DEV Community

Dean
Dean

Posted on • Originally published at veducate.co.uk on

Kasten K10 – Air gap installation using Harbor Image Registry

In this blog post, I will cover the steps for an air-gap installation for Kasten K10. For situations where your Kubernetes cluster doesn’t have available internet access to pull down the container images directly from their online locations.

Pre-requisites
  • Image Registry that is accessible by your Kubernetes cluster
  • Client that has access to download the container images and then to the Image Registry
    • In this example, I am using my local machine which has docker installed.
  • Helm downloaded
    • Run the following to get the helm files locally for the install.
helm repo update && \
    helm fetch kasten/k10 --version=<k10-version>

**Example for Kasten K10 4.5.0**

helm repo update && \ 
    helm fetch kasten/k10 --version=4.5.0

This will download a file, for example "k10-4.5.0.tgz"
Enter fullscreen mode Exit fullscreen mode
Log into your Image Registry

First you need to ensure that your docker client (or similar) has authenticated to your Image Registry which your air-gap Kubernetes cluster can access.

When using Harbor and Docker, I typically use this method with a robot account for programmatic access.

However, when running the Kasten tooling which we’ll discuss next, I kept hitting an error.

54e42005468d: Waiting  File=kasten.io/k10/kio/tools/k10offline/k10offline.go Function=kasten.io/k10/kio/tools/k10offline.PushK10Images Line=179 hostname=3ffc0162e190

Error: {"message":"Failed to push K10 container images to harbor-repo.veducate.co.uk/deanl","function":"main.pullImages","linenumber":171,"cause":{"message":"Failed to push","function":"kasten.io/k10/kio/tools/k10offline.PushK10Images","linenumber":181,"fields":[{"name":"image","value":"harbor-repo.veducate.co.uk/deanl/kanister-tools:k10-0.69.0"}],"cause":{"Stderr":" **dW5hdXRob3JpemVkOiB1bmF1dGhvcml6ZWQgdG8gYWNjZXNzIHJlcG9zaXRvcnk6IGRlYW5sL2thbmlzdGVyLXRvb2xzLCBhY3Rpb246IHB1c2g6IHVuYXV0aG9yaXplZCB0byBhY2Nlc3MgcmVwb3NpdG9yeTogZGVhbmwva2FuaXN0ZXItdG9vbHMsIGFjdGlvbjogcHVzaAo=**"}}}

**Base64 decode the message above in light bold provides you the response:**

unauthorized: unauthorized to access repository: deanl/kanister-tools, action: push: unauthorized to access repository: deanl/kanister-tools, action: push
Enter fullscreen mode Exit fullscreen mode

To resolve this, I had to remove the credsStore line from my ~/.docker/config.json file. Then log into my Harbor registry using the above method.

  • This does mean your auth account details are stored in a JSON file locally.

docker login - remove credsStore

Pull down the Kasten K10 images locally and Push to internal Air-Gap Image Registry

Kasten has provided an easy-to-use tool which can run locally on your docker client to make pulling the necessary images simple.

docker run --rm -ti -v /var/run/docker.sock:/var/run/docker.sock \
    -v ${HOME}/.docker:/root/.docker \
    gcr.io/kasten-images/k10offline: **{TAG}** pull images

# Example with Tag

docker run --rm -ti -v /var/run/docker.sock:/var/run/docker.sock \
    -v ${HOME}/.docker:/root/.docker \
    gcr.io/kasten-images/k10offline:4.5.0 pull images
Enter fullscreen mode Exit fullscreen mode

By specifying the appropriate tag, you this will use a container image to pull down all the containers and store them within your docker client. To push to an internal repo, you simply add the argument:

--newrepo {repo url}
Enter fullscreen mode Exit fullscreen mode

For example:

docker run --rm -ti -v /var/run/docker.sock:/var/run/docker.sock \
    -v ${HOME}/.docker:/root/.docker \
    gcr.io/kasten-images/k10offline:4.5.0 pull images --newrepo harbor-repo.veducate.co.uk/deanl
Enter fullscreen mode Exit fullscreen mode

The below image shows the tool download containers and pushing them to the repo.

docker run k10offline-4.5.0 pull images --newrepo

Here are my images in Harbor.

harbor - kasten images

Installing Kasten K10 with a local Helm Chart and Container Images

Create your Kasten namespace

kubectl create namespace kasten-io
Enter fullscreen mode Exit fullscreen mode

Then run the following Helm command

helm install k10 k10-4.5.0.tgz --namespace kasten-io \
--set global.airgapped.repository= **{registry URL}**

# Example

helm install k10 k10-4.5.0.tgz --namespace kasten-io \
  --set global.airgapped.repository=harbor-repo.veducate.co.uk/deanl
Enter fullscreen mode Exit fullscreen mode

air gap - helm install k10 k10-4.5.0.tgz --set global.airgapped.repository

We can now watch the pods start by using the command:

kubectl get pods -n kasten-io -w
Enter fullscreen mode Exit fullscreen mode

air gap - kubectl get pods -n kasten-io -w

We can check these are coming from our local image repository by running the describe command against one of our pods.

air gap - describe pod - pulled from airgap repo

Finally, we can also see pulls in our Harbor image registry as well.

harbor - kasten image pulls

Summary

Kasten has made it easy to perform an air-gap internet restricted installation of their software in a Kubernetes cluster, made especially easy thanks to the little k10offline tool you run in your docker client to grab the necessary images for you.

I did hit that little authentication issue where I had to remove the credsStore in docker, due to the way the tool reads the Image Registry auth details. I messaged the Kasten support team about this and they were quick to give me the workaround I documented earlier.

I’m not going to say outside of this I did anything more than follow the Kasten docs on the subject. But I always feel sometimes it’s good to add some more context and colour with screenshots and using real environments to demonstrate these capabilities and configurations.

Regards

Follow @Saintdle

Dean Lewis

The post Kasten K10 – Air gap installation using Harbor Image Registry appeared first on vEducate.co.uk.

Discussion (0)