VMware Cloud Director Container Service Extension 4.1 introduces the support for airgapped environments, and the use of local container registries.

Note: Only VMware Cloud Director Container Service Extension 4.1 provisioned clusters can operate successfully in airgapped environments. VMware Cloud Director Container Service Extension 4.1 does not support transforming pre-existing clusters from VMware Cloud Director Container Service Extension 4.0.x into airgapped clusters.
The following diagram details the VMware Cloud Director Container Service Extension 4.1 airgapped environment with a local container registry, and the service provider workflow. This is the default structure in VMware Cloud Director Container Service Extension 4.1.

Local Container Registry

Service providers set up system wide local container registries using Harbor that contain image files from VMware Public Harbor, that allow tenant users to operate VMware Cloud Director Container Service Extension 4.1 in an airgapped environment. This type of environment means tenant users can operate VMware Cloud Director Container Service Extension fully within the boundaries of their organization data center without the requirement of Internet access.

During the VMware Cloud Director Container Service Extension 4.1 server configuration workflow, service providers specify the local container registry URL in the Container Registry Settings tab of the Configure Settings for CSE Server section in Kubernetes Container Clusters 4.1 UI plug-in. Therefore, when tenant users attempt to create a Tanzu Kubernetes Grid cluster in the Kubernetes Container Clusters 4.1 UI plug-in, it instructs Kubernetes Cluster API Provider for VMware Cloud Director, the Bootstrap VM, control planes, and worker nodes within the cluster to use the specified local container registry. For more information on configuring the local container registry details, see Server Details. Service providers can also tailor private registries for organizations that allow organizations to control what files are published and accessible to their tenant users.

Create an Airgapped Environment

As as a service provider, you must perform the necessary steps to set up a VMware Cloud Director Container Service Extension airgapped environment, and create a local container registry for tenant users that contains the dependencies that VMware Cloud Director Container Service Extension requires to operate.

Prerequisites

  • Ensure you have Docker engine or cli, and imgpkg installed on your local machine.
  • Ensure the VMware Cloud Director Container Service Extension server, and the desired tenant data centers have access to the VMware Cloud Director public end point. This is necessary as the Bootstrap VM, Kubernetes Cloud Provider for VMware Cloud Director, Kubernetes Cluster API Provider for VMware Cloud Director, and Kubernetes Container Storage Interface driver for VMware Cloud Director make calls to it.
  • DNS server to resolve registry and VMware Cloud Director end point.
  • Provide a Local Container Registry URL for the Bootstrap VM and all other control plane or worker VM can pull images from. For more information, see Local Container Registry.
  • If the private registry is using self-signed certificates, update the Bootstrap VM and the Cluster Certificate section with the self-signed certificates. This step allows cluster virtual machines like Bootstrap VM and node VMs to trust the private registry. For more information, see Server Details.

    The following screenshot details the workflow to configure the container registry settings and certificates in Kubernetes Container Clusters UI plug-in for VMware Cloud Director:

    This screenshot details the container registry settings in the Kubernetes Container Cluster UI plug-in.
  • Ensure you have access to the Internet to download the VMware Cloud Director Container Service Extension binaries from http://projects.registry.vmware.com to your local machine.

Procedure

  1. Open Docker, and use the following command to pull the getting-started_airgapped image from http://projects.registry.vmware.com: 
    docker pull projects.registry.vmware.com/vmware-cloud-director/getting-started-airgapped:v0.1.0
  2. Expand the image to gain access to the scripts, and create a local directory: 
    docker create --name "temp_container" projects.registry.vmware.com/vmware-cloud-director/getting-started-airgapped:v0.1.0
docker export "temp_container" -o temp_container.tar
docker container rm "temp_container"
mkdir -p temp_container_fs
tar xvf temp_container.tar -C temp_container_fs
cd ./temp_container_fs/src/artifact
  3. In this directory, run the following script to publish the dependencies to an organization's local container registry. There is a strict dependency on the path of the registry as displayed below: 
    ./getting_started.sh "dependencies.txt" base.myregistry.company.com
    Note:
    • The default dependencies.txt inside the getting-started-airgapped image contains the complete list of containers that are necessary to use VMware Cloud Director Container Service Extension in an airgapped environment for Tanzu Kubernetes Grid 1.6.1, 2.1.1, and 2.2.0.
    • You can edit the dependencies.txt file to customize what components you want to download. You can supress the processing of an airgapped component by inserting a # in front of the corresponding line in dependencies.txt.
  4. It is necessary to upload Tanzu Core Packages from projects.registry.vmware.com to the local container registry. To do this, use the instructions from the appropriate Tanzu Kubernetes Grid release below:
    Note: In VMware Cloud Director Container Service Extension 4.1, there is a strict dependency on the path where the Tanzu Kubernetes Grid images are uploaded.
    • If the registry base is base.myregistry.company.com, the Tanzu Kubernetes Grid content should be uploaded into base.myregistry.company.com/tkg.
    • If the registry base is base.myregistry.company.com, the VMware Cloud Director images should be uploaded into base.myregistry.company.com/vmware-cloud-director.

      This implies that the sub-paths tkg and vmware-cloud-director must reside next to eachother.

Results

An airgapped environment is now set up so the organization can use VMware Cloud Director Container Service Extension without the requirement of Internet access with all the required resources in a local container registry.