Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

updated airgapped instructions to use hauler #139

Open
wants to merge 4 commits into
base: main
Choose a base branch
from
+18,816 −1,524
Open

updated airgapped instructions to use hauler #139

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
c1a1cb0
updated airgapped instructions for hauler
zackbradys Dec 5, 2024
06a9c2f
backported airgapped instructions
zackbradys Dec 5, 2024
bc0e0d8
added prime/carbide notice
zackbradys Dec 6, 2024
cc63c6d
backported prime/carbide notice
zackbradys Dec 6, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
208 changes: 142 additions & 66 deletions docs/02.deploying/09.airgap/09.airgap.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,118 +1,194 @@
---
title: Air Gapping NeuVector
title: Airgapping NeuVector
taxonomy:
category: docs
slug: /deploying/airgap
---

### Tools Needed
### Prerequistes
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
### Prerequistes
### Prerequisites


We need to install three tools for downloading all the bits for Neuvector.
We need to install two tools to easily airgap everything for NeuVector...

* [Helm](https://helm.sh/) - Application Lifecycle Manager
* [Skopeo](https://github.com/containers/skopeo) - Image/Registry Tool
* [ZStandard](https://github.com/facebook/zstd) - Compresstion Algorithm
* [Hauler](https://github.com/hauler-dev/hauler) - Airgap Swiss Army Knife
* [Helm](https://github.com/helm/helm) - The Kubernetes Package Manager

```bash
# install hauler
curl -sfL https://get.hauler.dev | bash

# install helm
curl -fsSL https://raw.githubusercontent.com/helm/helm/main/scripts/get-helm-3 | bash

# install skopeo - rocky linux based
yum install zstd skopeo -y
```

### Get Images and Chart
### Fetch the Images and Helm Chart

In order to get the required container images and helm chart for NeuVector, we are able to utilize `hauler` to easily fetch, package, and distribute all the bits. We can utilize commands or declarative manifests within `hauler` to do this... feel free to use either method...
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
In order to get the required container images and helm chart for NeuVector, we are able to utilize `hauler` to easily fetch, package, and distribute all the bits. We can utilize commands or declarative manifests within `hauler` to do this... feel free to use either method...
In order to get the required container images and Helm chart for NeuVector, we are able to utilize `hauler` to easily fetch, package, and distribute all the bits. We can utilize commands or declarative manifests within `hauler` to do this using either method.


#### For Supported Customers...

In order to get all the images we are going to use the chart itself. Using [Helm](https://helm.sh/) let's add the repo and download the chart. We will also use [skopeo](https://github.com/containers/skopeo) for downloading and uploading.
If you are a **Rancher Prime** or **Rancher Government Carbide** customer, please make sure to use the commands that fetch the all the artifacts from the respective private registry. If you're a supported customer and do not know the correct `<registry-url>` for Prime or Carbide, please contact your respective support team!
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
If you are a **Rancher Prime** or **Rancher Government Carbide** customer, please make sure to use the commands that fetch the all the artifacts from the respective private registry. If you're a supported customer and do not know the correct `<registry-url>` for Prime or Carbide, please contact your respective support team!
If you are a **Rancher Prime** or **Rancher Government Carbide** customer, please make sure to use the commands that fetch all artifacts from the respective private registry. If you're a supported customer and do not know the correct `<registry-url>` for Prime or Carbide, please contact your respective support team!


#### Fetching with Commands

```bash
# make a directory
mkdir -p neuvector/images
# set the neuvector version
export vNeuVector=5.4.1
export vNeuVectorHelm=2.8.3

# fetch the images
helm repo add neuvector https://neuvector.github.io/neuvector-helm
for image in $(helm template neuvector/core --version=${vNeuVector} | grep 'image:' | awk -F'"' '{print $2}' | sort -u); do
hauler store add image "$image"
done

# add repo
helm repo add neuvector https://neuvector.github.io/neuvector-helm/
# fetch the images (for supported customers)
helm repo add neuvector https://neuvector.github.io/neuvector-helm
for image in $(helm template neuvector/core --version=${vNeuVector} | grep 'image:' | awk -F'"' '{print $2}' | sort -u); do
hauler store add --registry <registry-url> image "$image"
done

# update local chart
helm repo update
# fetch the helm chart
hauler store add chart core --repo https://neuvector.github.io/neuvector-helm --version ${vNeuVectorHelm}
```

# pull
helm pull neuvector/core -d neuvector
#### Fetching with Declarative Manifests
```bash
# set the neuvector version
export vNeuVector=5.4.1
export vNeuVectorHelm=2.8.3

# create the declarative manifest
cat << EOF >> hauler-neuvector-airgap.yaml
apiVersion: content.hauler.cattle.io/v1alpha1
kind: Charts
metadata:
name: rancher-airgap-charts-neuvector
spec:
charts:
- name: core
repoURL: https://neuvector.github.io/neuvector-helm
version: ${vNeuVectorHelm}
---
apiVersion: content.hauler.cattle.io/v1alpha1
kind: Images
metadata:
name: rancher-airgap-images-neuvector
spec:
images:
- name: neuvector/controller:${vNeuVector}
- name: neuvector/enforcer:${vNeuVector}
- name: neuvector/manager:${vNeuVector}
- name: neuvector/scanner:latest
- name: neuvector/updater:latest
EOF

# apply/fetch the declarative manifest
hauler store sync --files hauler-neuvector-airgap.yaml

# apply/fetch the declarative manifest (for supported customers)
hauler store sync --registry <registry-url> --files hauler-neuvector-airgap.yaml
```

You should now see a file like `core-2.4.0.tgz`. The version may vary, but this is correct. This is the downloaded chart. Now we need the images. Good thing we can use the chart to figure this out.
### Verify Fetching of the Images and Helm Chart

```bash
# create image list
helm template neuvector/core-*.tgz | awk '$1 ~ /image:/ {print $2}' | sed -e 's/\"//g' > neuvector/images/list.txt

# get images
for i in $(cat neuvector/images/list.txt); do
skopeo copy docker://$i docker-archive:neuvector/images/$(echo $i| awk -F/ '{print $3}'|sed 's/:/_/g').tar:$(echo $i| awk -F/ '{print $3}')
done
# verify everything has been fetched
root@hauler-neuvector-airgap hauler % hauler store info
+--------------------------------------------+-------+-------------+----------+----------+
| REFERENCE | TYPE | PLATFORM | # LAYERS | SIZE |
+--------------------------------------------+-------+-------------+----------+----------+
| hauler/core:2.8.3 | chart | - | 1 | 33.3 kB |
| index.docker.io/neuvector/controller:5.4.1 | image | linux/amd64 | 7 | 255.8 MB |
| | image | linux/arm64 | 7 | 244.9 MB |
| index.docker.io/neuvector/enforcer:5.4.1 | image | linux/amd64 | 7 | 248.2 MB |
| | image | linux/arm64 | 7 | 236.6 MB |
| index.docker.io/neuvector/manager:5.4.1 | image | linux/amd64 | 8 | 215.7 MB |
| | image | linux/arm64 | 8 | 223.3 MB |
| index.docker.io/neuvector/scanner:latest | image | linux/amd64 | 5 | 260.5 MB |
| | image | linux/arm64 | 5 | 256.3 MB |
| index.docker.io/neuvector/updater:latest | image | linux/amd64 | 4 | 19.4 MB |
| | image | linux/arm64 | 4 | 27.5 MB |
+--------------------------------------------+-------+-------------+----------+----------+
| TOTAL | 2.0 GB |
+--------------------------------------------+-------+-------------+----------+----------+
```

Fantastic, we should have a directory that looks like:
### Save the Images and Helm Chart

```bash
[root@flux ~]# ls -lR neuvector
neuvector:
total 16
-rw-r--r--. 1 root root 15892 Jan 8 14:33 core-2.4.0.tgz
drwxr-xr-x. 2 root root 153 Jan 8 14:35 images

neuvector/images:
total 953920
-rw-r--r--. 1 root root 236693504 Jan 8 14:35 controller_5.3.0.tar
-rw-r--r--. 1 root root 226704384 Jan 8 14:35 enforcer_5.3.0.tar
-rw-r--r--. 1 root root 176 Jan 8 14:34 list.txt
-rw-r--r--. 1 root root 331550208 Jan 8 14:35 manager_5.3.0.tar
-rw-r--r--. 1 root root 169589760 Jan 8 14:35 scanner_latest.tar
-rw-r--r--. 1 root root 12265472 Jan 8 14:35 updater_latest.tar
# save the images and chart to a haul (tarball)
hauler store save --filename neuvector.tar.zst

# verify the haul (tarball)
root@hauler-neuvector-airgap hauler % ls -lh
total 3724368
-rw-r--r-- 1 root staff 1.8G Dec 5 00:32 neuvector.tar.zst
drwxr-xr-x 6 root staff 192B Dec 5 00:32 store
```

And we can compress and move everything.
### Now move `hauler` and `neuvector.tar.zst` to your airgapped environment...

### Compress and Move
### Load the Images and Helm Chart

Compressing is fairly simple. We will use `tar` with the ZST format for maximum compression.
Once we are on our airgapped environment, use `hauler` to load the haul (tarball)...

```bash
# compress
tar -I zstd -vcf neuvector_airgap.zst neuvector
# load the haul
hauler store load neuvector.tar.zst

# verify everything has been loaded
root@hauler-neuvector-airgap hauler % hauler store info
+--------------------------------------------+-------+-------------+----------+----------+
| REFERENCE | TYPE | PLATFORM | # LAYERS | SIZE |
+--------------------------------------------+-------+-------------+----------+----------+
| hauler/core:2.8.3 | chart | - | 1 | 33.3 kB |
| index.docker.io/neuvector/controller:5.4.1 | image | linux/amd64 | 7 | 255.8 MB |
| | image | linux/arm64 | 7 | 244.9 MB |
| index.docker.io/neuvector/enforcer:5.4.1 | image | linux/amd64 | 7 | 248.2 MB |
| | image | linux/arm64 | 7 | 236.6 MB |
| index.docker.io/neuvector/manager:5.4.1 | image | linux/amd64 | 8 | 215.7 MB |
| | image | linux/arm64 | 8 | 223.3 MB |
| index.docker.io/neuvector/scanner:latest | image | linux/amd64 | 5 | 260.5 MB |
| | image | linux/arm64 | 5 | 256.3 MB |
| index.docker.io/neuvector/updater:latest | image | linux/amd64 | 4 | 19.4 MB |
| | image | linux/arm64 | 4 | 27.5 MB |
+--------------------------------------------+-------+-------------+----------+----------+
| TOTAL | 2.0 GB |
+--------------------------------------------+-------+-------------+----------+----------+
```

Now simply move the 400M `neuvector_airgap.zst` to your network.
### Copy or Serve Images and Helm Chart

### Uncompress and Load
`Hauler` is able to copy all contents to your existing registry or serve it's own registry...

All we need to do now is uncompress with a similar command. The following will output to director called `neuvector`.
#### Copy to Existing Registry

```bash
tar -I zstd -vxf neuvector_airgap.zst
# set the registry url
export Registry=registry.example.com

# login to existing registry
hauler login registry.example.com -u bob -p haulin

# copy to existing registry
hauler store copy registry://${Registry}
```

Loading the images into a registry is going to require an understanding of your internal network. For this doc let's use "registry.awesome.sauce" as the DNS name. Loading the images is fairly simple again with `skopeo`. Please make sure it is installed on the "inside" machine. You will probably need to authenticate with `skopeo login` for it to work.
#### Serve a Container Registry

```bash
# skopeo load
export REGISTRY=registry.awesome.sauce
for file in $(ls neuvector/images | grep -v txt ); do
skopeo copy docker-archive:neuvector/images/$file docker://$(echo $file | sed 's/.tar//g' | awk -F_ '{print "'$REGISTRY'/neuvector/"$1":"$2}')
done
# serve the registry
hauler store serve registry
```

With all the images loaded in a registry we can install with Helm.

### Deploy with Helm

Deploying with Helm is fairly straight forward. There are a few values that are needed to insure the images are pulling from the local registry. Here is a good example. You may need to tweak a few settings. Please follow the Helm best practices for `values.yaml`. Note the `imagePullSecrets` field. This is the secret for your cluster to authenticate to the registry.
Once you have copied everything to your existing registry or served your own registry, you can install `NeuVector` as normal, with a few modified values to account for the airgapped environment. Please note you may need to tweak the below example for your environment...
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
Once you have copied everything to your existing registry or served your own registry, you can install `NeuVector` as normal, with a few modified values to account for the airgapped environment. Please note you may need to tweak the below example for your environment...
Once you have copied everything to your existing registry or served your own registry, you can install `NeuVector` as normal, with a few modified values to account for the airgapped environment. Please note you may need to adjust the below example for your environment.


```bash
# helm install example
# variables
export REGISTRY=registry.awesome.sauce # registry URL
export NEU_URL=neuvector.awesome.sauce # neuvector URL
# set registry url
export Registry=registry.example.com

# helm all the things -- read all the options being set
helm upgrade -i neuvector --namespace neuvector neuvector/core --create-namespace --set imagePullSecrets=regsecret --set k3s.enabled=true --set k3s.runtimePath=/run/k3s/containerd/containerd.sock --set manager.ingress.enabled=true --set controller.pvc.enabled=true --set controller.pvc.capacity=10Gi --set manager.svc.type=ClusterIP --set registry=$REGISTRY --set tag=5.3.0 --set controller.image.repository=neuvector/controller --set enforcer.image.repository=neuvector/enforcer --set manager.image.repository=neuvector/manager --set cve.updater.image.repository=neuvector/updater --set manager.ingress.host=$NEU_URL
# additional helm values
helm install ... --set registry=$Registry ...
```
Loading