Using Azure Container Registry to host istio images

We’re trying to use istio, but we have a requirement to use a Docker repo hosted on Azure instead of the images on

I used istioctl manifest generate to create the manifest and modified the generated yaml replacing with the host of our private ACR. I also modified the yaml adding imagePullSecrets to the ingress-gateway and istiod Deployments. I also replaced the json for the config of imagePullSecrets with

 "imagePullSecrets": [
   "name": "REPLACE_WITH_CREDS" 

Istio seems to install OK. istiod and ingress-gateway are both running using images hosted on our instance of ACR. But whenever a sidecar needs to be created for a stateful set, I get the following error when describing the pod:

  Type     Reason        Age                  From                    Message
  ----     ------        ----                 ----                    -------
  Warning  FailedCreate  79s (x16 over 4m3s)  statefulset-controller  create Pod helper-0 in StatefulSet helper failed error: admission webhook "" denied the request: failed to run injection template: could not parse configuration values: json: cannot unmarshal object into Go value of type string

I saw this error, until I ran kubectl edit -n istio-system cm istio-sidecar-injector and reverted the values for hub and imagePullSecrets to the orginal values.

This is what the config looked like before reverting:

"hub": "",
"imagePullPolicy": "",
"imagePullSecrets": [
    "name": "dockerCredsSecret"

After reverting, the statefulset and its pod came up but using the copies from Are there any tutorials I can follow to guide me through the process of using a Docker repo other than


Worked around this by switching to an istio operator install.

istioctl --kubeconfig=${KC} operator init --hub ${HUB_STRING} --imagePullSecrets ${CREDS}
kubectl --kubeconfig=${KC} apply -f - <<EOF
kind: IstioOperator
  namespace: istio-system
  name: istiocontrolplane
  profile: default
      hub: ${HUB_STRING}
       - ${CREDS}