Install Gloo in air-gapped environments

You can install Gloo Platform in an air-gapped environment, such as an on-premises datacenter, clusters that run on an intranet or private network only, or other disconnected environments.

Before you begin

Before you begin, set up the following prerequisites.

Set up your environment for an air-gapped installation

Make sure that your environment accounts for the following components of an air-gapped installation.

Connected and disconnected devices:

Private registry: To transfer the downloaded images from your connected device to your disconnected device, you commonly set up some sort of private registry. The registry might be local to a private network that both devices are connected to, or you might use a service such as Sonatype Nexus Repository or JFrog Artifactory. Your connected device can push the downloaded images to the private registry so that the disconnected device can pull these images during the Gloo Mesh Enterprise installation.

To set up your private registry, review the following considerations.

Install the required command-line interfaces

Your disconnected device also must have these CLI tools, which might be harder to install without a public internet connection. Follow each CLI's documentation for an air-gapped installation method. For example, you might follow a similar process to this procedure to download the CLI images to your connected device, transfer to a private registry, and install on the disconnected device.

Install in an air-gapped environment by using a private registry

The following steps provide an example when using a private registry. You can also download each image individually, as described in the Versions reference page, such as if you want to manually transfer the images to your air-gapped environment.

  1. Set an environment variable for the registry address that you want to use. The example is for a local registry to your connected device, but you might want to use a remote, private registry. If you need to set up credentials to the registry, consult your registry provider.

    registry=localhost:5000
    
  2. Set environment variables for the Gloo Istio and Gloo Mesh Enterprise versions that you want to use.

    For more information, such as to download hardened Solo or FIPS versions of the Istio image, see the Versions reference page.

    Example environment variables:

    export GLOO_VERSION=2.1.0
    export ISTIO_IMAGE=1.15.3
    export ISTIO_BOOKINFO_VERSION=1.16.2
    
  3. Download and run the script in the public solo-cop repository to list the images that you need for the Gloo Mesh Enterprise version that you want to install, such as 2.1.0. Include the --pull option to pull the images locally to your connected device.

    ./get-image-list 2.1.0 --pull
    

    Example output:

    Finding images for Gloo Mesh Enterprise version 2.1.0
    
    ###################################
    # Getting gloo-mesh-agent images #
    ###################################
    docker.io/library/redis:6
    gcr.io/gloo-mesh/gloo-mesh-agent:2.1.0
    quay.io/solo-io/ext-auth-service:0.19.1
    soloio/rate-limiter:0.4.3
    
    ###################################
    # Getting Gloo Mesh images        #
    ###################################
    docker.io/library/redis:5
    gcr.io/gloo-mesh/gloo-mesh-mgmt-server:2.1.0
    gcr.io/gloo-mesh/gloo-mesh-apiserver:2.1.0
    gcr.io/gloo-mesh/gloo-mesh-envoy:2.1.0
    gcr.io/gloo-mesh/gloo-mesh-ui:2.1.0
    gcr.io/gloo-mesh/rbac-webhook:2.1.0
    jimmidyson/configmap-reload:v0.5.0
    k8s.gcr.io/kube-state-metrics/kube-state-metrics:v1.9.8
    prom/pushgateway:v1.3.1
    quay.io/prometheus/alertmanager:v0.21.0
    quay.io/prometheus/node-exporter:v1.0.1
    quay.io/prometheus/prometheus:v2.24.0
    
    Pulling images locally
    6: Pulling from library/redis
    7d63c13d9b9b: Pull complete
    ...
    
  4. Pull the Gloo Istio images for the version of Istio that you want to use.

  5. Push the images from the connected device to a private registry that the disconnected device can pull from. For instructions and any credentials you must set up to complete this step, consult your registry provider, such as Nexus Repository Manager or JFrog Artifactory.

  6. Optional: You might want to set up your private registry so that you can also pull the Helm charts. For instructions, consult your registry provider, such as Nexus Repository Manager or JFrog Artifactory.

  7. When you install Gloo Mesh Enterprise and Istio, make sure to use the specific images that you downloaded and stored in your private registry in the previous steps. For installation steps, refer to the following guides:

    Example Helm installation command for management clusters: Note the --set flags to overwrite the default images to the images in the private registry.

    helm upgrade --install gloo-mesh-enterprise gloo-mesh-enterprise/gloo-mesh-enterprise \
    --namespace gloo-mesh --kube-context ${MGMT_CONTEXT} \
    --version=${GLOO_VERSION} \
    --set glooMeshMgmtServer.image.registry=${registry}/gloo-mesh \
    --set prometheus.configmapReload.prometheus.image.repository=${registry}/jimmidyson/configmap-reload \
    --set prometheus.server.image.repository=${registry}/prometheus/prometheus \
    --set glooMeshUi.image.registry=${registry}/gloo-mesh \
    --set glooMeshUi.sidecars.console.image.registry=${registry}/gloo-mesh \
    --set glooMeshUi.sidecars.envoy.image.registry=${registry}/gloo-mesh \
    --set glooMeshRedis.image.registry=${registry} \
    --set glooMeshLicenseKey=${GLOO_MESH_LICENSE_KEY} \
    

Next steps

Now that Gloo Mesh Enterprise and Istio are installed in your disconnected device, you can continue to register clusters by using Helm or meshctl. Keep in mind that because your environment is air-gapped, some tasks might require taking similar steps as described on this page, such as to Upgrade your version.