spectrocloud · achuribooks · Jun 25, 2026 · Jun 2, 2026 · Jun 10, 2026 · Jun 17, 2026
@@ -13,6 +13,6 @@ Now that you have installed {props.version}, you can either
         edition={props.edition}
         text="activate your installation"
         url="/activate-installation"
-    /> .     
+    />.     
 
 Beginning with version 4.6.32, once you install {props.version}, you have 30 days to activate it; versions older than 4.6.32 do not need to be activated. During the 30-day trial period, you can use {props.version} without any restrictions. After 30 days, you can continue to use {props.version}, but you cannot deploy additional clusters or perform any day-2 operations on existing clusters until {props.version} is activated. Each installation of {props.version} must be activated separately. We recommend activating {props.version} as soon as possible to avoid any disruptions.
@@ -0,0 +1,28 @@
+---
+partial_category: self-hosted
+partial_name: image-pull-secret-config-not-required
+---
+
+Image pull secrets are managed by Spectro Cloud. While you do not need to configure the pull secret, you must ensure
+that the secret propagates to your workload clusters. This happens automatically unless there are connectivity
+constraints from your workload clusters to the {props.version} management plane.
+
+- **SaaS deployments** - Image pull secrets are managed automatically on the backend. For multi-tenant SaaS, no action
+  is needed; for dedicated SaaS customers with access to the system console, consult with your customer support
+  representative.
+
+- **Airgapped self-hosted {props.version} environments** - The Spectro Cloud-owned images are pulled directly
+  from your local registry and do not need the Spectro Cloud's OCI registry pull secret.
+
+- **Environments with configured mirror registries or image swaps** - If your non-airgapped self-hosted {props.version} environment pulls all Spectro Cloud-owned images from a custom or private registry through
+    <PaletteVertexUrlMapper
+        edition={props.edition}
+        text="mirror registries"
+        url="/system-management/registry-override/"
+    /> or [image swaps](/clusters/cluster-management/image-swap/), you do not need to configure the image pull secret.
+
+- **Self-hosted OCI registries with pull-through cache** - If you are using a registry that uses pull-through cache (for
+  example, a [Harbor proxy cache project](https://goharbor.io/docs/latest/administration/configure-proxy-cache/) or a
+  [JFrog Artifactory remote repository](https://docs.jfrog.com/artifactory/docs/remote-repositories)), you must
+  configure the hardened image registry credentials at the cache level.
+
@@ -0,0 +1,13 @@
+---
+partial_category: self-hosted
+partial_name: image-pull-secret-config-required
+---
+
+Non-airgapped self-hosted {props.version} environments that pull images directly from Spectro Cloud-owned OCI
+registries must configure an image pull secret. This _does not_ include environments that use
+    <PaletteVertexUrlMapper
+        edition={props.edition}
+        text="mirror registries"
+        url="/system-management/registry-override/"
+    /> or [image swap](/clusters/cluster-management/image-swap/) configurations to redirect image pulls to a private
+registry.
@@ -0,0 +1,15 @@
+---
+partial_category: self-hosted
+partial_name: image-pull-secret-during-install
+---
+
+Adding an image pull secret during installation is supported on the following deployment models:
+
+- Helm charts installations
+
+It is _not_ supported for the following deployment models:
+
+- Palette CLI
+- Palette Management Appliance
+
+For these deployments, you must configure the secret [post-installation](#post-installation) using the system console.
@@ -0,0 +1,23 @@
+---
+partial_category: self-hosted
+partial_name: image-pull-secret-enablement
+---
+
+1. Log in to the {props.version} 
+    <PaletteVertexUrlMapper
+        edition={props.edition}
+        text="system console"
+        url="/system-management/#access-the-system-console/"
+    />.
+
+2. From the left main menu, select **Administration**.
+
+3. Select the **Hardened Images** tab.
+
+4. In the **Pull secret** field, paste the image pull secret you received from Spectro Cloud support.
+
+5. Select **Validate and Save**.
+
+If the secret is valid, it is saved and distributed to the management plane, workload clusters, and PCGs. If you need to
+rotate your image pull secret for any reason, repeat these steps, and paste your new secret into the **Pull secret**
+field.
@@ -0,0 +1,20 @@
+---
+partial_category: self-hosted
+partial_name: image-pull-secret-helm-install
+---
+
+For self-hosted {props.version} environments installed on an existing Kubernetes cluster using Helm charts,
+you can apply your image pull secret during the installation process.
+
+| **File**                                      | **Parameter**                                                                                                               |
+| --------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------- |
+| <code>{props.helm}/values.yaml</code> | <code><PaletteVertexUrlMapper edition={props.edition} text="global.imagePullSecret.dockerConfigJson" palettePath="/install-palette/install-on-kubernetes/palette-helm-ref/#image-pull-secret/" vertexPath="/install-palette-vertex/install-on-kubernetes/vertex-helm-ref/#image-pull-secret/" /></code> |
+| `extras/cert-manager/values.yaml` | `imagePullSecret.dockerConfigJson` | 
+
+For the full installation process, refer to the 
+    <PaletteVertexUrlMapper
+        edition={props.edition}
+        text="installation guide"
+        palettePath="/install-palette/install-on-kubernetes/install/"
+        vertexPath="/install-palette-vertex/install-on-kubernetes/install/"
+    />.
@@ -0,0 +1,34 @@
+---
+partial_category: self-hosted
+partial_name: image-pull-secret-intro
+---
+
+Beginning in 4.9.b, Spectro Cloud is initiating the shift to security-hardened images. While images have a smaller
+attack surface compared to physical and virtual machines, security-hardened images are built to reduce the attack
+surface further by containing only the essential runtime components an application needs. They have strict Service Level
+Agreements (SLAs) that require the images to be regularly scanned for vulnerabilities, rebuilt, and patched, keeping the
+number of CVEs to a minimum. These images also contain artifacts such as Software Bill of Materials (SBOMs) and
+cryptographic signatures to verify that the image has not been tampered with.
+
+As a result of this transition, all images hosted in Spectro Cloud's OCI registries must now be authenticated and
+retrieved using
+[image pull secrets](https://kubernetes.io/docs/concepts/configuration/secret/#using-imagepullsecrets-1). Like
+    <PaletteVertexUrlMapper
+        edition={props.edition}
+        text="activation keys"
+        url="/activate-installation/"
+    />, these secrets are obtained from your Spectro Cloud
+customer support representative; they are intended for long-term use and only need to be configured once as part of your
+initial setup process. If you need to rotate the secret as part of your organization's security policy, contact support
+to request a new one.
+
+Once configured, the secret is distributed to the management plane, PCGs, and all managed workload clusters so they can
+pull the required images.
+
+:::warning
+
+As of 4.9.b, configuring an image pull secret is optional; however, it will be mandatory in an upcoming release.
+Therefore, we recommend configuring your image pull secret as soon as possible to avoid service disruptions. Refer to
+the [Announcements](/release-notes/announcements/#upcoming-breaking-changes) page for the latest updates.
+
+:::
@@ -0,0 +1,14 @@
+---
+partial_category: self-hosted
+partial_name: image-pull-secret-post-install
+---
+
+You can also configure the image pull secret once {props.version} is installed.
+
+:::warning
+
+Configuring an image pull secret is currently optional. Once it is mandatory, image pull secrets must be added during
+the installation process. At that time, the following system console method will only be used to rotate the image
+pull secret if required by your organization's security policy.
+
+:::
@@ -0,0 +1,15 @@
+---
+partial_category: self-hosted
+partial_name: image-pull-secret-prereqs
+---
+
+- A self-hosted instance of {props.version}.
+
+- Access to the {props.version}
+    <PaletteVertexUrlMapper
+        edition={props.edition}
+        text="system console"
+        url="/system-management/#access-the-system-console/"
+    />.
+
+- An image pull secret provided by Spectro Cloud support.
@@ -0,0 +1,66 @@
+---
+partial_category: self-hosted
+partial_name: image-pull-secret-validate
+---
+
+<Tabs>
+
+<TabItem value="ui" label="UI">
+
+1. Log in to the {props.version} 
+    <PaletteVertexUrlMapper
+        edition={props.edition}
+        text="system console"
+        url="/system-management/#access-the-system-console/"
+    />.
+
+2. From the left main menu, select **Administration**.
+
+3. Select the **Hardened Images** tab.
+
+4. Verify that the **Pull secret** field displays a masked secret.
+
+    {props.edition === 'vertex' ? <img src="/configure-image-pull-secret_vertex.webp" alt="Configuring an image pull secret in the system console." /> : <img src="/configure-image-pull-secret_palette.webp" alt="Configuring an image pull secret in the system console." />}
+
+</TabItem>
+
+<TabItem value="terminal" label="Terminal">
+
+1. Open a terminal session in an environment that has network access to the cluster. Set the `KUBECONFIG` environment
+   variable to the file path of your cluster's kubeconfig that {props.version} is installed on.
+
+   ```shell
+   export KUBECONFIG=<path-to-kubeconfig>
+   ```
+
+2. Issue the following command to verify the secret propagated to your management cluster matches the one configured in
+   the system console.
+
+   ```shell
+   kubectl get secret spectro-image-pull-secret --namespace hubble-system --output yaml
+   ```
+
+   ```yaml title="Example output" hideClipboard {3}
+   apiVersion: v1
+   data:
+     .dockerconfigjson: abcdEFGhiJKlmnOPQrSTUVwX... # output omitted for brevity
+   kind: Secret
+   metadata:
+     annotations:
+       meta.helm.sh/release-name: hubble
+       meta.helm.sh/release-namespace: default
+     creationTimestamp: "2026-06-18T22:33:37Z"
+     labels:
+       app: spectro
+       app.kubernetes.io/managed-by: Helm
+       module: hubble
+     name: spectro-image-pull-secret
+     namespace: hubble-system
+     resourceVersion: "28192"
+     uid: c7991fac-2ec0-4419-b451-10c82208f8e5
+   type: kubernetes.io/dockerconfigjson
+   ```
+
+</TabItem>
+
+</Tabs>
@@ -0,0 +1,18 @@
+---
+partial_category: self-hosted
+partial_name: kubernetes-install-begin
+---
+
+The following instructions are written agnostic to the Kubernetes distribution you are using. Depending on the
+underlying infrastructure provider and your Kubernetes distribution, you may need to modify the instructions to match
+your environment. Reach out to our support team if you need assistance.
+
+1.  Open a terminal session and navigate to the directory where you downloaded the {props.version} install ZIP file
+    provided by our support team. Unzip the file to a directory named <code>{props.helm}-install</code>.
+
+    <CodeBlock language="shell">{`unzip charts.zip -d ${props.helm}-install`}</CodeBlock>
+
+
+2.  Navigate to the <code>{props.helm}-install</code> directory.
+
+    <CodeBlock language="shell">{`cd ${props.helm}-install`}</CodeBlock>
@@ -0,0 +1,68 @@
+---
+partial_category: self-hosted
+partial_name: kubernetes-install-cert-manager-airgap
+---
+
+Open the file `extras/cert-manager/values.yaml` using a text editor of your choice. This example uses Vim.
+
+    ```shell
+    vim extras/cert-manager/values.yaml
+    ```
+
+
+<li> Append `<your-registry-url>` to each image, along with the `<repository>` where you want to store your images. </li>
+
+
+    image:
+      cainjectorImage: "<your-registry-url>/<repository>/us-docker.pkg.dev/palette-images-fips/palette/spectro-cert-manager/cert-manager-cainjector:v1.19.3-spectro-4.8.b"
+      controllerImage: "<your-registry-url>/<repository>/us-docker.pkg.dev/palette-images-fips/palette/spectro-cert-manager/cert-manager-controller:v1.19.3-spectro-4.8.b"
+      webhookImage: "<your-registry-url>/<repository>/us-docker.pkg.dev/palette-images-fips/palette/spectro-cert-manager/cert-manager-webhook:v1.19.3-spectro-4.8.b"
+      amceResolverImage: "<your-registry-url>/<repository>/us-docker.pkg.dev/palette-images-fips/palette/spectro-cert-manager/cert-manager-acmesolver:v1.19.3-spectro-4.8.b"
+    ```
+
+    In the example below, we used `harbor.docs.spectro.dev` for the registry and `spectro-images` for the repository.
+
+    ```yaml hideClipboard title="Example output"
+    image:
+      cainjectorImage: "harbor.docs.spectro.dev/spectro-images/us-docker.pkg.dev/palette-images-fips/palette/spectro-cert-manager/cert-manager-cainjector:v1.19.3-spectro-4.8.b"
+      controllerImage: "harbor.docs.spectro.dev/spectro-images/us-docker.pkg.dev/palette-images-fips/palette/spectro-cert-manager/cert-manager-controller:v1.19.3-spectro-4.8.b"
+      webhookImage: "harbor.docs.spectro.dev/spectro-images/us-docker.pkg.dev/palette-images-fips/palette/spectro-cert-manager/cert-manager-webhook:v1.19.3-spectro-4.8.b"
+      amceResolverImage: "harbor.docs.spectro.dev/spectro-images/us-docker.pkg.dev/palette-images-fips/palette/spectro-cert-manager/cert-manager-acmesolver:v1.19.3-spectro-4.8.b"
+    ```
+
+<li> If the registry you are pulling images from requires authentication, use the base64-encoded
+    contents of your `config.json` containing the registry credentials. Refer to
+    <PaletteVertexUrlMapper
+        edition={props.edition}
+        text="Helm Configuration Reference"
+        palettePath="/install-palette/install-on-kubernetes/palette-helm-ref/"
+        vertexPath="/install-palette-vertex/install-on-kubernetes/vertex-helm-ref/"
+    /> for more information. </li>
+
+    ```yaml title="Example configuration" hideClipboard {5}
+    imagePullSecret:
+      # When true, render Secret spectro-image-pull-secret in the cert-manager namespace.
+      # Pods automatically reference that pull secret when create is true or the secret already exists.
+      create: false
+      dockerConfigJson: "abcdEFGhiJKlmnOPQrSTUVwX..." # Used when create is true: base64-encoded dockerconfigjson
+    ```
+
+<li>  Install the Cert-Manager Helm chart. </li>
+
+    ```shell
+    helm upgrade --install cert-manager \
+      ./extras/cert-manager/cert-manager-*.tgz \
+      --namespace cert-manager \
+      --create-namespace \
+      --values ./extras/cert-manager/values.yaml
+    ```
+
+    ```shell hideClipboard title="Example output"
+    Release "cert-manager" does not exist. Installing it now.
+    NAME: cert-manager
+    LAST DEPLOYED: Wed Jun 17 12:54:27 2026
+    NAMESPACE: default
+    STATUS: deployed
+    REVISION: 1
+    TEST SUITE: None
+    ```