Air-Gapped Install
For environments that are connected to the Internet, one needs access to three repositories to install K10:
The Helm repository that contains the K10 chart
The container registry that contains the K10 container images
Upstream repositories to install K10 dependencies (e.g., Prometheus)
However, if an air-gapped installation is required, it is possible to
use your own private container registry to install K10. While this can
always be done manually, the k10offline
tool makes it easier to
automate the process.
Air-Gapped K10 Installation
If the K10 container images are already available in a private repository, the below instructions can be used to install in an air-gapped environment. If needed, support for uploading images to a private image registry is documented below.
Fetching the Helm Chart for Local Use
To fetch the most recent K10 Helm chart for local use, run the following
command to pull the latest K10 chart as a compressed tarball (.tgz
)
file into the working directory.
$ helm repo update && \
helm fetch kasten/k10
If you need to fetch a specific version, please run the following command:
$ helm repo update && \
helm fetch kasten/k10 --version=<k10-version>
Installing K10 with Local Helm Chart and Container Images
If the K10 container images were uploaded to a registry at
repo.example.com
, an air-gapped installation can be performed by
setting global.airgapped.repository=repo.example.com
as shown in
the below command:
$ kubectl create namespace kasten-io
$ helm install k10 k10-6.5.14.tgz --namespace kasten-io \
--set global.airgapped.repository=repo.example.com
Installing K10 with Disconnected OpenShift Operator
To install K10 with an OpenShift operator in an air-gapped cluster, follow the steps under offline operator install.
Running K10 Within a Local Network
To run K10 in a network without the ability to connect to the internet, K10
needs to be installed in an air-gapped mode with the helm value
metering.mode=airgap
as shown in the command below:
$ kubectl create namespace kasten-io
$ helm install k10 k10-6.5.14.tgz --namespace kasten-io \
--set metering.mode=airgap
Note
If metering.mode=airgap
is not set in an offline cluster, some functionality
will be disabled. A message warning that K10 is "Unable to validate license" will
be displayed in the web based user interface. Errors containing messages
"Could not get google bucket for metrics", "License check failed" and "Unable to validate license"
will be logged.
If the metering service is unable to connect to the internet for 24 hours, the metering service will restart.
Providing Credentials if Local Container Repository is Private
If the local repository that has been provided as the value of
global.airgapped.repository
is private, credentials for that
repository can be provided using secrets.dockerConfig
and
global.imagePullSecret
flags, as below, with
the helm install
command.
--set secrets.dockerConfig=$(base64 -w 0 < ${HOME}/.docker/config.json) \
--set global.imagePullSecret="k10-ecr"
Note
Our Helm chart creates a secret with the name k10-ecr
with the value that has been provided for secrets.dockerConfig
.
That's why we are providing secret name k10-ecr
as value of
global.imagePullSecret
.
Preparing K10 Container Images for Air-Gapped Use
There are multiple ways to use a private repository including setting up a caching or proxy image registry that points to the Kasten K10 image repositories using tools such as JFrog Artifactory. However, if images need to be manually uploaded or an automated upload pipeline is required to add K10 images into your private repository, the following documentation should help.
Using Iron Bank K10 Container Images
If you want to use the Iron Bank hardened K10 images in an air-gapped
environment, execute the following commands, each with the additional
--ironbank
flag. This flag ensures the pulling of images from
Registry1, including all third-party images.
Warning
You must be logged in to the docker registry locally for this
process to function correctly. Use
docker login registry1.dso.mil --username "${REGISTRY1_USERNAME}"
--password-stdin
with your Registry1 CLI secret
as the password to
login.
List K10 Container Images
The following command will list all images used by the current K10 version, This can be helpful if there is a requirement to tag and push K10 images into your private repository manually instead of using the Kasten provided tool documented below.
$ docker run --rm -it gcr.io/kasten-images/k10offline:6.5.14 list-images
Local Pull of all K10 Container Images
The following command will execute the k10offline
tool and use
docker-in-docker (via docker.sock) to
download all K10 images into the local machine's registry.
$ docker run --rm -it -v /var/run/docker.sock:/var/run/docker.sock \
gcr.io/kasten-images/k10offline:6.5.14 pull images
Move K10 Images Into a Private Repository
Finally, to completely automate the download and re-upload of K10
container images, the following command will pull all K10 images into
your local repository, re-tag them for a repository located at
repo.example.com
and push them to this specified registry.
Note
K10 uses a few upstream container images. To avoid a
possible collision with a customer's private version, the
k10offline
tool adds the k10-
prefix to these container
images tags.
$ docker run --rm -ti -v /var/run/docker.sock:/var/run/docker.sock \
-v ${HOME}/.docker:/root/.docker \
gcr.io/kasten-images/k10offline:6.5.14 pull images --newrepo repo.example.com
Note
After running the previous command, use the
instructions above to install K10 via images uploaded
to repo.example.com
.
Note that k10offline
tool will use your local docker config if the private
registry requires authentication. To access the private registry,
you may need to log in manually within the k10offline
container shell
if your local docker config does not have the credentials stored.
You can execute below commands to access k10offline
container shell.
$ docker run --rm -v /var/run/docker.sock:/var/run/docker.sock \
-it --entrypoint /bin/sh gcr.io/kasten-images/k10offline:6.5.14
Obtaining Older K10 Versions
The above commands operate against the latest version of K10
(6.5.14). If you want an older version, you can execute the
following to discover older available version number (listed under the
CHART VERSION
column) and the replace the version listed in all
the below commands.
$ helm repo update && \
helm search repo kasten/k10 --versions