Install in air-gapped environments
Install Gloo Mesh Enterprise in an air-gapped environment, such as an on-premises datacenter, clusters that run on an intranet or private network only, or other disconnected environments.
Before you begin
Before you begin, set up the following prerequisites.
Set up your environment for an air-gapped installation
Make sure that your environment accounts for the following components of an air-gapped installation.
Connected and disconnected devices:
- Connected device: To get the required images to run Gloo Mesh Enterprise, you must have a device that can connect to the public internet and access a Kubernetes cluster.
- Disconnected device: You install the downloaded images to set up Gloo Mesh Enterprise on your disconnected device, such as a server in an on-premises datacenter, a cluster in a private-only network, or other type of host in an air-gapped environment. The disconnected device must have access to a Kubernetes cluster to install Istio and Gloo Mesh in.
Private registry: To transfer the downloaded images from your connected device to your disconnected device, you commonly set up some sort of private registry. The registry might be local to a private network that both devices are connected to, or you might use a service such as Sonatype Nexus Repository or JFrog Artifactory. Your connected device can push the downloaded images to the private registry so that the disconnected device can pull these images during the Gloo Mesh Enterprise installation.
To set up your private registry, review the following considerations.
- Registry credentials in your cluster: When you use a private registry, you might have to add its credentials to your cluster, such as in a global image pull secret for OpenShift clusters.
- Allowed access to common registry domains: You might have a firewall set up for your private registry or private network, and want to allow access to the public registry domains that Gloo Mesh uses.
  - docker.io
  - gcr.io and k8s.gcr.io subdomain
  - quay.io
Install the required command-line interfaces
Install the following command-line (CLI) tools.
- kubectl, the Kubernetes command line tool. Download the kubectl version that is within one minor version of the Kubernetes clusters you plan to use.
- meshctl, the Solo command line tool.
    curl -sL https://run.solo.io/meshctl/install | GLOO_MESH_VERSION=v2.7.0-beta1 sh -
    export PATH=$HOME/.gloo-mesh/bin:$PATH
- Optional: yq, a YAML processor that is used in a script that helps to push and pull images to the private registry.
Your disconnected device also must have these CLI tools, which might be harder to install without a public internet connection. Follow each CLI’s documentation for an air-gapped installation method. For example, you might follow a similar process to this procedure to download the CLI images to your connected device, transfer to a private registry, and install on the disconnected device.
Install in an air-gapped environment by using a private registry
The following steps provide an example when using a private registry. You can also download each image individually, as described in the Versions reference page, such as if you want to manually transfer the images to your air-gapped environment.
Set an environment variable for the registry address that you want to use. The example uses a registry that is local to your connected device, but you might want to use a remote, private registry. If you need to set up credentials to the registry, consult your registry provider.
registry=localhost:5000
Set environment variables for the Solo distribution of Istio and Gloo Mesh Enterprise versions that you want to use.
For more information, such as to download hardened Solo or FIPS versions of the Istio image, see the Versions reference page.
Example environment variables:
    export GLOO_VERSION=2.7.0-beta1
    export ISTIO_IMAGE=1.23.2-patch1
    export ISTIO_BOOKINFO_VERSION=1.23.2-patch1
Download and run the script in the public solo-cop repository to list the images that you need for the Gloo Mesh Enterprise version that you want to install, such as 2.7.0-beta1. Include the --pull option to pull the images locally to your connected device. Note that Gloo components are multi-arch images by default, but some community images, such as Redis, might not be.
    ./get-image-list 2.7.0-beta1 --pull
Example output:
    Finding images for Gloo Mesh Enterprise version 2.7.0-beta1
    ###################################
    # Getting Gloo Mesh images #
    ###################################
    cassandra:3.11.6
    criteord/cassandra_exporter:2.0.2
    docker.io/bitnami/bitnami-shell:11-debian-11-r51
    docker.io/bitnami/bitnami-shell:11-debian-11-r57
    docker.io/bitnami/clickhouse:23.11.1-debian-11-r1
    docker.io/bitnami/jmx-exporter:0.17.2-debian-11-r23
    docker.io/bitnami/kafka-exporter:1.6.0-debian-11-r34
    docker.io/bitnami/kafka:3.3.1-debian-11-r19
    docker.io/bitnami/kubectl:1.25.4-debian-11-r6
    docker.io/bitnami/os-shell:11-debian-11-r91
    docker.io/bitnami/os-shell:11-debian-11-r92
    docker.io/bitnami/postgres-exporter:0.15.0-debian-11-r2
    docker.io/bitnami/postgresql:16.1.0-debian-11-r15
    docker.io/bitnami/zookeeper:3.8.0-debian-11-r56
    docker.io/bitnami/zookeeper:3.8.3-debian-11-r3
    docker.io/bitnami/zookeeper:3.9.1-debian-11-r2
    gcr.io/gloo-mesh/ext-auth-service:0.55.3
    gcr.io/gloo-mesh/gloo-mesh-agent:2.7.0-beta1
    gcr.io/gloo-mesh/gloo-mesh-analyzer:2.7.0-beta1
    gcr.io/gloo-mesh/gloo-mesh-apiserver:2.7.0-beta1
    gcr.io/gloo-mesh/gloo-mesh-envoy:2.7.0-beta1
    gcr.io/gloo-mesh/gloo-mesh-insights:2.7.0-beta1
    gcr.io/gloo-mesh/gloo-mesh-mgmt-server:2.7.0-beta1
    gcr.io/gloo-mesh/gloo-mesh-portal-server:2.7.0-beta1
    gcr.io/gloo-mesh/gloo-mesh-spire-controller:2.7.0-beta1
    gcr.io/gloo-mesh/gloo-mesh-ui:2.7.0-beta1
    gcr.io/gloo-mesh/gloo-otel-collector:2.7.0-beta1
    gcr.io/gloo-mesh/rate-limiter:0.11.7
    gcr.io/gloo-mesh/kubectl:1.16.4
    gcr.io/gloo-mesh/hubble-ui:v0.0.11
    gcr.io/gloo-mesh/opa:0.59.0
    gcr.io/gloo-mesh/prometheus:v2.49.1
    gcr.io/gloo-mesh/redis:7.2.4-alpine
    gcr.io/gloo-mesh/spire-server:1.8.6
    gloo-mesh/gloo-network-agent-8d33bc4d8c7a/gloo-network-agent:0.2.3
    gloo-mesh/sidecar-accel/sidecar-accel:0.1.1
    jaegertracing/example-hotrod:latest
    jimmidyson/configmap-reload:v0.8.0
    maorfr/cain:0.6.0
    otel/opentelemetry-collector-contrib:latest
    prom/pushgateway:latest
    quay.io/brancz/kube-rbac-proxy:v0.14.0
    quay.io/prometheus/alertmanager:latest
    quay.io/prometheus/node-exporter:latest
    registry.k8s.io/kube-state-metrics/kube-state-metrics:latest
    #######################################
    # Getting Solo distributions of Istio #
    #######################################
    us-docker.pkg.dev/gloo-mesh/istio-workshops/pilot:1.23.2-patch1-solo
    us-docker.pkg.dev/gloo-mesh/istio-workshops/proxyv2:1.23.2-patch1-solo
    Pulling images locally
    6: Pulling from library/redis
    7d63c13d9b9b: Pull complete
    ...
Pull the Solo distributions of Istio for the version of Istio that you want to use.
Push the images from the connected device to a private registry that the disconnected device can pull from. For instructions and any credentials you must set up to complete this step, consult your registry provider, such as Nexus Repository Manager or JFrog Artifactory.
Optional: You might want to set up your private registry so that you can also pull the Helm charts. For instructions, consult your registry provider, such as Nexus Repository Manager or JFrog Artifactory.
Create an image pull secret with the credentials to your private registry in the same namespace where you plan to install Gloo Mesh Enterprise, such as gloo-mesh. For more information about the credentials, consult your private registry provider. You can refer to the image pull secret in your Helm values file for the components in the following table.

| Component | Helm field |
| --- | --- |
| Agent | glooAgent.image.pullSecret |
| Analyzer | glooAnalyzer.image.pullSecret |
| Insights engine | glooInsightsEngine.image.pullSecret |
| Management server | glooMgmtServer.image.pullSecret |
| Portal server | glooPortalServer.image.pullSecret |
| Spire server | glooSpireServer.image.pullSecret |
| UI server | glooUi.image.pullSecret |
| Redis instance for the external auth service and portal server | redisStore.extAuthService.deployment.image.pullSecret |
| Redis instance for the insights engine | redisStore.insights.deployment.image.pullSecret |
| Redis instance for the rate limiter | redisStore.rateLimiter.deployment.image.pullSecret |
| Redis instance for snapshots | redisStore.snapshot.deployment.image.pullSecret |
Prepare the other image options for each component. You must include the image.registry location. If you renamed the image, you can configure the image.repository and image.tag options. Optionally, you can update other image values, such as the image.pullPolicy. For more information, see the Helm reference docs.
When you install Gloo Mesh Enterprise and Istio, make sure to use the specific images that you downloaded and stored in your private registry in the previous steps. For installation steps, refer to the following guides:
Note: Update your Helm value file or use --set flags to overwrite the default images to the images in the private registry. The images that you replace depend on the components that you use. For example, you might replace several Redis instances or have a multicluster OTel setup. Also, update the following commands to include any other image options that you prepared, such as image.pullSecret if your private registry requires an image pull secret.
- Example Helm installation command for management clusters:
    helm upgrade --install gloo-platform gloo-platform/gloo-platform \
      --kube-context $MGMT_CONTEXT \
      -n gloo-mesh \
      --version $GLOO_VERSION \
      --values mgmt-plane.yaml \
      --set common.cluster=$MGMT_CLUSTER \
      --set licensing.glooMeshLicenseKey=$GLOO_MESH_LICENSE_KEY \
      --set glooMgmtServer.image.registry=${registry}/gloo-mesh \
      --set prometheus.configmapReload.prometheus.image.repository=${registry}/prometheus-config-reloader \
      --set prometheus.server.image.repository=${registry}/prometheus/prometheus \
      --set prometheus.prometheus-server-migration.image.registry=${registry} \
      --set prometheus.prometheus-server-migration.image.repository=kubectl \
      --set glooUi.image.registry=${registry}/gloo-mesh \
      --set glooUi.sidecars.console.image.registry=${registry}/gloo-mesh \
      --set glooUi.sidecars.envoy.image.registry=${registry}/gloo-mesh \
      --set redis.deployment.image.registry=${registry} \
      --set telemetryCollector.image.repository=${registry}/gloo-otel-collector \
      --set telemetryGateway.image.repository=${registry}/gloo-otel-collector
- Example Helm installation command for workload clusters:
    helm upgrade --install gloo-platform gloo-platform/gloo-platform \
      --kube-context $REMOTE_CONTEXT \
      -n gloo-mesh \
      --version $GLOO_VERSION \
      --values data-plane.yaml \
      --set glooAgent.image.registry=${registry} \
      --set telemetryCollector.image.repository=${registry}/gloo-otel-collector
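The push step earlier in this procedure leaves the retag-and-push commands to your registry provider. The following sketch is an added example, not part of the Solo documentation or the solo-cop script: it reads an image list, prints the docker tag and docker push commands for the private registry, and flags references such as :latest that are not pinned. The function names and the target layout (source registry host dropped, image path kept) are assumptions.

```shell
# Added example: plan the retag-and-push step for a list of image references.
# Assumption: the private registry keeps each image's path and drops only the
# source registry host (gcr.io/gloo-mesh/x:1 -> $registry/gloo-mesh/x:1).
# Print the target reference for image $2 in private registry $1.
mirror_ref() {
  first=${2%%/*}
  case "$2" in
    */*)
      # Docker convention: the first path component is a registry host only
      # if it contains "." or ":" or is "localhost".
      case "$first" in
        *.*|*:*|localhost) printf '%s/%s\n' "$1" "${2#*/}" ;;
        *) printf '%s/%s\n' "$1" "$2" ;;
      esac ;;
    *) printf '%s/%s\n' "$1" "$2" ;;
  esac
}

# Succeed when the reference is mutable: no digest, and tag missing or "latest".
is_floating() {
  case "$1" in *@sha256:*) return 1 ;; esac
  name=${1##*/}   # last path component, so a registry port is not read as a tag
  case "$name" in
    *:latest) return 0 ;;
    *:*) return 1 ;;
    *) return 0 ;;
  esac
}

# Read an image list on stdin; print the docker commands to mirror it into $1.
plan_mirror() {
  while IFS= read -r image; do
    case "$image" in ''|'#'*|*' '*) continue ;; esac   # skip banners, log lines
    if is_floating "$image"; then
      echo "# WARNING: $image is not pinned; record its digest before transfer"
    fi
    dst=$(mirror_ref "$1" "$image")
    echo "docker tag $image $dst"
    echo "docker push $dst"
  done
}

# Constructed sample input, using image names from the example output on this page.
plan_mirror "${registry:-localhost:5000}" <<'EOF'
# Getting Gloo Mesh images #
cassandra:3.11.6
gcr.io/gloo-mesh/gloo-mesh-agent:2.7.0-beta1
quay.io/prometheus/node-exporter:latest
EOF
```

Whatever layout you choose for the private registry, the image.registry and image.repository values in the Helm commands must point at the same paths that were pushed.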
Next steps
Now that Gloo Mesh Enterprise and Istio are installed on your disconnected device, you can continue to register clusters by using Helm or meshctl. Keep in mind that because your environment is air-gapped, some tasks might require taking similar steps as described on this page, such as to upgrade your version.