Draft: Socialize potential changes to airgapped deployment docs
Hello all,
I've recently been working on deploying Big Bang in an airgapped environment for Lockheed Martin. I started with the current airgap readme doc and came up with our own documentation tweaked slightly for our environment. I have attempted to merge that back with the existing airgap readme doc here to try to make it easier to see the diffs. There may be some oddities as a result of this - if you spot any, please let me know and I'll try to clarify.
Some notes:
-
The new process is narrowly focused on just the deployment itself, and doesn't include standing up a Kubernetes cluster beforehand or fully cover the steps needed for a utility cluster/server from which to provide the git server and container registry we use later in the process.
-
It also assumes that an airgapped bundle is already available for the user. The folder structure you'll see here is the folder structure that comes out of LM's bundling pipeline, with the addition of a
git-server
container image and our fork of thetemplate
repo. Some of the instructions are customized very slightly (e.g., the/.git
URLs instead of the typical.git
URL) based on our specific git-server image instead of thegitshim
image, as that is not part of our bundling pipeline. -
As someone newer to the technologies used in this stack, knowing which option to choose when given a choice was somewhat confusing and took a little bit of time to process. For ease of use I streamlined the process to use only one option, but I'm open to bringing the choices back (perhaps in an advanced user section?).
-
The process definitely heavily relies on the use of the
template
repo to overlay customized values on top of the Big Bang charts. -
The process has only been tested on k3s so far.
-
This does not cover installation of BB addons or other 3rd party applications.
-
I re-use the
registry.sh
script currently stored in the bigbang repo (as creating x509 certs by hand is somewhat laborious). In the version seen here, I also tried to grab some instructions from the existing docs (such as the notes about elastic logging).
I think the single largest deviation in this process is the addition of a git ssh credential secret being added to the kustomize-controller
pod deployment for the flux install. I found that flux could not clone my template
repo containing my kustomizations without adding credentials to the git-server to the pod's environment. If this is incorrect, or there's an alternative approach that is less invasive, I would love to hear about it.
Shoutouts to @cassiesouza, Omar Hasan, and Rocco Altier at Lockheed Martin for working on a forked version of this repo: https://repo1.dso.mil/platform-one/big-bang/customers/template/-/tree/main/ to prepare baseline templates for my use! We are going to see if there are any changes to the template
repo that we can contribute back as well.
Please let me know if you have any comments or suggestions!