Ververica Platform Docker Images
For convenience, Ververica hosts a public Docker registry that contains images of all Ververica Platform components. You can either use this registry directly or host the images yourself in a private registry. Please find more details for both options below.
Ververica Platform Public Registry
The registry is hosted at registry.ververica.com, and the images of a particular Ververica Platform version are published under the specific version prefix.
We use the following base images for the Ververica Platform images.
- flink openjdk:8-jre-slim-buster
- vvp-appmanager, vvp-artifact-fetcher, vvp-gateway, vvp-result-fetcher-service openjdk:11-jre-slim-buster
- vvp-ui nginx:latest
For Ververica Platform 2.4, the following images are available and needed to run Ververica Platform.
| Repository | Tag | Additional Tags |
|---|---|---|
| v2.4/vvp-appmanager | 2.4.3 | |
| v2.4/vvp-artifact-fetcher | 2.4.3 | |
| v2.4/vvp-gateway | 2.4.3 | |
| v2.4/vvp-result-fetcher-service | 2.4.3 | |
| v2.4/vvp-ui | 2.4.3 | |
| v2.4/flink | 1.10.3-stream3-scala_2.11 | |
| v2.4/flink | 1.10.3-stream3-scala_2.12 | 1.10, 1.10.3, 1.10.3-stream3 |
| v2.4/flink | 1.11.6-stream2-scala_2.11 | |
| v2.4/flink | 1.11.6-stream2-scala_2.12 | 1.11, 1.11.6, 1.11.6-stream2 |
| v2.4/flink | 1.12.7-stream2-scala_2.11-java8 | |
| v2.4/flink | 1.12.7-stream2-scala_2.12-java8 | 1.12, 1.12.7, 1.12.7-stream2 |
| v2.4/flink | 1.12.7-stream2-scala_2.11-java11 | |
| v2.4/flink | 1.12.7-stream2-scala_2.12-java11 |
The table above lists the most recent releases of our distribution of Apache Flink®. They contain, among others, a fix for the log4j shell vulnerability (see CVE-2021-45046), but were not shipped with a Ververica Platform 2.4 release. However, they can be manually integrated into a Ververica Platform Deployment through the vvp.flinkVersionMetadata Helm chart configuration option. Alternatively, they can be referenced explicitly in the Deployment configuration.
The registry hosted by Ververica is provided without SLA. If you require availability guarantees, you should import the Ververica Platform images into your own registry.
Private Registry
We recommend using a private registry for all Ververica Platform images. The setup consists of two steps.
Mirroring the Images
If you wish to host the Ververica Platform images yourself, you will have to pull, re-tag, and push all of the images listed above.
Below is a snippet demonstrating this for one of the images used by Ververica Platform, just update REGISTRY and IMAGE as necessary.
REGISTRY=registry.acme.inc; \
IMAGE=v2.4/vvp-appmanager:2.4.3; \
docker pull registry.ververica.com/${IMAGE} && \
docker tag registry.ververica.com/${IMAGE} ${REGISTRY}/${IMAGE} && \
docker push ${REGISTRY}/${IMAGE}
These snippets are provided as examples, and may need to be adapted for your particular operating system/environment.
If you're using a private registry that has restricted network access, you may need to be able to fetch the images, move them, and then load them into the target registry. Below is a simple recipe which builds on the one above to accomplish this.
REGISTRY=registry.acme.inc; \
IMAGE=v2.4/vvp-appmanager:2.4.3; \
ARCHIVE=$(echo ${IMAGE} | sed -e 's/.*\///g' -e 's/:/-/g').tar.gz; \
docker pull registry.ververica.com/${IMAGE} && \
docker tag registry.ververica.com/${IMAGE} ${REGISTRY}/${IMAGE} && \
docker save ${REGISTRY}/${IMAGE} | gzip > ${ARCHIVE}
REGISTRY=registry.acme.inc; \
IMAGE=v2.4/vvp-appmanager:2.4.3; \
ARCHIVE=$(echo ${IMAGE} | sed -e 's/.*\///g' -e 's/:/-/g').tar.gz; \
gunzip -c ${ARCHIVE} | docker load && \
docker push ${REGISTRY}/${IMAGE}
These snippets are provided as examples, and may need to be adapted for your particular operating system/environment.
Configuring the Helm Chart
To configure Ververica Platform to use your registry, you point vvp.registry in your Helm values file to your private registry.
vvp:
registry: registry.acme.inc/vvp
If your private Docker registry requires authentication from within Kubernetes, you first need to create a
Kubernetes Secret containing
credentials for your registry in every Kubernetes namespace that the platform uses, i.e. the platform's namespace and all namespaces listed under rbac.additionalNamespaces.
Second, you need to configure Ververica Platform as well as your Deployments to use this secret as an
imagePullSecret for all pods:
-
The Kubernetes service account used by Ververica Platform needs to use your secret as an
imagePullSecret. If you lethelmcreate the service account for you (rbac.create: true), this done by settingrbac.imagePullSecret. If you pass a service account during installation withhelm(rbac.serviceAccountName: <existing-service-account>) this service account needs to use your secret, too. -
For every Apache Flink® Deployment configure your secret as an image pull secret as described in Image Pull Secrets. In order to use this secret as a default for all Deployments, you can use Global Deployment Defaults.