Running in air-gapped environments

edit

Running in air-gapped environments

edit

The ECK operator can be run in an air-gapped environment without access to the open internet when it is configured not to pull container images from docker.elastic.co.

By default ECK does not require you to specify the container image for each Elastic Stack application you deploy.

apiVersion: elasticsearch.k8s.elastic.co/v1
kind: Elasticsearch
metadata:
  name: quickstart
spec:
  version: 8.16.0
  # image: docker.elastic.co/elasticsearch/elasticsearch:8.16.0 
  nodeSets:
  - name: default
    count: 1
  # podTemplate:
  #   spec:
  #     imagePullSecrets: 
  #     - name: private-registry-credentials-secret

The ECK operator will set this value by default. You can explicitly set it to your mirrored container image when running in an air-gapped environment

You can provide credentials to your private container registry by setting the imagePullSecrets field through the spec.podTemplate section of your Elastic resource specification, check how to customize the Elastic resources Pods and how to setup a Secret containing your registry credentials.

ECK will automatically set the correct container image for each application. When running in an air-gapped or offline environment you will have to mirror the official Elastic container images in a private container image registry. To make use of your mirrored images you can either set the image for each application explicitly as shown in the preceding example or more conveniently override the default container registry as explained in the next section.

Use a mirrored image of the ECK operator

edit

To deploy the ECK operator in an air-gapped environment, you first have to mirror the operator image itself from docker.elastic.co to a private container registry, for example my.registry.

Once the ECK operator image is copied internally, replace the original image name docker.elastic.co/eck/eck-operator:2.15.0 with the private name of the image, for example my.registry/eck/eck-operator:2.15.0, in the operator manifests. When using Helm charts, replace the image.repository Helm value with, for example, my.registry/eck/eck-operator.

Override the default container registry

edit

When creating custom resources (Elasticsearch, Kibana, APM Server, Enterprise Search, Beats, Elastic Agent, Elastic Maps Server, and Logstash), the operator defaults to using container images pulled from the docker.elastic.co registry. If you are in an environment where external network access is restricted, you can configure the operator to use a different default container registry by starting the operator with the --container-registry command-line flag. Check Configure ECK for more information on how to configure the operator using command-line flags and environment variables.

The operator expects container images to be located at specific repositories in the default container registry. Make sure that your container images are stored in the right repositories and are tagged correctly with the Stack version number. For example, if your private registry is my.registry and you wish to deploy components from Stack version 8.16.0, the following image names should exist:

  • my.registry/elasticsearch/elasticsearch:8.16.0
  • my.registry/kibana/kibana:8.16.0
  • my.registry/apm/apm-server:8.16.0

Use a global container repository

edit

If you cannot follow the default Elastic image repositories naming scheme, you can configure the operator to use a different container repository by starting the operator with the --container-repository command-line flag. Check Configure ECK for more information on how to configure the operator using command-line flags and environment variables.

For example, if your private registry is my.registry and all Elastic images are located under the elastic repository, the following image names should exist:

  • my.registry/elastic/elasticsearch:8.16.0
  • my.registry/elastic/kibana:8.16.0
  • my.registry/elastic/apm-server:8.16.0

ECK Diagnostics in air-gapped environments

edit

The eck-diagnostics tool optionally runs diagnostics for Elastic Stack applications in a separate container that is deployed into the Kubernetes cluster.

In air-gapped environments with no access to the docker.elastic.co registry, you should copy the latest support-diagnostics container image to your internal image registry and then run the tool with the additional flag --diagnostic-image <custom-support-diagnostics-image-name>. To find out which support diagnostics container image matches your version of eck-diagnostics run the tool once without arguments and it will print the default image in use.