Install in Airgap Environments Enterprise
From wikipedia
An air gap, air wall, air gapping or disconnected network is a network security measure employed on one or more computers to ensure that a secure computer network is physically isolated from unsecured networks, such as the public Internet or an unsecured local area network...
This document guides on how to install Weave Gitops Enterprise in a restricted environment.
Before Start
There are multiple restrictions that could happen within an airgap environment. This guide assumes that you have egress network restrictions. In order to install Weave Gitops Enterprise (WGE), the required artifacts are required to be loaded from a private registry. This guide helps you with the task to identity the helm charts and container images required to install WGE and to load them into your private registry.
It also assumes that you could prepare the installation from a proxy host. A proxy host is defined here as a computer that is able to access to both the public and private network. It could take different shapes, for example, it could be a bastion host, a corp laptop, etc.
Access to both public and private network is required during the airgap installation but not simultaneously. It is expected to have an online stage to gather the artifacts first, and an offline stage later, to load the artifacts in the private network.
Finally, we aim to provide an end to end example to use it as a guidance more than a recipe. Feel free to adapt the details that do not fit within your context.
Install
There are different variations of the following stages and conditions. We consider that installing Weave Gitops Enterprise in an airgap environment could follow the following stages.
- Setup a WGE install environment.
- Collect artifacts and publish to a private registry.
- Install Weave Gitops Enterprise in the airgap environment.
Setup a WGE install environment
The main goal of this stage is to recreate a local Weave Gitops Enterprise within your context, to collect the container images and helm charts, that will be required in your private registry for the offline installation.
A three-step setup is followed.
- Setup a proxy host
- Setup a private registry
- Install Weave Gitops Enterprise
Setup a proxy host
There are many possible configurations for this host. This guide will assume that the host has installed the following:
- docker as container runtime.
- kubectl and kind
- helm
- skopeo to manage container images
- flux to boostrap flux in the environment.
- clusterctl to replicate the cluster management capabilities.
Create Kind Cluster
Create a kind cluster with registry following this guide
Install flux
You could just use flux install
to install flux into your kind cluster
Setup a helm repo
We are going to install ChartMuseum via flux.
Remember to also install helm plugin cm-push.
Expand to see installation yaml
Setup access from your host.
#expose kubernetes svc
kubectl -n flux-system port-forward svc/helm-repo-chartmuseum 8080:8080 &
#add hostname
sudo -- sh -c "echo 127.0.0.1 helm-repo-chartmuseum >> /etc/hosts"
Test that you could reach it.
#add repo to helm
helm repo add private http://helm-repo-chartmuseum:8080
#test that works
helm repo update private
At this stage you have already a private registry for container images and helm charts.
Install Weave Gitops Enterprise
This step is to gather the artifacts and images in your local environment to push to the private registry.
Cluster API
This would vary depending on the provider, given that we target a offline environment, most likely we are in a private cloud environment, so we will be using liquidmetal.
Export these environment variables to configure CAPI experience. Adjust them to your context.
export CAPI_BASE_PATH=/tmp/capi
export CERT_MANAGER_VERSION=v1.9.1
export CAPI_VERSION=v1.3.0
export CAPMVM_VERSION=v0.7.0
export EXP_CLUSTER_RESOURCE_SET=true
export CONTROL_PLANE_MACHINE_COUNT=1
export WORKER_MACHINE_COUNT=1
export CONTROL_PLANE_VIP="192.168.100.9"
export HOST_ENDPOINT="192.168.1.130:9090"
Execute the following script to generate clusterctl
config file.
cat << EOF > clusterctl.yaml
cert-manager:
url: "$CAPI_BASE_PATH/cert-manager/$CERT_MANAGER_VERSION/cert-manager.yaml"
providers:
- name: "microvm"
url: "$CAPI_BASE_PATH/infrastructure-microvm/$CAPMVM_VERSION/infrastructure-components.yaml"
type: "InfrastructureProvider"
- name: "cluster-api"
url: "$CAPI_BASE_PATH/cluster-api/$CAPI_VERSION/core-components.yaml"
type: "CoreProvider"
- name: "kubeadm"
url: "$CAPI_BASE_PATH/bootstrap-kubeadm/$CAPI_VERSION/bootstrap-components.yaml"
type: "BootstrapProvider"
- name: "kubeadm"
url: "$CAPI_BASE_PATH/control-plane-kubeadm/$CAPI_VERSION/control-plane-components.yaml"
type: "ControlPlaneProvider"
EOF
Execute make
using the following makefile to intialise capi in your cluster:
Expand to see Makefile contents
TF-Controller
Apply the following example manifest to deploy the terraform controller:
Expand to see file contents
Weave Gitops Enterprise
Update the following manifest to your context.
Expand to see file contents
At this stage you have a local management cluster with Weave Gitops Enterprise installed.
➜ kubectl get pods -A
NAMESPACE NAME READY STATUS RESTARTS AGE
...
flux-system weave-gitops-enterprise-cluster-controller-6f8c69dc8-tq994 2/2 Running 5 (12h ago) 13h
flux-system weave-gitops-enterprise-mccp-cluster-bootstrap-controller-cxd9c 2/2 Running 0 13h
flux-system weave-gitops-enterprise-mccp-cluster-service-8485f5f956-pdtxw 1/1 Running 0 12h
flux-system weave-gitops-enterprise-pipeline-controller-85b76d95bd-2sw7v 1/1 Running 0 13h
...
You can observe the installed Helm Charts with kubectl
kubectl get helmcharts.source.toolkit.fluxcd.io
NAME CHART VERSION SOURCE KIND SOURCE NAME AGE READY STATUS
flux-system-cert-manager cert-manager 0.0.7 HelmRepository weaveworks-charts 13h True pulled 'cert-manager' chart with version '0.0.7'
flux-system-tf-controller tf-controller 0.9.2 HelmRepository tf-controller 13h True pulled 'tf-controller' chart with version '0.9.2'
flux-system-weave-gitops-enterprise mccp v0.10.2 HelmRepository weave-gitops-enterprise-charts 13h True pulled 'mccp' chart with version '0.10.2'
As well as the container images
kubectl get pods --all-namespaces -o jsonpath="{.items[*].spec['containers','initContainers'][*].image}" |tr -s '[[:space:]]' '\n' \
| sort | uniq | grep -vE 'kindest|etcd|coredns'
docker.io/prom/prometheus:v2.34.0
docker.io/weaveworks/cluster-controller:v1.4.1
docker.io/weaveworks/weave-gitops-enterprise-clusters-service:v0.10.2
docker.io/weaveworks/weave-gitops-enterprise-ui-server:v0.10.2
ghcr.io/fluxcd/flagger-loadtester:0.22.0
ghcr.io/fluxcd/flagger:1.21.0
ghcr.io/fluxcd/helm-controller:v0.23.1
ghcr.io/fluxcd/kustomize-controller:v0.27.1
ghcr.io/fluxcd/notification-controller:v0.25.2
...
Collect and publish artifacts
This section guides you to push installed artifacts to your private registry. The following Makefile is supplied to help you with each stage.
Expand to see Makefile contents
The image-sync.sh
referenced in the images
target of the the above Makefile
is similar to:
skopeo copy docker://$1 docker://$2/$1 --preserve-digests --multi-arch=all
Skopeo allows you to configure a range a security features to meet your requirements. For example, configuring trust policies before pulling or signing containers before making them available in your private network. Feel free to adapt the previous script to meet your security needs.
- Configure the environment variables to your context.
- Execute
make
to automatically sync helm charts and container images.
➜ resources git:(docs-airgap-install) ✗ make
kubectl get microvmmachinetemplates --all-namespaces -o jsonpath="{.items[*].spec.template.spec.kernel.image}"|tr -s '[[:space:]]' '\n' \
| sort | uniq | xargs -L 1 -I {} ./image-pull-push.sh {} docker-registry:5000
5.10.77: Pulling from weaveworks-liquidmetal/flintlock-kernel
Digest: sha256:5ef5f3f5b42a75fdb69cdd8d65f5929430f086621e61f00694f53fe351b5d466
Status: Image is up to date for ghcr.io/weaveworks-liquidmetal/flintlock-kernel:5.10.77
ghcr.io/weaveworks-liquidmetal/flintlock-kernel:5.10.77
...5.10.77: digest: sha256:5ef5f3f5b42a75fdb69cdd8d65f5929430f086621e61f00694f53fe351b5d466 size: 739
Airgap Install
Weave Gitops Enterprise
At this stage you have in your private registry both the helm charts and container images required to install weave gitops enterprise.Now you are ready to install WGE from your private registry.
Follow the indications to install wge with the following considerations:
- Adjust Helm Releases
spec.chart.spec.sourceRef
to tell Flux to pull helm charts from your helm repo. - Adjust Helm Releases
spec.values
to use the container images from your private registry.
An example of how it would look like for Weave Gitops Enterprise is shown below.
Expand to view example WGE manifest
Cluster API
Indicate in the cluster api configuration file clusterctl.yaml
that you want to use images from the private repo
by leveraging image overrides.
images:
all:
repository: localhost:5001/registry.k8s.io/cluster-api
infrastructure-microvm:
repository: localhost:5001/ghcr.io/weaveworks-liquidmetal
Then execute make clusterctl-init
to init capi using your private registry.