uncomment if your private registry requires authentication (see Step 5):
  # imagePullSecrets:
  #   - name: your-registry-secret

info

Not covered by global.image.registry:

  • Runtime classifier/extractor tools (unstract/tool-classifier, unstract/tool-text-extractor) — pulled from Docker Hub. Mirror them (they appear in images.txt) and redirect the runner separately.
  • Operator images — redirected where each operator is installed, not via this value. See Operator Images.

Step 5: Create Image Pull Secret (if required)

If your private registry requires authentication:

kubectl create secret docker-registry your-registry-secret \
  --namespace unstract \
  --docker-server=my-private-registry.example.com \
  --docker-username=<username> \
  --docker-password=<password>

Then uncomment the global.imagePullSecrets section in your on-prem values file.

Step 6: Deploy

Deploy as usual — global.image.registry is already set in your on-prem values file, so no extra flag is required:

helm upgrade --install unstract-platform \
  oci://us-central1-docker.pkg.dev/pandoras-tamer/charts/unstract-platform \
  --version <chart-version> \
  -f on-prem.values.yaml \
  -f on-prem.secret.yaml \
  -n unstract
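
Added example, not part of the original guide or the chart's tooling: a pre-flight check for images.txt to run before the Step 3 loop. Step 3 keeps only the final name:tag of each reference, so the check flags two different sources that would land on the same target in your registry, and references with no tag or with latest. The function names and the sample list are constructed for illustration.

```shell
#!/bin/sh
# Pre-flight check for images.txt before the Step 3 mirror loop.
# Added example: function names and the sample list are hypothetical.

# Same mapping as Step 3: keep only the final name:tag component.
mirror_target() {   # usage: mirror_target <private-registry> <image-ref>
  printf '%s/%s\n' "$1" "${2##*/}"
}

# Print one finding per line; return 1 if any finding was printed.
# Pass "-" as the file to read the list from stdin.
check_image_list() {   # usage: check_image_list <images.txt|-> <private-registry>
  awk -v reg="$2" '
    /^#/ || /^[ \t]*$/ { next }              # skip comments and blank lines
    {
      n = split($0, part, "/"); leaf = part[n]
      # No tag, or :latest, means the mirrored content is not pinned.
      if (leaf !~ /:/ || leaf ~ /:latest$/) { print "FLOATING " $0; bad = 1 }
      target = reg "/" leaf
      # Two different sources mapping to one target: second push overwrites.
      if ((target in seen) && seen[target] != $0) {
        print "COLLISION " target " <- " seen[target] " and " $0; bad = 1
      } else {
        seen[target] = $0
      }
    }
    END { exit bad + 0 }
  ' "$1"
}

# Constructed sample input (not real output of list-onprem-images.sh).
sample_images() {
  cat <<'EOF'
# constructed sample list
docker.io/rabbitmqoperator/cluster-operator:2.11.0
quay.io/minio/operator:v7.1.1
registry-a.example.com/team-a/worker:1.0
registry-b.example.com/team-b/worker:1.0
docker.io/library/python
EOF
}

sample_images | check_image_list - my-private-registry.example.com/unstract \
  || echo "fix images.txt before running the Step 3 loop" >&2
```

Against a real list, call check_image_list images.txt "$PRIVATE_REGISTRY" and start mirroring only when it prints nothing and returns 0.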

Operator Images (Out-of-Chart)

The MinIO and RabbitMQ operators are installed outside the Unstract Platform chart (separate upstream chart / manifest), so they are not redirected by global.image.registry. The unstract target already appends them to images.txt, but you must redirect them where each operator is installed.

To list only the operator images (no chart render or helm needed), use the operators target:

./list-onprem-images.sh operators
# Cluster-scoped operator images to mirror (installed outside the product charts)
# rabbitmq = both products | minio* = Unstract MinIO HA only

docker.io/rabbitmqoperator/cluster-operator:2.11.0
quay.io/minio/operator-sidecar:v7.0.1
quay.io/minio/operator:v7.1.1

Override the pinned versions to match what you install with --rabbitmq-operator-version / --minio-operator-version / --minio-sidecar-version. The MinIO operator images are only needed for MinIO HA; the RabbitMQ operator applies to every deployment.

note

The MinIO operator and its tenant sidecar are versioned independently — the operator chart ships quay.io/minio/operator:v7.1.1 but injects quay.io/minio/operator-sidecar:v7.0.1 onto Tenant pods (the chart leaves operator.sidecarImage empty, so the operator falls back to its compiled-in default sidecar tag, which lags the operator; there is no operator-sidecar:v7.1.1 published). If you override operator.sidecarImage.tag at install time, pass the same tag to --minio-sidecar-version so the mirror matches.

How each operator image is redirected to a private registry:

  • MinIO Operator is a Helm chart, so its images are redirected with --set operator.image.* / operator.sidecarImage.* at install time — see Override the MinIO Operator Image.
  • RabbitMQ Cluster Operator is installed once per cluster as part of the required LLMWhisperer prerequisite setup (not a separate Unstract step). It is a raw manifest, so its image is redirected by editing the manifest, not a --set — see Deploy RabbitMQ Operator in the LLMWhisperer deployment guide. Its rabbitmq broker image (rendered by the chart) follows global.image.registry and is already mirrored.

Registry Domains to Whitelist

If your network uses egress filtering, ensure these domains are reachable from your Kubernetes nodes (and from the workstation running Helm):

| Domain | Purpose |
| --- | --- |
| us-central1-docker.pkg.dev | Unstract container images and Helm chart OCI registry |
| docker.io | Python utility image and the unstract/tool-classifier / unstract/tool-text-extractor runtime tools |
| quay.io | MinIO Operator controller + sidecar images (MinIO HA only) |
| github.com | RabbitMQ Cluster Operator manifest (cluster-operator.yml) |
| downloads.unstructured.io | Unstructured API image (only if enabled) |