Kasten K10 Header

Kasten K10 – Air gap installation using Harbor Image Registry

In this blog post, I will cover the steps for an air-gap installation for Kasten K10. For situations where your Kubernetes cluster doesn’t have available internet access to pull down the container images directly from their online locations.

Pre-requisites
  • Image Registry that is accessible by your Kubernetes cluster
  • Client that has access to download the container images and then to the Image Registry
    • In this example, I am using my local machine which has docker installed.
  • Helm downloaded
    • Run the following to get the helm files locally for the install.
helm repo update && \
    helm fetch kasten/k10 --version=<k10-version>

Example for Kasten K10 4.5.0

helm repo update && \ 
    helm fetch kasten/k10 --version=4.5.0

This will download a file, for example "k10-4.5.0.tgz"
Log into your Image Registry

First you need to ensure that your docker client (or similar) has authenticated to your Image Registry which your air-gap Kubernetes cluster can access.

When using Harbor and Docker, I typically use this method with a robot account for programmatic access.

However, when running the Kasten tooling which we’ll discuss next, I kept hitting an error.

54e42005468d: Waiting  File=kasten.io/k10/kio/tools/k10offline/k10offline.go Function=kasten.io/k10/kio/tools/k10offline.PushK10Images Line=179 hostname=3ffc0162e190

Error: {"message":"Failed to push K10 container images to harbor-repo.veducate.co.uk/deanl","function":"main.pullImages","linenumber":171,"cause":{"message":"Failed to push","function":"kasten.io/k10/kio/tools/k10offline.PushK10Images","linenumber":181,"fields":[{"name":"image","value":"harbor-repo.veducate.co.uk/deanl/kanister-tools:k10-0.69.0"}],"cause":{"Stderr":"dW5hdXRob3JpemVkOiB1bmF1dGhvcml6ZWQgdG8gYWNjZXNzIHJlcG9zaXRvcnk6IGRlYW5sL2thbmlzdGVyLXRvb2xzLCBhY3Rpb246IHB1c2g6IHVuYXV0aG9yaXplZCB0byBhY2Nlc3MgcmVwb3NpdG9yeTogZGVhbmwva2FuaXN0ZXItdG9vbHMsIGFjdGlvbjogcHVzaAo="}}}

Base64 decode the message above in light bold provides you the response:

unauthorized: unauthorized to access repository: deanl/kanister-tools, action: push: unauthorized to access repository: deanl/kanister-tools, action: push

To resolve this, I had to remove the credsStore line from my ~/.docker/config.json file. Then log into my Harbor registry using the above method.

  • This does mean your auth account details are stored in a JSON file locally.

docker login - remove credsStore

Pull down the Kasten K10 images locally and Push to internal Air-Gap Image Registry

Kasten has provided an easy-to-use tool which can run locally on your docker client to make pulling the necessary images simple.

docker run --rm -ti -v /var/run/docker.sock:/var/run/docker.sock \
    -v ${HOME}/.docker:/root/.docker \
    gcr.io/kasten-images/k10offline:{TAG} pull images

# Example with Tag

docker run --rm -ti -v /var/run/docker.sock:/var/run/docker.sock \
    -v ${HOME}/.docker:/root/.docker \
    gcr.io/kasten-images/k10offline:4.5.0 pull images

By specifying the appropriate tag, you this will use a container image to pull down all the containers and store them within your docker client. To push to an internal repo, you simply add the argument:

--newrepo {repo url}

For example:

docker run --rm -ti -v /var/run/docker.sock:/var/run/docker.sock \
    -v ${HOME}/.docker:/root/.docker \
    gcr.io/kasten-images/k10offline:4.5.0 pull images --newrepo harbor-repo.veducate.co.uk/deanl

The below image shows the tool download containers and pushing them to the repo.

docker run k10offline-4.5.0 pull images --newrepo

Here are my images in Harbor.

harbor - kasten images

Installing Kasten K10 with a local Helm Chart and Container Images

Create your Kasten namespace

kubectl create namespace kasten-io

Then run the following Helm command

helm install k10 k10-4.5.0.tgz --namespace kasten-io \
--set global.airgapped.repository={registry URL}

# Example

helm install k10 k10-4.5.0.tgz --namespace kasten-io \
  --set global.airgapped.repository=harbor-repo.veducate.co.uk/deanl

air gap - helm install k10 k10-4.5.0.tgz --set global.airgapped.repository

We can now watch the pods start by using the command:

kubectl get pods -n kasten-io -w

air gap - kubectl get pods -n kasten-io -w

We can check these are coming from our local image repository by running the describe command against one of our pods.

air gap - describe pod - pulled from airgap repo

Finally, we can also see pulls in our Harbor image registry as well.

harbor - kasten image pulls

Summary

Kasten has made it easy to perform an air-gap internet restricted installation of their software in a Kubernetes cluster, made especially easy thanks to the little k10offline tool you run in your docker client to grab the necessary images for you.

I did hit that little authentication issue where I had to remove the credsStore in docker, due to the way the tool reads the Image Registry auth details. I messaged the Kasten support team about this and they were quick to give me the workaround I documented earlier.

I’m not going to say outside of this I did anything more than follow the Kasten docs on the subject. But I always feel sometimes it’s good to add some more context and colour with screenshots and using real environments to demonstrate these capabilities and configurations.

Regards

Dean Lewis

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.