About This Guide
Goal: Install Loft into an air-gapped kubernetes cluster
Estimated time: 40 minutes
- a running air-gapped Kubernetes cluster
- a private docker registry that you and the Kubernetes cluster can access (e.g. my-private-registry:5000 or gcr.io/my-team)
- helm v3 (check with
- a kube-context with admin access to this Kubernetes cluster (check with kubectl auth can-i create clusterrole -A)
- an offline license key for loft (contact firstname.lastname@example.org to get one)
Download and push the needed docker images
The first step of installing loft into an air-gapped environment is to push the required docker images into the private registry.
To find out which images are needed, we provide a file called loft-images.txt with each loft release.
Download loft-images.txt from your chosen loft release on the releases page.
Next, download the script download-images.sh from the releases page and run it inside a folder with
Please be patient, since this process can take a while. After the command has finished, a file called loft-images.tar.gz should have been created.
For the next step, download the script push-images.sh from the releases page and run it inside the same folder:
After a while all images should be pushed and you can continue with the next step.
Install loft into the cluster
The next step is to deploy loft via helm into the air-gapped cluster.
Open Ports in VPC Networks
Since loft and kiosk install webhooks and API server extensions into the cluster, the Kubernetes master needs to be able to communicate with the loft and kiosk pods. In private GKE clusters, for example, the Kubernetes master and the nodes are not in the same subnetwork and cannot communicate directly with each other on every port. Hence, you need to ensure that there is a firewall rule that allows incoming traffic from the Kubernetes master network to the following TCP ports:
- 8888 (loft api service extension)
- 8443 (kiosk api service extension)
- 9443 (kiosk webhook & loft webhook)
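As an added example (not part of the loft documentation), the following shell function builds such a rule for GCP with gcloud, limited to the three ports above and to a narrow source range. The rule name, network, node tag and the /16 width limit are assumptions of this example, and the sample values are constructed.

```shell
#!/bin/sh
# Added example: least-privilege GCP firewall rule for the ports listed above.
# Look up the master range of a private GKE cluster with (CLUSTER is a placeholder):
#   gcloud container clusters describe CLUSTER \
#     --format='value(privateClusterConfig.masterIpv4CidrBlock)'

LOFT_PORTS="tcp:8888,tcp:8443,tcp:9443"  # loft API ext., kiosk API ext., webhooks

# valid_master_cidr CIDR: succeed only for a well-formed, narrow IPv4 range.
valid_master_cidr() {
  cidr="$1"
  printf '%s\n' "$cidr" |
    grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}/[0-9]{1,2}$' || return 1
  prefix="${cidr#*/}"
  # Example policy (assumption): reject anything wider than /16, so a typo
  # such as 0.0.0.0/0 cannot expose the ports to every source.
  [ "$prefix" -ge 16 ] && [ "$prefix" -le 32 ] || return 1
  old_ifs="$IFS"; IFS='.'
  set -- ${cidr%/*}            # split the address into its four octets
  IFS="$old_ifs"
  for octet in "$@"; do
    [ "$octet" -le 255 ] || return 1
  done
  return 0
}

# firewall_rule_cmd NAME NETWORK MASTER_CIDR NODE_TAG: print the gcloud command.
firewall_rule_cmd() {
  name="$1"; network="$2"; master_cidr="$3"; node_tag="$4"
  if [ -z "$name" ] || [ -z "$network" ] || [ -z "$node_tag" ]; then
    echo "usage: firewall_rule_cmd NAME NETWORK MASTER_CIDR NODE_TAG" >&2
    return 2
  fi
  if ! valid_master_cidr "$master_cidr"; then
    echo "refusing source range '$master_cidr'" >&2
    return 1
  fi
  printf 'gcloud compute firewall-rules create %s --network=%s' "$name" "$network"
  printf ' --direction=INGRESS --action=ALLOW --rules=%s' "$LOFT_PORTS"
  printf ' --source-ranges=%s --target-tags=%s\n' "$master_cidr" "$node_tag"
}

# Constructed sample values; the command is printed for review, not executed.
firewall_rule_cmd allow-master-to-loft my-vpc 172.16.0.0/28 my-gke-nodes
```

Review the printed command before running it, and scope --target-tags to the node pools that actually host the loft and kiosk pods.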
Now use helm to install loft into the cluster:
After a while the loft container and kiosk should be running:
For testing purposes you can connect to loft directly via port-forwarding:
You can then reach loft at https://localhost:8080 (you will need to accept the untrusted certificate for this test connection).
Upgrading loft basically follows the same principle as installing loft:
- Download and push the required images for the version into the private registry
- Upgrade loft via helm: