Install Istio using container images

Hi
One question, I have, I am a senior enterprise architect for humana and due to security reason, pulling container images directly from dockerhub is prohibited. We need to scan dockerhub images first then import it to Jfrog and then to Azure ACR. My question is - Does running istioctl pulls anything from dockerhub? If yes how we can modify source artificatory pointing to Azure ACR?

we set hub while installing istio, that changes the docker images path to jfrog and also use the imagepullsecrets, you can use azure acr url instead of jfrog.

image pull secrets should be present in all the namespaces where istio injection is enabled

apiVersion: install.istio.io/v1alpha1
kind: IstioOperator
spec:
  meshConfig:
    accessLogFile: /dev/stdout
  hub: <private-registry>.jfrog.io/istio
...
...
...
    global:
      imagePullSecrets:
      - regcred

Thank you Deepak. I am looking to do full install of Istio. Do you have yaml file to share? or is there any documentation in istio, where I can get the yaml file. I went through istio.io and all I can see is istioctl install command, but no flexibility to change imagepull url.

Hi, I got into the same path past and following writeup covering this, https://medium.com/sparsecode/customize-installation-of-istio-service-mesh-in-kubernetes-cluster-8a38641471a7

refer isttio operator api, some options arent available in operator api, so i have used values section after referring helm options

you need to create yaml file on your own :-), here is what I use for 1.5.x
1.6 needs little change (not off the top of my head)

use istioctl manifest generate -f <override.yaml> and find if your input is rendered correctly before installing.

apiVersion: install.istio.io/v1alpha1
kind: IstioOperator
spec:
  hub: <change-me>.jfrog.io/istio        
  addonComponents:
    grafana:
      enabled: false
    istiocoredns:
      enabled: false
    kiali:
      enabled: true
      k8s:
        replicaCount: 2
    prometheus:
      enabled: false
    tracing:
      enabled: false

  components:
    base:
      enabled: true
    citadel:
      enabled: false
    cni:
      enabled: false
    galley:
      enabled: false
    nodeAgent:
      enabled: false
    policy:
      enabled: false
    sidecarInjector:
      enabled: false
    telemetry:
      enabled: false
    pilot:
      enabled: true
      k8s:
        hpaSpec:
          minReplicas: 2

    ingressGateways:
    - name: istio-ingressgateway
      enabled: true
      k8s:
        hpaSpec:
          minReplicas: 2
        service:
          type: ClusterIP
          ports:
          - name: http2
            port: 80
            targetPort: 80
          - name: https
            port: 443
    egressGateways:
    - name: istio-egressgateway
      enabled: true
      k8s:
        hpaSpec:
          minReplicas: 2
        service:
          type: ClusterIP
          ports:
          - name: http2
            port: 80

  values:
    kiali:
      prometheusAddr: http://prometheus.monitoring:9090
      hub: <change-me>.jfrog.io/kiali

    global:
      proxy:
        accessLogFile: /dev/stdout
      imagePullSecrets:
      - <change-me>