Deploying microservice applications in secure, isolated environments (called “airgapped”) can be very difficult. This is because it involves many complex parts and steps. It’s even harder when using advanced tools, such as Instana to monitor and understand what’s happening in the system. But, with careful planning and a clear understanding of the process, it’s possible to make it work. In this article, we’ll break down the steps to install Instana in an airgapped environment and provide a simple, step-by-step guide to help you do it successfully.

Understanding airgapped environments

An airgapped environment is a network that is physically isolated from other networks, including the internet. This isolation is often employed for security reasons to make sure that the sensitive data and operations remain protected from external threats. However, this isolation also makes it more complicated to manage and update software, especially for applications that rely on many external components and need regular updates.

Challenges in airgapped deployments

1. Dependency management: Microservice applications typically depend on numerous external libraries, tools, and services. In an airgapped environment, these dependencies must be manually fetched and transferred.
2. Artifact transfer: All required artifacts, including container images, binaries, configuration files, and scripts must be securely and reliably transferred to the isolated network.
3. Complexity of installation: Advanced Monitoring Platforms, such as Instana have complex installation processes involving multiple components and configurations.

Prerequisites

Before the installation, it is crucial to gather and prepare all necessary components. This involves:

· Listing required artifacts: Identify all images, binaries, and other dependencies required for Instana Custom Edition that are mentioned in the following list:

- Instana Kubernetes plugin

- Helm charts of each datastore

- Instana and Datastore images

· Downloading artifacts: On a connected machine, download all listed artifacts.

· Transferring artifacts: Transfer these artifacts by using secure media, such as USB drives, or an approved host to connect with the airgapped environment.

Installation of airgapped environment for Instana Custom Edition

Step 1: Setting up the environment

a) Prepare the infrastructure: Make sure that the target environment has all required infrastructure, including Kubernetes clusters, storage, and networking. For more information, see Prerequisites.

b) Verify prerequisites: Make sure that all prerequisites for running Instana are met, including specific versions of Kubernetes, Helm, and other tools. Requirements for installation of Self-Hosted Custom Edition (Kubernetes or Red Hat OpenShift Container Platform).

Step 2: Getting artifact details

1. Obtain Instana kubectl plug-in: To download the plugin for the corresponding architecture, see Instana kubectl plug-in.

Example:

wget -O kubectl-instana-linux_ppc64le-release-273–0.tar.gz https://artifact-public.instana.io/artifactory/rel-generic-instana-virtual/infrastructure/kubectl/release-273/kubectl-instana-linux_ppc64le-release-273-0.tar.gz — http-user=_ — http-password=$DOWNLOAD_KEY

1. Collect Instana images details: Run the following command from any host machine to retrieve the Instana image details:

kubectl-instana versions list-images

1. Collect datastore image or Helm details : To view a list of all the datastore images and Helm charts, see the x86, Power, Z documentation.
2. Cert-Manager image (Optional) : Download this YAML file to obtain all the images.

Step 3: Uploading Docker Images to private registry

You need to manually upload all of Instana images to your private container registry. Uploading the images allow you to access and deploy the images within your environment without requiring an external network connection. When you host these images in a private registry, you make sure that the images are readily available for use.

1. Copy Instana plug-in: Transfer your Instana plug-in to the air-gapped environment.
2. Push images to local registry: If you use a local registry, you can do one of the following steps to push the loaded images to it:

- Copying images directly from the Instana repository.

Install skeopy : https://github.com/containers/skopeo/blob/main/install.md

skopeo copy — dest-tls-verify=false — src-creds=_:$DOWNLOAD_KEY — dest-creds=$YOUR_REGISTRY_USERNAME:$YOUR_REGISTRY_PASSWORD docker://<image_from_instana_repo> docker://<image_to_your_repo>

Example:

skopeo copy — dest-tls-verify=false — src-creds=_:downloadkey — dest-creds=user:pass docker://artifact-public.instana.io/backend/acceptor:3.285.642–0 docker://your.repo/backend/acceptor:3.285.642–0

- Download and copy images from the Instana repository and export the images as TAR archives.

docker login -u _ -p $DOWNLOAD_KEY artifact-public.instana.io

docker save -o <image_name_from_instana_repo>.tar <image_from_instana_repo>

- Then,you can copy each image tarball to your air-gapped environment and then push it to your repository using Docker.

docker login -u <your_internal_artifactory_username> -p <your_internal_artifactory_password> <your_internal_artifactory_endpoint>

docker load <image_name_from_instana_repo>.tar

docker tag <image_name_from_instana_repo> <image_to_your_repo>

docker push <image_to_your_repo>

NOTE: don’t change the actual name of the images (only artifactory url and subpath).

For example, if you run kubectl-instana versions list-images and the image name returned is artifact-public.instana.io/backend/acceptor:3.273.312–0, then you must push the image to your internal artifactory in the following format: <your_internal_artifactory_endpoint>/<subpath>/acceptor:<tag_of_image>.

For cert-manager images, when applying the cert-manager YAML, make sure to replace the image paths in the YAML file.

Step 3: Getting Helm Charts

1. Install Helm:

a) Run the following command to download helm:

curl -fsSL -o get_helm.sh https://raw.githubusercontent.com/helm/helm/master/scripts/get-helm-3

chmod 700 get_helm.sh

./get_helm.sh

b) Copy the following binary to your air-gapped host.

/usr/local/bin/helm

1. Obtain Instana Helm charts

a) Download the corresponding Helm charts from the Instana artifactory. For more information, see the x86, Power, Zdocumentation.

b) Copy the downloaded charts to your air-gapped host.

ls 
cass-operator-0.47.0.tgz ibm-clickhouse-operator-1.1.0.tgz
cert-manager-v1.13.2.tgz postgres-operator-1.10.1.tgz
cloudnative-pg-0.20.0.tgz strimzi-kafka-operator-helm-3-chart-0.45.0.tgzeck-operator-2.16.1.tgz 
zookeeper-operator-0.2.15.tgz

c) Optional: If you want to use the beeinstana component, download it.

helm pull instana/beeinstana-operator

Step 4: Deploying datastores

1. Follow offline installation steps for datastores

You can use the artifacts that are copied to the air-gapped environment, such as Helm charts and images.

For Datastore operators, you find the Helm install command, which references the corresponding .tgz file that is copied in Step 3. If any other image name is specified in the Helm install step, provide the appropriate path from your internal repository.

For the datastore deployment, in the offline installation steps, you must replace the fields in the relevant installation YAML (e.g., <internal-image-registry>) with the corresponding images that are copied to the internal repository in Step 3.
 https://www.ibm.com/docs/en/instana-observability/current?topic=stores-installing-third-party-data-store-operators

Optional: For more information about the usage of Beeinstana, see Using the BeeInstana Kubernetes Operator.

Step 5: Deploying Instana

1. Deploying Instana operator

a) Run the following command to create operator pull secrets:

kubectl create secret docker-registry instana-registry \
 - namespace=instana-operator \
 - docker-username=<your_internal_artifactory_username> \
 - docker-password=<your_internal_artifactory_password> \
 - docker-server=<your_internal_artifactory_endpoint>

b) Run the following command to create the operator values file, values.yaml:

image:
  registry: <your_internal_artifactory_endpoint>
  imagePullSecrets:
    - name: instana-registry

c) Run the following command to deploy the operator:

kubectl instana operator apply — values values.yaml — namespace=instana-operator

1. Deploying Instana core or units

To deploy Instana core and units, see Installing the Instana backend. When you create core.yaml, you can add the corresponding configuration in the core.spec to pull images from the internal repository.

For example, if you run kubectl-instana versions list-images and the image name returned is artifact-public.instana.io/backend/acceptor:3.273.312–0, and you pushed it to your internal artifactory with the format <your_internal_artifactory_endpoint>/<subpath>/acceptor:<tag_of_image>, then proceed as follows:

spec:
  imageConfig:
    registry: <your_internal_artifactory_endpoint>
    repository: <subpath>
    tag: <tag_of_image>

NOTE: you don’t need to add the image name for each image because all the core or units images follow the same format as specified above. The operator automatically picks it from the local repository by replacing the image name. Therefore, you only need to specify the image path and tag without name.

Proceed with the remaining steps available in the backend deployment documentation after this. Follow the instructions outlined in the documentation to complete the deployment process. Make sure to apply any additional configurations or commands as specified.

Conclusion

When you deploy Instana Custom Edition in an airgapped environment, you might face some significant challenges that need a structured approach to simplify the process. By meticulously gathering and transferring all necessary artifacts, setting up the environment correctly, and carefully following the installation steps, you can achieve a successful deployment.

#Kubernetes