Installing loft into an air-gapped environment

About This Guide

Goal: Install Loft into an air-gapped kubernetes cluster
Estimated time: 40 minutes
Requirements:

  • a running air-gapped kubernetes cluster
  • a private docker registry that you and the kubernetes cluster can access (e.g. my-private-registry:5000 or gcr.io/my-team)
  • kubectl (check via kubectl version)
  • helm v3 (check with helm version)
  • docker (check with docker version)
  • a kube-context with admin access to this Kubernetes cluster (check with kubectl auth can-i create clusterrole -A)
  • an offline license key for loft (contact info@loft.sh to get one)

Download and push the needed docker images

The first step of installing loft into an air-gapped environment is to push the required docker images into the private registry. To find out which images are needed we provide a file called loft-images.txt with each loft release. Download the loft-images.txt from your chosen loft release on the releases page.

Next download the script download-images.sh from the releases page and run it inside a folder with loft-images.txt:

# Make sure the script is executable
chmod +x ./download-images.sh
# Download all required images and compress them
./download-images.sh --image-list loft-images.txt

Please be patient since this process can take a while. After the command has finished a file called loft-images.tar.gz should have been created. For the next step download the script push-images.sh from the releases page and run it inside the same folder:

# Make sure the script is executable
chmod +x ./push-images.sh
# Push all images to the private registry (make sure you are logged into the registry)
# You can also append a suffix to the registry e.g. gcr.io/my-team
./push-images.sh --registry my-private-registry:5000

After a while all images should be pushed and you can continue with the next step.

Install loft into the cluster

The next step is to deploy loft via helm into the air-gapped cluster.

Open Ports in VPC Networks

Since loft and kiosk install webhooks and api server extensions into the cluster, the kubernetes master needs to be able to communicate with the loft and kiosk pods. In private GKE clusters the kubernetes master and nodes for example are not in the same subnetwork and cannot communicate directly with each other on every port. Hence, you need to ensure that there is a firewall rule that allows incoming traffic from the kubernetes master network to the tcp ports:

  • 8888 (loft api service extension)
  • 8443 (kiosk api service extension)
  • 9443 (kiosk webhook & loft webhook)

Now use helm to install loft into the cluster:

# Put any loft version here that you want to install and pushed the images for
# Please strip the 'v' infront of the version (e.g. v1.0.0 is bad, 1.0.0 is good)
export VERSION=1.3.0
# The initial password for the admin user. You can login
# into loft via admin:PASSWORD
export PASSWORD=my-password
# The registry you pushed the required images to.
# e.g. my-private-registry:5000 or gcr.io/my-team
export REGISTRY=my-private-registry:5000
# The email that should be used for the admin user
export EMAIL=my-email@my-company.com
# The license key you have received from us
export LICENSE=LICENSE_KEY
# Run the helm command
helm install loft loft --repository-config '' \
--repo https://charts.devspace.sh \
--version $VERSION \
--set admin.password=$PASSWORD \
--set admin.email=$EMAIL \
--set env.LICENSE_KEY=$LICENSE \
--set image=$REGISTRY/loftsh/loft:$VERSION \
--set env.DEFAULT_IMAGE_REGISTRY=$REGISTRY \
--namespace loft \
--create-namespace \
--set certIssuer.create=false \
--set cluster.connect.local=true

After a while the loft container and kiosk should be running:

$ kubectl get pods -n loft
NAME READY STATUS RESTARTS AGE
kiosk-6cf658c9ff-sqcjg 1/1 Running 0 140s
loft-769d77774d-2ckh2 1/1 Running 0 184s

For testing purposes you can connect to loft directly via port-forwarding:

kubectl port-forward deploy/loft -n loft 8080:443

You then can reach loft under https://localhost:8080 (Please make sure to accept any untrusted certificates).

Upgrading loft

Upgrading loft basically follows the same principle as installing loft:

  • Download and push the required images for the version into the private registry
  • Upgrade loft via helm:
# Put any loft version here that you want to upgrade and pushed the images for
# Please strip the 'v' infront of the version (e.g. v1.0.0 is bad, 1.0.0 is good)
export VERSION=1.3.0
# The registry you pushed the required images to.
# e.g. my-private-registry:5000 or gcr.io/my-team
export REGISTRY=my-private-registry:5000
# Run the helm command
helm upgrade loft loft --repository-config '' \
--repo https://charts.devspace.sh \
--version $VERSION \
--namespace loft \
--reuse-values \
--set image=$REGISTRY/loftsh/loft:$VERSION