Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Airgapped install support #175

Draft
wants to merge 5 commits into
base: main
Choose a base branch
from
Draft

Airgapped install support #175

wants to merge 5 commits into from

Conversation

nbykov0
Copy link
Collaborator

@nbykov0 nbykov0 commented Jun 19, 2024

  • example Makefile and generated Dockerfile for packages/system/capi-operator
  • script for generating/updating a dockerfile during make update
  • script for pushing an image to a custom registry with make image

@kvaps please check if I'm moving in a right direction

@nbykov0 nbykov0 self-assigned this Jun 19, 2024
@nbykov0 nbykov0 linked an issue Jun 19, 2024 that may be closed by this pull request
Copy link
Member

@kvaps kvaps left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Overall, you can split this PR into three parts:

First part should provide automation for creating structure of the used images for every package by calling:

make update

The second one should provide unified makefile target to build all the images from images/ directory and output <image>.json and <image>.tag files:

make image

so every image can be builded separately:

make image-<image>

It should always output metadata and tag files with same name as image
I can help you with writing this target.

In the third it should substitute builded image metadata and tag into helm chart, so the charts should be modified or override the named template to putting correct image infromaton from these files:

{{- define "cilium.image" -}}
{{ .Files.Get "images/cilium.tag" | trim }}@{{ index (.Files.Get "images/cilium.json" | fromJson) "containerimage.digest" }}
{{- end -}}

This is a huge work :)



function with_helm() {
helm template . | awk '/^[ \t"-]*image["]*: [a-zA-Z0-9/:@"\.-]+$/{print $NF}' | sed 's/"//g' | \
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This wont work, because we have to replace all the images with ours in the helm chart, the output of helm template . will always return our values. Try parsing upstream helm chart instead

packages/system/capi-operator/Makefile Outdated Show resolved Hide resolved
packages/system/capi-operator/Makefile Outdated Show resolved Hide resolved
scripts/build-images.sh Outdated Show resolved Hide resolved
@nbykov0
Copy link
Collaborator Author

nbykov0 commented Jun 20, 2024

I think I'll leave the PR as a place for duscussion, and then make separate ones with actual changes.

@nbykov0
Copy link
Collaborator Author

nbykov0 commented Jun 26, 2024

Next steps:

  • a script for pushing all czk images to a provate repo without changing digests (see crane)
  • make a global override for registry from czk configmap

kvaps added a commit that referenced this pull request Aug 7, 2024
Let's use approach suggested by @nbykov0 in
#175

We will only update values.yaml and do not store build json artifact

The reset charts include this change in
- #262
- #263
- #264
- #265

Signed-off-by: Andrei Kvapil <kvapss@gmail.com>
@RaSerge
Copy link

RaSerge commented Aug 19, 2024

Hello, @nbykov0!
I'm interested in adopt cozystack for my campus lab air-gapped installation. Yesterday i tested your solution and found that isn't easy to use (for me at least). It looks like i need to change every Makefile for system/core/etc components, right. Maybe you have ideas how to move that to upper level (something in scripts/dir) or to solve this issue more globally?

@nbykov0
Copy link
Collaborator Author

nbykov0 commented Aug 21, 2024

Maybe you have ideas how to move that to upper level (something in scripts/dir) or to solve this issue more globally?

Hi @RaSerge! Yeah, I also dislike how it goes.
Seems to me like there is no good way to solve this on the upper level for every component, as each one of those generate image names in different ways. I'm thinking of parsing every values.yaml with yq or so, and adding this to every Makefile.
If you have any ideas please let me know.

@RaSerge
Copy link

RaSerge commented Aug 22, 2024

My ideas:

  1. Use Fluxcd Kustomization to globally add prefix (local registry) to all images - modified images will be like a myregitry.local/ghcr.io/aenix-io etc)
  2. Run simple bash script with grep+sed at end of manifests build (target make manifests probably) to globaly replace external registries with local one.

Yesterday i found this helm plugin (it extracts images from charts).
https://github.com/nikhilsbhat/helm-images

  1. Use helm-images plugin for extract all images, run crane to copy this images to local registry, modify this plugin with replace functionality or just use bash with grep+sed to replace registries in found images with local one

@gecube
Copy link
Collaborator

gecube commented Aug 22, 2024

no need to rewrite image names. It could be achieved simpler by

  1. using harbor as local cache images
  2. or patching image names directly in the cluster with any kind of policy engine

@RaSerge
Copy link

RaSerge commented Aug 22, 2024

no need to rewrite image names. It could be achieved simpler by

1. using harbor as local cache images

2. or patching image names directly in the cluster with any kind of policy engine
  1. Looks good. i already tried variant with mirroring, it works fine, and .. we need to populate caching registry with images.
  2. Can you explain this solution, please

@gecube
Copy link
Collaborator

gecube commented Aug 22, 2024

Something like this

https://t.me/kubernetes_ru/838830

@nbykov0
Copy link
Collaborator Author

nbykov0 commented Aug 22, 2024

1. Looks good. i already tried variant with mirroring, it works fine, and .. we need to populate caching registry with images.

There is one more way by Talos itself, see
https://www.talos.dev/v1.7/talos-guides/configuration/pull-through-cache/

@nbykov0
Copy link
Collaborator Author

nbykov0 commented Aug 22, 2024

1. using harbor as local cache images
2. or patching image names directly in the cluster with any kind of policy engine

Well, it would work for sure, but to me it seems more like a workaround.

In case of a local cache I can almost feel all the concerns coming from security etc., who will notice images from public registries in private clusters :) And overriding image names on the fly might break image signing and all that.
I'll try to implement image names overides and stuff, but it will be done for every component, and by default all images will be replicated to cozystack repo, and a release will contain only them.

However, a pull-through/local cache is a needed feature for sure.
@RaSerge if it will work for you for now, maybe you could investigate that? I mean, a cache, and a way to upload unmodified images there. In this case you will not be not blocked in any way by this PR, and it would be a separate needed feature.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

Support air-gapped installation
4 participants