If you're setting up Kubernetes for a private project — internal tools, an isolated network, an in-house stack — at some point you hit the question: where do the images come from?

Every tutorial assumes public registries like docker.io, ghcr.io, or quay.io are reachable. When they aren't, the chicken-and-egg problem starts. You can't pull your registry image from your registry. You can't authenticate against your IdP before the IdP is up. Each foundation service runs into a problem of the same shape.

There isn't much written about how to actually bootstrap from this state. Here's the approach I've been using.

Foundation services all have the same problem

The same pattern shows up everywhere: