VMware vSphere Airgap Instructions

This guide provides instructions for preparing your airgap environment for a Palette VerteX installation, by ensuring you complete all the required preparatory steps 1 and 2 shown in the diagram. The installation process is covered in the respective installation guides for each platform.

Prepare Airgap Installation

Use the following steps to prepare your airgap environment for a VerteX installation.

tip

Carefully review the prerequisites section before proceeding. This will save you time and frustration. Each prerequisite is required for a successful installation.

Prerequisites

• An x86 Linux jumpbox or bastion host with connectivity to the target platform where you are installing VerteX.

• 30 GB of disk space available for the airgap setup binary and temporary files. The uncompressed airgap content is approximately 20 GB.

• An OCI registry such as Harbor or AWS ECR to store VerteX images and packages. The OCI registry must be accessible from the VMware vSphere environment. We have verified the installation against Harbor and AWS ECR. Other OCI registries may work but have not been tested.

  caution

  Ensure the OCI registries are set up with HTTPS. AWS ECR is enabled with HTTPS by default. Harbor requires you to enable HTTPS. If you are using Harbor, you must enable HTTPS to authenticate with the registry. Refer to the Harbor documentation for guidance.

• An HTTP file server to host the VerteX manifest. The file server must be accessible from the target environment where VerteX will be installed. Below is a list of common HTTP file servers:

  • Apache HTTP Server

  • Nginx

  • Caddy

  
  
  caution

  Take the necessary steps to secure your file server and ensure it can automatically recover from a failure. The file server is a critical component of the airgap installation and must be available post-install for VerteX to function properly.

• jq - Command-line JSON processor installed and available. Refer to the jq download page for guidance.

• To interact with the OCI registry, you must have the following tools installed and available.

  • AWS CLI v2 - Required for AWS ECR.

  • Oras CLI v1.0.0 - This version is explicitly required for the setup script.

  • zip - required for the setup script.

  • unzip - or equivalent for extracting the manifest content from the airgap setup binary.

• Palette CLI installed and available. Refer to the Palette CLI Install page for guidance.

• Review the required vSphere permissions. Ensure you have created the proper custom roles and zone tags. Zone tagging is required for dynamic storage allocation across fault domains when provisioning workloads that require persistent storage. Refer to Zone Tagging for information.

info

Self-hosted VerteX installations provide a system Private Cloud Gateway (PCG) out-of-the-box and typically do not require a separate, user-installed PCG. However, you can create additional PCGs as needed to support provisioning into remote data centers that do not have a direct incoming connection to VerteX. To learn how to install a PCG on VMware, check out the VMware guide.

Instructions

Complete the following steps before deploying the airgap VerteX installation.

1. Log in to your vCenter environment.

2. Create a vSphere VM and Template folder with the name spectro-templates. Ensure this folder is accessible by the user account you will use to deploy the airgap VerteX installation.

3. Use the URL below to import the Operating System and Kubernetes distribution OVA required for the install. Place the OVA in the spectro-templates folder. Refer to the Import Items to a Content Library guide for information about importing an OVA in vCenter.

   https://vmwaregoldenimage-console.s3.us-east-2.amazonaws.com/u-2004-0-k-12510-fips.ova

4. Append an r_ prefix to the OVA name after the import. For example, r_u-2004-0-k-12510-fips.ova. This prefix is required for the install process to identify the OVA. Refer to the Supplement Packs page for a list of additional OVAs you can download and upload to your vCenter environment.

5. In your OCI registry, create a repository with the name spectro-packs and ensure the repository is private. This repository will host the VerteX Packs.

   • Refer to the Create Projects guide for information about creating a repository in Harbor.
   • Refer to the Create a repository guide for information about creating a repository in AWS ECR.

6. In your OCI registry, create another repository with the name spectro-images and ensure the repository is public. The repositry will host VerteX images.

7. Download the Certificate Authority (CA) for your OCI registry. You will need to provide the CA during the installation process. Otherwise, you may encounter errors when authenticating with the OCI registry, which could result in an incomplete install.

8. Log in to the Linux environment where you will download the airgap binaries and complete the remaining steps, including the VerteX installation.

9. Authenticate with your OCI registry and acquire credentials to both repositories you created earlier. You will need these credentials when deploying the airgap VerteX installation.

   Harbor

   Use oras to log in to your OCI registry. Replace the values below with your environment configuration values. Check out the oras login documentation for information about additional CLI flags and examples.

   oras login X.X.X.X --user 'yourUserNameHere' --password 'yourPasswordHere' 

   If you are using a Harbor registry with a self-signed certificate, you will need to add the --insecure flag to the oras command.

   oras login X.X.X.X --insecure --user 'yourUserNameHere' --password 'yourPasswordHere'

   AWS ECR

   You can acquire the AWS ECR authentication command from the AWS ECR console. From the ECR repository details page, click on the View push commands button to access the command. Refer to the AWS ECR Authentication documentation for more information.

   Below is the command you will use to authenticate to AWS ECR. The output of the aws command is passed to oras to authenticate with the ECR registry. Replace the values below with your environment configuration values.

   aws ecr get-login-password --region xxxxx | oras login --username AWS --password-stdin 1234567890.dkr.ecr.us-east-1.amazonaws.com

   For the public image repository, use the docker CLI instead of using oras. Replace the values below with your environment configuration values.

   aws ecr-public get-login-password --region xxxxx | docker login --username AWS --password-stdin public.ecr.aws/xxxxxxx
   tip

   Be aware of the timeout period for the authentication token. The process of uploading images and packages to the OCI registry can take a approximately an hour. If the authentication token expires, you will need to re-authenticate to the OCI registry and restart the upload process.

---

10. The airgap setup binary requires a set of environment variables to be available and populated. The environment variables will be different depending on the OCI registry you are using. Select the OCI registry and populate the environment variables accordingly.

    Harbor

    
    

    • OCI_IMAGE_REGISTRY: The IP address or domain name of the OCI registry.

    • OCI_PACK_BASE: The namespace or repository name that hosts the VerteX Packs.

    • OCI_PACK_REGISTRY: The IP address or domain name of the OCI registry.

    • OCI_IMAGE_BASE: The namespace or repository name that hosts the VerteX images.

      export OCI_IMAGE_REGISTRY=<harbor-endpoint> 
      export OCI_PACK_BASE=spectro-packs  
      export OCI_PACK_REGISTRY=<harbor-endpoint>
      export OCI_IMAGE_BASE=spectro-images 

      Example

      export OCI_IMAGE_REGISTRY=example.internal.com
      export OCI_PACK_BASE=spectro-packs
      export OCI_PACK_REGISTRY=10.10.100.48
      export OCI_IMAGE_BASE=spectro-images

    AWS ECR

    
    

    • ECR_IMAGE_REGISTRY: The IP address or domain name of the public OCI registry for images.

    • ECR_IMAGE_BASE: The namespace or repository name that hosts the VerteX images.

    • ECR_IMAGE_REGISTRY_REGION: The AWS region where the ECR registry is located.

    • ECR_PACK_BASE: The namespace or repository name that hosts the VerteX Packs.

    • ECR_PACK_REGISTRY: The IP address or domain name of the OCI registry.

    • ECR_PACK_REGISTRY_REGION: The AWS region where the ECR registry is located.

      export ECR_IMAGE_REGISTRY=<ecr-endpoint>
      export ECR_IMAGE_BASE=spectro-images
      export ECR_IMAGE_REGISTRY_REGION=us-east-1
      export ECR_PACK_REGISTRY=<ecr-endpoint>
      export ECR_PACK_BASE=spectro-packs
      export ECR_PACK_REGISTRY_REGION=us-east-1

      Example

      export ECR_IMAGE_REGISTRY=public.ecr.aws/1234567890
      export ECR_IMAGE_BASE=spectro-images
      export ECR_IMAGE_REGISTRY_REGION=us-east-1
      export ECR_PACK_REGISTRY=123456789.dkr.ecr.us-east-1.amazonaws.com
      export ECR_PACK_BASE=spectro-packs
      export ECR_PACK_REGISTRY_REGION=us-east-1

---

11. Download the airgap setup binary. Replace the placeholder values in the commands below with the recommended version and credentials that our support team provides.

    VERSION=4.1.6

    curl --user XXXXX:YYYYYYY https://software-private.spectrocloud.com/airgap-fips/$VERSION/airgap-fips-v$VERSION.bin  \
    --output airgap-fips-v$VERSION.bin

12. Update the airgap setup binary permissions to allow execution. Replace the file name below with the name of the airgap setup binary you downloaded.

    chmod +x airgap-fips-v$VERSION.bin

13. Start the airgap setup binary. Replace the file name below with the name of the airgap setup binary you downloaded.

    ./airgap-fips-v$VERSION.bin

    Upon completion, a success message will be displayed. The output is condensed for brevity.

    Verifying archive integrity...  100%   MD5 checksums are OK. All good.
    Uncompressing Airgap Setup - Version 4.0.17  100%
    Setting up Packs
    - Pushing Pack cni-calico:3.25.1
    ...
    Setting up Images
    - Pushing image docker.io/kindest/kindnetd:v20230227-15197099
    - Pushing image gcr.io/cloud-provider-vsphere/cpi/release/manager:v1.22.8
    .....
    Preparing Manifests Archive
    Manifests are available in /tmp/spectro-manifests-1696971110.zip. Extract the archive to a file server to serve as a Spectro Cloud Repository
    Setup Completed
    info

    If you encounter an error during the airgap setup process, verify the required environment variables are set and populated correctly. If you are still having issues, reach out to our support team for assistance.

14. Move the manifest file located in your temporary directory to the location of your file server. Unzip the manifest file to a folder accessible by the file server. Replace the file name below with the name of the manifest file provided to you by the airgap setup.

    unzip spectro-manifests-XXXXXXXXXXXX.zip -d /target/folder
    tip

    If you want to get started quickly with a file server, install Caddy or use Python3's http sever and issue one of the following commands in the folder where you unzipped the manifest content. Each command will start a file server on port 2015.

    caddy file-server --listen :2015 --browse

    python3 -m http.server 2015

    We do not recommend serving the manifest content over HTTP, but it is an option if you want to get started quickly. For production workloads, enable HTTPS on your file server.

15. Review the additional packs available for download. The supplemental packs are optional and not required for a successful installation. However, to create cluster profiles you may require several of the packs available for download. Refer to the Additional Packs resource for a list of available packs.

16. Once you select the packs you want to install, download the pack binaries and start the binary to initiate the upload process.

    In the example below, the airgap-fips-pack-amazon-linux-eks-1.0.0.bin binary is downloaded and started.

    chmod +x airgap-fips-pack-amazon-linux-eks-1.0.0.bin && \
    ./airgap-fips-pack-amazon-linux-eks-1.0.0.bin

      Verifying archive integrity...  100%   MD5 checksums are OK. All good.
      Uncompressing Airgap Pack - amazon-linux-eks Version 4.0.17  100%
      Setting up Packs
      - Pushing Pack amazon-linux-eks:1.0.0
      Setup Completed

17. Repeat step 16 for each pack you want to install.

You now have completed the preparation steps for an airgap installation. Check out the Validate section to ensure the airgap setup process completed successfully.

Validate

Use the following steps to validate the airgap setup process completed successfully.

1. Log in to your OCI registry and verify the VerteX images and packs are available.

2. Verify the manifest file is accessible from the file server. The manifest file is required for the VerteX installation process. The screenshot below is an example of a file server hosting the unzipped manifest content. The example is using Caddy as the file server.

   

3. Ensure your file server is accessible from the environment in which you are installing VerteX. Use the following command to verify the manifest content is accessible from the file server. Replace the hostname or IP address below with your file server hostname or IP address.

   curl http://<hostname>:<port>/roar/nickfury/versions.yaml

     versions:
     - version: "3.3"
       filepath: "/roar/nickfury/3.3/version.yaml"
       patchVersionsFilepath: "/roar/nickfury/3.3/versions.yaml"
     - version: "3.4"
       filepath: "/roar/nickfury/3.4/version.yaml"
       patchVersionsFilepath: "/roar/nickfury/3.4/versions.yaml"
     - version: "4.0"
       filepath: "/roar/nickfury/4.0/version.yaml"
       patchVersionsFilepath: "/roar/nickfury/4.0/versions.yaml"

Next Steps

You are now ready to deploy the airgap VerteX installation. You will specify your OCI registry and file server during the installation process. Refer to the VMware Install Instructions guide for detailed guidance on installing VerteX.