Air-Gap Installation
PREREQUISITES
- Docker
- Linux VM(s) running a Linux distribution and version listed by IFS in the Supported Platforms documentation, used for downloading and uploading docker images and helm charts.
- Wget Package (version 1.20.3 or above)
- A private registry secured with a username and a password
- The private registry should support Docker and Helm repositories
- Ensure that the certificate chains for jfrog.io and the private registry domain are trusted on the deployed servers.
STEPS TO RUN FOR THE AIR-GAPPED INSTALLATION
1. Copy the download.sh file in the ifsroot/artifact-download folder of the management server to the Non Air-Gapped Linux VM and make the file executable.
This script is used to download the required artifacts that should be uploaded to the private registry.
2. Run the download script to save docker images and helm charts to local disk.
In this step, you will download and save all the necessary docker images and helm charts that are mentioned in the release.yml.
Run the download.sh script with the parameters below on a machine that has access to the internet.
-j or --jfrog-artifactory : jfrog artifactory url. eg:ifscloud.jfrog.io
-u or --username : username of artifact repository
-p or --password : password of artifact repository
-r or --release : release version of release.yml
-h or --helm-repository : helm repository name (eg: helm)
-d or --docker-registry : docker registry name (eg: docker)
--docker-port : Custom docker port
--helm-port : Custom helm port
You also need to specify the category of docker images or helm charts to be downloaded at the end of the same command.
--ifs-helm : Download and save helm charts in ifs-helm section
--ifs-docker : Pull and save docker images in ifs-docker section
--ifs-docker-infra : Pull and save docker images in ifs-docker-infra section
--ifs-all : Download all helm charts and docker images mentioned in the release.yml. This is the default download method if you have not specified an option
examples -
Download helm charts only
./download.sh -u your_username -p your_password -j jfrog_artifactory_url -r x.y.z --ifs-helm
Download helm charts only with a non-default helm port from an intermediate private registry
./download.sh -u your_username -p your_password -j private_registry_url:port_number -h repository/helm -r x.y.z --ifs-helm
or
./download.sh -u your_username -p your_password -j private_registry_url -h repository/helm --helm-port port_number -r x.y.z --ifs-helm
Download Docker images only
./download.sh -u your_username -p your_password -j jfrog_artifactory_url -r x.y.z --ifs-docker
./download.sh -u your_username -p your_password -j jfrog_artifactory_url -r x.y.z --ifs-docker-infra
Download docker images only with a non-default docker port from an intermediate private registry
./download.sh -u your_username -p your_password -j private_registry_url:port_number -d docker -r x.y.z --ifs-docker
or
./download.sh -u your_username -p your_password -j private_registry_url -d docker --docker-port port_number -r x.y.z --ifs-docker
Download all helm charts and docker images
./download.sh -u your_username -p your_password -j private_registry_url:8443 -h repository/helm -d docker --docker-port 8444 -r x.y.z --ifs-all
or
./download.sh -u your_username -p your_password -j private_registry_url -h repository/helm --helm-port 8443 -d docker --docker-port 8444 -r x.y.z --ifs-all
For "-j jfrog_artifactory_url", specify ifscloud.jfrog.io or the domain of the customer's intermediate private registry. If the customer has an intermediate private registry with a RemoteArtifactUri (e.g: https://registry.yourdomain.com:8443) and a RemoteArtifactDockerRepo (e.g: registry.yourdomain.com:8444) in which the docker repository port (e.g: 8444) is different from the helm repository port (e.g: 8443), then either give jfrog_artifactory_url in the format private_registry_url:port_number (e.g: registry.yourdomain.com:8444) to download only docker images, or use the --docker-port parameter to specify the docker registry port separately.
For "-h helm", specify the helm repository (if using a private registry).
For "--helm-port 8443", specify the helm registry port (if using a private registry).
For "-d docker", specify the docker registry (if using a private registry).
For "--docker-port 8444", specify the docker registry port (if using a private registry).
For "-r x.y.z", combine the release number "x.y" and the service update "z" as "x.y.z".
In place of "--ifs-helm", use one of --ifs-helm, --ifs-docker, --ifs-docker-infra or --ifs-all.
Docker images are saved in a directory called docker, and helm charts are saved in a directory called helm.
NOTE: To avoid the security risk of entering the username and/or password in the terminal, as a best practice use a script of your own to fetch them from a secure storage for secrets (e.g: a vault):
./download.sh -u $(./some_script_to_fetch_username) -p $(./some_script_to_fetch_password) -j jfrog_artifactory_url -r x.y.z --ifs-helm
3. Copy the upload.sh file in the ifsroot/artifact-download folder of the management server to the Air-Gapped Linux VM and make the file executable.
This script is used to upload the required artifacts to the private registry.
4. Copy the downloaded artifacts from Non Air-Gapped Linux VM to Air-Gapped Linux VM.
If the target private registry is in a location with restricted access where the target server can’t reach ifscloud.jfrog.io, then files x.y.z-latest.yaml and x.y.z.yaml need to be copied along with download.sh to use private registries. The 'helm' and 'docker' folders can be copied to a target server via a USB or other storage device.
Copy the files x.y.z-latest.yaml and x.y.z.yaml and the 'helm' and 'docker' folders, keeping the required folder structure, to the Air-Gapped Linux VM.
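The artifacts cross the air gap on removable media in this step, so it is worth confirming on the Air-Gapped VM that what arrived is exactly what download.sh saved. The following is an added example, not part of the IFS scripts; it assumes GNU coreutils, a hypothetical manifest name artifacts.sha256, and that the release YAML files sit beside the helm and docker directories.

```sh
#!/bin/sh
# Added example, not part of download.sh or upload.sh.
set -eu

MANIFEST="artifacts.sha256"   # hypothetical manifest file name

# Non Air-Gapped VM, in the directory holding download.sh's output:
# hash every file under helm/ and docker/ plus the release *.yaml files.
create_manifest() (
  cd "$1" || exit 1
  dirs=""
  for d in helm docker; do
    if [ -d "$d" ]; then dirs="$dirs $d"; fi
  done
  [ -n "$dirs" ] || { echo "no helm/ or docker/ directory in $1" >&2; exit 1; }
  {
    find $dirs -type f -print0   # unquoted on purpose: fixed names only
    find . -maxdepth 1 -type f -name '*.yaml' -print0
  } | sort -z | xargs -0 -r sha256sum > "$MANIFEST"
)

# Air-Gapped VM, before upload.sh: fail if a listed file is missing or
# altered, or if helm/ or docker/ holds a file the manifest does not list.
verify_manifest() (
  cd "$1" || exit 1
  if ! out=$(sha256sum -c "$MANIFEST" 2>&1); then
    printf '%s\n' "$out" | grep -v ': OK$' >&2
    exit 1
  fi
  listed=$(cut -c67- "$MANIFEST")   # path follows 64 hex chars + 2 separators
  extra=$(
    for d in helm docker; do
      if [ -d "$d" ]; then find "$d" -type f; fi
    done | while IFS= read -r f; do
      printf '%s\n' "$listed" | grep -qxF -- "$f" || printf '%s\n' "$f"
    done
  )
  if [ -n "$extra" ]; then
    printf 'not in manifest:\n%s\n' "$extra" >&2
    exit 1
  fi
)

# Usage: ./manifest.sh create DIR   |   ./manifest.sh verify DIR
case "${1:-}" in
  create) create_manifest "${2:-.}" ;;
  verify) verify_manifest "${2:-.}" && echo "artifacts match manifest" ;;
esac
```

Carry the manifest, or its own hash, by a separate channel from the artifacts. A manifest stored on the same medium only detects accidental corruption.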
5. Run the upload script to upload docker images and helm charts from local disk to the artifact repository.
In this step, you will upload docker images and helm charts that reside on docker and helm directories in the local disk to a specified repository.
Run upload.sh script with the below parameters:
-a or --artifactory : domain name of the artifact repository to which you need to upload artifacts (eg: registry.yourdomain.com)
-u or --username : username of the artifact repository
-p or --password : password of the artifact repository
-r or --helm-repository : helm repository name (eg: helm)
-d or --docker-registry : docker registry name (eg: docker)
You can specify the artifacts that you need to upload from the options indicated below:
--helm : will upload all helm charts in the helm directory
--docker : will upload all docker images in the docker directory
--all : will upload all helm charts and docker images
If not specified, all helm charts and docker images will be uploaded to the given repository.
examples -
Upload helm charts and docker images
./upload.sh -a registry.yourdomain.com -u your_username -p your_password -r your_helm_repository -d docker-registry --all
NOTE: To avoid the security risk of entering the username and/or password in the terminal, as a best practice use a script of your own to fetch them from a secure storage for secrets (e.g: a vault):
./upload.sh -a artifactory -u $(./some_script_to_fetch_username) -p $(./some_script_to_fetch_password) -r your_helm_repository -d docker-registry --all
Upload helm charts only
./upload.sh -a registry.yourdomain.com -u your_username -p your_password -r your_helm_repository --helm
Upload helm charts only where the docker repository port is different from the helm repository port:
./upload.sh -a registry.yourdomain.com:port_number -u your_username -p your_password -r your_helm_repository --helm
Upload docker images only
./upload.sh -a registry.yourdomain.com -u your_username -p your_password -d docker-registry --docker
Upload docker images only where the docker repository port is different from the helm repository port:
./upload.sh -a registry.yourdomain.com:port_number -u your_username -p your_password -d docker-registry --docker
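The NOTEs in steps 2 and 5 call for a script of your own that fetches the credentials. One possible shape for such a script, as an added example that is not part of the IFS tooling: it assumes the secret sits in a file owned by the calling user with mode 600 or 400, and a call to your vault's client would take the place of the file read.

```sh
#!/bin/sh
# Added example: one possible shape for "some_script_to_fetch_password".
# Assumption: the secret is the first line of a file owned by the calling
# user with mode 600 or 400; a vault client call would replace the read.
set -eu

fetch_secret() {
  file="$1"
  if [ -L "$file" ] || [ ! -f "$file" ]; then
    echo "refusing $file: not a regular file" >&2; return 1
  fi
  if [ "$(stat -c '%u' "$file")" != "$(id -u)" ]; then
    echo "refusing $file: not owned by the calling user" >&2; return 1
  fi
  mode=$(stat -c '%a' "$file")
  case "$mode" in
    600|400) ;;
    *) echo "refusing $file: mode $mode is not 600 or 400" >&2; return 1 ;;
  esac
  # Read the first line only and print it without a trailing newline.
  IFS= read -r secret < "$file" || true
  if [ -z "$secret" ]; then
    echo "refusing $file: empty secret" >&2; return 1
  fi
  printf '%s' "$secret"
}

# Stand-alone use: ./fetch_secret.sh /path/to/secret-file
if [ "$#" -eq 1 ]; then fetch_secret "$1"; fi
```

Command substitution keeps the password out of the shell history, but the expanded value is still an argument of download.sh or upload.sh and is visible in the process list while the script runs.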
6. Clean up on both VMs after pushing artifacts to the private registry.
Remove the 'download.sh' and 'upload.sh' scripts.
Remove 'helm' and 'docker' directories.
7. Go to the main_config.json and change the variables for the private registry.
In the main_config.json file, located inside the config folder, change the following variables to your values.
"RemoteArtifactUri"
"RemoteArtifactDockerRepo"
"RemoteArtifactDockerRepoPath"
"RemoteArtifactHelmRepoName"
"RemoteArtifactHelmRepo"
These variables are further described in the Main Configuration Parameters File. Please refer to the document for further information.
example -
For a private registry where the helm repo exists at https://registry.yourdomain.com/repository/your_helm_repository:8443 and the docker repo exists at https://registry.yourdomain.com:8444
"RemoteArtifactUri": "https://registry.yourdomain.com:8443",
"RemoteArtifactDockerRepo": "registry.yourdomain.com:8444",
"RemoteArtifactDockerRepoPath": "your_docker_registry",
"RemoteArtifactHelmRepoName": "registry.yourdomain.com",
"RemoteArtifactHelmRepo": "repository/your_helm_repository",
8. Install Remote Infrastructure
Refer to the installation steps in Quick Installation.