Deploy in air-gapped environments

This guide walks you through installing vCluster Platform and deploying virtual clusters in environments without internet access, referred to as air-gapped environments. It covers setting up a private OCI-compliant registry, populating it with container images and Helm charts, configuring vCluster Platform and agents to pull from the registry, and deploying virtual clusters securely and offline.

Overview

There are several artifacts that are typically accessed using an internet connection. To complete an air-gapped install, these artifacts need to be accessible by the Kubernetes cluster through a private registry.

• vCluster Platform Helm chart - This Helm chart is typically accessed through the LoftLabs charts repository and is used for installing vCluster Platform and connecting hosts (for example installing agents).
• vCluster Helm chart - This Helm chart is typically accessed through the LoftLabs charts repository and is used for deploying virtual clusters.
• Images used in the Helm charts - These images are typically accessed through different container registries.

After populating the registry with the artifacts, install vCluster Platform, connect host clusters and then deploy virtual clusters. Each step requires additional configuration to use your private registry.

Prerequisites

Ensure you have the following:

• Administrator access to a Kubernetes cluster: See Accessing Clusters with kubectl for more information. Your current kube-context must have administrative privileges, which you can verify with kubectl auth can-i create clusterrole -A

  info

  To obtain a kube-context with admin access, ensure you have the necessary credentials and permissions for your Kubernetes cluster. This typically involves using kubectl config commands or authenticating through your cloud provider's CLI tools.

• helm installed: Helm v3.10 is required for deploying the platform. Refer to the Helm Installation Guide if you need to install it.

• kubectl installed: Kubernetes command-line tool for interacting with the cluster. See Install and Set Up kubectl for installation instructions.

Registry prerequisites

• OCI-compliant private registry with a /charts folder - A private registry accessible to both the Kubernetes cluster for the platform and connected host clusters and a separate, internet-connected machine.

• Ability to push to your OCI-compliant private registry - Write access for uploading images and charts.

Licensing prerequisite

• A license key for vCluster Platform - A LoftLabs license key is required to install vCluster Platform.

info

Contact sales@loft.sh to purchase a license key or request a trial license key for offline use.

Internet access prerequisites

• Access to the internet - Required on the machine used for downloading and preparing artifacts.

• Logged in to GitHub Container Registry - Authentication for pulling images from public registries.

Kubernetes access prerequisite

• Administrator access to a Kubernetes cluster - Current kube-context must have administrative privileges, verifiable with kubectl auth can-i create clusterrole -A

Tooling prerequisites

• wget installed - For downloading release assets and scripts
• docker installed - For pulling, packaging, and pushing container images

Network and resource prerequisites

• Host cluster access to platform domain - Connected host clusters must reach the domain where vCluster Platform is hosted.

• vCluster Platform Pod Resource Requirements

  • Requests
    • memory: 256Mi
    • cpu: 200m
  • Limits
    • memory: 4Gi
    • cpu: 2

• Ensure that the required network ports are open.

  info

  The platform requires open ports for API extensions, webhooks, and cost monitoring. In the infrastructure of private Kubernetes clusters, ensure firewall rules allow traffic from the Kubernetes master to platform components.

  • 8443 – API service extension for cluster communication (v1.cluster.loft.sh)
  • 9443 – Webhook validation and enforcement (loft webhook)
  • 9444 – Management API for platform administration (v1.management.loft.sh)
  • 9090 – Prometheus metrics proxy for cost monitoring

  For more information, see Networking to learn about port and firewall rules.

Populate images to private registry

Each vCluster Platform GitHub release and vCluster GitHub release provides multiple release assets to help you upload images to a private registry. These assets include text files listing all necessary images and scripts to automate downloading (pulling) and pushing them.

Image text files

Each vCluster Platform release includes a file that lists all container images required for installing vCluster Platform:

• images.txt — Required images for installing vCluster Platform.

In vCluster releases v0.25.0 and later, two files list the container images needed to deploy a vCluster:

• images.txt — Required images for deploying vCluster with the default Kubernetes version.
• images-optional.txt - An optional set of images needed for additional features, including different Kubernetes distributions and versions.

In vCluster releases earlier than v0.25.0, a single file is provided:

• vcluster-images.txt — Required images for deploying vCluster with the default Kubernetes version.

Scripts to pull and push images

Both product releases contain one script which helps download and package the list of images and another script that pushes images to the private registry. The script from either release can be used to populate the registry.

The difference between the scripts in the different releases is the default name of the tarball that is created. These instructions override the defaults to ensure the correct image text file and tarball is created.

• download-images.sh - A bash script that quickly iterates over all the images files to pull them and package them into a tarball to a machine that has internet access.
• push-images.sh - A bash script that takes the tarball generated from the download script to push them to your private registry.

tip

Both releases include download-images.sh and push-images.sh, but you only need to download the scripts once.

Pull and push images for vCluster Platform

Download the required platform images from public registries and upload them to your private registry for air-gapped installation.

Populate the registry with images

Follow these steps to populate the registry with the required platform images.

1. Set environment variables for the version of vCluster Platform that you want to deploy and the private registry.

   Export environment variables

   export PLATFORM_VERSION=4.3.0 # Replace with desired version
   export REGISTRY=ecr.io/myteam # This should be a prefix; do not include any image paths

2. Download the assets from the vCluster Platform GitHub release and make the scripts executable.

   warning

   The images.txt contains a vcluster-pro image for the default vCluster version, but doesn't contain all the images required to deploy vCluster. An additional step is required to retrieve all vCluster images.

   Download assets and prepare scripts

   wget https://github.com/loft-sh/loft/releases/download/v${PLATFORM_VERSION}/loft-images.txt
   wget https://github.com/loft-sh/loft/releases/download/v${PLATFORM_VERSION}/download-images.sh
   wget https://github.com/loft-sh/loft/releases/download/v${PLATFORM_VERSION}/push-images.sh
   
   chmod +x ./download-images.sh
   chmod +x ./push-images.sh

3. Run download-images.sh to pull all images and create a tarball of the images.

   Review the output to confirm all images were pulled successfully and packaged in the tarball.

   Download and package images

   ./download-images.sh --image-list loft-images.txt --images loft-images.tar.gz

4. Run push-images.sh to upload all required images to your private registry.

   When pushing images to your private registry, references to the original (public) image registry are removed. Only the image name and repository are preserved. This enables vCluster to pull all images from your configured private registry.

   Push images to private registry

   ./push-images.sh --registry ${REGISTRY} --images loft-images.tar.gz

Pull and push images for vCluster

Populate the registry with the specific images needed for deploying vCluster:

1. Set environment variables for the version of vCluster that you want to deploy and the private registry.

   tip

   You can review the tag of the vcluster-pro image in images.txt to pick the default vCluster version.

   Export environment variables

   export VCLUSTER_VERSION=0.25.0 # Replace with desired version
   # Setting the REGISTRY environment is redundant from the steps in populating vCluster Platform images
   # export REGISTRY=ecr.io/myteam # This should be a prefix; do not include any image paths

2. Download the text files from the vCluster GitHub release.

   The images.txt or vcluster-images.txt files contain multiple Kubernetes versions and distributions. You can edit the file and remove the images for any unwanted versions and distributions.

   Download image text file for vCluster v0.25.0+ versions

   wget https://github.com/loft-sh/vcluster/releases/download/v${VCLUSTER_VERSION}/images.txt

   Download image text file for vCluster < v0.25.0 versions

   wget https://github.com/loft-sh/vcluster/releases/download/v${VCLUSTER_VERSION}/vClusterimages.txt

3. Optional: Download the scripts from the vCluster GitHub release and make them executable.

   note

   If you've already completed this as part of populating the platform images, you can skip this step.

   Download prepare scripts

    wget https://github.com/loft-sh/vcluster/releases/download/v${VCLUSTER_VERSION}/download-images.sh
    wget https://github.com/loft-sh/vcluster/releases/download/v${VCLUSTER_VERSION}/push-images.sh
    chmod +x ./download-images.sh
    chmod +x ./push-images.sh

4. Run download-images.sh to pull all images and create a tarball of the images.

   Review the output to confirm all images were pulled successfully and packaged in the tarball.

   Download and package images for vCluster v0.25.0+ versions

   ./download-images.sh --image-list images.txt --images vcluster-images.tar.gz

   Download and package images for vCluster < v0.25.0 versions

   ./download-images.sh --image-list vcluster-images.txt --images vcluster-images.tar.gz

5. Run push-images.sh to upload all required images to your private registry.

   Images are pushed to your private registry without public registry references, preserving only the repository and image name. You can configure vCluster to use your private registry for all deployments.

   Push images to private registry

   ./push-images.sh --registry ${REGISTRY} --images vcluster-images.tar.gz

6. Optional: If you want to deploy vCluster v0.25.0 or later with a different Kubernetes version, download the images-optional.txt file from the vCluster GitHub release. Additional container images for the version must be downloaded and uploaded to your private registry.

   The images-optional.txt contains multiple Kubernetes distributions and versions. You can edit the file and remove the images for the unwanted distributions and versions.

   wget https://github.com/loft-sh/vcluster/releases/download/v${VCLUSTER_VERSION}/images-optional.txt
   ./download-images.sh --image-list images-optional.txt --images vcluster-images-optional.tar.gz
   ./push-images.sh --registry ${REGISTRY} --images vcluster-images-optional.tar.gz

Populate the Helm charts to a private registry

You can push the following Helm charts to your OCI-compliant private registry:

• vCluster Platform Helm chart: The core chart for deploying the vCluster platform.
• Version-specific Helm charts: Charts required for each vCluster version you intend to deploy.
• Application Helm charts: Charts for applications you plan to deploy with vCluster. For more details, see the Apps documentation for details.
• Experimental configuration charts: Charts needed when using experimental.deploy.vcluster.helm configuration settings.

warning

This guide only includes detailed steps for pulling and pushing the vCluster Platform image and Helm chart.

Pull and push the vCluster Platform Helm chart

1. note

   If you haven’t already set the environment variables, set them now before continuing.

   The private registry requires a /charts folder, where you must push all Helm charts.

   Export environment variables

   export PLATFORM_VERSION=4.3.0 # Replace with desired version
   export REGISTRY=ecr.io/myteam # A charts folder is expected

2. Pull the platform Helm chart and push it to your private registry with the OCI protocol:

   Pull and push the Helm chart to your private registry

   helm pull vcluster-platform --repo https://charts.loft.sh --version ${PLATFORM_VERSION}
   helm push vcluster-platform-${PLATFORM_VERSION}.tgz oci://${REGISTRY}/charts

Pull and push the vCluster Helm chart

1. note

   If you haven’t already set the environment variables, set them before continuing.

   The private registry assumes having a /charts folder, which is where to push all the Helm charts.

   Export environment variables

   export VCLUSTER_VERSION=0.25.0 # Replace with desired version
   export REGISTRY=ecr.io/myteam # A charts folder is expected

2. Pull the vCluster Helm chart and push it into your private registry with the OCI protocol.

   Pull and push the Helm chart to your private registry

   helm pull vcluster --repo https://charts.loft.sh --version ${VCLUSTER_VERSION}
   helm push vcluster-${VCLUSTER_VERSION}.tgz oci://${REGISTRY}/charts

Configure and install vCluster Platform and agent

To install the platform and connect hosts, you must configure a vcluster-platform.yaml file. This YAML file is used as the values.yaml for the vCluster Platform Helm chart.

vCluster Platform and agent configuration

The vcluster-platform.yaml file contains all configuration settings for your vCluster Platform and connected hosts (agents) installation.

Reference the offline license key

Reference the license key so that the platform can start with all your enterprise features enabled.

Offline license configuration

env:
  LICENSE_KEY: "YOUR_LICENSE_KEY"

Use a private registry without credentials

• Set the image to be used by the vCluster Platform Helm chart to the image in the private registry.
• Set the default registry for pulling images used in installing vCluster Platform or connecting hosts (i.e. deploying agents).
• Set the default chart registry in the vcluster-platform.yaml as the default Helm repository when creating virtual clusters. This should prefix with oci:// to ensure it's being deployed using OCI protocol as well as the /charts folder.

Setting the image for vCluster Platform and the default private registry

image: ecr.io/myteam/loft-sh/vcluster-platform:<PLATFORM_VERSION> # Replace with the fully formed image name based on your private registry

env:
  DEFAULT_IMAGE_REGISTRY: ecr.io/myteam
  DEFAULT_VCLUSTER_CHART_REPO: oci://ecr.io/myteam/charts

# The agent values are needed to keep the agent up to date with the same settings
agentValues:
  env:
    DEFAULT_IMAGE_REGISTRY: ecr.io/myteam
    DEFAULT_VCLUSTER_CHART_REPO: oci://ecr.io/myteam/charts

Use an authenticated private registry

• Set the image to be used by the vCluster Platform Helm chart to the image in the private registry.
• Set the default registry for pulling images used in installing vCluster Platform or connecting hosts (i.e. deploying agents).
• Set the default chart registry in the vcluster-platform.yaml as the default Helm repository when creating virtual clusters. This should prefix with oci:// to ensure it's being deployed using OCI protocol as well as the /charts folder.
• For registries that require authentication, create a Kubernetes secret in the namespace where you deploy the vCluster Platform or agent.
• Reference the secret to use those credentials for the registries.

Setting the image for vCluster Platform and the default private registry

image: ecr.io/myteam/loft-sh/vcluster-platform:v<PLATFORM_VERSION> # Replace with the fully formed image name based on your private registry

env:
  DEFAULT_IMAGE_REGISTRY: ecr.io/myteam
  DEFAULT_VCLUSTER_CHART_REPO: oci://ecr.io/myteam/charts
  HELM_REGISTRY_CONFIG: /loft/helm/.dockerconfigjson

volumes:
  - name: helm-pull-secret
    secret:
      secretName: registry-credentials-secret-name # Replace with the name of the secret deployed on the host cluster of where the Platform is deployed

volumeMounts:
  - name: helm-pull-secret
    mountPath: /loft/helm
    readOnly: true

# The agent values are needed to keep the agent up to date with the same settings
agentValues:
  env:
    DEFAULT_IMAGE_REGISTRY: ecr.io/myteam
    DEFAULT_VCLUSTER_CHART_REPO: oci://ecr.io/myteam/charts
    HELM_REGISTRY_CONFIG: /loft/helm/.dockerconfigjson

  volumes:
  - name: helm-pull-secret
    secret:
      secretName: registry-credentials-secret-name # Replace with the name of the secret deployed on the host cluster of where the platform is deployed

  volumeMounts:
  - name: helm-pull-secret
    mountPath: /loft/helm
    readOnly: true

warning

This only configures the registry authentication for managing virtual clusters with Helm.

• See App Reference to configure the chart repository URL with username and password authentication.
• See experimental.deploy.vcluster.helm configuration to configure repository with username and password authentication.

Use different vCluster Platform login credentials

If the username and password are not set in your vcluster-platform.yaml, the default credentials are:

• Username: admin
• Password: my-password

Set different vCluster Platform login credentials

admin:
  create: true
  username: newadmin
  password: "newpassword"

Install the platform

It is recommended to install vCluster Platform on its own host cluster.

Install vCluster Platform

1. On the host cluster, create the namespace for the platform, where vCluster Platform and optionally login credentials are to be deployed in.

   Create vCluster Platform namespace

   export PLATFORM_NAMESPACE=vcluster-platform
   kubectl create namespace ${PLATFORM_NAMESPACE}

2. Optional: Create a Secret to authenticate to your private registry.

   If your private registry requires authentication, create a Kubernetes secret that stores your login credentials.

   Place this Secret in the same namespace where the vCluster Platform is deployed. There are multiple ways to create your registry credentials as a secret.

   For more information, see how to quickly create a Secret from your Docker login.

   Example of how to create a Kubernetes secret for login credentials

   kubectl create secret docker-registry registry-credentials-secret-name \
     --namespace ${PLATFORM_NAMESPACE} \
     --docker-server=<your-registry-server> \
     --docker-username=<your-username> \
     --docker-password=<your-password> \
     --docker-email=<your-email>

3. Deploy vCluster Platform into the same namespace.

   Deploy vCluster with Helm

   export PLATFORM_VERSION=4.3.0 # Replace with the chart version that was pushed into your private registry
   export REGISTRY=myecr.io/team # Replace with the private registry
   
   helm upgrade --install vcluster-platform oci://${REGISTRY}/charts/vcluster-platform:${PLATFORM_VERSION} \
     --version ${PLATFORM_VERSION} \
     --values vcluster-platform.yaml \
     --namespace ${PLATFORM_NAMESPACE}

Connect host clusters

After installing the platform, connect host clusters by deploying an agent on each host. The host clusters must be able to access the domain where vCluster Platform is hosted.

Deploying an agent is deploying the vCluster Platform Helm chart and vcluster-platform.yaml. The only difference is when deploying the vCluster Platform Helm chart is adding additional variables to figure out how to connect to the platform.

Deploy agents to connect host clusters

1. On the host cluster, create the namespace for the agent installation, where the agent and optionally login credentials are to be deployed in.

   Create vCluster Platform namespace

   export AGENT_NAMESPACE=vcluster-platform
   kubectl create namespace ${AGENT_NAMESPACE}

2. Optional: Create a Secret to authenticate with your private registry.

   If your private registry requires authentication, create a Kubernetes Secret that stores your login credentials. Place this secret in the same namespace where the agent is deployed. There are multiple ways to create your registry credentials as a Secret.

   For more details, see Create a Secret from your Docker login.

   Create a Kubernetes secret for login credentials example

   kubectl create secret docker-registry registry-credentials-secret-name \
     --namespace ${AGENT_NAMESPACE} \
     --docker-server=<your-registry-server> \
     --docker-username=<your-username> \
     --docker-password=<your-password> \
     --docker-email=<your-email>

3. Deploy the agent into the same namespace.

   Deploy vCluster with Helm

   export PLATFORM_VERSION=4.3.0 # Replace with the chart version that was pushed into your private registry
   export REGISTRY=myecr.io/team # Replace with the private registry
   
   export PLATFORM_DOMAIN=https://myvclusterplatform.com
   export PLATFORM_TOKEN=<YOUR_PLATFORM_ACCESS_TOKEN>
   
   helm upgrade --install vcluster-platform oci://${REGISTRY}/charts/vcluster-platform:${PLATFORM_VERSION} \
     --version ${PLATFORM_VERSION} \
     --values vcluster-platform.yaml \
     --namespace ${AGENT_NAMESPACE} \
     --set agentOnly=true \
     --set url=$PLATFORM_DOMAIN \
     --set token=$PLATFORM_TOKEN

Deploy virtual clusters in air-gapped environments

With your vCluster Platform now installed and configured for air-gapped environments, you can deploy virtual clusters. The platform automatically uses your configured private registry settings.

Choose the Right Guide

After you complete the platform setup, stay on this page if you need to complete additional platform configuration or proceed to the vCluster guide for deploying individual virtual clusters:

Continue with this platform air-gapped guide if you need to:

• Create virtual clusters and connect more host cluster agents without internet access.
• Configure additional platform-wide private registry settings.

Use the vCluster air-gapped deployment guide to:

• Create virtual clusters after the platform is set up.
• Review detailed vCluster configuration options for air-gapped environments.

Configure and deploy virtual clusters

Virtual cluster configuration

The vcluster.yaml file defines all configuration settings for your virtual cluster deployment.

Use a private registry without credentials

Set the default private registry that does not have authentication.

Setting the private registry

controlPlane:
 advanced:
   defaultImageRegistry: ecr.io/myteam # Replace with your private registry

Use an authenticated private registry

For registries that require authentication, create a Kubernetes secret in the namespace where you deploy the vCluster. Assign the secret as an image pull secret for the vCluster control plane to access required images.

Optionally, you can use the same image pull secret for workloads inside the vCluster that pull from the same registry.

Image pull secrets configuration

controlPlane:
  advanced:
    defaultImageRegistry: ecr.io/myteam # Replace with your private image registry
    serviceAccount:
      imagePullSecrets: # Uses credentials for the vCluster control plane
        - name: registry-credentials-secret-name # Replace with the name of the secret deployed on the host cluster of where the vCluster is deployed
    workloadServiceAccount: # Uses credentials for any workloads created in the vCluster
      imagePullSecrets:
        - name: registry-credentials-secret-name # Replace with the name of the secret deployed on the host cluster of where your vCluster is deployed

warning

When using virtual clusters in air-gapped environments, the config.experimental.deploy.vcluster.helm configuration setting does not work with external Helm repositories since they cannot be accessed. This means custom Helm charts from repositories like charts.bitnami.com cannot be used for virtual cluster deployments.

Use a non-default Kubernetes version

For vCluster v0.25.0+, if you downloaded images-optional.txt to use a different Kubernetes version, configure vCluster to use that version in your deployment.

Specific Kubernetes version configuration

controlPlane:
  distro:
    k8s:
      image:
        tag: v1.31.1 # Replace with the Kubernetes version that you have chosen

For other versions, refer to the vCluster docs on how to set your image versions.

Replace the alpine image

If you use the sync.toHost.pods.rewriteHosts feature, manually replace the full path of the alpine image with your private registry path. The defaultImageRegistry setting does not apply to this image.

Replace the alpine image

sync:
  toHost:
    pods:
      rewriteHosts:
        initContainer:
          image: ecr.io/myteam/library/alpine:3.20

Deploy vCluster through the platform

When deploying vCluster through the platform console, you must add your vcluster.yaml.

Use an authenticated private registry

If you are using a private registry with authentication, you must create a Kubernetes secret that stores your login credentials. Place this secret in the same namespace where the vCluster is deployed so the control plane can pull the required container images.

In the options for the config, there is a section called Host namespace, add the yaml for the secret in the Kubernetes objects section.

Kubernetes secret for login credentials

apiVersion: v1
kind: Secret
metadata:
  name: registry-credentials-secret-name
  namespace: ${VCLUSTER_NAMESPACE}
type: Opaque
data:
  # Credentials based on your private registry

Deploy vCluster using Helm

1. In the platform UI, create an access key to connect vCluster to the platform. Save the access key.

2. Create a Kubernetes secret using the access key in a namespace on the host cluster.

   Create platform API key namespace and secret for platform API key

    export APIKEY_NAMESPACE=api-key-namespace
    kubectl create namespace ${APIKEY_NAMESPACE}
   
   
    kubectl create -f - <<EOF
    apiVersion: v1
    kind: Secret
    metadata:
      name: vcluster-platform-api-key
      namespace: ${APIKEY_NAMESPACE}
    type: Opaque
    data:
      accessKey: # Access key from the platform UI
      host: # domain name of platform
      insecure: # ???
    EOF

3. Optional: Create a secret to authenticate to your private registry.

   If your private registry requires authentication, create a Kubernetes secret that stores your login credentials. Place this secret in the same namespace where the vCluster is deployed so the control plane can pull the required container images.

   Create Kubernetes secret for login credentials

   export VCLUSTER_NAMESPACE=vcluster-my-vcluster  # Replace with the name of the namespace you want to deploy your vCluster into
   kubectl create namespace ${VCLUSTER_NAMESPACE}
   
   kubectl create secret docker-registry registry-credentials-secret-name \
   --namespace ${VCLUSTER_NAMESPACE} \
   --docker-server=<your-registry-server> \
   --docker-username=<your-username> \
   --docker-password=<your-password> \
   --docker-email=<your-email>

4. Review your vcluster.yaml file.

   vcluster.yaml configuration

   controlPlane:
     advanced:
       defaultImageRegistry: ecr.io/myteam # Replace with your private image registry
       serviceAccount:
         imagePullSecrets:
           - name: registry-credentials-secret-name # Replace with the name of the registry credentials secret
       workloadServiceAccount:
         imagePullSecrets:
           - name: registry-credentials-secret-name # Replace with the name of the registry credentials secret
   
   external:
     platform:
       apiKey:
         namespace: api-key-namespace # Replace with the namespace that the secret of the access key was deployed in
         secretName: vcluster-platform-api-key # Replace with the name of the secret of the access key
         createRBAC: true # Sets up RBAC so that the vcluster can access the secret of the access key

5. Deploy vCluster.

   Deploy vCluster with Helm

   export VCLUSTER_NAME="my-vcluster" # Replace with what you want to name your vCluster
   export VCLUSTER_VERSION=0.25.0 # Replace with the chart version that was pushed into your private registry
   export REGISTRY=myecr.io/team # Replace with the private registry
   
   # Uncomment and create a namespace if you didn't already create one for a secret for the registry
   # export VCLUSTER_NAMESPACE=vcluster-my-vcluster  # Replace with the name of the namespace you want to deploy your vCluster into
   # kubectl create namespace ${VCLUSTER_NAMESPACE}
   
   helm upgrade --install "${VCLUSTER_NAME}" oci://${REGISTRY}/charts/vcluster:${VCLUSTER_VERSION} \
     --version ${VCLUSTER_VERSION} \
     --values vcluster.yaml \
     --namespace ${VCLUSTER_NAMESPACE}