Use a Private Registry

Instructions for setting up Verrazzano using a private container registry

Installing Verrazzano using a private Docker-compliant container registry requires the following:

  • Loading all required Verrazzano container images into your own registry and repository.
  • Installing the Verrazzano platform operator with the private registry and repository used to load the images.

You must have the following software installed:

The Verrazzano distribution contains Kubernetes manifests to deploy Verrazzano, client binaries, and various other utilities. These distributions are provided for Linux and MacOS operating systems on AMD and ARM architectures.

This distribution includes:

  • Verrazzano CLI
  • Installation Profiles
  • Helper scripts to download the images from the bill of materials (BOM) and to upload the Verrazzano images to a private registry
  • Helm charts for the Verrazzano platform operator
  • README.md which provides the layout of the distribution

Load the images

  1. Download the desired Verrazzano distribution from the GitHub releases page.

    a. In your browser, go to Verrazzano releases.

    b. Download the distribution TAR file, verrazzano-<major>.<minor>.<patch>-<operating system>-<architecture>.tar.gz, and the corresponding checksum file.

    c. In the downloaded directory, validate that the checksum and TAR files match. For example, if you have downloaded verrazzano-1.4.2-linux-amd64.tar.gz:

    $ sha256sum -c verrazzano-1.4.2-linux-amd64.tar.gz.sha256
    # Sample output
    verrazzano-1.4.2-linux-amd64.tar.gz: OK
    

    NOTE: Use the sha256sum command on Linux and shasum on MacOS.

    d. Expand the TAR file to access the release artifacts.

    The following example extracts the distribution archive verrazzano-1.4.2-linux-amd64.tar.gz into the current directory.

    $ tar xvf verrazzano-1.4.2-linux-amd64.tar.gz
    

    After a successful extraction, the release artifacts will be under the verrazzano-1.4.2 directory.

    e. Define an environment variable DISTRIBUTION_DIR.

     $ DISTRIBUTION_DIR=<path to the current directory>/verrazzano-1.4.2
    
  2. Download the Verrazzano images defined in the BOM, ${DISTRIBUTION_DIR}/manifests/verrazzano-bom.json, using the script, ${DISTRIBUTION_DIR}/bin/vz-registry-image-helper.sh.

    $ sh ${DISTRIBUTION_DIR}/bin/vz-registry-image-helper.sh -b ${DISTRIBUTION_DIR}/manifests/verrazzano-bom.json -f ${DISTRIBUTION_DIR}/images  
    

    The previous command downloads all the images to the ${DISTRIBUTION_DIR}/images directory.

  3. Load the product images into your private registry.

    a. To log in to the Docker registry, run docker login <SERVER> with your credentials.

    b. For use with the examples in this document, define the following variables with respect to your target registry and repository: MYREG, MYREPO, VPO_IMAGE.

    These identify the target Docker registry and repository, and the Verrazzano platform operator image, as defined in the BOM file. For example, using a target registry of myreg.io and a target repository of myrepo/v8o:

    $ MYREG=myreg.io
    $ MYREPO=myrepo/v8o
    $ VPO_IMAGE=$(cat ${DISTRIBUTION_DIR}/manifests/verrazzano-bom.json | jq -r '.components[].subcomponents[] | select(.name == "verrazzano-platform-operator") | "\(.repository)/\(.images[].image):\(.images[].tag)"')
    

    c. Run the ${DISTRIBUTION_DIR}/bin/vz-registry-image-helper.sh script to push the images to the registry:

    $ sh ${DISTRIBUTION_DIR}/bin/vz-registry-image-helper.sh -t $MYREG -r $MYREPO -l ${DISTRIBUTION_DIR}/images

    d. Although most images can be protected using credentials stored in an image pull secret, some images must be public. Use the following commands to get the list of public images:

    • All the Rancher images in the rancher/additional-rancher subcomponent.

      $ cat ${DISTRIBUTION_DIR}/manifests/verrazzano-bom.json | jq -r '.components[].subcomponents[] | select(.name == "additional-rancher") | .images[] | "\(.image):\(.tag)"'
      
    • The Fluentd Kubernetes daemonset image.

      $ cat ${DISTRIBUTION_DIR}/manifests/verrazzano-bom.json | jq -r '.components[].subcomponents[].images[] | select(.image == "fluentd-kubernetes-daemonset") | "\(.image):\(.tag)"'
      
    • The Istio proxy image.

      $ cat ${DISTRIBUTION_DIR}/manifests/verrazzano-bom.json | jq -r '.components[].subcomponents[] |  select(.name == "istiod") | .images[] | select(.image == "proxyv2") | "\(.image):\(.tag)"'
      
    • The WebLogic Monitoring Exporter image.

      $ cat ${DISTRIBUTION_DIR}/manifests/verrazzano-bom.json | jq -r '.components[].subcomponents[].images[] | select(.image == "weblogic-monitoring-exporter") | "\(.image):\(.tag)"'
      
    • The Verrazzano platform operator image identified by $VPO_IMAGE, as defined previously.

    • For all the Verrazzano Docker images in the private registry that are not explicitly marked public, you will need to create the secret verrazzano-container-registry in the default namespace, with the appropriate credentials for the registry, identified by $MYREG.
      For example:

      $ kubectl create secret docker-registry verrazzano-container-registry \
         --docker-server=$MYREG --docker-username=myreguser \
         --docker-password=xxxxxxxx --docker-email=me@example.com
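
As an added example (not part of the Verrazzano distribution), the following Python script applies the selectors from the jq commands in step d to a BOM and splits the images into those that must be public and those that rely on the verrazzano-container-registry secret, so the registry's visibility settings can be audited against one list. The sample BOM is constructed, and the target path layout for images other than the platform operator is an assumption based on $MYREG/$MYREPO/$VPO_IMAGE.

```python
import json

# Constructed sample in the shape the page's jq queries assume
# (components[].subcomponents[].images[]); names and tags are made up.
SAMPLE_BOM = json.loads("""
{"components": [
  {"name": "verrazzano-platform-operator", "subcomponents": [
    {"name": "verrazzano-platform-operator", "repository": "verrazzano",
     "images": [{"image": "verrazzano-platform-operator", "tag": "v0.0.1"}]}]},
  {"name": "rancher", "subcomponents": [
    {"name": "rancher", "repository": "verrazzano",
     "images": [{"image": "rancher", "tag": "v0.0.2"}]},
    {"name": "additional-rancher", "repository": "verrazzano",
     "images": [{"image": "shell", "tag": "v0.0.3"}]}]},
  {"name": "istio", "subcomponents": [
    {"name": "istiod", "repository": "verrazzano",
     "images": [{"image": "pilot", "tag": "0.0.4"},
                {"image": "proxyv2", "tag": "0.0.4"}]}]}
]}
""")

# Selectors taken from the jq commands in step d.
PUBLIC_SUBCOMPONENTS = {"additional-rancher", "verrazzano-platform-operator"}
PUBLIC_IMAGES = {"fluentd-kubernetes-daemonset", "weblogic-monitoring-exporter"}
PUBLIC_IN_SUBCOMPONENT = {("istiod", "proxyv2")}

def classify(bom, registry, repo):
    """Return (public, protected) lists of target image references."""
    public, protected = [], []
    for comp in bom["components"]:
        for sub in comp["subcomponents"]:
            for img in sub["images"]:
                # Assumption: every image is pushed with the layout the page shows
                # for the operator: <registry>/<repo>/<bom repository>/<image>:<tag>
                ref = f"{registry}/{repo}/{sub['repository']}/{img['image']}:{img['tag']}"
                is_public = (sub["name"] in PUBLIC_SUBCOMPONENTS
                             or img["image"] in PUBLIC_IMAGES
                             or (sub["name"], img["image"]) in PUBLIC_IN_SUBCOMPONENT)
                (public if is_public else protected).append(ref)
    return sorted(public), sorted(protected)

if __name__ == "__main__":
    pub, prot = classify(SAMPLE_BOM, "myreg.io", "myrepo/v8o")
    print("must be public:", *pub, sep="\n  ")
    print("covered by verrazzano-container-registry:", *prot, sep="\n  ")
```

To run it against a real distribution, load ${DISTRIBUTION_DIR}/manifests/verrazzano-bom.json with json.load in place of SAMPLE_BOM.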
      

Install Verrazzano

  1. Install the Verrazzano platform operator using the image defined by $MYREG/$MYREPO/$VPO_IMAGE.

    $ helm template --include-crds ${DISTRIBUTION_DIR}/manifests/charts/verrazzano-platform-operator \
        --set image=${MYREG}/${MYREPO}/${VPO_IMAGE} --set global.registry=${MYREG} \
        --set global.repository=${MYREPO} --set global.imagePullSecrets={verrazzano-container-registry} | kubectl apply -f -
    
  2. Wait for the deployment of the Verrazzano platform operator.

    $ kubectl -n verrazzano-install rollout status deployment/verrazzano-platform-operator
    
    # Sample output
      deployment "verrazzano-platform-operator" successfully rolled out
    
  3. Confirm that the Verrazzano platform operator pod is running.

    $ kubectl -n verrazzano-install get pods
    
    # Sample output
      NAME                                            READY   STATUS    RESTARTS   AGE
      verrazzano-platform-operator-74f4547555-s76r2   1/1     Running   0          114s
    

The distribution archive includes the supported installation profiles under ${DISTRIBUTION_DIR}/manifests/profiles. Verrazzano supports customizing installation configurations. See Customize Verrazzano.

To create a Verrazzano installation using the provided profiles, run the following command:

$ kubectl apply -f $DISTRIBUTION_DIR/manifests/profiles/prod.yaml

For a complete description of Verrazzano configuration options, see the Reference API.

Configuring access to an insecure private registry

A private Docker registry is called an insecure registry when it is configured for access using a self-signed certificate or over an unencrypted HTTP connection. Depending on the platform, there could be some additional configuration required for installing Verrazzano with an insecure registry.

For example, for the Oracle Cloud Native Environment platform, insecure registries must be configured in /etc/containers/registries.conf as follows on the worker nodes:

[registries]
   [registries.insecure]
     registries = ["insecure-registry-1:1001/registry1","insecure-registry-2:1001/registry2"]