Installing Airgapped Omni
A tutorial on installing Omni in an airgapped environment.
Prerequisites
DNS server
NTP server
TLS certificates
Installed on the machine running Omni:
genuuid: used to generate a unique account ID for Omni.
Docker: used for running the suite of applications.
Wireguard: used by Siderolink.
Overview
Gathering Dependencies
In this package, we will be installing:
Gitea
Keycloak
Omni
To keep everything organized, I am using the following directory structure to store all the dependencies and I will move them to the airgapped network all at once.
NOTE: The empty directories will be used for the persistent data volumes when we deploy these apps in Docker.
Generate Certificates
TLS Certificates
This tutorial will involve configuring all of the applications to be accessed via HTTPS with signed .pem certificates generated with certbot. There are many methods of configuring TLS certificates and this guide will not cover how to generate your own TLS certificates, but there are many resources available online to help with this subject if you do not have certificates already.
Omni Certificate
Omni uses etcd to store the data for our installation and we need to give it a private key to use for encryption of the etcd database.
First, generate a GPG key.
This will generate a new GPG key pair with the specified properties.
What's going on here?
quick-generate-key allows us to quickly generate a new GPG key pair.
"Omni (Used for etcd data encryption) how-to-guide@siderolabs.com" is the user ID associated with the key, which generally consists of the real name, a comment, and an email address for the user.
rsa4096 specifies the algorithm type and key size.
cert means this key can be used to certify other keys.
never specifies that this key will never expire.
Add an encryption subkey
We will use the fingerprint of this key to create an encryption subkey.
To find the fingerprint of the key we just created, run:
Next, run the following command to create the encryption subkey, replacing $FPR with your own key's fingerprint.
In this command:
$FPR is the fingerprint of the key we are adding the subkey to.
rsa4096 and encr specify that the new subkey will be an RSA encryption key with a size of 4096 bits.
never means this subkey will never expire.
Export the secret key
Lastly, we'll export this key into an ASCII-formatted file so Omni can use it.
--armor is an option which creates the output in ASCII format. Without it, the output would be binary.
Save this file to the certs directory in our package.
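The four GPG steps above, carried out non-interactively, as an added example (this is not code from the Omni documentation). It assumes the key has no passphrase, since Omni must read the exported file unattended at startup, and it assumes the filename certs/omni.asc, which is this example's choice.

```shell
# Added example, not from the Omni documentation: the four GPG steps above,
# run non-interactively. Assumptions: the key carries no passphrase because
# Omni must read the exported file unattended at startup, and the output
# path certs/omni.asc is this example's choice of filename.
set -eu

OMNI_UID="Omni (Used for etcd data encryption) how-to-guide@siderolabs.com"
# Run gpg without prompts and with an empty passphrase.
gpg_batch() { gpg --batch --pinentry-mode loopback --passphrase '' "$@"; }

# Step 1: cert-only RSA-4096 primary key that never expires.
generate_primary_key() {
  gpg_batch --quick-generate-key "$OMNI_UID" rsa4096 cert never
}

# Step 2: fingerprint of that key; in --with-colons output it is field 10
# of the first fpr record, which directly follows the sec record.
primary_fingerprint() {
  gpg --list-secret-keys --with-colons "$OMNI_UID" \
    | awk -F: '/^fpr/ { print $10; exit }'
}

# Step 3: attach an RSA-4096 encryption-only subkey that never expires.
add_encryption_subkey() {
  gpg_batch --quick-add-key "$(primary_fingerprint)" rsa4096 encr never
}

# Capabilities of the first subkey (field 12 of the ssb record); "e" is
# the encryption capability Omni needs for the etcd database.
subkey_capabilities() {
  gpg --list-secret-keys --with-colons "$OMNI_UID" \
    | awk -F: '/^ssb/ { print $12; exit }'
}

# Step 4: ASCII-armored export for the certs directory of the package.
# Returns the first line of the file so the format can be confirmed.
export_secret_key() {
  out=${1:-certs/omni.asc}
  mkdir -p "$(dirname "$out")"
  gpg_batch --export-secret-key --armor "$OMNI_UID" > "$out"
  chmod 600 "$out"
  head -n 1 "$out"
}

# Usage: GNUPGHOME=$(mktemp -d) sh omni-gpg-key.sh run
if [ "${1:-}" = "run" ]; then
  generate_primary_key && add_encryption_subkey
  echo "fingerprint: $(primary_fingerprint)"
  export_secret_key certs/omni.asc
fi
```

Setting GNUPGHOME to a fresh directory keeps this key out of your personal keyring; the exported file is the only artifact the package needs.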
Create the app.ini File
Gitea uses a configuration file named app.ini which we can use to pre-configure the necessary information to run Gitea and bypass the initial startup page. When we start the container, we will mount this file as a volume using Docker.
Create the app.ini file
Replace the DOMAIN, SSH_DOMAIN, and ROOT_URL values with your own hostname:
NOTE: If running this in a production environment, you will also want to configure the database settings for a production database. This configuration will use an internal sqlite database in the container.
Gathering Images
Next we will gather all the images needed for installing Gitea, Keycloak, and Omni, and the images Omni will need for creating and installing Talos.
I'll be using the following images for the tutorial:
Gitea
docker.io/gitea/gitea:1.19.3
Keycloak
quay.io/keycloak/keycloak:21.1.1
Omni
ghcr.io/siderolabs/omni:v0.31.0
ghcr.io/siderolabs/imager:v1.4.5 (pull this image to match the version of Talos you would like to use)
Talos
ghcr.io/siderolabs/flannel:v0.21.4
ghcr.io/siderolabs/install-cni:v1.4.0-1-g9b07505
docker.io/coredns/coredns:1.10.1
gcr.io/etcd-development/etcd:v3.5.9
registry.k8s.io/kube-apiserver:v1.27.2
registry.k8s.io/kube-controller-manager:v1.27.2
registry.k8s.io/kube-scheduler:v1.27.2
registry.k8s.io/kube-proxy:v1.27.2
ghcr.io/siderolabs/kubelet:v1.27.2
ghcr.io/siderolabs/installer:v1.4.5
registry.k8s.io/pause:3.6
NOTE: The Talos images needed may be found using the command talosctl images. If you do not have talosctl installed, you may find the instructions on how to install it here.
Package the images
Pull the images to load them locally into Docker.
Run the following command for each of the images listed above except for the Omni image which will be provided to you as an archive file already.
Verify all of the images have been downloaded
Save all of the images into an archive file.
All of the images can be saved as a single archive file which can be used to load all at once on our airgapped machine with the following command.
Here is an example of the command used for the images in this tutorial:
Move Dependencies
Now that we have all the packages necessary for the airgapped deployment of Omni, we'll create a compressed archive file and move it to our airgapped network.
The directory structure should look like this now:
Create a compressed archive file to move to our airgap machine.
Now I will use scp to move this file to my machine which does not have internet access. Use whatever method you prefer to move this file.
Lastly, I will log in to my airgapped machine and extract the compressed archive file in the home directory.
Log in to the Airgapped Machine
From here on out, the rest of the tutorial will take place from the airgapped machine we will be installing Omni, Keycloak, and Gitea on.
Gitea
Gitea will be used as a container registry for storing our images, but also many other functionalities including Git, Large File Storage, and the ability to store packages for many different package types. For more information on what you can use Gitea for, visit their documentation.
Install Gitea
Load the images we moved over. This will load all the images into Docker on the airgapped machine.
Run Gitea using Docker:
The app.ini file is already configured and mounted below with the -v argument.
You may now log in at https://${GITEA_HOSTNAME}:3000 to begin configuring Gitea to store all the images needed for Omni and Talos.
Gitea setup
This is just the bare minimum setup to run Omni. Gitea has many additional configuration options and security measures to use in accordance with your industry's security standards. More information on the configuration of Gitea can be found here.
Create a user
Click the Register button at the top right corner. The first user registered is created as an administrator; permissions can be adjusted afterwards if you like.
Create organizations
After registering an admin user, the organizations can be created which will act as the package repositories for storing images. Create the following organizations:
siderolabs
keycloak
coredns
etcd-development
registry-k8s-io-proxy
NOTE: If you are using self-signed certs and would like to push images to your local Gitea using Docker, you will also need to configure your certs.d directory as described here.
Push Images to Gitea
Now that all of our organizations have been created, we can push the images we loaded into our Gitea for deploying Keycloak, Omni, and storing images used by Talos.
For all of the images loaded, we first need to tag them for our Gitea.
For example, if I am tagging the kube-proxy image it will look like this:
NOTE: Don't forget to tag all of the images from registry.k8s.io to go to the registry-k8s-io-proxy organization created in Gitea.
Finally, push all the images into Gitea.
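The tag-and-push step for the whole image list, as an added example that is not part of the Omni documentation. It assumes Gitea is reachable on port 3000 of GITEA_HOSTNAME as in the run command above, that the organizations from the "Create organizations" step exist, and that the default hostname is a placeholder you replace with your own.

```shell
# Added example, not from the Omni documentation: tag and push every loaded
# image into the Gitea organizations created earlier. Assumes Gitea on port
# 3000 of GITEA_HOSTNAME; the default hostname below is a placeholder.
set -eu

GITEA_HOSTNAME=${GITEA_HOSTNAME:-gitea.example.internal}
GITEA="${GITEA_HOSTNAME}:3000"

# registry.k8s.io images have no namespace and go to registry-k8s-io-proxy;
# every other registry keeps its namespace as the Gitea organization name.
gitea_target() {
  src=$1
  registry=${src%%/*}
  path=${src#*/}
  case "$registry" in
    registry.k8s.io) echo "$GITEA/registry-k8s-io-proxy/$path" ;;
    *)               echo "$GITEA/$path" ;;
  esac
}

# Constructed list: the tutorial's images minus Gitea's own, which already runs.
IMAGES="quay.io/keycloak/keycloak:21.1.1
ghcr.io/siderolabs/omni:v0.31.0
ghcr.io/siderolabs/imager:v1.4.5
ghcr.io/siderolabs/flannel:v0.21.4
ghcr.io/siderolabs/install-cni:v1.4.0-1-g9b07505
docker.io/coredns/coredns:1.10.1
gcr.io/etcd-development/etcd:v3.5.9
registry.k8s.io/kube-apiserver:v1.27.2
registry.k8s.io/kube-controller-manager:v1.27.2
registry.k8s.io/kube-scheduler:v1.27.2
registry.k8s.io/kube-proxy:v1.27.2
ghcr.io/siderolabs/kubelet:v1.27.2
ghcr.io/siderolabs/installer:v1.4.5
registry.k8s.io/pause:3.6"

# Tag and push each image; DRY_RUN=1 only prints the commands for review.
retag_and_push() {
  printf '%s\n' "$IMAGES" | while IFS= read -r img; do
    [ -n "$img" ] || continue
    dst=$(gitea_target "$img")
    if [ "${DRY_RUN:-0}" = 1 ]; then
      echo "docker tag $img $dst && docker push $dst"
    else
      docker tag "$img" "$dst" && docker push "$dst"
    fi
  done
}
```

Run it once with DRY_RUN=1 to confirm every registry.k8s.io image lands in registry-k8s-io-proxy before pushing for real.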
Keycloak
Install Keycloak
The image used for Keycloak is already loaded into Gitea and there are no files to stage before starting it, so I'll run the following command to start it. Replace KEYCLOAK_HOSTNAME and GITEA_HOSTNAME with your own hostnames.
Once Keycloak is installed, you can reach it in your browser at https://${KEYCLOAK_HOSTNAME}:3000
Configuring Keycloak
For details on configuring Keycloak as a SAML Identity Provider to be used with Omni, follow this guide: Configuring Keycloak SAML
Omni
With Keycloak and Gitea installed and configured, we're ready to start up Omni and start creating and managing clusters.
Install Omni
To install Omni, first generate a UUID to pass to Omni when we start it.
Next run the following command, replacing hostnames for Omni, Gitea, or Keycloak with your own.
What's going on here:
--auth-auth0-enabled=false tells Omni not to use Auth0.
--auth-saml-enabled enables SAML authentication.
--talos-installer-registry, --talos-imager-image and --kubernetes-registry allow you to set the default images used by Omni to point to your local repository.
--auth-saml-url is the URL we saved earlier in the configuration of Keycloak.
--auth-saml-metadata may also be used if you would like to pass it as a file instead of a URL, and can be used if using self-signed certificates for Keycloak.
Creating a cluster
Guides on creating a cluster on Omni can be found here:
Because we're working in an airgapped environment we will need the following values added to our cluster configs so they know where to pull images from. More information on the Talos MachineConfig.registries can be found here.
NOTE: In this example, cluster discovery is also disabled. You may also configure cluster discovery on your network. More information on the Discovery Service can be found here.
Specifics on patching machines can be found here:
Closure
With Omni, Gitea, and Keycloak set up, you are ready to start managing and installing Talos clusters on your network! The suite of applications installed in this tutorial is an example of how an airgapped environment can be set up to make the most out of the Kubernetes clusters on your network. Other container registries or authentication providers may also be used with a similar setup, but this suite was chosen to give you a starting point and an example of what your environment could look like.