Installing Trident for Kubernetes from a Private Registry

To mitigate risks, many organizations today implement strict security policies. Those policies may limit direct internet access, blocking connections to public software repositories like container image registries. This can make it challenging to install software that assumes direct access to those repositories.

Containerized applications like Trident are usually packaged in images that are hosted in a public image registry, like Docker Hub. Under the hood, the Trident installer supplies deployment information like this to Kubernetes that specifies the precise image to use and where it can be found:

How does Kubernetes know where to get netapp/trident:18.10.0 from? The full image name specification includes the registry hostname. Docker Hub is simply implied if a hostname is not supplied, as shown here. Therefore, the above deployment specification will fail if the Kubernetes cluster does not have direct access to Docker Hub.

Most organizations that find themselves in this situation provide a private registry that they want their clusters to use instead. They expect their users to populate the registry themselves with the software they want to run.

And you can do that with Trident too! In fact, tridentctl has incorporated options to make it very easy to install from images in a private registry. Let’s walk through the steps.

Prerequisites

We’re assuming that you have:

  • Met all of the Trident prerequisites from the deployment guide
  • A private registry that you can push images to and that your Kubernetes cluster can pull from
  • nethost: A host with direct Internet access and Docker installed
  • kubehost: A host with Docker installed that has access to the private registry and admin access to the Kubernetes cluster via kubectl

The assumption we’re making is that you’re operating in a secure environment where you have one host (nethost) that can do the downloading, but you need to copy the downloaded artifacts to another host (kubehost) in order to use them. If you have one host that can access the Internet, the Kubernetes cluster and the private registry, you can do all of this on that host.

Step 1: Download Trident

The first thing you need to do is download Trident’s installer tarball and the trident and etcd container images.

  • Download Trident’s installer.
  • Copy the installer package to kubehost.
  • Pull Trident’s container images. Note: If you are using an external etcd cluster, you don’t need to pull the etcd image.

    Make sure that you pull the right tags for the version of Trident you’re installing. The easiest way to determine the version of etcd that a version of Trident was qualified with is to look at the glide.yaml file (seen here on GitHub) for the Trident version that you’re installing.
  • Save the images in tar format.
  • Copy the images to kubehost.

Step 2: Push the images to your private registry

Next you need to take the container images that you copied to kubehost and get them into your private registry.

  • Load the container images into kubehost’s image cache.
  • Re-tag the container images in preparation for the push to your private registry.

    For example, if your private registry’s hostname is registry.local and it’s served on port 5000, you would run:
  • Push the container images to your private registry.

Step 3: Install Trident using the private registry

  • Unpack the installer that you copied in step 1.
  • Follow the standard deployment procedure. When you reach the install step, point it to your private images:

Go ahead and finish the deployment and you’ll see that you now have Trident up and running from a private registry. Congratulations!
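
The three steps above as a single dry run, added here as an example and not taken from the original post or from Trident: it works out which registry each image reference implies (Docker Hub when no hostname is given), rewrites the reference for the private registry, and prints the commands for nethost and kubehost, including a checksum check on the copied archive. The `quay.io/coreos/etcd:ETCD_TAG` reference, the archive file name and the function names are assumptions; take the real etcd tag from glide.yaml as described in step 1.

```shell
#!/bin/sh
# Added example, not from the original post. registry.local:5000 is the post's
# sample registry; the etcd reference and its ETCD_TAG are placeholders.

# Registry an image reference resolves to. The first path component is a
# hostname only if it contains '.' or ':' or is "localhost"; else Docker Hub.
image_registry() {
    first=${1%%/*}
    case "$1" in
        */*) case "$first" in
                 *.*|*:*|localhost) printf '%s\n' "$first"; return 0 ;;
             esac ;;
    esac
    printf 'docker.io\n'
}

# Same repository path and tag, re-homed on the private registry.
private_ref() {
    image=$2
    if [ "$(image_registry "$image")" = "${image%%/*}" ]; then
        image=${image#*/}   # drop the explicit source registry host
    fi
    printf '%s/%s\n' "$1" "$image"
}

# Print the commands for each host. Nothing is executed here.
# Arguments: private registry, Trident image, etcd image.
transfer_plan() {
    registry=$1; shift
    echo "# nethost (Internet access)"
    for img in "$@"; do echo "docker pull $img"; done
    echo "docker save -o trident-images.tar $*"
    echo "sha256sum trident-images.tar > trident-images.tar.sha256"
    echo "# kubehost (after copying both files across)"
    echo "sha256sum -c trident-images.tar.sha256"
    echo "docker load -i trident-images.tar"
    for img in "$@"; do
        target=$(private_ref "$registry" "$img")
        echo "docker tag $img $target"
        echo "docker push $target"
    done
    echo "./tridentctl install -n trident" \
         "--trident-image $(private_ref "$registry" "$1")" \
         "--etcd-image $(private_ref "$registry" "$2")"
}

transfer_plan registry.local:5000 netapp/trident:18.10.0 quay.io/coreos/etcd:ETCD_TAG
```

Running `sha256sum -c` on kubehost before `docker load` confirms the archive that crossed into the restricted network is the one that was saved on nethost.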

Recap

We have demonstrated how you can install Trident for Kubernetes from a secure private registry. The Trident installer makes this easy by giving you extra options for pulling images from another repository.

If you have any questions or comments about what you’ve seen here, we’d love to hear from you! Please add a comment below, reach out to us on the #containers channel on Slack, or open a support case to let us know how we can help. Have a great day and Happy Holidays!

Jacob Andathethu
Technical Marketing Engineer at NetApp
A dynamic professional with over 13 years of experience working in the data storage industry [NetApp and Dell-EMC].
Currently working as a Technical Marketing Engineer for Open Ecosystem Products at NetApp (Docker, Docker Swarm, Kubernetes, OpenShift).
