To mitigate risks, many organizations today implement strict security policies. Those policies may limit direct internet access, blocking connections to public software repositories like container image registries. This can make it challenging to install software that assumes direct access to those repositories.
Containerized applications like Trident are usually packaged in images that are hosted in a public image registry, like Docker Hub. Under the hood, the Trident installer gives Kubernetes a deployment specification like the following, which names the precise image to use and where it can be found:
```
apiVersion: extensions/v1beta1
kind: Deployment
...
      containers:
      - name: trident-main
        image: netapp/trident:18.10.0
...
```
How does Kubernetes know where to get netapp/trident:18.10.0 from? The full image name specification includes the registry hostname. Docker Hub is simply implied if a hostname is not supplied, as shown here. Therefore, the above deployment specification will fail if the Kubernetes cluster does not have direct access to Docker Hub.
Most organizations that find themselves in this situation provide a private registry that they want their clusters to use instead. They expect their users to populate the registry themselves with the software they want to run.
And you can do that with Trident too! In fact, tridentctl has incorporated options to make it very easy to install from images in a private registry. Let's walk through the steps.
We're assuming that you have:
- Met all of the Trident pre-requisites from the deployment guide
- A private registry that you can push images to and that your Kubernetes cluster can pull from
- nethost: A host with direct Internet access and Docker installed
- kubehost: A host with Docker installed that has access to the private registry and admin access to the Kubernetes cluster via kubectl
The assumption we're making is that you're operating in a secure environment where you have one host (nethost) that can do the downloading but you need to copy the downloaded artifacts to another host (kubehost) in order to use them. If you have one host that can access the Internet, the Kubernetes cluster and the private registry, you can do all of this on one host.
Step 1: Download Trident
The first thing you need to do is download Trident's installer tarball and the trident and etcd container images.
- Download Trident's installer.
```
[user@nethost~]$ wget https://github.com/NetApp/trident/releases/download/v18.10.0/trident-installer-18.10.0.tar.gz
```
- Copy the installer package to kubehost.
- Pull Trident's container images. Note: If you are using an external etcd cluster, you don't need to pull the etcd image.
```
[user@nethost~]$ docker pull netapp/trident:18.10.0
[user@nethost~]$ docker pull quay.io/coreos/etcd:v3.3.9
```
Make sure that you pull the right tags for the version of Trident you're installing. The easiest way to determine the version of etcd that a version of Trident was qualified with is to look at the glide.yaml file (seen here on GitHub) for the Trident version that you're installing.
- Save the images in tar format.
```
[user@nethost~]$ docker save netapp/trident:18.10.0 > trident.tar
[user@nethost~]$ docker save quay.io/coreos/etcd:v3.3.9 > etcd.tar
```
- Copy the images to kubehost.
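Because the tarballs cross from nethost to kubehost before anything loads them, it is worth checking that they arrive unchanged. The following is an added example, not part of the original post: it records SHA-256 digests on nethost and refuses to run docker load on kubehost unless every digest still matches. The function names and the SHA256SUMS file name are assumptions, and the demo uses small constructed stand-in files rather than real image tarballs.

```shell
#!/bin/sh
# Added example (hypothetical helper names): digest manifest for the
# nethost -> kubehost transfer. Requires sha256sum from coreutils.

# write_manifest DIR FILE... : run on nethost after `docker save`.
write_manifest() {
    dir=$1; shift
    ( cd "$dir" && sha256sum -- "$@" > SHA256SUMS )
}

# verify_manifest DIR : exit 0 only if every listed file is present and unmodified.
verify_manifest() {
    ( cd "$1" && sha256sum -c SHA256SUMS ) >/dev/null 2>&1
}

# load_verified DIR : run on kubehost; loads only files named in the manifest,
# and only after the whole manifest has verified.
load_verified() {
    verify_manifest "$1" || { echo "checksum mismatch in $1; not loading" >&2; return 1; }
    while read -r _sum name; do
        docker load < "$1/$name"
    done < "$1/SHA256SUMS"
}

# Offline demo on constructed stand-in files (no Docker needed).
demo() {
    d=$(mktemp -d)
    printf 'constructed stand-in for trident.tar\n' > "$d/trident.tar"
    printf 'constructed stand-in for etcd.tar\n' > "$d/etcd.tar"
    write_manifest "$d" trident.tar etcd.tar
    verify_manifest "$d" && echo "intact copy: accepted"
    printf 'x' >> "$d/etcd.tar"        # simulate a change in transit
    verify_manifest "$d" || echo "modified copy: rejected"
    rm -rf "$d"
}
demo
```

Carry SHA256SUMS to kubehost by a path separate from the tarballs, or compare its own digest out of band, since a manifest that travels with the files only detects accidental corruption.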
Step 2: Push the images to your private registry
Next you need to take the container images that you copied to kubehost and get them into your private registry.
- Load the container images into kubehost's image cache.
```
[user@kubehost~]$ docker load < trident.tar
[user@kubehost~]$ docker load < etcd.tar
```
- Re-tag the container images in preparation for the push to your private registry.
```
[user@kubehost~]$ docker tag netapp/trident:18.10.0 <registry hostname>:<registry port>/trident:18.10.0
[user@kubehost~]$ docker tag quay.io/coreos/etcd:v3.3.9 <registry hostname>:<registry port>/etcd:v3.3.9
```
For example, if your private registry's hostname is registry.local and it's served on port 5000, you would run:
```
[user@kubehost~]$ docker tag netapp/trident:18.10.0 registry.local:5000/trident:18.10.0
[user@kubehost~]$ docker tag quay.io/coreos/etcd:v3.3.9 registry.local:5000/etcd:v3.3.9
```
- Push the container images to your private registry.
```
[user@kubehost~]$ docker push <registry hostname>:<registry port>/trident:18.10.0
[user@kubehost~]$ docker push <registry hostname>:<registry port>/etcd:v3.3.9
```
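The implied-Docker-Hub rule from the introduction and the re-tag step above can be checked mechanically. The following is an added example, not part of the original post: it works out which registry an image reference would be pulled from and prints the tag and push commands needed to mirror it. The function names are assumptions; registry.local:5000 is the example registry used above.

```shell
#!/bin/sh
# Added example (hypothetical helper names): which registry does an image
# reference imply, and what is its name in the private registry?

# registry_of IMAGE : prints the registry host the reference resolves to.
# Docker treats the part before the first "/" as a registry only if it
# contains "." or ":" or is "localhost"; otherwise Docker Hub (docker.io).
registry_of() {
    case "$1" in
        */*) first=${1%%/*} ;;
        *)   echo "docker.io"; return ;;   # bare "name:tag", the ":" is a tag
    esac
    case "$first" in
        *.*|*:*|localhost) echo "$first" ;;
        *)                 echo "docker.io" ;;
    esac
}

# private_name IMAGE REGISTRY : prints REGISTRY/<last path component with tag>,
# the naming used in the walkthrough (netapp/trident -> registry.local:5000/trident).
private_name() {
    echo "$2/${1##*/}"
}

# needs_mirroring IMAGE REGISTRY : exit 0 if IMAGE is not served by REGISTRY.
needs_mirroring() {
    [ "$(registry_of "$1")" != "$2" ]
}

# mirror_plan REGISTRY IMAGE... : prints the tag/push commands to run on kubehost.
mirror_plan() {
    registry=$1; shift
    for img in "$@"; do
        if needs_mirroring "$img" "$registry"; then
            target=$(private_name "$img" "$registry")
            echo "docker tag $img $target"
            echo "docker push $target"
        fi
    done
}

mirror_plan registry.local:5000 netapp/trident:18.10.0 quay.io/coreos/etcd:v3.3.9
```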
Step 3: Install Trident using the private registry
- Unpack the installer that you copied in step 1.
```
[user@kubehost~]$ tar zxvf trident-installer-18.10.0.tar.gz
```
- Follow the standard deployment procedure. When you reach the install step, point it to your private images:
```
[user@kubehost trident-installer]$ ./tridentctl install -n trident --trident-image <registry hostname>:<registry port>/trident:18.10.0 --etcd-image <registry hostname>:<registry port>/etcd:v3.3.9
INFO Created installer service account. serviceaccount=trident-installer
INFO Created installer cluster role. clusterrole=trident-installer
INFO Created installer cluster role binding. clusterrolebinding=trident-installer
INFO Created installer configmap. configmap=trident-installer
INFO Created installer pod. pod=trident-installer
INFO Waiting for Trident installer pod to start.
INFO Trident installer pod started. namespace=trident pod=trident-installer
INFO Starting storage driver. backend=/setup/backend.json
WARN Could not determine controller serial numbers. API status: failed, Reason: Unable to find API: syser, Code: 13005
INFO Storage driver loaded. driver=ontap-nas
INFO Starting Trident installation. namespace=trident
INFO Created service account.
INFO Created cluster role.
INFO Created cluster role binding.
INFO Created PVC.
INFO Created PV. pv=trident
INFO Waiting for PVC to be bound. pvc=trident
INFO Created Trident deployment.
INFO Waiting for Trident pod to start.
INFO Trident pod started. namespace=trident pod=trident-6784ff7bbd-vzrvt
INFO Waiting for Trident REST interface.
INFO Trident REST interface is up. version=18.10.0
INFO Trident installation succeeded.
INFO Waiting for Trident installer pod to finish.
INFO Trident installer pod finished. namespace=trident pod=trident-installer
INFO Deleted installer pod. pod=trident-installer
INFO Deleted installer configmap. configmap=trident-installer
INFO In-cluster installation completed.
INFO Deleted installer cluster role binding.
INFO Deleted installer cluster role.
INFO Deleted installer service account.
```
Go ahead and finish the deployment and you'll see that you now have Trident up and running from a private registry. Congratulations!
We have demonstrated how you can install Trident for Kubernetes from a secure private registry. The Trident installer supports these scenarios with extra options that let you pull images from another repository.
If you have any questions or comments about what you've seen here, we'd love to hear from you! Please add a comment below, reach out to us on the #containers channel on Slack, or open a support case to let us know how we can help. Have a great day and Happy Holidays!