
vSphere FIPS Air-gapped: Create a CAPI VM Template

You must have at least one image before creating a new cluster. As long as you have an image, you do not need to repeat this step each time, because that image can be reused to spin up a new cluster. However, if you need different images for different environments or providers, you will need to create a new custom image.

Using KIB, you can create your VM template without requiring access to the internet by providing an additional --overrides flag.

  1. Assuming you have downloaded dkp-air-gapped-bundle_v2.8.1_linux_amd64.tar.gz, extract the tarball to a local directory:

    CODE
    tar -xzvf dkp-air-gapped-bundle_v2.8.1_linux_amd64.tar.gz && cd dkp-v2.8.1/kib
  2. You will need to fetch the distro packages as well as other artifacts. By fetching the distro packages from distro repositories, you get the latest security fixes available at machine image build time.

  3. In your download location with internet access, create an OS package bundle for the target OS you use for the nodes in your DKP cluster. To create it, run the DKP command create-package-bundle, which builds an OS bundle using the Kubernetes version defined in ansible/group_vars/all/defaults.yaml. Example command:

    CODE
    ./konvoy-image create-package-bundle --os redhat-8.4 --output-directory=artifacts

    NOTE: For FIPS, pass the flag: --fips
    NOTE: For a RHEL OS, pass your Red Hat Subscription Manager credentials as environment variables. Example:

    CODE
    export RHSM_ACTIVATION_KEY="-ci"
    export RHSM_ORG_ID="1232131"

    OR

    CODE
    export RHSM_USER=""
    export RHSM_PASS=""
  4. Follow the instructions below to build a vSphere template and, if applicable, add the --overrides overrides/offline.yaml flag described in Step 4 of that procedure.

Create a vSphere Template for Your Cluster from a Base OS Image

Using the base OS image created in a previous procedure, DKP creates the new vSphere template directly on the vCenter server.

  1. Set the following vSphere environment variables on the bastion VM host:

    CODE
    export VSPHERE_SERVER=your_vCenter_APIserver_URL
    export VSPHERE_USERNAME=your_vCenter_user_name
    export VSPHERE_PASSWORD=your_vCenter_password


  2. Copy the base OS image file created in the vSphere Client to your desired location on the bastion VM host and make a note of the path and file name.

  3. Create an image.yaml file and add the following variables for vSphere. DKP uses this file and these variables as inputs in the next step. To customize your image.yaml file, refer to this section: Customize your Image.
    ⚠️ NOTE: This example is for Ubuntu 20.04; replace the OS names below with those for your OS. Other default YAML examples that you can copy and paste follow the last step.

    CODE
    ---
    download_images: true
    build_name: "ubuntu-2004"
    packer_builder_type: "vsphere" 
    guestinfo_datasource_slug: "https://raw.githubusercontent.com/vmware/cloud-init-vmware-guestinfo"
    guestinfo_datasource_ref: "v1.4.0"
    guestinfo_datasource_script: "{{guestinfo_datasource_slug}}/{{guestinfo_datasource_ref}}/install.sh"
    packer:
      cluster: "<VSPHERE_CLUSTER_NAME>"
      datacenter: "<VSPHERE_DATACENTER_NAME>"
      datastore: "<VSPHERE_DATASTORE_NAME>"
      folder: "<VSPHERE_FOLDER>"
      insecure_connection: "false"
      network: "<VSPHERE_NETWORK>"
      resource_pool: "<VSPHERE_RESOURCE_POOL>"
      template: "os-qualification-templates/d2iq-base-Ubuntu-20.04" # change default value with your base template name
      vsphere_guest_os_type: "other4xLinux64Guest"
      guest_os_type: "ubuntu2004-64"
      # goss params
      distribution: "ubuntu"
      distribution_version: "20.04"
    # Use the following overrides to select the authentication method used with the base template
    # ssh_username: ""  # can be exported as environment variable 'SSH_USERNAME'
    # ssh_password: "" # can be exported as environment variable 'SSH_PASSWORD'
    # ssh_private_key_file: "" # can be exported as environment variable 'SSH_PRIVATE_KEY_FILE'
    # ssh_agent_auth: false  # if set to true, ssh_password and ssh_private_key will be ignored

  4. Create a vSphere VM template with your variation of the following command:

    CODE
    konvoy-image build images/ova/<image.yaml>

    Any additional configuration can be added to this command using --overrides flags as shown below:

    1. Any credential overrides: --overrides overrides.yaml

    2. For FIPS, add this flag: --overrides overrides/fips.yaml

    3. For air-gapped, add this flag: --overrides overrides/offline-fips.yaml

  5. The Konvoy Image Builder (KIB) uses the values in image.yaml and the input base OS image to create a vSphere template directly on the vCenter server. This template contains the artifacts required to create a Kubernetes cluster.
    When KIB provisions the OS image successfully, it creates a manifest file. The artifact_id field of this file holds the AMI ID (AWS), the template name (vSphere), or the image name (GCP/Azure); for example:

    CODE
    {
          "name": "vsphere-clone",
          "builder_type": "vsphere-clone",
          "build_time": 1644985039,
          "files": null,
          "artifact_id": "konvoy-ova-vsphere-rhel-84-1.21.6-1644983717",
          "packer_run_uuid": "260e8110-77f8-ca94-e29e-ac7a2ae779c8",
          "custom_data": {
            "build_date": "2022-02-16T03:55:17Z",
            "build_name": "vsphere-rhel-84",
            "build_timestamp": "1644983717",
            [...]
          }
        }

    Recommendation: Now that the template is visible in vCenter, rename it to dkp-<DKP_VERSION>-k8s-<K8S_VERSION>-<DISTRO>, for example dkp-2.4.0-k8s-1.24.6-ubuntu, to keep templates organized.

  6. The next step is to deploy a DKP cluster using your vSphere template.
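
A preflight check for the image.yaml from step 3, added here as an example that is not part of KIB or the DKP documentation: it parses the flat key/value subset the file uses, then rejects a file that turns off vCenter TLS verification (insecure_connection), carries SSH secrets that belong in the SSH_PASSWORD / SSH_PRIVATE_KEY_FILE environment variables, or still has an empty or placeholder packer field. The parser, the check names and the sample file are constructed for this example.

```python
import re

# Hypothetical preflight helper (not part of KIB): checks a vSphere image.yaml
# before `konvoy-image build` so a weak or incomplete file never reaches packer.
REQUIRED = ("cluster", "datacenter", "datastore", "network", "resource_pool", "template")
PLACEHOLDER = re.compile(r"^<.*>$")  # e.g. "<VSPHERE_CLUSTER_NAME>" left unfilled

def parse_image_yaml(text):
    """Parse the flat `key: "value"` subset image.yaml uses (no PyYAML needed);
    keys under `packer:` come back as "packer.<key>", comments are dropped."""
    cfg, section = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip() or line.strip() == "---":
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        value = value.strip().strip('"')
        if indent == 0 and value == "":  # `packer:` opens a nested section
            section = key
            continue
        cfg[f"{section}.{key}" if indent and section else key] = value
    return cfg

def preflight(text):
    """Return findings; an empty list means the file is safe to hand to KIB."""
    cfg, findings = parse_image_yaml(text), []
    if cfg.get("packer.insecure_connection", "false").lower() != "false":
        findings.append('packer.insecure_connection must stay "false" (verify vCenter TLS)')
    if cfg.get("ssh_password") or cfg.get("ssh_private_key_file"):
        findings.append("SSH secrets belong in SSH_PASSWORD/SSH_PRIVATE_KEY_FILE env vars")
    for key in REQUIRED:
        val = cfg.get(f"packer.{key}", "")
        if val == "" or PLACEHOLDER.match(val):
            findings.append(f"packer.{key} is empty or still a placeholder: {val!r}")
    return findings

# Constructed sample with three problems: TLS verification off, an unfilled
# placeholder, and a plaintext SSH password; SAMPLE_OK fixes all three.
SAMPLE_BAD = """\
packer:
  cluster: "<VSPHERE_CLUSTER_NAME>"
  datacenter: "dc01"
  datastore: "ds01"
  insecure_connection: "true"
  network: "vm-net"
  resource_pool: "rp01"
  template: "base-ubuntu-20.04" # base template name
ssh_password: "hunter2"
"""
SAMPLE_OK = SAMPLE_BAD.replace('"true"', '"false"').replace("<VSPHERE_CLUSTER_NAME>", "cl01").replace('ssh_password: "hunter2"\n', "")
```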

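Reading the manifest from step 5, as an added example that is not KIB's own code: it accepts either packer's usual {"builds": [...]} manifest layout or a bare build entry like the one shown above (an assumption), checks that the build is a vsphere-clone whose artifact_id agrees with its custom_data, and derives the recommended dkp-<DKP_VERSION>-k8s-<K8S_VERSION>-<DISTRO> name. The sample manifest is constructed from the fields shown above; the function names are hypothetical.

```python
import json
import re

# Hypothetical helper (not part of KIB): reads the manifest KIB writes after a
# build, checks it is a consistent vSphere clone result, and derives the
# dkp-<DKP_VERSION>-k8s-<K8S_VERSION>-<DISTRO> name recommended above.
# Assumes packer's usual manifest layout {"builds": [...]} or a bare build entry.
ARTIFACT_RE = re.compile(
    r"^konvoy-ova-vsphere-(?P<distro>[a-z]+)-(?P<osver>\d+)-(?P<k8s>\d+\.\d+\.\d+)-(?P<ts>\d+)$")

def parse_manifest(text):
    """Return artifact_id, distro, OS version and k8s version as a dict, or
    raise ValueError when the manifest is not a consistent vSphere build."""
    doc = json.loads(text)
    build = doc["builds"][-1] if "builds" in doc else doc  # newest build entry
    if build.get("builder_type") != "vsphere-clone":
        raise ValueError(f"not a vSphere build: {build.get('builder_type')!r}")
    m = ARTIFACT_RE.match(build.get("artifact_id", ""))
    if not m:
        raise ValueError(f"unexpected artifact_id {build.get('artifact_id')!r}")
    custom = build.get("custom_data", {})
    # Cross-checks: artifact_id ends with the build timestamp and names the same OS
    # as custom_data.build_name, so a mismatched or hand-edited manifest is refused.
    if custom.get("build_timestamp") != m["ts"]:
        raise ValueError("artifact_id timestamp does not match custom_data.build_timestamp")
    if not custom.get("build_name", "").endswith(f"{m['distro']}-{m['osver']}"):
        raise ValueError("artifact_id OS does not match custom_data.build_name")
    return {"artifact_id": m.group(0), "distro": m["distro"],
            "os_version": m["osver"], "k8s": m["k8s"]}

def recommended_name(dkp_version, info):
    """Name in the dkp-<DKP>-k8s-<K8S>-<DISTRO> form; like the example above,
    the distro part carries the family only (ubuntu, rhel, rocky)."""
    return f"dkp-{dkp_version}-k8s-{info['k8s']}-{info['distro']}"

# Constructed manifest modelled on the entry shown above (truncated fields omitted).
SAMPLE_MANIFEST = json.dumps({"builds": [{
    "name": "vsphere-clone", "builder_type": "vsphere-clone",
    "build_time": 1644985039, "files": None,
    "artifact_id": "konvoy-ova-vsphere-rhel-84-1.21.6-1644983717",
    "packer_run_uuid": "260e8110-77f8-ca94-e29e-ac7a2ae779c8",
    "custom_data": {"build_date": "2022-02-16T03:55:17Z",
                    "build_name": "vsphere-rhel-84", "build_timestamp": "1644983717"}}]})
```
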
Additional OS YAML file examples:

RHEL 8.6
CODE
---
download_images: true
build_name: "rhel-86"
packer_builder_type: "vsphere" 
guestinfo_datasource_slug: "https://raw.githubusercontent.com/vmware/cloud-init-vmware-guestinfo"
guestinfo_datasource_ref: "v1.4.0"
guestinfo_datasource_script: "{{guestinfo_datasource_slug}}/{{guestinfo_datasource_ref}}/install.sh"
packer:
  cluster: ""
  datacenter: ""
  datastore: ""
  folder: ""
  insecure_connection: "false"
  network: ""
  resource_pool: ""
  template: "base-rhel-8.6" # change default value with your base template name
  vsphere_guest_os_type: "rhel8_64Guest"
  guest_os_type: "rhel8-64"
  # goss params
  distribution: "RHEL"
  distribution_version: "8.6"
# Use the following overrides to select the authentication method used with the base template
# ssh_username: ""  # can be exported as environment variable 'SSH_USERNAME'
# ssh_password: "" # can be exported as environment variable 'SSH_PASSWORD'
# ssh_private_key_file: "" # can be exported as environment variable 'SSH_PRIVATE_KEY_FILE'
# ssh_agent_auth: false  # if set to true, ssh_password and ssh_private_key will be ignored

Ubuntu 20.04
CODE
---
download_images: true
build_name: "ubuntu-2004"
packer_builder_type: "vsphere" 
guestinfo_datasource_slug: "https://raw.githubusercontent.com/vmware/cloud-init-vmware-guestinfo"
guestinfo_datasource_ref: "v1.4.0"
guestinfo_datasource_script: "{{guestinfo_datasource_slug}}/{{guestinfo_datasource_ref}}/install.sh"
packer:
  cluster: ""
  datacenter: ""
  datastore: ""
  folder: ""
  insecure_connection: "false"
  network: ""
  resource_pool: ""
  template: "base-ubuntu-20.04" # change default value with your base template name
  vsphere_guest_os_type: "other4xLinux64Guest"
  guest_os_type: "ubuntu2004-64"
  # goss params
  distribution: "ubuntu"
  distribution_version: "20.04"
# Use the following overrides to select the authentication method used with the base template
# ssh_username: ""  # can be exported as environment variable 'SSH_USERNAME'
# ssh_password: "" # can be exported as environment variable 'SSH_PASSWORD'
# ssh_private_key_file: "" # can be exported as environment variable 'SSH_PRIVATE_KEY_FILE'
# ssh_agent_auth: false  # if set to true, ssh_password and ssh_private_key will be ignored

Rocky Linux 9.1
CODE
---
download_images: true
build_name: "rocky-91"
packer_builder_type: "vsphere" 
guestinfo_datasource_slug: "https://raw.githubusercontent.com/vmware/cloud-init-vmware-guestinfo"
guestinfo_datasource_ref: "v1.4.0"
guestinfo_datasource_script: "{{guestinfo_datasource_slug}}/{{guestinfo_datasource_ref}}/install.sh"
packer:
  cluster: ""
  datacenter: ""
  datastore: ""
  folder: ""
  insecure_connection: "false"
  network: ""
  resource_pool: ""
  template: "base-rocky-9.1" # change default value with your base template name
  vsphere_guest_os_type: "other4xLinux64Guest"
  guest_os_type: "rocky9-64"
  # goss params
  distribution: "rocky"
  distribution_version: "9.1"
# Use the following overrides to select the authentication method used with the base template
# ssh_username: ""  # can be exported as environment variable 'SSH_USERNAME'
# ssh_password: "" # can be exported as environment variable 'SSH_PASSWORD'
# ssh_private_key_file: "" # can be exported as environment variable 'SSH_PRIVATE_KEY_FILE'
# ssh_agent_auth: false  # if set to true, ssh_password and ssh_private_key will be ignored

Next Step

vSphere FIPS Air-gapped: Create the Management Cluster
