Before you begin

Before you begin, set up the following prerequisites.

Set up your environment for an air-gapped installation

Make sure that your environment accounts for the following components of an air-gapped installation.

Connected and disconnected devices:

  • Connected device: To get the required images to run Gloo Mesh Enterprise, you must have a device that can connect to the public internet and access a Kubernetes cluster.
  • Disconnected device: You install the downloaded images to set up Gloo Mesh Enterprise on your disconnected device, such as a server in an on-premises datacenter, a cluster in a private-only network, or other type of host in an air-gapped environment. The disconnected device must have access to a Kubernetes cluster to install Istio and Gloo Mesh in.

Private registry: To transfer the downloaded images from your connected device to your disconnected device, you commonly set up some sort of private registry. The registry might be local to a private network that both devices are connected to, or you might use a service such as Sonatype Nexus Repository or JFrog Artifactory. Your connected device can push the downloaded images to the private registry so that the disconnected device can pull these images during the Gloo Mesh Enterprise installation.

To set up your private registry, review the following considerations.

  • Registry credentials in your cluster: When you use a private registry, you might have to add its credentials to your cluster, such as in a global image pull secret for OpenShift clusters.
  • Allowed access to common registry domains: You might have a firewall set up for your private registry or private network, and want to allow access to the public registry domains that Gloo Mesh uses.
    • docker.io
    • gcr.io and k8s.gcr.io subdomain
    • quay.io

Install the required command-line interfaces

Install the following command-line (CLI) tools.

  • kubectl, the Kubernetes command line tool. Download the kubectl version that is within one minor version of the Kubernetes clusters you plan to use.
  • meshctl, the Solo command line tool.
      curl -sL https://run.solo.io/meshctl/install | GLOO_MESH_VERSION=v2.6.5 sh -
    export PATH=$HOME/.gloo-mesh/bin:$PATH
      
  • Optional: yq, a YAML processor that is used in a script that helps to push and pull images to the private registry.

Install in an air-gapped environment by using a private registry

The following steps provide an example when using a private registry. You can also download each image individually, as described in the Versions reference page, such as if you want to manually transfer the images to your air-gapped environment.

  1. Set an environment variable for the registry address that you want to use. The example is for a local registry to your connected device, but you might want to use a remote, private registry. If you need to set up credentials to the registry, consult your registry provider.

      registry=localhost:5000
      
  2. Set environment variables for the Solo distribution of Istio and Gloo Mesh Enterprise versions that you want to use.

    Example environment variables:

      export GLOO_VERSION=2.6.5
    export ISTIO_IMAGE=1.23.2-patch1
    export ISTIO_BOOKINFO_VERSION=1.23.2-patch1
      
  3. Download and run the script in the public solo-cop repository to list the images that you need for the Gloo Mesh Enterprise version that you want to install, such as 2.6.5. Include the --pull option to pull the images locally to your connected device. Note that Gloo components are multi-arch images by default, but some community images, such as Redis, might not be.

      ./get-image-list 2.6.5 --pull
      

    Example output:

      Finding images for Gloo Mesh Enterprise version 2.6.5
    
    ###################################
    # Getting Gloo Mesh images        #
    ###################################
    cassandra:3.11.6
    criteord/cassandra_exporter:2.0.2
    docker.io/bitnami/bitnami-shell:11-debian-11-r51
    docker.io/bitnami/bitnami-shell:11-debian-11-r57
    docker.io/bitnami/clickhouse:23.11.1-debian-11-r1
    docker.io/bitnami/jmx-exporter:0.17.2-debian-11-r23
    docker.io/bitnami/kafka-exporter:1.6.0-debian-11-r34
    docker.io/bitnami/kafka:3.3.1-debian-11-r19
    docker.io/bitnami/kubectl:1.25.4-debian-11-r6
    docker.io/bitnami/os-shell:11-debian-11-r91
    docker.io/bitnami/os-shell:11-debian-11-r92
    docker.io/bitnami/postgres-exporter:0.15.0-debian-11-r2
    docker.io/bitnami/postgresql:16.1.0-debian-11-r15
    docker.io/bitnami/zookeeper:3.8.0-debian-11-r56
    docker.io/bitnami/zookeeper:3.8.3-debian-11-r3
    docker.io/bitnami/zookeeper:3.9.1-debian-11-r2 
    gcr.io/gloo-mesh/ext-auth-service:0.55.3
    gcr.io/gloo-mesh/gloo-mesh-agent:2.6.5
    gcr.io/gloo-mesh/gloo-mesh-analyzer:2.6.5
    gcr.io/gloo-mesh/gloo-mesh-apiserver:2.6.5
    gcr.io/gloo-mesh/gloo-mesh-envoy:2.6.5
    gcr.io/gloo-mesh/gloo-mesh-insights:2.6.5
    gcr.io/gloo-mesh/gloo-mesh-mgmt-server:2.6.5
    gcr.io/gloo-mesh/gloo-mesh-portal-server:2.6.5
    gcr.io/gloo-mesh/gloo-mesh-spire-controller:2.6.5 
    gcr.io/gloo-mesh/gloo-mesh-ui:2.6.5
    gcr.io/gloo-mesh/gloo-otel-collector:2.6.5 
    gcr.io/gloo-mesh/rate-limiter:0.11.7 
    gcr.io/gloo-mesh/kubectl:1.16.4
    gcr.io/gloo-mesh/hubble-ui:v0.0.11
    gcr.io/gloo-mesh/opa:0.59.0
    gcr.io/gloo-mesh/prometheus:v2.49.1
    gcr.io/gloo-mesh/redis:7.2.4-alpine 
    gcr.io/gloo-mesh/spire-server:1.8.6  
    gloo-mesh/gloo-network-agent-8d33bc4d8c7a/gloo-network-agent:0.2.3
    gloo-mesh/sidecar-accel/sidecar-accel:0.1.1
    jaegertracing/example-hotrod:latest
    jimmidyson/configmap-reload:v0.8.0
    maorfr/cain:0.6.0 
    otel/opentelemetry-collector-contrib: latest
    prom/pushgateway:latest 
    quay.io/brancz/kube-rbac-proxy:v0.14.0
    quay.io/prometheus/alertmanager:latest
    quay.io/prometheus/node-exporter:latest 
    registry.k8s.io/kube-state-metrics/kube-state-metrics:latest
    
    #######################################
    # Getting Solo distributions of Istio #
    #######################################
    us-docker.pkg.dev/gloo-mesh/istio-workshops/pilot:1.23.2-patch1-solo
    us-docker.pkg.dev/gloo-mesh/istio-workshops/proxyv2:1.23.2-patch1-solo
    
    Pulling images locally
    6: Pulling from library/redis
    7d63c13d9b9b: Pull complete
    ...
      
  4. Pull the Solo distributions of Istio for the version of Istio that you want to use.

  5. Push the images from the connected device to a private registry that the disconnected device can pull from. For instructions and any credentials you must set up to complete this step, consult your registry provider, such as Nexus Repository Manager or JFrog Artifactory.

  6. Optional: You might want to set up your private registry so that you can also pull the Helm charts. For instructions, consult your registry provider, such as Nexus Repository Manager or JFrog Artifactory.

  7. Create an image pull secret with the credentials to your private registry in the same namespace where you plan to install the Gloo Mesh Enterprise, such as gloo-mesh. For more information about the credentials, consult your private registry provider. You can refer to the image pull secret in your Helm values file for the components in the following table.

    ComponentHelm field
    AgentglooAgent.image.pullSecret
    AnalyzerglooAnalyzer.image.pullSecret
    Insights engineglooInsightsEngine.image.pullSecret
    Management serverglooMgmtServer.image.pullSecret
    Portal serverglooPortalServer.image.pullSecret
    Spire serverglooSpireServer.image.pullSecret
    UI serverglooUi.image.pullSecret
    Redis instance for the external auth service and portal serverredisStore.extAuthService.deployment.image.pullSecret
    Redis instance for the insights engineredisStore.insights.deployment.image.pullSecret
    Redis instance for the rate limiterredisStore.rateLimiter.deployment.image.pullSecret
    Redis instance for snapshotsredisStore.snapshot.deployment.image.pullSecret
  8. Prepare the other image options for each component. You must include the image.registry location. If you renamed the image, you can configure the image.repository and image.tag options. Optionally, you can update other image values, such as the image.pullPolicy. For more information, see the Helm reference docs.

  9. When you install Gloo Mesh Enterprise and Istio, make sure to use the specific images that you downloaded and stored in your private registry in the previous steps. For installation steps, refer to the following guides:

    Note: Update your Helm value file or use --set flags to overwrite the default images to the images in the private registry. The images that you replace depend on the components that you use. For example, you might replace several Redis instances or have a multicluster OTel setup. Also, update the following commands to include any other image options that you prepared, such as image.pullSecret if your private registry requires an image pull secret.

    • Example Helm installation command for management clusters:
        helm upgrade --install gloo-platform gloo-platform/gloo-platform \
        --kube-context $MGMT_CONTEXT \
        -n gloo-mesh \
        --version $GLOO_VERSION \
        --values mgmt-plane.yaml \
        --set common.cluster=$MGMT_CLUSTER \
        --set licensing.glooMeshLicenseKey=$GLOO_MESH_LICENSE_KEY \
        --set glooMgmtServer.image.registry=${registry}/gloo-mesh \
        --set prometheus.configmapReload.prometheus.image.repository=${registry}/prometheus-config-reloader \
        --set prometheus.server.image.repository=${registry}/prometheus/prometheus \
        --set prometheus.prometheus-server-migration.image.registry=${registry} \
        --set prometheus.prometheus-server-migration.image.repository=kubectl \
        --set glooUi.image.registry=${registry}/gloo-mesh \
        --set glooUi.sidecars.console.image.registry=${registry}/gloo-mesh \
        --set glooUi.sidecars.envoy.image.registry=${registry}/gloo-mesh \
        --set redis.deployment.image.registry=${registry} \
        --set telemetryCollector.image.repository=${registry}/gloo-otel-collector \
        --set telemetryGateway.image.repository=${registry}/gloo-otel-collector
        
    • Example Helm installation command for workload clusters:
        helm upgrade --install gloo-platform gloo-platform/gloo-platform \
        --kube-context $REMOTE_CONTEXT \
        -n gloo-mesh \
        --version $GLOO_VERSION \
        --values data-plane.yaml \
        --set glooAgent.image.registry=${registry} \
        --set telemetryCollector.image.repository=${registry}/gloo-otel-collector
        

Next steps

Now that Gloo Mesh Enterprise and Istio are installed in your disconnected device, you can continue to register clusters by using Helm or meshctl. Keep in mind that because your environment is air-gapped, some tasks might require taking similar steps as described on this page, such as to Upgrade your version.