Version: 8.5.3 (latest)

Installing Veeam Kasten with Iron Bank Images

Iron Bank, which is a crucial part of Platform One, the DevSecOps managed services platform for the United States (US) Department of Defense (DoD), acts as the central repository for all hardened images that have gone through the container hardening process. It serves as the DoD's Centralized Artifacts Repository (DCAR), housing these secure images.

All images required to deploy Veeam Kasten have gone through this process and can be viewed in Iron Bank's catalog.

Note

To view the catalog, registration with Platform One is necessary. If you do not have an account, open the catalog page linked above and follow the registration instructions.

The catalog page shows the verified findings, compliance details, and overall risk assessment score associated with each image.

Diving into a specific image shows additional information including the Software Bill of Materials (SBOMs) in both SPDX and CycloneDX formats. It also provides Vulnerability Assessment Tracker (VAT) findings, showcasing justifications for vulnerabilities and their verification status.

Warning

Getting newly released versions of Veeam Kasten images through the Iron Bank hardening process can take some time. This may result in the unavailability of new releases for Iron Bank-based deployments for a few days following the release of standard Veeam Kasten images.

Registry1

Iron Bank uses Harbor for its registry, which can be accessed using your Platform One credentials.

The username and password required for pulling images from Registry1 via the command line can be found by clicking on your profile in the upper right corner.

Note

The password is the same as the CLI secret token.

Veeam Kasten images can be found by using the search bar at the top of the screen and searching for veeam or kasten. Clicking on an image provides more information, such as the tags that can be pulled and the sha256 of the image.

Images are signed by Cosign and the relevant information is shown for each valid image.

Installing Veeam Kasten with Iron Bank Hardened Images via Helm

Deploying Veeam Kasten with Iron Bank hardened images is possible using the public Kasten Helm chart. Please ensure that the prerequisites have been met.

Providing Registry1 Credentials for Veeam Kasten Helm Deployment

Since all images are pulled from Registry1 for a Veeam Kasten deployment using Iron Bank hardened images, your credentials must be provided in order to successfully pull the images.

Credentials can be provided by using either:

  • --set secrets.dockerConfig=<BASE64 ENCODED DOCKERCONFIG>, or
  • --set-file secrets.dockerConfigPath=<PATH TO DOCKERCONFIG>

The base64 encoded dockerconfig can be created with the jq tool:

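# Strip newlines after each base64 step: some base64 implementations wrap
# long output, which would corrupt the value passed to Helm.
jq -nc \
    --arg registry "registry1.dso.mil" \
    --arg username "${REGISTRY1_USERNAME}" \
    --arg password "${REGISTRY1_CLI_SECRET}" \
    --arg auth "$(printf "%s:%s" "${REGISTRY1_USERNAME}" "${REGISTRY1_CLI_SECRET}" | base64 | tr -d '\n')" \
    '{"auths":{($registry):{"username":$username,"password":$password,"auth":$auth}}}' \
    | base64 | tr -d '\n'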

Helm Chart Values for Iron Bank Images

To install Veeam Kasten with Iron Bank images, use the pre-configured values file shown below. Save the following values in a file named ironbank-values.yaml.

ironbank-values.yaml
# Default values for k10 using Ironbank images.
# If anything needs to be set specifically, use the --set flag.

global:
  image:
    registry: registry1.dso.mil/ironbank/veeam/kasten
    pullPolicy: Always
  images:
    configmap-reload: 'registry1.dso.mil/ironbank/opensource/prometheus-operator/prometheus-config-reloader:v0.82.2'
    dex: 'registry1.dso.mil/ironbank/opensource/dexidp/dex:v2.43.1'
    prometheus: 'registry1.dso.mil/ironbank/opensource/prometheus/prometheus:v3.4.0'
  ironbank:
    enabled: true

These values should only be used when deploying Veeam Kasten with Iron Bank hardened images.

Note

This file should not be modified. Should you wish to specify any other values, use the corresponding Helm flags, such as --set, --values, etc.

Once you have saved the ironbank-values.yaml file, execute the following command ensuring you correctly reference the path to the file:

helm upgrade k10 kasten/k10 --install --namespace=kasten-io \
    --values ironbank-values.yaml \
    --set secrets.dockerConfig=<BASE64 ENCODED DOCKERCONFIG> \
    --set global.imagePullSecret=k10-ecr

Since the only difference from a standard Veeam Kasten installation is the images used, the rest of the process can follow the official Veeam Kasten documentation.
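A pre-install check, added here as an example and not part of the Veeam Kasten documentation: render the chart with the same values file and list every container image that would not be pulled from registry1.dso.mil/ironbank/. The function names, the `IRONBANK_PREFIX` variable and the sample manifest are constructed for illustration, and the check covers `image:` fields only.

```shell
#!/bin/sh
# Added example (not from the Kasten docs): report rendered container images
# that are not served from Iron Bank. Names and sample data are constructed.
# Only `image:` fields are inspected; images set elsewhere are not covered.
IRONBANK_PREFIX="registry1.dso.mil/ironbank/"

# Reads a rendered manifest on stdin, prints each offending image ref once.
non_ironbank_images() {
    awk -v prefix="$IRONBANK_PREFIX" -v q="'" '
        # "image: ref" or "- image: ref"; imagePullPolicy does not match.
        /^[ \t]*(-[ \t]+)?image:[ \t]/ {
            ref = $0
            sub(/^[ \t]*(-[ \t]+)?image:[ \t]*/, "", ref)
            sub(/[ \t]+#.*$/, "", ref)        # trailing YAML comment
            gsub("[\"" q "]", "", ref)        # surrounding quotes
            sub(/[ \t]+$/, "", ref)
            # Prefix ends in "/" so look-alike hosts do not pass.
            if (ref != "" && index(ref, prefix) != 1 && !seen[ref]++) print ref
        }'
}

# Constructed sample standing in for `helm template` output.
sample_manifest() {
    cat <<'EOF'
apiVersion: apps/v1
kind: Deployment
spec:
  template:
    spec:
      initContainers:
        - name: init
          image: "registry1.dso.mil/ironbank/veeam/kasten/init:1.0.0"
      containers:
        - image: registry1.dso.mil/ironbank/opensource/dexidp/dex:v2.43.1
          imagePullPolicy: Always
          name: dex
        - name: sidecar
          image: 'docker.io/example/sidecar:latest'  # constructed offender
        - name: lookalike
          image: registry1.dso.mil.example.net/ironbank/x:1
EOF
}

# Real use (add the same --set flags as the install command if needed):
#   helm template k10 kasten/k10 --namespace kasten-io \
#     --values ironbank-values.yaml | non_ironbank_images
sample_manifest | non_ironbank_images
```

Empty output means every rendered `image:` reference starts with the Iron Bank prefix; any printed line is an image to trace back to a chart value before installing.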

Using Iron Bank Veeam Kasten Images in an Air-Gapped Environment

Iron Bank hardened Veeam Kasten images can be used in an air-gapped environment by following the instructions found here.

Implementing Iron Bank for Veeam Kasten Disaster Recovery

The Iron Bank hardened restorectl image can be used for Veeam Kasten disaster recovery by following the instructions found here.