Air-Gapped Install

For environments that are connected to the Internet, one needs access to three repositories to install Veeam Kasten:

  • The Helm repository that contains the Veeam Kasten chart

  • The container registry that contains the Veeam Kasten container images

  • Upstream repositories to install Veeam Kasten dependencies (e.g., Prometheus)

However, if an air-gapped installation is required, it is possible to use your own private container registry to install Veeam Kasten. While this can always be done manually, the k10offline tool makes it easier to automate the process.

Air-Gapped Veeam Kasten Installation

If the Veeam Kasten container images are already available in a private repository, the below instructions can be used to install in an air-gapped environment. If needed, support for uploading images to a private image registry is documented below.

Fetching the Helm Chart for Local Use

To fetch the most recent Veeam Kasten Helm chart for local use, run the following command to pull the latest Veeam Kasten chart as a compressed tarball (.tgz) file into the working directory.

$ helm repo update && \
    helm fetch kasten/k10

If you need to fetch a specific version, please run the following command:

$ helm repo update && \
    helm fetch kasten/k10 --version=<k10-version>

Installing Veeam Kasten with Local Helm Chart and Container Images

If the Veeam Kasten container images were uploaded to a registry at repo.example.com, an air-gapped installation can be performed by setting global.airgapped.repository=repo.example.com as shown in the below command:

$ kubectl create namespace kasten-io
$ helm install k10 k10-7.0.14.tgz --namespace kasten-io \
    --set global.airgapped.repository=repo.example.com

Installing Veeam Kasten with Disconnected OpenShift Operator

To install Veeam Kasten with an OpenShift operator in an air-gapped cluster, follow the steps under offline operator install.

Running Veeam Kasten Within a Local Network

To run Veeam Kasten in a network without the ability to connect to the internet, Veeam Kasten needs to be installed in an air-gapped mode with the helm value metering.mode=airgap as shown in the command below:

$ kubectl create namespace kasten-io
$ helm install k10 k10-7.0.14.tgz --namespace kasten-io \
    --set metering.mode=airgap

Note

If metering.mode=airgap is not set in an offline cluster, some functionality will be disabled. A message warning that Veeam Kasten is "Unable to validate license" will be displayed in the web based user interface. Errors containing messages "Could not get google bucket for metrics", "License check failed" and "Unable to validate license" will be logged.

If the metering service is unable to connect to the internet for 24 hours, the metering service will restart.

Providing Credentials if Local Container Repository is Private

If the local repository that has been provided as the value of global.airgapped.repository is private, credentials for that repository can be provided using secrets.dockerConfig and global.imagePullSecret flags, as below, with the helm install command.

--set secrets.dockerConfig=$(base64 -w 0 < ${HOME}/.docker/config.json) \
--set global.imagePullSecret="k10-ecr"

Note

Our Helm chart creates a secret with the name k10-ecr with the value that has been provided for secrets.dockerConfig. That's why we are providing secret name k10-ecr as value of global.imagePullSecret.

Preparing Veeam Kasten Container Images for Air-Gapped Use

There are multiple ways to use a private repository including setting up a caching or proxy image registry that points to the Veeam Kasten image repositories using tools such as JFrog Artifactory. However, if images need to be manually uploaded or an automated upload pipeline is required to add Veeam Kasten images into your private repository, the following documentation should help.

Using Iron Bank Veeam Kasten Container Images

If you want to use the Iron Bank hardened Veeam Kasten images in an air-gapped environment, execute the following commands, each with the additional --ironbank flag. This flag ensures the pulling of images from Registry1, including all third-party images.

Warning

You must be logged in to the docker registry locally for this process to function correctly. Use docker login registry1.dso.mil --username "${REGISTRY1_USERNAME}" --password-stdin with your Registry1 CLI secret as the password to login.

List Veeam Kasten Container Images

The following command will list all images used by the current Veeam Kasten version, This can be helpful if there is a requirement to tag and push Veeam Kasten images into your private repository manually instead of using the Kasten provided tool documented below.

$ docker run --rm -it gcr.io/kasten-images/k10offline:7.0.14 list-images

Local Pull of all Veeam Kasten Container Images

The following command will execute the k10offline tool and use docker-in-docker (via docker.sock) to download all Veeam Kasten images into the local machine's registry.

$ docker run --rm -it -v /var/run/docker.sock:/var/run/docker.sock \
    gcr.io/kasten-images/k10offline:7.0.14 pull images

Move Veeam Kasten Images Into a Private Repository

Finally, to completely automate the download and re-upload of Veeam Kasten container images, the following command will pull all Veeam Kasten images into your local repository, re-tag them for a repository located at repo.example.com and push them to this specified registry.

Note

Veeam Kasten uses a few upstream container images. To avoid a possible collision with a customer's private version, the k10offline tool adds the k10- prefix to these container images tags.

$ docker run --rm -ti -v /var/run/docker.sock:/var/run/docker.sock \
    -v ${HOME}/.docker:/root/.docker \
    gcr.io/kasten-images/k10offline:7.0.14 pull images --newrepo repo.example.com

Note

After running the previous command, use the instructions above to install Veeam Kasten via images uploaded to repo.example.com.

Note that k10offline tool will use your local docker config if the private registry requires authentication. To access the private registry, you may need to log in manually within the k10offline container shell if your local docker config does not have the credentials stored. You can execute below commands to access k10offline container shell.

$ docker run --rm -v /var/run/docker.sock:/var/run/docker.sock \
    -it --entrypoint /bin/sh gcr.io/kasten-images/k10offline:7.0.14

Obtaining Older Veeam Kasten Versions

The above commands operate against the latest version of Veeam Kasten (7.0.14). If you want an older version, you can execute the following to discover older available version number (listed under the CHART VERSION column) and the replace the version listed in all the below commands.

$ helm repo update && \
    helm search repo kasten/k10 --versions