If your Internet access is limited or you have specific security restrictions, work with your infrastructure administrator to upload the NSX Application Platform Helm charts and Docker images to a private container registry that you can access and use to deploy the NSX Application Platform.

Note: The following steps were validated using a private Harbor container registry. If you are using another container registry, you might need to adjust some steps for that registry.
Your infrastructure administrator (or anyone who has access to the system where the private container registry is installed) must perform the following steps.

Prerequisites

  • Important: If you are using a VMware TKG Cluster on Supervisor, do not use its embedded Harbor container registry for hosting the NSX Application Platform Helm charts and Docker images. Your infrastructure administrator must set up a separate Harbor container registry.
  • Beginning with the NSX-T Data Center 3.2.3.1 release, the VMware-hosted NSX Application Platform registry and repository locations no longer support a ChartMuseum-compatible private container registry, such as Harbor. If you need to continue using the ChartMuseum provided by Harbor, the Harbor version must be earlier than version 2.8.1.
  • For a production environment, your infrastructure administrator must also obtain a CA certificate (signed by a reputable public Certificate Authority) to configure HTTPS access to the private Harbor container registry that they installed. For more information, see the Configure HTTPS Access to Harbor web page.
  • Verify that approximately 150 GB of hard disk space is available for downloading and uploading the NSX Application Platform deployment bundle.
  • Ensure that your private Harbor registry certificate is added in your NSX Unified Appliance (UA) and used for the NSX Application Platform registry settings.
  • Ensure that the Helm tool is installed and configured correctly on the system for uploading the charts. See https://helm.sh/docs/intro/install/.
  • Ensure that the Docker tool is installed and configured correctly on the system that will be used for uploading the images.
  • Ensure that the same CA certificate used by your Harbor container registry is already installed in your Docker tool.
    Note: Skip this step if the trusted public CA certificate is used for the private Harbor registry.
    If you use the Photon OS, add a certificate in Docker.
    cd /etc/pki/tls/certs
    cp private_harbor_certificate .
    systemctl restart docker

    If you use the Ubuntu OS, add a certificate in Docker.
    cd /etc/ssl/certs
    cp private_harbor_certificate .
    systemctl restart docker
  • If Photon OS is used, add an iptables rule for connectivity between the Docker containers.

    iptables -A INPUT -m iprange --src-range 172.17.0.1-172.17.0.255 -j ACCEPT
    
    To retrieve the src range for the iptables rule, check the subnet of the docker0 interface in the VM.
    In the example below, the range is 172.17.0.1/16:
    root@photon [ ~ ]# ip a
    docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default 
        link/ether 02:42:23:1c:de:57 brd ff:ff:ff:ff:ff:ff
        inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0
           valid_lft forever preferred_lft forever
        inet6 fe80::42:23ff:fe1c:de57/64 scope link 
           valid_lft forever preferred_lft forever
  • Ensure that the Docker login to private Harbor registry is working.
    docker login <private-docker-registry-url> --username <username> --password <password>

Procedure

  1. Download the NSX Application Platform deployment bundle from the Broadcom support portal for NSX 3.2.1.1 or later. Save the bundle to a system from which you can upload the Helm charts and Docker images to your private container registry.
    Use the NSX download page appropriate for the latest NSX Application Platform version available or the version to deploy.
  2. Extract the contents of the NSX Application Platform deployment bundle using the following command. The <version-number> is the specific version number and the build number of the bundle. For example, VMware-NSX-Application-Platform-4.2.0.0.0.59353010.tgz.
    tar xvf VMware-NSX-Application-Platform-<version-number>.tgz

    This step might take several minutes to finish.

  3. Locate and edit the upload_oci_artifacts_to_private_harbor.sh file with a text editor.

    Use the upload_oci_artifacts_to_private_harbor.sh script file to upload the extracted NSX Application Platform Helm charts and Docker images.

    1. Set the DOCKER_REPO property to the URL for your private container registry.
      For example, DOCKER_REPO=harbor-repo.mycompany.com/nsx_intelligence
    2. Set the DOCKER_USERNAME property to the user name of the private container registry account.
    3. Set the DOCKER_PASSWORD property to the password of the private container registry account.
    4. Set the LOCAL_HOST_IP property to the IP address of the NSX Application Platform VM on which the private Harbor upload script is run.
      For example, 20.20.0.100.
    5. Save the changes in the script file.
  4. Set the executable permission on the modified shell script file using the following command.
    For an OCI-compatible private container registry, use the following command.
    chmod +x upload_oci_artifacts_to_private_harbor.sh
  5. Run the script file using the following command.
    For an OCI-compatible private container registry, use the following command.
    ./upload_oci_artifacts_to_private_harbor.sh
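
A pre-flight check for the values set in step 3, added here as an example and not part of the VMware bundle or its script: it confirms that the four properties are set, that LOCAL_HOST_IP is an IPv4 address, and that the file, which now holds DOCKER_PASSWORD in clear text, is accessible only to its owner. It assumes the properties are plain NAME=value lines, as in the DOCKER_REPO example; the function names and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Pre-flight lint for an edited upload_oci_artifacts_to_private_harbor.sh.
# Assumption: properties are plain NAME=value lines; function names are hypothetical.

# Print the last value assigned to property $2 in file $1, quote characters removed.
get_prop() {
    sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1 | tr -d "\"'"
}

# Succeed only if $1 is a dotted-quad IPv4 address with octets in 0..255.
is_ipv4() {
    case "$1" in
        *[!0-9.]*|*..*|.*|*.) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# Print one line per finding; succeed only if there are none.
check_upload_script() {
    script=$1; problems=0
    for prop in DOCKER_REPO DOCKER_USERNAME DOCKER_PASSWORD LOCAL_HOST_IP; do
        if [ -z "$(get_prop "$script" "$prop")" ]; then
            echo "unset: $prop"; problems=$((problems + 1))
        fi
    done
    ip=$(get_prop "$script" LOCAL_HOST_IP)
    if [ -n "$ip" ] && ! is_ipv4 "$ip"; then
        echo "invalid: LOCAL_HOST_IP is not an IPv4 address"; problems=$((problems + 1))
    fi
    # The file holds DOCKER_PASSWORD in clear text: only the owner should have access.
    if [ "$(ls -ld "$script" | cut -c5-10)" != "------" ]; then
        echo "permissions: group/other can access the file (use chmod 700)"
        problems=$((problems + 1))
    fi
    [ "$problems" -eq 0 ]
}

# Constructed sample standing in for the edited script (values are examples).
sample=$(mktemp)
printf '%s\n' 'DOCKER_REPO=harbor-repo.mycompany.com/nsx_intelligence' \
    'DOCKER_USERNAME=admin' 'DOCKER_PASSWORD=' 'LOCAL_HOST_IP=20.20.0.100' > "$sample"
check_upload_script "$sample" || echo "resolve the findings before running the upload"
rm -f "$sample"
```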

Results

The system uploads the NSX Application Platform Helm charts and Docker images to your private container registry.

What to do next

The NSX enterprise administrator must continue to ensure that the prerequisites listed in NSX Application Platform Deployment Prerequisites are met before continuing with the NSX Application Platform deployment.