Installing loft into an air-gapped environment
About This Guide
Goal: Install Loft into an air-gapped kubernetes cluster
Estimated time: 40 minutes
Requirements:
- a running air-gapped kubernetes cluster
kubectl
(check viakubectl version
)helm
v3 (check withhelm version
)docker
(check withdocker version
)- a kube-context with admin access to this Kubernetes cluster (check with
kubectl auth can-i create clusterrole -A
) - an offline license key for loft (contact info@loft.sh to get one)
- Optionally: a private docker registry that you and the kubernetes cluster can access (e.g. my-private-registry:5000 or gcr.io/my-team)
Optional: Download and push the needed docker images
If your cluster is not able to pull images from docker hub, you have to push the required docker images into a private registry.
To find out which images are needed we provide a file called loft-images.txt
with each loft release.
Download the loft-images.txt
from your chosen loft release on the releases page.
Next download the script download-images.sh
from the releases page and run it inside a folder with loft-images.txt
:
# Make sure the script is executable
chmod +x ./download-images.sh
# Download all required images and compress them
./download-images.sh --image-list loft-images.txt
Please be patient since this process can take a while. After the command has finished a file called loft-images.tar.gz
should have been created.
For the next step download the script push-images.sh
from the releases page and run it inside the same folder:
# Make sure the script is executable
chmod +x ./push-images.sh
# Push all images to the private registry (make sure you are logged into the registry)
# You can also append a suffix to the registry e.g. gcr.io/my-team
./push-images.sh --registry my-private-registry:5000
After a while all images should be pushed and you can continue with the next step.
Install loft into the cluster
The next step is to deploy loft via helm into the air-gapped cluster.
Open Ports in VPC Networks
Since loft and kiosk install webhooks and api server extensions into the cluster, the kubernetes master needs to be able to communicate with the loft and kiosk pods. In private GKE clusters the kubernetes master and nodes for example are not in the same subnetwork and cannot communicate directly with each other on every port. Hence, you need to ensure that there is a firewall rule that allows incoming traffic from the kubernetes master network to the tcp ports:
- 8888 (loft api service extension)
- 8443 (loft agent api service extension)
- 9443 (loft agent webhook & loft webhook)
Now use helm to install loft into the cluster:
- With Private Docker Registry
- Without Private Docker Registry
# Put any loft version here that you want to install and pushed the images for
# Please strip the 'v' infront of the version (e.g. v1.0.0 is bad, 1.0.0 is good)
# Check https://github.com/loft-sh/loft/releases for the latest Loft release version
export VERSION=x.x.x
# The initial password for the admin user. You can login
# into loft via admin:PASSWORD
export PASSWORD=my-password
# The email that should be used for the admin user
export EMAIL=my-email@my-company.com
# The license key you have received from us
export LICENSE=LICENSE_KEY
# The registry you pushed the required images to.
# e.g. my-private-registry:5000 or gcr.io/my-team
export REGISTRY=my-private-registry:5000
# Run the helm command
helm install loft loft --repository-config '' \
--repo https://charts.loft.sh \
--version $VERSION \
--set admin.password=$PASSWORD \
--set admin.email=$EMAIL \
--set image=$REGISTRY/loftsh/loft:$VERSION \
--set env.LICENSE_KEY=$LICENSE \
--set env.DEFAULT_IMAGE_REGISTRY=$REGISTRY \
--namespace loft \
--create-namespace
# The initial password for the admin user. You can login
# into loft via admin:PASSWORD
export PASSWORD=my-password
# The email that should be used for the admin user
export EMAIL=my-email@my-company.com
# The license key you have received from us
export LICENSE=LICENSE_KEY
# Run the helm command
helm install loft loft --repository-config '' \
--repo https://charts.loft.sh \
--set admin.password=$PASSWORD \
--set admin.email=$EMAIL \
--set env.LICENSE_KEY=$LICENSE \
--namespace loft \
--create-namespace
After a while the loft container and kiosk should be running:
$ kubectl get pods -n loft
NAME READY STATUS RESTARTS AGE
loft-agent-6cf658c9ff-sqcjg 1/1 Running 0 140s
loft-769d77774d-2ckh2 1/1 Running 0 184s
For testing purposes you can connect to loft directly via port-forwarding:
kubectl port-forward deploy/loft -n loft 8080:443
You then can reach loft under https://localhost:8080
(Please make sure to accept any untrusted certificates).
Upgrading loft
Upgrading loft basically follows the same principle as installing loft:
- Optionally: Download and push the required images for the version into the private registry
- Upgrade loft via helm:
- With Private Docker Registry
- Without Private Docker Registry
# Put any loft version here that you want to upgrade and pushed the images for
# Please strip the 'v' infront of the version (e.g. v1.0.0 is bad, 1.0.0 is good)
export VERSION=x.x.x
# The registry you pushed the required images to.
# e.g. my-private-registry:5000 or gcr.io/my-team
export REGISTRY=my-private-registry:5000
# Run the helm command
helm upgrade loft loft --repository-config '' \
--repo https://charts.loft.sh \
--version $VERSION \
--namespace loft \
--reuse-values \
--set image=$REGISTRY/loftsh/loft:$VERSION
# Put any loft version here that you want to upgrade and pushed the images for
# Please strip the 'v' infront of the version (e.g. v1.0.0 is bad, 1.0.0 is good)
export VERSION=x.x.x
# Run the helm command
helm upgrade loft loft --repository-config '' \
--repo https://charts.loft.sh \
--version $VERSION \
--namespace loft