Air-Gapped Installation

This guide explains how to install Kedify in air-gapped or network-restricted Kubernetes clusters.

In this setup, cluster nodes cannot pull images directly from public registries such as ghcr.io or quay.io. You must first mirror all required images into your private registry and then configure Kedify Helm values to use the mirrored locations.

For standard online installation options, refer to Dashboard Installation or Fleet Installation.

Prerequisites

• A running Kubernetes cluster (for example EKS, GKE, AKS, OpenShift, or on-prem Kubernetes)
• Access to a private container registry reachable from your cluster nodes
• kubectl configured for your cluster
• helm installed
• docker (with buildx) or another OCI-compatible image tool
• A Kedify account with Organization ID and API key

Required Images

Mirror the following Kedify and dependency images to your private registry. All entries are digest-pinned for deterministic deployments.

Current source version: v0.5.6 (updated 2026-05-13)

envoyproxy/envoy:v1.37.0@sha256:ee6db70f38ba0b95c10817484ecb7f8d71d3276b5e4dc7b52f12125806d5d419
ghcr.io/kedify/agent:v0.5.6@sha256:b66ffea94cd4c7632dc32696a614201b6e28216bea6d33b12987e4a24518b2c5
ghcr.io/kedify/http-add-on-interceptor:v0.11.1-3@sha256:024099c9bacf39eacb9fa0da3a4adda9f603052ff352a61d3507f6f45ce9f07a
ghcr.io/kedify/http-add-on-scaler:v0.11.1-3@sha256:75da7e9b0efbf1b4f8628f51f911450274940bc28be7193f2139eb537bf3c156
ghcr.io/kedify/keda-admission-webhooks:v2.19.0-2@sha256:dfc47fd6e198aaf1a07e66b60ca457b456a0e790f500eb141c59e4c3ea4c26bb
ghcr.io/kedify/keda-metrics-apiserver:v2.19.0-2@sha256:c5174d0b2296e4c7185544e2af48c663f186be7457f181ea57aa9a27857be9ee
ghcr.io/kedify/keda-operator:v2.19.0-2@sha256:f0db0d362f2b8ce4a17c8643acc61300d49758e1006b764436a5fd39d16640a0
ghcr.io/kedify/keda-prediction-controller:v0.1.4@sha256:4d58486bcfa59e5a8fbf3b426d0b93a725578118ef8fef0011503edda8ad693d
ghcr.io/kedify/keda-prophet:v0.1.4@sha256:e8c256448484df0eb425b1bdef3716458ca6624f51d23a5f13bbbe6dae72cb5a
ghcr.io/kedify/kubectl:v1.33.1@sha256:2ea25099363a3f16a491fc2c5a30fff304a8bbd939c782f0f80b399e821084c3
ghcr.io/kedify/otel-add-on:v0.1.3@sha256:05d9eb41f52ee407b0637b69deed4ccab349c486a71f3f07337272752c7c7271
ghcr.io/open-telemetry/opentelemetry-operator/opentelemetry-operator:0.131.0@sha256:004e38c269fa37816e247d6b9196e339f7c65c5b6950309cd7b2d7d08c9cbdac
quay.io/brancz/kube-rbac-proxy:v0.19.1@sha256:ea7bdc09a4929c8cad2b84b06ea4455721e75d4b86aa3dddf41f29b4817db358

Mirror Images to Your Private Registry

The example below mirrors images to registry.internal.example.com. Adjust the registry host and target paths to match your environment.

REGISTRY="registry.internal.example.com"

while read -r IMAGE; do
  [ -z "$IMAGE" ] && continue

  TARGET="$REGISTRY/${IMAGE#*/}"

  docker pull "$IMAGE"
  docker tag "$IMAGE" "$TARGET"
  docker push "$TARGET"
done <<'IMAGES'
envoyproxy/envoy:v1.37.0@sha256:ee6db70f38ba0b95c10817484ecb7f8d71d3276b5e4dc7b52f12125806d5d419
ghcr.io/kedify/agent:v0.5.6@sha256:b66ffea94cd4c7632dc32696a614201b6e28216bea6d33b12987e4a24518b2c5
ghcr.io/kedify/http-add-on-interceptor:v0.11.1-3@sha256:024099c9bacf39eacb9fa0da3a4adda9f603052ff352a61d3507f6f45ce9f07a
ghcr.io/kedify/http-add-on-scaler:v0.11.1-3@sha256:75da7e9b0efbf1b4f8628f51f911450274940bc28be7193f2139eb537bf3c156
ghcr.io/kedify/keda-admission-webhooks:v2.19.0-2@sha256:dfc47fd6e198aaf1a07e66b60ca457b456a0e790f500eb141c59e4c3ea4c26bb
ghcr.io/kedify/keda-metrics-apiserver:v2.19.0-2@sha256:c5174d0b2296e4c7185544e2af48c663f186be7457f181ea57aa9a27857be9ee
ghcr.io/kedify/keda-operator:v2.19.0-2@sha256:f0db0d362f2b8ce4a17c8643acc61300d49758e1006b764436a5fd39d16640a0
ghcr.io/kedify/keda-prediction-controller:v0.1.4@sha256:4d58486bcfa59e5a8fbf3b426d0b93a725578118ef8fef0011503edda8ad693d
ghcr.io/kedify/keda-prophet:v0.1.4@sha256:e8c256448484df0eb425b1bdef3716458ca6624f51d23a5f13bbbe6dae72cb5a
ghcr.io/kedify/kubectl:v1.33.1@sha256:2ea25099363a3f16a491fc2c5a30fff304a8bbd939c782f0f80b399e821084c3
ghcr.io/kedify/otel-add-on:v0.1.3@sha256:05d9eb41f52ee407b0637b69deed4ccab349c486a71f3f07337272752c7c7271
ghcr.io/open-telemetry/opentelemetry-operator/opentelemetry-operator:0.131.0@sha256:004e38c269fa37816e247d6b9196e339f7c65c5b6950309cd7b2d7d08c9cbdac
quay.io/brancz/kube-rbac-proxy:v0.19.1@sha256:ea7bdc09a4929c8cad2b84b06ea4455721e75d4b86aa3dddf41f29b4817db358
IMAGES

Configure Helm Values for Air-Gapped Registry

Create air-gapped-values.yaml and override image repositories to point to your mirrored registry.

agent:
  image:
    repository: registry.internal.example.com/kedify/agent
    tag: <agent-tag>
  kubectlImage:
    repository: registry.internal.example.com/kedify/kubectl
    tag: <kubectl-tag>

keda:
  image:
    keda:
      repository: registry.internal.example.com/kedify/keda-operator
      tag: <keda-operator-tag>
    metricsApiServer:
      repository: registry.internal.example.com/kedify/keda-metrics-apiserver
      tag: <keda-metrics-apiserver-tag>
    webhooks:
      repository: registry.internal.example.com/kedify/keda-admission-webhooks
      tag: <keda-webhooks-tag>

keda-add-ons-http:
  images:
    interceptor: registry.internal.example.com/kedify/http-add-on-interceptor:<http-interceptor-tag>
    scaler: registry.internal.example.com/kedify/http-add-on-scaler:<http-scaler-tag>
  kubectlImage:
    repository: registry.internal.example.com/kedify/kubectl
    tag: <kubectl-tag>

otel-add-on:
  image:
    repository: registry.internal.example.com/kedify/otel-add-on
    tag: <otel-add-on-tag>
  kubectlImage:
    repository: registry.internal.example.com/kedify/kubectl
    tag: <kubectl-tag>
  otelOperator:
    manager:
      image:
        repository: registry.internal.example.com/open-telemetry/opentelemetry-operator/opentelemetry-operator
        tag: <otel-operator-tag>
    kubeRBACProxy:
      image:
        repository: registry.internal.example.com/brancz/kube-rbac-proxy
        tag: <kube-rbac-proxy-tag>

kedify-predictor:
  image:
    repository: registry.internal.example.com/kedify/keda-prophet
    tag: <keda-prophet-tag>
  kedaPredictionController:
    image:
      repository: registry.internal.example.com/kedify/keda-prediction-controller
      tag: <keda-prediction-controller-tag>
  kubectlImage:
    repository: registry.internal.example.com/kedify/kubectl
    tag: <kubectl-tag>

If your registry requires authentication, configure imagePullSecrets for the relevant components and service accounts.

Install Kedify with Air-Gapped Values

Use the Kedify installation method you normally use (Dashboard, Fleet, or Helm), and provide the image override values.

helm upgrade --install kedify-agent kedifykeda/kedify-agent \
  --namespace keda \
  --create-namespace \
  -f air-gapped-values.yaml

Validate the Installation

1. Check all pods are running:

kubectl get pods -n keda

2. Confirm images are pulled from your internal registry:

kubectl get pods -n keda -o jsonpath='{..image}' | tr ' ' '\n' | sort -u

3. Ensure there are no ImagePullBackOff or ErrImagePull states:

kubectl get pods -n keda
kubectl describe pod <pod-name> -n keda

Troubleshooting

• ImagePullBackOff from public registry: one or more image repositories were not overridden in Helm values.
• Pull authentication errors: verify registry credentials and imagePullSecrets configuration.
• TLS trust errors against internal registry: ensure cluster nodes trust the private registry CA certificate.
• Missing image in internal registry: confirm the exact digest-pinned image exists in the mirrored target repository.