Helm Chart Container Images
This guide explains how to list the container images an on-prem deployment pulls and mirror them into a private registry for air-gapped or network-restricted environments.
No image catalog is maintained on this page — the Helm chart is the single source
of truth. Run list-onprem-images.sh against
your values files to get the exact name:tag references your deployment will
pull. Exact tags vary per release.
Mirror Images to a Private Registry
For air-gapped or restricted environments, generate the image list, copy each image to your registry, and point the chart at it with a single value.
Prerequisites
- A private container registry accessible from your Kubernetes cluster
- helm 3.x and docker installed on the workstation that will mirror the images
- Credentials for both registries:
  - Source — the Google Artifact Registry service-account key (artifact-key.json) provided by Zipstack
  - Destination — credentials with push access to your private registry
Step 1: Generate the Image List
Download the helper script and run it against your values files. It renders the
chart with helm template and writes the complete name:tag list for your
deployment.
curl -fsSLO https://docs.unstract.com/unstract/files/list-onprem-images.sh
chmod +x list-onprem-images.sh
The script is fetched over the network from docs.unstract.com. Download it during
your initial internet-connected staging session — the same one where you mirror
the images and pull the chart — before the environment is sealed. Once you have the
script and images.txt, the rest of the workflow runs offline.
# Unstract Platform images (includes the operator images it needs)
./list-onprem-images.sh unstract \
-c oci://us-central1-docker.pkg.dev/pandoras-tamer/charts/unstract-platform \
-v <chart-version> \
-f on-prem.values.yaml \
-o images.txt
# Include HA-only images (Redis Sentinel, MinIO Tenant) by passing the same
# overlay you deploy with
./list-onprem-images.sh unstract \
-c oci://us-central1-docker.pkg.dev/pandoras-tamer/charts/unstract-platform \
-v <chart-version> \
-f on-prem.values.yaml -f values-multi-az.yaml -o images.txt
The same script serves LLMWhisperer (llmwhisperer target) and can emit just the
cluster-scoped operator images (operators target). Run ./list-onprem-images.sh --help
for all options.
Step 2: Authenticate with Both Registries
Log in to the source registry (to pull) and your destination registry (to push).
# Source (Unstract) registry, using the service-account key from Zipstack
cat artifact-key.json | docker login -u _json_key --password-stdin https://us-central1-docker.pkg.dev/
# Your private registry
docker login my-private-registry.example.com
Step 3: Mirror Images
Pull every image in images.txt and push it under your registry, preserving the
final image name so the push path matches what the chart pulls.
PRIVATE_REGISTRY="my-private-registry.example.com/unstract"
while IFS= read -r img; do
  [[ "$img" =~ ^#.*$ || -z "$img" ]] && continue
  target="${PRIVATE_REGISTRY}/${img##*/}"
  docker pull "$img"
  docker tag "$img" "$target"
  docker push "$target"
done < images.txt
The MinIO HA Tenant image uses a RELEASE.YYYY-MM-DDTHH-MM-SSZ tag rather than a
semver tag — it is mirrored like any other line in images.txt, but keep the
exact tag when you reference it in your values.
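A preflight check for the mirror loop above, as an added example (not part of the Unstract documentation or of list-onprem-images.sh). Because `${img##*/}` drops the source registry and repository path, it reports source images that would be pushed to the same target, plus references that carry no tag or digest. The function names are hypothetical and the `registry.example.com` lines in the sample are constructed.

```shell
#!/bin/sh
# Preflight for the Step 3 mirror loop (added example, not the project's code).
# The loop pushes to "$PRIVATE_REGISTRY/${img##*/}", which keeps only the final
# "name:tag" component, so two different sources can overwrite one target.
PRIVATE_REGISTRY="my-private-registry.example.com/unstract"

# Print "source<TAB>target" per image line, skipping comments and blank lines,
# using the same mapping as the mirror loop.
mirror_plan() {
  while IFS= read -r img || [ -n "$img" ]; do
    case "$img" in '#'*|'') continue ;; esac
    printf '%s\t%s\n' "$img" "${PRIVATE_REGISTRY}/${img##*/}"
  done < "$1"
}

# Print each target that more than one distinct source maps to.
mirror_collisions() {
  mirror_plan "$1" | sort -u | awk -F '\t' '
    { n[$2]++; src[$2] = src[$2] " " $1 }
    END { for (t in n) if (n[t] > 1) print t ":" src[t] }' | sort
}

# Print references with no explicit tag or digest (they resolve to "latest").
mirror_unpinned() {
  while IFS= read -r img || [ -n "$img" ]; do
    case "$img" in '#'*|'') continue ;; esac
    case "${img##*/}" in *:*|*@*) ;; *) printf '%s\n' "$img" ;; esac
  done < "$1"
}

# Constructed sample: the three operator references shown on this page plus
# two made-up registry.example.com lines that trigger each check.
sample_images() {
  cat <<'EOF'
# constructed sample images.txt
docker.io/rabbitmqoperator/cluster-operator:2.11.0
quay.io/minio/operator-sidecar:v7.0.1
quay.io/minio/operator:v7.1.1

registry.example.com/other-vendor/operator:v7.1.1
registry.example.com/tools/busybox
EOF
}

tmp=$(mktemp) && sample_images > "$tmp"
mirror_collisions "$tmp"   # targets that would be overwritten
mirror_unpinned "$tmp"     # references without a tag or digest
rm -f "$tmp"
```

Run it against the real images.txt before Step 3; empty output from both checks means every line maps to its own target and is pinned to a tag or digest.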
Step 4: Redirect the Chart to Your Registry
A single global.image.registry value redirects all chart images — core
services, infrastructure (Redis, MinIO, PgBouncer, RabbitMQ, LibreOffice), init
containers, and the tool-structure / tool-sidecar runtime images. Set it in
the same on-prem values file you already deploy with — sample.on-prem.values.yaml
for Unstract (sample.onprem.values.yaml for LLMWhisperer). No separate override
file is needed:
global:
  image:
    # Redirects every chart image to your registry
    registry: my-private-registry.example.com/unstract
    # Optional: pin one tag for all Unstract-owned services
    # tag: "<UNSTRACT_APPS_VERSION>"
  # Uncomment if your private registry requires authentication (see Step 5):
  # imagePullSecrets:
  #   - name: your-registry-secret
Not covered by global.image.registry:
- Runtime classifier/extractor tools (unstract/tool-classifier, unstract/tool-text-extractor) — pulled from Docker Hub. Mirror them (they appear in images.txt) and redirect the runner separately.
- Operator images — redirected where each operator is installed, not via this value. See Operator Images.
Step 5: Create Image Pull Secret (if required)
If your private registry requires authentication:
kubectl create secret docker-registry your-registry-secret \
--namespace unstract \
--docker-server=my-private-registry.example.com \
--docker-username=<username> \
--docker-password=<password>
Then uncomment the global.imagePullSecrets section in your on-prem values file.
Step 6: Deploy
Deploy as usual — global.image.registry is already set in your on-prem values
file, so no extra flag is required:
helm upgrade --install unstract-platform \
oci://us-central1-docker.pkg.dev/pandoras-tamer/charts/unstract-platform \
--version <chart-version> \
-f on-prem.values.yaml \
-f on-prem.secret.yaml \
-n unstract
Operator Images (Out-of-Chart)
The MinIO and RabbitMQ operators are installed outside the Unstract Platform
chart (separate upstream chart / manifest), so they are not redirected by
global.image.registry. The unstract target already appends them to images.txt,
but you must redirect them where each operator is installed.
To list only the operator images (no chart render or helm needed), use the
operators target:
./list-onprem-images.sh operators
# Cluster-scoped operator images to mirror (installed outside the product charts)
# rabbitmq = both products | minio* = Unstract MinIO HA only
docker.io/rabbitmqoperator/cluster-operator:2.11.0
quay.io/minio/operator-sidecar:v7.0.1
quay.io/minio/operator:v7.1.1
Override the pinned versions to match what you install with
--rabbitmq-operator-version / --minio-operator-version /
--minio-sidecar-version. The MinIO operator
images are only needed for MinIO HA; the RabbitMQ
operator applies to every deployment.
The MinIO operator and its tenant sidecar are versioned independently — the
operator chart ships quay.io/minio/operator:v7.1.1 but injects
quay.io/minio/operator-sidecar:v7.0.1 onto Tenant pods (the chart leaves
operator.sidecarImage empty, so the operator falls back to its compiled-in
default sidecar tag, which lags the operator; there is no operator-sidecar:v7.1.1
published). If you override operator.sidecarImage.tag at install time, pass the
same tag to --minio-sidecar-version so the mirror matches.
How each operator image is redirected to a private registry:
- MinIO Operator is a Helm chart, so its images are redirected with
  --set operator.image.* / operator.sidecarImage.* at install time — see Override the MinIO Operator Image.
- RabbitMQ Cluster Operator is installed once per cluster as part of the
  required LLMWhisperer prerequisite setup (not a separate Unstract step). It is a
  raw manifest, so its image is redirected by editing the manifest, not a
  --set — see Deploy RabbitMQ Operator in the LLMWhisperer deployment guide. Its rabbitmq broker image (rendered by the chart) follows global.image.registry and is already mirrored.
Registry Domains to Whitelist
If your network uses egress filtering, ensure these domains are reachable from your Kubernetes nodes (and from the workstation running Helm):
| Domain | Purpose |
|---|---|
| us-central1-docker.pkg.dev | Unstract container images and Helm chart OCI registry |
| docker.io | Python utility image and the unstract/tool-classifier / unstract/tool-text-extractor runtime tools |
| quay.io | MinIO Operator controller + sidecar images (MinIO HA only) |
| github.com | RabbitMQ Cluster Operator manifest (cluster-operator.yml) |
| downloads.unstructured.io | Unstructured API image (only if enabled) |