Airgap Deployment
This page describes how to deploy and run Datasance PoT in air-gapped or restricted networks where remote ControlPlane Controller or Agent hosts cannot reach the internet (or a container registry) directly.
Overview
potctl allows users to deploy container images to edge nodes that cannot access the internet to pull images themselves.
For airgap installations potctl assumes that your remote hosts already have a container engine installed.
Remote ControlPlane
```yaml
---
apiVersion: datasance.com/v3
kind: ControlPlane
metadata:
  name: remote
spec:
  iofogUser:
    name: Foo
    surname: Bar
    email: mail@example.com
    password:
  airgap: true
  controllers:
  - name: remote-1
    host: 10.0.23.66
    ssh:
      user: admin
      keyFile: ~/.ssh/id_rsa
    # logLevel:
    # https:
    #   enabled: true
    #   caCert:
    #   tlsCert:
    #   tlsKey:
    # scripts:
    #   dir: /path-to-custom-scripts-dir
    #   deps:
    #     entrypoint: install_container_engine.sh
    #     args: []
    #   setEnv:
    #     entrypoint: set_env.sh
    #     args: []
    #   install:
    #     entrypoint: install_iofog.sh
    #     args:
    #     - ghcr.io/datasance/controller:3.5.7
    #   uninstall:
    #     entrypoint: uninstall_iofog.sh
  systemAgent:
    # scripts:
    #   dir: /path-to-custom-scripts-dir
    #   deps:
    #     entrypoint: install_container_engine.sh
    #     args: []
    #   install:
    #     entrypoint: install_iofog.sh
    #     args:
    #     - ghcr.io/datasance/agent:3.7.0
    #   uninstall:
    #     entrypoint: uninstall_iofog.sh
    #     args: []
    # config:
    #   deploymentType: container
    #   containerEngine: docker
    package:
      container:
        image: ghcr.io/datasance/agent:3.7.0
    config:
      deploymentType: container
      containerEngine: docker
      agentType: x86
    host: 192.168.139.148
  nats:
    enabled: true
  systemMicroservices:
    router:
      x86: ghcr.io/datasance/router:3.7.0
      arm: ghcr.io/datasance/router:3.7.0
    nats:
      x86: ghcr.io/datasance/nats:2.12.4
      arm: ghcr.io/datasance/nats:2.12.4
  auth:
    url:
    realm:
    ssl: "none"
    realmKey:
    controllerClient: pot-controller
    controllerSecret: ""
    viewerClient: ecn-viewer
```
You only need to set `spec.airgap: true`. potctl will then download the Controller, Agent, Router, NATS and Debugger images, send them to the remote host over SSH, and load them into the container engine on the remote host.
You must set `spec.systemAgent.config.agentType` and `spec.systemAgent.config.containerEngine` on the system agent so that potctl knows which image it needs to pull and send to the remote host.
The default airgap Controller installation scripts are listed under Default AirGap Controller Installation Scripts.
The default airgap system agent installation scripts are listed under Default AirGap Agent Installation Scripts.
If you would like to customize the installation scripts, download and edit them, then reference them in the `scripts` section of the spec so that potctl uses your custom installation scripts.
Remote Agents
```yaml
---
apiVersion: datasance.com/v3
kind: Agent
metadata:
  name: foo
spec:
  host: 192.168.139.148
  ssh:
    user: foo
    keyFile: ~/.ssh/id_rsa
    port: 22
  airgap: true
  package:
    container:
      image: ghcr.io/datasance/agent:3.7.0
  config:
    deploymentType: container
    containerEngine: docker
    agentType: arm
  # scripts:
  #   dir: /Users/emirhan/Documents/GitHub/demo.datasance.com/AWS/4-ControlPlanes/0-demo/agent/openwrt
  #   deps:
  #     entrypoint: install_deps.sh
  #   install:
  #     entrypoint: install_iofog.sh
  #     args:
  #     - ghcr.io/datasance/agent:3.7.0
  #   uninstall:
  #     entrypoint: uninstall_iofog.sh
```
You only need to set `spec.airgap: true`. potctl will then download the Agent, Router, NATS and Debugger images, send them to the remote host over SSH, and load them into the container engine on the remote host.
You must set `spec.config.agentType` and `spec.config.containerEngine` so that potctl knows which image it needs to pull and send to the remote host.
The default airgap system agent installation scripts are listed under Default AirGap Agent Installation Scripts.
If you would like to customize the installation scripts, download and edit them, then reference them in the `scripts` section of the spec so that potctl uses your custom installation scripts.
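Both the ControlPlane and the Agent sections above state the same pre-conditions (`spec.airgap: true`, plus `agentType` and `containerEngine` set so potctl knows which images to pull and ship). The following pre-flight check is an added example, not potctl's own code: it assumes the YAML has already been parsed into a dict (for instance with PyYAML's `yaml.safe_load`), encodes those rules, and returns the architecture-specific image list that will have to cross the air gap over SSH, so you can review it against your allowed-image list before deploying.

```python
# Added pre-flight check for airgap specs; not potctl's own code.
# Assumption: the YAML has already been parsed into a dict (for instance
# with yaml.safe_load); potctl's own validation rules may differ from these.
from typing import Dict, List, Tuple

VALID_AGENT_TYPES = ("x86", "arm")

# Constructed sample mirroring the Agent spec shown on this page (arm, docker).
AGENT_DOC: Dict = {
    "apiVersion": "datasance.com/v3", "kind": "Agent",
    "metadata": {"name": "foo"},
    "spec": {
        "host": "192.168.139.148",
        "ssh": {"user": "foo", "keyFile": "~/.ssh/id_rsa", "port": 22},
        "airgap": True,
        "package": {"container": {"image": "ghcr.io/datasance/agent:3.7.0"}},
        "config": {"deploymentType": "container", "containerEngine": "docker", "agentType": "arm"},
    },
}


def airgap_images(doc: Dict) -> Tuple[List[str], List[str]]:
    """Return (images potctl must ship over SSH, validation errors) for one spec."""
    kind = doc.get("kind")
    if kind not in ("ControlPlane", "Agent"):
        return [], [f"unsupported kind {kind!r}"]
    spec = doc.get("spec", {})
    # ControlPlane keeps the agent settings under spec.systemAgent; Agent uses spec directly.
    agent = spec.get("systemAgent", {}) if kind == "ControlPlane" else spec
    path = "spec.systemAgent.config" if kind == "ControlPlane" else "spec.config"
    cfg = agent.get("config", {})
    errors: List[str] = []
    if spec.get("airgap") is not True:
        errors.append("spec.airgap must be true")
    arch = cfg.get("agentType")
    if arch not in VALID_AGENT_TYPES:
        errors.append(f"{path}.agentType must be one of {VALID_AGENT_TYPES}")
    if not cfg.get("containerEngine"):
        errors.append(f"{path}.containerEngine must be set")
    image = agent.get("package", {}).get("container", {}).get("image")
    if not image:
        errors.append("package.container.image must name the Agent image")
    if errors:
        return [], errors
    # System microservice tags are per-architecture; keep only the agentType's tag.
    extra = [t[arch] for t in spec.get("systemMicroservices", {}).values() if arch in t]
    return [image] + extra, []
```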
OfflineImage for microservices
OfflineImage is the main mechanism for getting container images onto Agents that cannot pull from the internet:
- On a machine that has registry access (and potctl), define an OfflineImage YAML with the image tags and the list of Agent names.
- Run `potctl deploy -f offline-image.yaml`. potctl pulls the images locally, transfers them to each Agent via SSH, and loads them into the container runtime on the Agent. Catalog items are created with registry `from_cache` so applications can reference these images.
- Use flags such as `--no-cache` and `--transfer-pool` as needed (see OfflineImage reference).
This flow avoids any need for the Agent to reach a registry; all image data is pushed from the machine running potctl to the Agents over SSH.
For OfflineImage YAML and CLI flags, see OfflineImage YAML Specification. For general deployment paths, see Platform Deployment Introduction.