YouPrep documentationHelp centerGet a demo

โ›ด๏ธDeploy Toucan in Air-Gapped Environment

In this section, we will deploy Toucan in an air-gapped environment using Helm Charts. We'll assume this configuration:

  • Traffic is only exposed internally:

    • The machine can only be contacted through private networks (VPC or VPN).

    • The machine cannot be reached from the internet and is stricly blocked by the firewall.

  • A Private DNS is configured to forward auth-toucan.example.com and toucan.example.com to the machine IP.

This guide assumes a strict air-gapped environment:

  • At first, you have a networked environment. You have access to the internet and can download files to put on a USB stick.

  • Then, you deploy the Toucan Stack on your air-gapped environment.

NOTE: This guide helps you deploy a simple "one-shot" "all-in-one" Toucan Stack, which might not be suitable for production.

We heavily recommend in using an external PostgreSQL database as the one embedded might not be suitable for production. Please follow the following guide to connect to your external database: Toucan - External Database

Description and additional requirements

This guide does NOT cover the deployment of Kubernetes in an Air-Gapped environment. If you are interested, we recommend you to read the k3s - Air-Gap Install guide. We recommend using the Private Registry method.

In this guide, we plan to follow that method:

  1. In a networked environment, you have access to the internet and will download files.

  2. In an air-gapped environment, you have no access to the internet and will need to put these files on Kubernetes:

    1. Helm Charts will be hosted on the deployment server containing the tools for installing the Toucan Stack.

    2. The Docker images will be hosted on a local registry.

    3. The deployment will use that local registry to pull the images.

Therefore, you will need:

  • A storage to transfer files from the networked environment to the air-gapped environment. Recommended size is 10GB.

  • After uploading the container images in the local registry, container layers will be uncompressed. The registry will requires at least the double.

Preparations in the networked environment

1. Download the Private Registry

If you are using minikube, k3s, or another Kubernetes distribution, it's very possible there is already a private registry, or a way to load container images directly on the container runtime. You should check the documentation of your Kubernetes distribution.

If not, in this guide, we'll install zot as a private registry.

  1. Download the Helm Chart

  1. Download the container image:

2. Download Toucan-Stack

  1. Download the Helm Chart

  1. Download the container images:

You should have every files required for the air-gapped installation!

Installation in the air-gapped environment

1. Deploy the Private Registry

Since there is no registry to host the container registry image (chicken-egg problem), we need to deploy a private registry manually.

  1. Transfer the zot container image file directly on the Kubernetes node.

If you are in a multi-node setup, you should do this for all the nodes. Since the registry requires a volume, it is better to stick the registry to a single node using nodeSelectors and use a local-path/hostPath volume.

  1. Import the image in the container runtime:

You might need to pass --address to ctr since some distributions move the containerd.sock:

  • Minikube: /run/docker/containerd/containerd.sock

  • k0s: /run/k0s/containerd.sock

  1. Deploy the registry using Helm:

2. Transfer the images to the Private Registry

  1. Edit the /etc/docker/daemon.json to indicates that <node-0 ip>:32000 is not secured by TLS:

And run:

  1. Using the images you've pulled from earlier steps, tag them to the private registry:

If you don't remember which images you've pulled, you can use the following command to push all the images to the private registry:

Replace <node-0 ip> with the IP address of the node where you've deployed the registry.

3. Deploy Toucan Stack

1

Create a namespace

Create a Kubernetes namespace to deploy the Toucan Stack Helm charts in.

Namespaces are used to avoid name conflicts between different projects. Since we are deploying a stack of services, we can use the same namespace for all of them, and avoid conflicting with your own projects.

2

Deploy the Curity secret

You should have a JSON file in this format:

Copy the value from the License or Licence field, and create the secret with:

Replace <value> with your with the value from the JSON file, i.e. the License or Licence field.

3

Deploy the Helm charts

Since we are using Helm, we can patch the necessary values to inject the credentials and secrets. We also need to expose the service to the external network and secure it with TLS.

  1. Create the values file, which will override the default values.

  1. (optional) For strict air-gapped environments, assuming you have transferred the container images to your air-gapped container registry, add these lines to values.override.yaml override the registry:

  1. Add these lines to disable password checking since it requires an internet connection:

  1. Add this line to inject the Curity secret:

  1. Add this line to select your storage provisioner:

You can fetch the available storage classes with:

You should see something like this:

  1. (Optional) Override the volume size:

NOTE: This is only useful if you are using a storage provisioner which handles "sizing". The local-path-provisioner does NOT! So these values doesn't mean anything, but many cloud provider and block storage provisioners do.

  1. Configure TLS for the Toucan Stack:

SUGGESTION: We recommend using cert-manager to issue TLS certificates, which is able to rotatecertificates on a regular basis.

You can also use external-secrets, to fetch TLS certificates from a secretmanager like AWS Secrets Manager, Hashicorp Vault, etc.

Create these files:

Deploy the certificates with:

  1. Expose the Toucan Stack by adding these lines:

Annotations are used by controllers like cert-manager to trigger side effects.

  1. Lastly, you need to inject the CA's certificate to the internal services that uses toucan.example.com:

  1. At this point, your values.override.yaml should looks like (minus the volume size overrides):

  1. Deploy the Toucan Stack:

If the installation fails with:

You should check the health of the deployment. Use kubectl get <deployments/statefulsets/pods> -n toucan to check the status of the deployment. And use kubectl logs <pod-name> -c <container-name> -n toucan to check the logs of the deployment.

We highly recommend using a Kubernetes GUI for troubleshooting like for example Headlamp.

  1. To get the Admin password, run the following command:

  1. You should be able to access the Toucan Stack at https://toucan.example.com and login with the admin credentials. Enter [email protected] for the username and the password you got from the previous step.

Last updated

Was this helpful?