If your Kubernetes cluster does not have Internet access or you have specific security restrictions, work with your infrastructure administrator to upload the NSX Application Platform Helm charts and Docker images to a private container registry that you can access and use to deploy the NSX Application Platform.

Note: The following steps were validated using a private Harbor container registry. If you are using another container registry, you might need to adjust some steps for that registry.
Your infrastructure administrator (or anyone who has access to the TKG Cluster on Supervisor or upstream Kubernetes cluster in which the private container registry is installed) must perform the following steps.

Prerequisites

  • Your infrastructure administrator must install a private container registry, such as Harbor, with chart repository service. For details, see the Harbor Installation with Chart Repository Service webpage. They are going to use this private container registry to host the NSX Application Platform Helm charts and Docker images.
    Important: If you are using a VMware TKG Cluster on Supervisor, do not use its embedded Harbor container registry for hosting the NSX Application Platform Helm charts and Docker images. Your infrastructure administrator must set up a separate Harbor container registry.
  • Beginning with the NSX-T Data Center 3.2.3.1 release, the VMware-hosted NSX Application Platform registry and repository locations no longer support ChartMuseum-compatible private container registries, such as Harbor. If you need to continue using the ChartMuseum provided by Harbor, the Harbor version must be earlier than version 2.8.1.
  • For a production environment, your infrastructure administrator must also obtain a CA certificate (signed by a reputable public Certificate Authority) to configure HTTPS access to the private Harbor container registry that they installed. For more information, see the Configure HTTPS Access to Harbor webpage.
  • Ensure that the Docker tool is installed and configured correctly on the system that will be used for uploading the images and charts. The message Login succeeded must be displayed after you run the following command.
    docker login <private-registry-URL> --username <private-registry-account-name> --password <private-registry-account-password>
  • Ensure that the same CA certificate used by your Harbor container registry is already installed in your Docker tool.
  • Ensure that trust is established between your private Harbor CA certificate and your NSX Unified Appliance (UA).
  • Verify that the curl tool is installed on the system that will be used for uploading the images. Use the following command to verify. If curl is installed, its version is displayed.
    curl --version

Procedure

  1. Download the NSX Application Platform deployment bundle from the Broadcom support portal for NSX 3.2.1.1 or later. Save the bundle to a system from which you can upload the Helm charts and Docker images to your private container registry.
    Use the NSX download page appropriate for the latest NSX Application Platform version available or the version to deploy.
  2. Extract the contents of the NSX Application Platform deployment bundle using the following command. The <version-number> is the specific version number and the build number of the bundle. For example, VMware-NSX-Application-Platform-4.0.1.0.0.59353010.tgz.
    tar xvf VMware-NSX-Application-Platform-<version-number>.tgz

    This step might take several minutes to finish.

  3. Locate and edit the upload_oci_artifacts_to_private_harbor.sh file with a text editor. If you need to use a ChartMuseum-compatible private container registry, edit the upload_artifacts_to_private_harbor.sh script file.

    You use the upload_oci_artifacts_to_private_harbor.sh or the upload_artifacts_to_private_harbor.sh script file to upload the extracted NSX Application Platform Helm charts and Docker images.

    1. Set the DOCKER_REPO property to the URL for your private container registry.
      For example, DOCKER_REPO=harbor-repo.mycompany.com/nsx_intelligence
    2. Set the DOCKER_USERNAME property to the user name of the private container registry account.
    3. Set the DOCKER_PASSWORD property to the password of the private container registry account.
    4. Save the changes in the script file.
  4. Make the modified shell script file executable using one of the following commands, depending on the type of container registry you are using.
    For an OCI-compatible private container registry, use the following command.
    chmod +x upload_oci_artifacts_to_private_harbor.sh
    For a ChartMuseum-compatible private container registry, use the following command.
    chmod +x upload_artifacts_to_private_harbor.sh
  5. Run the script file using the following command.
    For an OCI-compatible private container registry, use the following command.
    ./upload_oci_artifacts_to_private_harbor.sh
    For a ChartMuseum-compatible private container registry, use the following command.
    ./upload_artifacts_to_private_harbor.sh
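
The following helper is an added example, not part of the NSX Application Platform bundle or of VMware's scripts. It automates steps 3 through 5 while keeping the registry password off the command line and removing it from the script file once the upload finishes. It assumes the upload script stores its properties as KEY=value lines starting in the first column; the function names set_prop and stage_and_upload are hypothetical.

```bash
#!/usr/bin/env bash
# Added example, not part of the NSX bundle. Assumption: the upload script
# keeps its settings as KEY=value lines that start in the first column.

# set_prop FILE KEY VALUE: rewrite the KEY=... line with VALUE single-quoted,
# so passwords containing $, &, spaces or quotes survive unchanged.
set_prop() {
  local file="$1" key="$2" quoted tmp
  quoted="'$(printf '%s' "$3" | sed "s/'/'\\\\''/g")'"
  tmp=$(mktemp "${file}.XXXXXX") || return 1    # created with mode 0600
  KEY="$key" VAL="$quoted" awk '
    index($0, ENVIRON["KEY"] "=") == 1 {
      print ENVIRON["KEY"] "=" ENVIRON["VAL"]; hit = 1; next
    }
    { print }
    END { exit !hit }   # fail when KEY is not in the file
  ' "$file" > "$tmp" || { rm -f "$tmp"; return 1; }
  mv "$tmp" "$file"
}

# stage_and_upload SCRIPT: steps 3-5 of the procedure, then scrub the secret.
stage_and_upload() {
  local script="$1" pw rc
  : "${DOCKER_REPO:?export DOCKER_REPO first}"
  : "${DOCKER_USERNAME:?export DOCKER_USERNAME first}"
  read -rsp 'Registry password: ' pw; echo
  # Check the credentials without exposing the password in argv or history.
  printf '%s' "$pw" | docker login "${DOCKER_REPO%%/*}" \
    --username "$DOCKER_USERNAME" --password-stdin || return 1
  set_prop "$script" DOCKER_REPO "$DOCKER_REPO" &&
    set_prop "$script" DOCKER_USERNAME "$DOCKER_USERNAME" &&
    set_prop "$script" DOCKER_PASSWORD "$pw" || return 1
  chmod 700 "$script"     # executable, but unreadable to other local users
  "$script"; rc=$?
  set_prop "$script" DOCKER_PASSWORD ''   # leave no password on disk
  return "$rc"
}

if [ "$#" -eq 1 ]; then stage_and_upload "$1"; fi
```

Run it from the extracted bundle directory with DOCKER_REPO and DOCKER_USERNAME exported, passing ./upload_oci_artifacts_to_private_harbor.sh (or the ChartMuseum script) as the only argument.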

Results

The system uploads the NSX Application Platform Helm charts and Docker images to your private container registry.

What to do next

The NSX enterprise administrator must continue to ensure that the prerequisites listed in NSX Application Platform Deployment Prerequisites are met before continuing with the NSX Application Platform deployment.