Version: Next 🚧

Airgapping NeuVector

Prerequisites

We need to install two tools to easily airgap everything for NeuVector...

Hauler - Airgap Swiss Army Knife
Helm - The Kubernetes Package Manager

# install hauler
curl -sfL https://get.hauler.dev | bash

# install helm
curl -fsSL https://raw.githubusercontent.com/helm/helm/main/scripts/get-helm-3 | bash

Fetch the Images and Helm Chart

In order to get the required container images and Helm chart for NeuVector, we are able to utilize hauler to easily fetch, package, and distribute all the bits. We can utilize commands or declarative manifests within hauler to do this using either method.

For Supported Customers...

If you are a Rancher Prime or Rancher Government Carbide customer, please make sure to use the commands that fetch all artifacts from the respective private registry. If you're a supported customer and do not know the correct <registry-url> for Prime or Carbide, please contact your respective support team!

Fetching with Commands

# set the neuvector version
export vNeuVector=5.4.2
export vNeuVectorHelm=2.8.4

# fetch the images
helm repo add neuvector https://neuvector.github.io/neuvector-helm
for image in $(helm template neuvector/core --version=${vNeuVector} | grep 'image:' | awk -F'"' '{print $2}' | sort -u); do
    hauler store add image "$image"
done

# fetch the images (for supported customers)
helm repo add neuvector https://neuvector.github.io/neuvector-helm
for image in $(helm template neuvector/core --version=${vNeuVector} | grep 'image:' | awk -F'"' '{print $2}' | sort -u); do
    hauler store add --registry <registry-url> image "$image"
done

# fetch the helm chart
hauler store add chart core --repo https://neuvector.github.io/neuvector-helm --version ${vNeuVectorHelm}

Fetching with Declarative Manifests

# set the neuvector version
export vNeuVector=5.4.2
export vNeuVectorHelm=2.8.4

# create the declarative manifest
cat << EOF >> hauler-neuvector-airgap.yaml
apiVersion: content.hauler.cattle.io/v1alpha1
kind: Charts
metadata:
  name: rancher-airgap-charts-neuvector
spec:
  charts:
    - name: core
      repoURL: https://neuvector.github.io/neuvector-helm
      version: ${vNeuVectorHelm}
---
apiVersion: content.hauler.cattle.io/v1alpha1
kind: Images
metadata:
  name: rancher-airgap-images-neuvector
spec:
  images:
    - name: neuvector/controller:${vNeuVector}
    - name: neuvector/enforcer:${vNeuVector}
    - name: neuvector/manager:${vNeuVector}
    - name: neuvector/scanner:latest
    - name: neuvector/updater:latest
EOF

# apply/fetch the declarative manifest
hauler store sync --files hauler-neuvector-airgap.yaml

# apply/fetch the declarative manifest (for supported customers)
hauler store sync --registry <registry-url> --files hauler-neuvector-airgap.yaml

Verify Fetching of the Images and Helm Chart

# verify everything has been fetched
root@hauler-neuvector-airgap hauler % hauler store info
+--------------------------------------------+-------+-------------+----------+----------+
| REFERENCE                                  | TYPE  | PLATFORM    | # LAYERS | SIZE     |
+--------------------------------------------+-------+-------------+----------+----------+
| hauler/core:2.8.4                          | chart | -           |        1 | 33.3 kB  |
| index.docker.io/neuvector/controller:5.4.2 | image | linux/amd64 |        7 | 255.8 MB |
|                                            | image | linux/arm64 |        7 | 244.9 MB |
| index.docker.io/neuvector/enforcer:5.4.2   | image | linux/amd64 |        7 | 248.2 MB |
|                                            | image | linux/arm64 |        7 | 236.6 MB |
| index.docker.io/neuvector/manager:5.4.2    | image | linux/amd64 |        8 | 215.7 MB |
|                                            | image | linux/arm64 |        8 | 223.3 MB |
| index.docker.io/neuvector/scanner:latest   | image | linux/amd64 |        5 | 260.5 MB |
|                                            | image | linux/arm64 |        5 | 256.3 MB |
| index.docker.io/neuvector/updater:latest   | image | linux/amd64 |        4 | 19.4 MB  |
|                                            | image | linux/arm64 |        4 | 27.5 MB  |
+--------------------------------------------+-------+-------------+----------+----------+
|                                                                     TOTAL   |  2.0 GB  |
+--------------------------------------------+-------+-------------+----------+----------+

Save the Images and Helm Chart

# save the images and chart to a haul (tarball)
hauler store save --filename neuvector.tar.zst

# verify the haul (tarball)
root@hauler-neuvector-airgap hauler % ls -lh
total 3724368
-rw-r--r--  1 root  staff   1.8G Dec  5 00:32 neuvector.tar.zst
drwxr-xr-x  6 root  staff   192B Dec  5 00:32 store

Now move `hauler` and `neuvector.tar.zst` to your airgapped environment...

Load the Images and Helm Chart

Once we are on our airgapped environment, use hauler to load the haul (tarball)...

# load the haul
hauler store load neuvector.tar.zst

# verify everything has been loaded
root@hauler-neuvector-airgap hauler % hauler store info
+--------------------------------------------+-------+-------------+----------+----------+
| REFERENCE                                  | TYPE  | PLATFORM    | # LAYERS | SIZE     |
+--------------------------------------------+-------+-------------+----------+----------+
| hauler/core:2.8.4                          | chart | -           |        1 | 33.3 kB  |
| index.docker.io/neuvector/controller:5.4.2 | image | linux/amd64 |        7 | 255.8 MB |
|                                            | image | linux/arm64 |        7 | 244.9 MB |
| index.docker.io/neuvector/enforcer:5.4.2   | image | linux/amd64 |        7 | 248.2 MB |
|                                            | image | linux/arm64 |        7 | 236.6 MB |
| index.docker.io/neuvector/manager:5.4.2    | image | linux/amd64 |        8 | 215.7 MB |
|                                            | image | linux/arm64 |        8 | 223.3 MB |
| index.docker.io/neuvector/scanner:latest   | image | linux/amd64 |        5 | 260.5 MB |
|                                            | image | linux/arm64 |        5 | 256.3 MB |
| index.docker.io/neuvector/updater:latest   | image | linux/amd64 |        4 | 19.4 MB  |
|                                            | image | linux/arm64 |        4 | 27.5 MB  |
+--------------------------------------------+-------+-------------+----------+----------+
|                                                                     TOTAL   |  2.0 GB  |
+--------------------------------------------+-------+-------------+----------+----------+

Copy or Serve Images and Helm Chart

Hauler is able to copy all contents to your existing registry or serve it's own registry...

Copy to Existing Registry

# set the registry url
export Registry=registry.example.com

# login to existing registry
hauler login registry.example.com -u bob -p haulin

# copy to existing registry
hauler store copy registry://${Registry}

Serve a Container Registry

# serve the registry
hauler store serve registry

Deploy with Helm

Once you have copied everything to your existing registry or served your own registry, you can install NeuVector as normal, with a few modified values to account for the airgapped environment. Please note you may need to adjust the below example for your environment.

# set registry url
export Registry=registry.example.com

# additional helm values
helm install ... --set registry=$Registry ...

Prerequisites​

Fetch the Images and Helm Chart​

For Supported Customers...​

Fetching with Commands​

Fetching with Declarative Manifests​

Verify Fetching of the Images and Helm Chart​

Save the Images and Helm Chart​

Now move hauler and neuvector.tar.zst to your airgapped environment...​

Load the Images and Helm Chart​

Copy or Serve Images and Helm Chart​

Copy to Existing Registry​

Serve a Container Registry​

Deploy with Helm​