Air-gapped installation

You can install Gloo Mesh Enterprise in an air-gapped environment, such as an on-premises datacenter, clusters that run on an intranet or private network only, or other disconnected environments.

Before you begin

Before you begin, set up the following prerequisites.

Set up your environment for an air-gapped installation

Make sure that your environment accounts for the following components of an air-gapped installation.

Connected and disconnected devices:

Private registry: To transfer the downloaded images from your connected device to your disconnected device, you commonly set up some sort of private registry. The registry might be local to a private network that both devices are connected to, or you might use a service such as Sonatype Nexus Repository or JFrog Artifactory. Your connected device can push the downloaded images to the private registry so that the disconnected device can pull these images during the Gloo Mesh Enterprise installation.

To set up your private registry, review the following considerations.

Install the required command-line interfaces

Your disconnected device also must have these CLI tools, which might be harder to install without a public internet connection. Follow each CLI's documentation for an air-gapped installation method. For example, you might follow a similar process to this procedure: download the CLI images to your connected device, transfer them to a private registry, and install them on the disconnected device.

Install in an air-gapped environment by using a private registry

The following steps provide an example of using a private registry, based on this Airgap workshop. You can also download each image individually, as described in the Versions reference page, for example if you want to manually transfer the images to your air-gapped environment.

  1. Set an environment variable for the registry address that you want to use. The example uses a registry that is local to your connected device, but you might want to use a remote, private registry. If you need to set up credentials for the registry, consult your registry provider.

    registry=localhost:5000
    
  2. Set environment variables for the Gloo Mesh Istio and Gloo Mesh Enterprise versions that you want to use.

    For more information, such as to download hardened Solo or FIPS versions of the Istio image, see the Versions reference page.

    Example environment variables:

    export GLOO_MESH_VERSION=1.1.4
    export ISTIO_VERSION=1.10.4
    export ISTIO_BOOKINFO_VERSION=1.16.2
    
  3. Run or script the following commands to pull the images.

    For the highlighted lines, notice that the image names are manipulated to standardize the organization of the repository, such as to add docker.io/ to an image repository and tag. Depending on the settings of your proxy repository, you might have certain naming conventions that you can manually overwrite in the images.txt file. For more information, consult your registry provider, such as Nexus Repository Manager or JFrog Artifactory.

    For example, you might want to create your own organization in your private registry, such as gloo-mesh-images and then use only the image repository and tag for all the images in the images.txt, so that all the images are organized together instead of in subdirectories.

    Example commands to pull images:

       cat <<EOF > images.txt
       gcr.io/istio-enterprise/operator:$ISTIO_VERSION
       gcr.io/istio-enterprise/pilot:$ISTIO_VERSION
       gcr.io/istio-enterprise/proxyv2:$ISTIO_VERSION
       docker.io/istio/examples-bookinfo-productpage-v1:$ISTIO_BOOKINFO_VERSION
       docker.io/istio/examples-bookinfo-reviews-v1:$ISTIO_BOOKINFO_VERSION
       docker.io/istio/examples-bookinfo-reviews-v2:$ISTIO_BOOKINFO_VERSION
       docker.io/istio/examples-bookinfo-reviews-v3:$ISTIO_BOOKINFO_VERSION
       docker.io/istio/examples-bookinfo-details-v1:$ISTIO_BOOKINFO_VERSION
       docker.io/istio/examples-bookinfo-ratings-v1:$ISTIO_BOOKINFO_VERSION
       EOF
    
       # Download the enterprise-agent chart and list every image that its values.yaml files reference.
       wget https://storage.googleapis.com/gloo-mesh-enterprise/enterprise-agent/enterprise-agent-$GLOO_MESH_VERSION.tgz
       tar zxvf enterprise-agent-$GLOO_MESH_VERSION.tgz
       find enterprise-agent -name "values.yaml" | while read -r file; do
       cat "$file" | yq eval -j | jq -r '.. | .image? | select(. != null) | (if .registry then (if .registry == "docker.io" then "docker.io/library" else .registry end) + "/" else "" end) + .repository + ":" + (.tag | tostring)'
       done | sort -u >> images.txt
    
       # Do the same for the gloo-mesh-enterprise chart.
       wget https://storage.googleapis.com/gloo-mesh-enterprise/gloo-mesh-enterprise/gloo-mesh-enterprise-$GLOO_MESH_VERSION.tgz
       tar zxvf gloo-mesh-enterprise-$GLOO_MESH_VERSION.tgz
       find gloo-mesh-enterprise -name "values.yaml" | while read -r file; do
       cat "$file" | yq eval -j | jq -r '.. | .image? | select(. != null) | (if .registry then (if .registry == "docker.io" then "docker.io/library" else .registry end) + "/" else "" end) + .repository + ":" + (.tag | tostring)'
       done | sort -u >> images.txt
    
       # Pull each image, then retag it and push it to the private registry.
       cat images.txt | while read -r image; do
       # Docker omits a leading docker.io/ from local image names.
       src=$(echo "$image" | sed 's/^docker\.io\///g')
       # Destination path in the private registry: drop the source registry host.
       dst=$(echo "$image" | awk -F/ '{ if(NF>2){ print $2"/"$3}else{if($1=="docker.io"){print $2}else{print $1"/"$2}}}')
       docker pull "$image"
    
       id=$(docker images "$src" --format "{{.ID}}")
    
       docker tag "$id" "${registry}/$dst"
       docker push "${registry}/$dst"
       done
       

    Depending on the versions you use, the resulting images.txt file looks similar to the following.

    gcr.io/istio-enterprise/operator:1.10.4
    gcr.io/istio-enterprise/pilot:1.10.4
    gcr.io/istio-enterprise/proxyv2:1.10.4
    docker.io/istio/examples-bookinfo-productpage-v1:1.16.2
    docker.io/istio/examples-bookinfo-reviews-v1:1.16.2
    docker.io/istio/examples-bookinfo-reviews-v2:1.16.2
    docker.io/istio/examples-bookinfo-reviews-v3:1.16.2
    docker.io/istio/examples-bookinfo-details-v1:1.16.2
    docker.io/istio/examples-bookinfo-ratings-v1:1.16.2
    docker.io/library/redis:6
    gcr.io/gloo-mesh/enterprise-agent:1.1.4
    quay.io/solo-io/ext-auth-service:0.19.1
    soloio/rate-limiter:0.4.3
    docker.io/library/redis:5
    gcr.io/gloo-mesh/enterprise-networking:1.1.4
    gcr.io/gloo-mesh/gloo-mesh-apiserver:1.1.4
    gcr.io/gloo-mesh/gloo-mesh-envoy:1.1.4
    gcr.io/gloo-mesh/gloo-mesh-ui:1.1.4
    gcr.io/gloo-mesh/rbac-webhook:1.1.4
    jimmidyson/configmap-reload:v0.5.0
    k8s.gcr.io/kube-state-metrics/kube-state-metrics:v1.9.8
    prom/pushgateway:v1.3.1
    quay.io/prometheus/alertmanager:v0.21.0
    quay.io/prometheus/node-exporter:v1.0.1
    quay.io/prometheus/prometheus:v2.24.0
    
  4. Push the images from the connected device to a private registry that the disconnected device can pull from. For instructions and any credentials you must set up to complete this step, consult your registry provider, such as Nexus Repository Manager or JFrog Artifactory.

  5. Optional: You might want to set up your private registry so that you can also pull the Helm charts. For instructions, consult your registry provider, such as Nexus Repository Manager or JFrog Artifactory.

  6. When you install Gloo Mesh Enterprise and Istio, make sure to use the specific images that you downloaded and stored in your private registry in the previous steps.

    Example Helm installation command for management clusters. Note the --set flags, which override the default images with the images in the private registry.

    helm upgrade --install gloo-mesh-enterprise gloo-mesh-enterprise/gloo-mesh-enterprise \
    --namespace gloo-mesh --kube-context ${MGMT} \
    --version=${GLOO_MESH_VERSION} \
    --set rbac-webhook.enabled=true \
    --set enterprise-networking.enterpriseNetworking.image.registry=${registry}/gloo-mesh \
    --set enterprise-networking.prometheus.configmapReload.prometheus.image.repository=${registry}/jimmidyson/configmap-reload \
    --set enterprise-networking.prometheus.server.image.repository=${registry}/prometheus/prometheus \
    --set rbac-webhook.rbacWebhook.image.registry=${registry}/gloo-mesh \
    --set gloo-mesh-ui.dashboard.image.registry=${registry}/gloo-mesh \
    --set gloo-mesh-ui.dashboard.sidecars.console.image.registry=${registry}/gloo-mesh \
    --set gloo-mesh-ui.dashboard.sidecars.envoy.image.registry=${registry}/gloo-mesh \
    --set gloo-mesh-ui.redis-dashboard.redisDashboard.image.registry=${registry} \
    --set licenseKey=${GLOO_MESH_LICENSE_KEY} \
    --set "rbac-webhook.adminSubjects[0].kind=Group" \
    --set "rbac-webhook.adminSubjects[0].name=system:masters"
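
The mirror loop in step 3 drops the source registry host when it builds the destination name, so two different sources can end up at the same path in the private registry. The following lint for images.txt is an added example, not part of the Gloo Mesh documentation: it applies the same awk rule and reports entries that would be pushed to the wrong place. The function names (mirror_dst, lint_images, sample_images) and the *.example image names are assumptions made for this example.

```shell
#!/bin/sh
# Added example: lint images.txt before running the mirror loop from step 3.

# Destination path under ${registry}; same awk rule as the mirror loop.
mirror_dst() {
  printf '%s\n' "$1" | awk -F/ '{ if(NF>2){ print $2"/"$3}else{if($1=="docker.io"){print $2}else{print $1"/"$2}}}'
}

# Print one finding per line for the image list in file $1:
#   COLLISION   several sources share one destination, so the last push wins
#   UNQUALIFIED no registry host; Docker resolves the name against docker.io
#   MISMAPPED   not 2 or 3 path parts; the awk rule yields an unusable name
lint_images() {
  sort -u "$1" | while IFS= read -r image; do
    [ -z "$image" ] && continue
    case "$image" in */*) first=${image%%/*} ;; *) first= ;; esac
    case "$first" in
      *.*|*:*|localhost) ;;                      # first part is a registry host
      *) echo "UNQUALIFIED $image" ;;
    esac
    parts=$(printf '%s\n' "$image" | awk -F/ '{ print NF }')
    dst=$(mirror_dst "$image")
    if [ "$parts" -lt 2 ] || [ "$parts" -gt 3 ]; then
      echo "MISMAPPED $image -> $dst"
    fi
    echo "MAP $dst $image"
  done | awk '
    $1 == "MAP" { n[$2]++; src[$2] = src[$2] " " $3; next }
    { print }
    END { for (d in n) if (n[d] > 1) print "COLLISION " d " <-" src[d] }
  ' | sort
}

# Constructed sample: three entries from this page plus invented *.example names.
sample_images() {
  cat <<'EOF'
gcr.io/gloo-mesh/enterprise-agent:1.1.4
docker.io/library/redis:6
soloio/rate-limiter:0.4.3
registry-a.example/team/tool:1.0
registry-b.example/team/tool:1.0
registry-a.example/team/group/tool:1.0
EOF
}

tmp=$(mktemp); sample_images > "$tmp"; lint_images "$tmp"; rm -f "$tmp"
```

Empty output from lint_images means that every entry is fully qualified and maps to its own destination under ${registry}.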
    

Next steps

Now that Gloo Mesh Enterprise and Istio are installed on your disconnected device, you can continue to register clusters and use Gloo Mesh Enterprise as described in the Guides. Keep in mind that because your environment is air-gapped, some tasks might require steps similar to those described on this page, such as when you upgrade your version.