
Pre-provisioned Air-gapped FIPS: Configure Environment

In order to create a cluster in a Pre-provisioned Air-gapped environment with FIPS, you must first prepare the environment.

The instructions below explain how to satisfy the requirements for pre-provisioned infrastructure in an air-gapped environment. Before you can create a cluster, the environment must be set up with the necessary artifacts. All artifacts for a pre-provisioned air-gapped installation must be transferred to the bastion host; the artifacts the nodes need must then be unpacked and distributed from the bastion, because without an internet connection no other provisioning step can fetch them.

A complete DKP air-gapped bundle is available for download and contains all the DKP components needed for an air-gapped installation (for example, dkp-air-gapped-bundle_v2.7.2_linux_amd64.tar.gz).

Setup Process:

  1. Extract the bootstrap image and load it onto the bastion host.

  2. Copy the artifacts onto the cluster hosts so the nodes can access them.

  3. If using GPUs, position the GPU artifacts locally as well.

  4. Seed the local registry with the container images.

Load the Bootstrap Image

  1. Assuming you have downloaded dkp-air-gapped-bundle_v2.7.2_linux_amd64.tar.gz from the download site mentioned above, extract the tarball to a local directory:

    CODE
    tar -xzvf dkp-air-gapped-bundle_v2.7.2_linux_amd64.tar.gz && cd dkp-v2.7.2
  2. Load the bootstrap image on your bastion machine:

    CODE
    docker load -i konvoy-bootstrap-image-v2.7.2.tar

Copy air-gapped artifacts onto cluster hosts

Using the Konvoy Image Builder, you can copy the required artifacts onto your cluster hosts.

  1. Assuming you have downloaded dkp-air-gapped-bundle_v2.7.2_linux_amd64.tar.gz (the same bundle used in the previous section), extract the tarball to a local directory and change into its kib directory; the paths in the following steps are relative to it:

    CODE
    tar -xzvf dkp-air-gapped-bundle_v2.7.2_linux_amd64.tar.gz && cd dkp-v2.7.2/kib
  2. The Kubernetes image bundles are located in kib/artifacts/images. Verify that the image bundles and the OS artifacts are present before continuing:

    1. Verify the image bundles exist in artifacts/images:

      CODE
      $ ls artifacts/images/
      kubernetes-images-1.27.11-d2iq.1.tar kubernetes-images-1.27.11-d2iq.1-fips.tar
    2. Verify the artifacts for your OS exist in the artifacts/ directory and export the appropriate variables:

      CODE
      $ ls artifacts/
      1.27.11_centos_7_x86_64.tar.gz	    1.27.11_redhat_8_x86_64_fips.tar.gz			    containerd-1.6.28-d2iq.1-rhel-7.9-x86_64.tar.gz	  containerd-1.6.28-d2iq.1-rhel-8.6-x86_64_fips.tar.gz	pip-packages.tar.gz
      1.27.11_centos_7_x86_64_fips.tar.gz  1.27.11_rocky_9_x86_64.tar.gz			    containerd-1.6.28-d2iq.1-rhel-7.9-x86_64_fips.tar.gz  containerd-1.6.28-d2iq.1-rocky-9.0-x86_64.tar.gz
      1.27.11_redhat_7_x86_64.tar.gz	    1.27.11_ubuntu_20_x86_64.tar.gz			    containerd-1.6.28-d2iq.1-rhel-8.4-x86_64.tar.gz	  containerd-1.6.28-d2iq.1-rocky-9.1-x86_64.tar.gz
      1.27.11_redhat_7_x86_64_fips.tar.gz  containerd-1.6.28-d2iq.1-centos-7.9-x86_64.tar.gz	    containerd-1.6.28-d2iq.1-rhel-8.4-x86_64_fips.tar.gz  containerd-1.6.28-d2iq.1-ubuntu-20.04-x86_64.tar.gz
      1.27.11_redhat_8_x86_64.tar.gz	    containerd-1.6.28-d2iq.1-centos-7.9-x86_64_fips.tar.gz  containerd-1.6.28-d2iq.1-rhel-8.6-x86_64.tar.gz	  images
    3. For example, for RHEL 8.4 with FIPS you would set the following. Both bundles must be the _fips variants, and the containerd version must match the files in the listing above (1.6.28):

      CODE
      export OS_PACKAGES_BUNDLE=1.27.11_redhat_8_x86_64_fips.tar.gz
      export CONTAINERD_BUNDLE=containerd-1.6.28-d2iq.1-rhel-8.4-x86_64_fips.tar.gz
  3. Export the following environment variables, ensuring that all control plane and worker nodes are included:

    CODE
    export CONTROL_PLANE_1_ADDRESS="<control-plane-address-1>"
    export CONTROL_PLANE_2_ADDRESS="<control-plane-address-2>"
    export CONTROL_PLANE_3_ADDRESS="<control-plane-address-3>"
    export WORKER_1_ADDRESS="<worker-address-1>"
    export WORKER_2_ADDRESS="<worker-address-2>"
    export WORKER_3_ADDRESS="<worker-address-3>"
    export WORKER_4_ADDRESS="<worker-address-4>"
    export SSH_USER="<ssh-user>"
    export SSH_PRIVATE_KEY_FILE="<private key file>"

    SSH_PRIVATE_KEY_FILE must be either the name of the SSH private key file in your working directory or an absolute path to the file (for example, a key under your home directory). The key file must be readable only by its owner (mode 0600); the SSH client ignores private keys with broader permissions, and the upload in step 5 will then fail to authenticate.

  4. Generate an inventory.yaml in the working directory; the konvoy-image upload command in the next step picks it up automatically.

    CODE
    cat <<EOF > inventory.yaml
    all:
      vars:
        ansible_user: $SSH_USER
        ansible_port: 22
        ansible_ssh_private_key_file: $SSH_PRIVATE_KEY_FILE
      hosts:
        $CONTROL_PLANE_1_ADDRESS:
          ansible_host: $CONTROL_PLANE_1_ADDRESS
        $CONTROL_PLANE_2_ADDRESS:
          ansible_host: $CONTROL_PLANE_2_ADDRESS
        $CONTROL_PLANE_3_ADDRESS:
          ansible_host: $CONTROL_PLANE_3_ADDRESS
        $WORKER_1_ADDRESS:
          ansible_host: $WORKER_1_ADDRESS
        $WORKER_2_ADDRESS:
          ansible_host: $WORKER_2_ADDRESS
        $WORKER_3_ADDRESS:
          ansible_host: $WORKER_3_ADDRESS
        $WORKER_4_ADDRESS:
          ansible_host: $WORKER_4_ADDRESS
    EOF
  5. Upload the artifacts onto cluster hosts with the following command:

    CODE
    konvoy-image upload artifacts \
                  --container-images-dir=./artifacts/images/ \
                  --os-packages-bundle=./artifacts/$OS_PACKAGES_BUNDLE \
                  --containerd-bundle=./artifacts/$CONTAINERD_BUNDLE \
                  --pip-packages-bundle=./artifacts/pip-packages.tar.gz

    KIB uses variable override files to select the base image and the container images used in your machine image. The NVIDIA and FIPS override files are not needed for this upload step; they are only used when building an image with one of those overlays.
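The steps above are easy to get subtly wrong by hand: pairing a FIPS OS bundle with a non-FIPS containerd bundle, mistyping a version, or pointing at a key file that SSH will refuse. The following shell helpers are an added example (not DKP or Konvoy Image Builder code) that derive the two bundle names from the naming pattern visible in the artifacts listing, check that the files exist and that both are the same FIPS variant, and write the inventory.yaml from the page only after checking the private key's permissions. The distro tag used in the containerd file name (rhel-8.4, rocky-9.0, and so on) is passed in by the caller, because the OS package bundle name does not encode the minor release. The artifact directory and key used in demo are constructed sample input, not a real bundle.

```bash
#!/usr/bin/env bash
# Added example, not DKP/KIB code. Assumes the artifact naming pattern seen
# in kib/artifacts: <k8s>_<family>_<major>_x86_64[_fips].tar.gz and
# containerd-<ver>-d2iq.1-<distro-tag>-x86_64[_fips].tar.gz.

# pick_bundles DIR K8S_VER OS_FAMILY OS_MAJOR CONTAINERD_VER DISTRO_TAG FIPS(yes|no)
# Sets and exports OS_PACKAGES_BUNDLE and CONTAINERD_BUNDLE; fails if any of
# the three files the upload needs is absent from DIR.
pick_bundles() {
  local dir="$1" k8s="$2" fam="$3" major="$4" cver="$5" tag="$6" fips="$7"
  local suffix=""
  [ "$fips" = "yes" ] && suffix="_fips"
  OS_PACKAGES_BUNDLE="${k8s}_${fam}_${major}_x86_64${suffix}.tar.gz"
  CONTAINERD_BUNDLE="containerd-${cver}-d2iq.1-${tag}-x86_64${suffix}.tar.gz"
  local f
  for f in "$OS_PACKAGES_BUNDLE" "$CONTAINERD_BUNDLE" pip-packages.tar.gz; do
    if [ ! -f "$dir/$f" ]; then
      echo "missing artifact: $dir/$f" >&2
      return 1
    fi
  done
  export OS_PACKAGES_BUNDLE CONTAINERD_BUNDLE
}

# check_fips_pair OS_BUNDLE CONTAINERD_BUNDLE
# Succeeds only if both names carry the _fips suffix or neither does; a FIPS
# OS bundle with a non-FIPS containerd (or vice versa) would quietly leave the
# node in a mixed state.
check_fips_pair() {
  local a b
  case "$1" in *_fips.tar.gz) a=1 ;; *) a=0 ;; esac
  case "$2" in *_fips.tar.gz) b=1 ;; *) b=0 ;; esac
  [ "$a" = "$b" ]
}

# write_inventory OUT SSH_USER KEY_FILE ADDR...
# Writes the same inventory.yaml layout the page uses, after checking that the
# private key exists and is not group- or world-accessible (0600 or 0400).
write_inventory() {
  local out="$1" user="$2" key="$3"; shift 3
  [ -f "$key" ] || { echo "key not found: $key" >&2; return 1; }
  local mode
  mode=$(stat -c '%a' "$key" 2>/dev/null || stat -f '%Lp' "$key")
  case "$mode" in
    *00) ;;
    *) echo "key $key has mode $mode; expected 0600 or 0400" >&2; return 1 ;;
  esac
  [ "$#" -ge 1 ] || { echo "no hosts given" >&2; return 1; }
  {
    printf 'all:\n  vars:\n    ansible_user: %s\n    ansible_port: 22\n' "$user"
    printf '    ansible_ssh_private_key_file: %s\n  hosts:\n' "$key"
    local h
    for h in "$@"; do
      printf '    %s:\n      ansible_host: %s\n' "$h" "$h"
    done
  } > "$out"
}

# count_hosts FILE: number of hosts written, as a sanity check before upload.
count_hosts() { grep -c 'ansible_host:' "$1"; }

# demo: constructed sample layout (empty files, not a real bundle) so the
# helpers can be exercised offline. Prints the chosen bundles and host count.
demo() {
  local tmp; tmp=$(mktemp -d)
  local art="$tmp/artifacts"; mkdir -p "$art"
  touch "$art/1.27.11_redhat_8_x86_64_fips.tar.gz" \
        "$art/containerd-1.6.28-d2iq.1-rhel-8.4-x86_64_fips.tar.gz" \
        "$art/containerd-1.6.28-d2iq.1-rhel-8.4-x86_64.tar.gz" \
        "$art/pip-packages.tar.gz"
  : > "$tmp/id_ed25519"; chmod 600 "$tmp/id_ed25519"

  pick_bundles "$art" 1.27.11 redhat 8 1.6.28 rhel-8.4 yes || return 1
  check_fips_pair "$OS_PACKAGES_BUNDLE" "$CONTAINERD_BUNDLE" || return 1
  # A FIPS OS bundle with the non-FIPS containerd bundle must be rejected:
  check_fips_pair "$OS_PACKAGES_BUNDLE" containerd-1.6.28-d2iq.1-rhel-8.4-x86_64.tar.gz && return 1
  write_inventory "$tmp/inventory.yaml" k8suser "$tmp/id_ed25519" \
    10.0.0.11 10.0.0.12 10.0.0.13 10.0.0.21 || return 1
  echo "OS_PACKAGES_BUNDLE=$OS_PACKAGES_BUNDLE"
  echo "CONTAINERD_BUNDLE=$CONTAINERD_BUNDLE"
  count_hosts "$tmp/inventory.yaml"
}

demo
```

On a real bastion you would call pick_bundles against ./artifacts with your own Kubernetes, containerd and distro values, then run check_fips_pair and write_inventory before invoking konvoy-image upload; if any of the helpers fails, the upload command should not be run.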

Next Step:

Pre-provisioned Air-gapped FIPS: Load the Registry
