From 25df179382cf66efdf01da626673de51f20c306a Mon Sep 17 00:00:00 2001 From: dbw7 Date: Fri, 26 Apr 2024 10:31:46 -0400 Subject: [PATCH] Air-gapped NeuVector docs (#242) * Update air-gapped-eib-deployments.adoc * Update air-gapped-eib-deployments.adoc --- .../guides/air-gapped-eib-deployments.adoc | 128 +++++++++++++++++- 1 file changed, 127 insertions(+), 1 deletion(-) diff --git a/asciidoc/guides/air-gapped-eib-deployments.adoc b/asciidoc/guides/air-gapped-eib-deployments.adoc index 76a5dd0c..0750ea6e 100644 --- a/asciidoc/guides/air-gapped-eib-deployments.adoc +++ b/asciidoc/guides/air-gapped-eib-deployments.adoc @@ -194,7 +194,7 @@ The `embeddedArtifactRegistry` section will include all images which are only re The <> deployment that will be demonstrated will be highly slimmed down for demonstration purposes. For your actual deployments, additional artifacts may be necessary depending on your configuration. ==== -The release assets of https://github.com/rancher/rancher/releases/tag/v2.8.3[Rancher v2.8.3] contain a `rancher-images.txt` file which lists all the images required for an air-gapped installation. +The https://github.com/rancher/rancher/releases/tag/v2.8.3[Rancher v2.8.3] release assets contain a `rancher-images.txt` file which lists all the images required for an air-gapped installation. There are about 602 container images in total which means that the resulting CRB image would be roughly 28GB+. For our Rancher installation, we will strip down that list to the smallest working configuration. From there, you can add back any images you may need for your deployments. 
@@ -515,6 +515,132 @@ And when we go to `https://192.168.100.50.sslip.io` and log in with the `adminad image::air-gapped-rancher.png[] +== NeuVector Installation + +Unlike the Rancher installation, the NeuVector installation does not require any special handling in EIB. EIB will automatically air-gap every image required by NeuVector. + +We will create the definition file: +[,console] +---- +apiVersion: 1.0 +image: + imageType: iso + arch: x86_64 + baseImage: slemicro.iso + outputImageName: eib-image.iso +operatingSystem: + users: + - username: root + encryptedPassword: $6$jHugJNNd3HElGsUZ$eodjVe4te5ps44SVcWshdfWizrP.xAyd71CVEXazBJ/.v799/WRCBXxfYmunlBO2yp1hm/zb4r8EmnrrNCF.P/ +kubernetes: + version: v1.28.8+rke2r1 + helm: + charts: + - name: neuvector-crd + version: 103.0.3+up2.7.6 + repositoryName: rancher-charts + targetNamespace: neuvector + createNamespace: true + installationNamespace: kube-system + valuesFile: neuvector-values.yaml + - name: neuvector + version: 103.0.3+up2.7.6 + repositoryName: rancher-charts + targetNamespace: neuvector + createNamespace: true + installationNamespace: kube-system + valuesFile: neuvector-values.yaml + repositories: + - name: rancher-charts + url: https://charts.rancher.io/ +---- + +We will also create a Helm values file for NeuVector: +[,shell] +---- +cat << EOF > $CONFIG_DIR/kubernetes/helm/values/neuvector-values.yaml +controller: + replicas: 1 +manager: + enabled: false +cve: + scanner: + enabled: false + replicas: 1 +k3s: + enabled: true +crdwebhook: + enabled: false +EOF +---- + +Let's build the image: +[,shell] +---- +podman run --rm -it --privileged -v $CONFIG_DIR:/eib \ +registry.suse.com/edge/edge-image-builder:1.0.1 \ +build --definition-file eib-iso-definition.yaml +---- + +The output should be similar to the following: +[,console] +---- +Generating image customization components... +Identifier ................... [SUCCESS] +Custom Files ................. [SKIPPED] +Time ......................... 
[SKIPPED] +Network ...................... [SUCCESS] +Groups ....................... [SKIPPED] +Users ........................ [SUCCESS] +Proxy ........................ [SKIPPED] +Rpm .......................... [SKIPPED] +Systemd ...................... [SKIPPED] +Elemental .................... [SKIPPED] +Suma ......................... [SKIPPED] +Populating Embedded Artifact Registry... 100% (6/6, 20 it/min) +Embedded Artifact Registry ... [SUCCESS] +Keymap ....................... [SUCCESS] +Configuring Kubernetes component... +The Kubernetes CNI is not explicitly set, defaulting to 'cilium'. +Downloading file: rke2_installer.sh +Kubernetes ................... [SUCCESS] +Certificates ................. [SKIPPED] +Building ISO image... +Kernel Params ................ [SKIPPED] +Image build complete! +---- + +Once a node using the built image is provisioned, we can verify the NeuVector installation: + +[,shell] +---- +/var/lib/rancher/rke2/bin/kubectl get all -A --kubeconfig /etc/rancher/rke2/rke2.yaml +---- + +The output should be similar to the following, showing that everything has been successfully deployed: +[,console] +---- +NAME READY STATUS RESTARTS AGE +pod/neuvector-controller-pod-bc74745cf-x9fsc 1/1 Running 0 13m +pod/neuvector-enforcer-pod-vzw7t 1/1 Running 0 13m + +NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE +service/neuvector-svc-admission-webhook ClusterIP 10.43.240.25 443/TCP 13m +service/neuvector-svc-controller ClusterIP None 18300/TCP,18301/TCP,18301/UDP 13m + +NAME DESIRED CURRENT READY UP-TO-DATE AVAILABLE NODE SELECTOR AGE +daemonset.apps/neuvector-enforcer-pod 1 1 1 1 1 13m + +NAME READY UP-TO-DATE AVAILABLE AGE +deployment.apps/neuvector-controller-pod 1/1 1 1 13m + +NAME DESIRED CURRENT READY AGE +replicaset.apps/neuvector-controller-pod-bc74745cf 1 1 1 13m + +NAME SCHEDULE SUSPEND ACTIVE LAST SCHEDULE AGE +cronjob.batch/neuvector-updater-pod 0 0 * * * False 0 13m +---- + == Longhorn Installation [[longhorn-install]] The 
https://longhorn.io/docs/1.6.1/deploy/install/airgap/[official documentation] for Longhorn contains a `longhorn-images.txt` file which lists all the images required for an air-gapped installation.
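Review bot: In the NeuVector hunk the values file written by the `cat << EOF` block disables the manager (`manager: enabled: false`) and the CVE scanner (`cve: scanner: enabled: false`), so the image built here ships NeuVector without its UI and without vulnerability scanning, and the sample build output confirms that only six images are embedded (`Populating Embedded Artifact Registry... 100% (6/6, 20 it/min)`). The introductory sentence "EIB will automatically air-gap every image required by NeuVector" therefore overstates the case: it should say that EIB embeds the images the chart references under the supplied values, and add that enabling the manager or scanner later on an air-gapped node requires rebuilding the image with those components enabled, since their images are not present in the embedded registry. Two smaller points in the same hunk: the verification command `/var/lib/rancher/rke2/bin/kubectl get all -A` would print a NAMESPACE column and list kube-system resources too, but the quoted output has no NAMESPACE column and shows only the NeuVector objects, so either change the command to `get all -n neuvector` or quote the actual `-A` output; and the values file sets `k3s: enabled: true` on an RKE2 cluster (`version: v1.28.8+rke2r1`) with no explanation, so a sentence on why that value is required on RKE2 would save readers from removing it.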