Deploying CTE for Kubernetes in an Airgapped Kubernetes Cluster using HELM
Prerequisites
On a system that has access to the internet and to an internal container registry:
- Install skopeo. Skopeo is a command-line utility (CLI) used to interact with local and remote container images and container image registries.
- Install jq. jq is a lightweight and flexible command-line JSON processor.
- If the internal registry is private, and requires authorization to add/list images, then, before executing the script, create an authorization file to allow skopeo access to the internal registry:
    skopeo login <url-for-internal-registry[:port number]> --authfile ./docker_auth -u <username>
  Example
    skopeo login <k8s.gcr.io[:22]> --authfile ./docker_auth -u penderyn
  Note
  The name of the authfile must be docker_auth. If this is changed, then the name must be updated in the following script.
- Enter the password for the user when prompted.
- Copy and paste the following into a script and execute the script:
    #!/bin/bash
    DOCKER_AUTH_JSON=./docker_auth
    SRC_REGISTRY="docker.io/thalesciphertrust"
    SRC_CTEK8S_NAME="${SRC_REGISTRY}/ciphertrust-transparent-encryption-kubernetes"
    DEST_REGISTRY=<path to your registry such as example.com[:port]/my-internal-registry>

    skopeo login ${DEST_REGISTRY} --authfile ${DOCKER_AUTH_JSON} -u <username>

    # Strip a trailing slash from the destination registry path
    DEST_REGISTRY=`echo ${DEST_REGISTRY} | sed -e "s/\/$//g"`
    # Destination repository for the CTE for Kubernetes image
    DEST_CTEK8S_NAME="${DEST_REGISTRY}/ciphertrust-transparent-encryption-kubernetes"

    # Mirror every published tag of the CTE for Kubernetes image
    for VER in `skopeo list-tags docker://${SRC_CTEK8S_NAME} | jq -r '.Tags[]'`
    do
        skopeo copy --all docker://${SRC_CTEK8S_NAME}:${VER} \
            docker://${DEST_CTEK8S_NAME}:${VER} --authfile ${DOCKER_AUTH_JSON}
    done

    # Mirror the CSI sidecar images and the pause image
    skopeo copy --all docker://k8s.gcr.io/sig-storage/csi-node-driver-registrar:v2.0.1 \
        docker://${DEST_REGISTRY}/csi-node-driver-registrar:v2.0.1 --authfile ${DOCKER_AUTH_JSON}
    skopeo copy --all docker://k8s.gcr.io/sig-storage/csi-attacher:v3.3.0 \
        docker://${DEST_REGISTRY}/csi-attacher:v3.3.0 --authfile ${DOCKER_AUTH_JSON}
    skopeo copy --all docker://k8s.gcr.io/sig-storage/csi-provisioner:v4.0.0 \
        docker://${DEST_REGISTRY}/csi-provisioner:v4.0.0 --authfile ${DOCKER_AUTH_JSON}
    skopeo copy --all docker://k8s.gcr.io/pause:3.9 \
        docker://${DEST_REGISTRY}/pause:3.9 --authfile ${DOCKER_AUTH_JSON}
Deploying in an Airgapped Kubernetes Cluster
- Download CTE for Kubernetes deployment files, type:
    git clone https://github.com/thalescpl-io/ciphertrust-transparent-encryption-kubernetes.git
- Change to the CTE for Kubernetes directory, type:
    cd ciphertrust-transparent-encryption-kubernetes
- Edit the script variables to reflect your setup, type:
    vi deploy/kubernetes/1.5.0/values.yaml
  a. Replace docker.io/thalesciphertrust/ciphertrust-transparent-encryption-kubernetes with appropriate values for your environment:
     <example.com/my-internal-registry>/ciphertrust-transparent-encryption-kubernetes
  b. Replace registry.k8s.io/pause:3.9 with appropriate values for your environment:
     <example.com/my-internal-registry>/pause:3.9
  c. Replace registry.k8s.io/sig-storage/csi-provisioner:v4.0.0 with appropriate values for your environment:
     <example.com/my-internal-registry>/csi-provisioner:v4.0.0
  d. Replace k8s.gcr.io/sig-storage/csi-attacher:v3.3.0 with appropriate values for your environment:
     <example.com/my-internal-registry>/csi-attacher:v3.3.0
  e. Replace k8s.gcr.io/sig-storage/csi-node-driver-registrar:v2.0.1 with appropriate values for your environment:
     <example.com/my-internal-registry>/csi-node-driver-registrar:v2.0.1
- Deploy the script, type:
    ./deploy.sh -t 1.5.0-latest --helm
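
Before running deploy.sh, it helps to confirm that values.yaml no longer names any of the public registries replaced in steps a to e, because an airgapped node cannot pull from them. The check below is an added example, not part of the Thales deployment scripts; the function names and the key names in the constructed sample file are assumptions.

```bash
#!/bin/bash
# Added example (not from the CTE for Kubernetes repository).
# Public registry hosts named on this page; an airgapped node cannot reach them.
PUBLIC_REGISTRIES='docker\.io/|registry\.k8s\.io/|k8s\.gcr\.io/'

# find_public_refs FILE
# Prints "lineno:text" for each non-comment line of FILE whose image reference
# still starts with a public registry host.
# Returns 0 if none remain, 1 if any remain, 2 if FILE cannot be read.
find_public_refs() {
    local file="$1"
    local hits
    [ -r "$file" ] || { echo "cannot read $file" >&2; return 2; }
    # The leading character class rejects hosts embedded in a longer path,
    # e.g. example.com/mirror/k8s.gcr.io/pause is an internal reference.
    hits=$(grep -nE "(^|[^A-Za-z0-9./-])(${PUBLIC_REGISTRIES})" "$file" \
        | grep -vE '^[0-9]+:[[:space:]]*#' || true)
    if [ -n "$hits" ]; then
        printf '%s\n' "$hits"
        return 1
    fi
    return 0
}

# Constructed sample; the YAML key names are hypothetical, not the chart's.
write_sample_values() {
    cat > "$1" <<'EOF'
# default: docker.io/thalesciphertrust/ciphertrust-transparent-encryption-kubernetes
images:
  cte: example.com/my-internal-registry/ciphertrust-transparent-encryption-kubernetes
  pause: registry.k8s.io/pause:3.9
  attacher: "k8s.gcr.io/sig-storage/csi-attacher:v3.3.0"
  registrar: example.com/mirror/k8s.gcr.io/csi-node-driver-registrar:v2.0.1
EOF
}

if [ "$#" -gt 0 ]; then
    # Real use: pass the edited file, e.g. deploy/kubernetes/1.5.0/values.yaml
    find_public_refs "$1" || { echo "public registry references remain" >&2; exit 1; }
else
    # No argument: run against the constructed sample to show the output format.
    sample=$(mktemp)
    write_sample_values "$sample"
    find_public_refs "$sample" || echo "sample still has public references"
    rm -f "$sample"
fi
```

Run it with the path to the edited values.yaml as the only argument; a non-zero exit status means at least one image would still be pulled from a public registry.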