
Airgapped installation

This page will guide you through the process of deploying Orion in an airgapped environment with no internet access.

After following the instructions below, you will have a functioning deployment of Orion, enabling you to launch workstations on your on-prem infrastructure.

If you need to handle a large number of nodes or would like to automate the process, we maintain a set of Ansible Playbooks you can use to perform the deployments. They support both online & airgapped deployments.

The playbook repository contains instructions on how to get running with them. If you prefer to perform the installation without Ansible, continue with the guide below.

Requirements

Before you get started, you must have the following available:

Requirements - what you need to mirror/fork

Images

Before deploying, make sure you have all the images listed in our Image Guide. They must be available from within your internal image registry, either as a copy or through a proxied project (e.g. Harbor's proxycache).

Access to your image registry

In most cases, you have 3 ways to make your images available:

1) Configure your runtime to perform all image pulls through your internal registry.

Most modern runtimes enable you to perform a "rewrite" of image pulls. That means an attempt to pull an image from docker.io really goes to your internal server, and Kubernetes does not need to be aware of this.

We recommend this method wherever possible - it is the most reliable and requires no extra configuration changes for the applications themselves. When using our On-Prem helper script, you will be automatically prompted for the correct settings. The script will then take care of the setup for you.

We will focus on that option in this guide. Note this is also possible on many custom K8s distributions - while the guide won't cover them, you can find helpful details in your distro-specific documentation. Your registry can be either authenticated or unauthenticated - both options work.

2) Using an unauthenticated, read-only (RO) registry.

Assuming all you do is fork upstream images, an unauthenticated, RO proxy (such as one Harbor can provide) is a valid option. This still requires extra work - you'll need to adjust imagePullSecrets.

3) Populating your own imagePullSecrets

This takes the most work & maintenance from you, hence we recommend using rewrites instead when possible.
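
For option 1, a pre-flight check can show which image references your rewrite rules cover and which would still try to reach the internet. This is an added example, not part of the Orion documentation or helper script; the registry hostnames, the mirror path layout and the image names are constructed assumptions.

```python
# Added example: constructed rewrite table and image list, not Orion's own values.
# Assumed mirror layout: <internal registry>/<project>/<upstream repository path>.
REWRITES = {
    "docker.io": "registry.internal.example/dockerhub",
    "quay.io": "registry.internal.example/quay",
}


def normalize(ref):
    """Split a reference into (registry host, repository with tag or digest),
    applying the Docker defaults that are resolved before any rewrite."""
    first, sep, rest = ref.partition("/")
    # The first component is a registry host only if it looks like one.
    if sep and ("." in first or ":" in first or first == "localhost"):
        host, path = first, rest
    else:
        host, path = "docker.io", ref
    if host == "docker.io" and "/" not in path:
        path = "library/" + path  # official images live under library/
    name = path.rsplit("/", 1)[-1]
    if "@" not in name and ":" not in name:
        path += ":latest"  # no tag or digest given, so the implicit tag applies
    return host, path


def plan(images):
    """Return (rewritten, unmirrored): where each pull would really go, and the
    references with no rewrite rule, which would need internet access."""
    rewritten, unmirrored = {}, []
    for ref in images:
        host, path = normalize(ref)
        if host in REWRITES:
            rewritten[ref] = REWRITES[host] + "/" + path
        else:
            unmirrored.append(ref)
    return rewritten, unmirrored


# Constructed sample references (hypothetical image names).
SAMPLE = ["nginx", "quay.io/example/app:v1.2.3", "ghcr.io/example/tool:2.0",
          "docker.io/example/cache@sha256:" + "0" * 64]

if __name__ == "__main__":
    rewritten, unmirrored = plan(SAMPLE)
    for src, dst in rewritten.items():
        print(f"{src} -> {dst}")
    print("no rewrite rule:", unmirrored)
```

Any reference reported as having no rewrite rule needs either a rule for its registry or a copy in your internal registry before the deployment can pull it.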

Helpful references

While this guide focuses on redirecting all image pulls to your registry via the runtime, if that does not suit your environment you'll need to set up and configure imagePullSecrets for Argo, gpu-operator and our deployments.

You can find more details on how those work here: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/

The imagePullSecrets can then be passed in to the respective charts, starting with argo and continuing with Juno-Bootstrap.

This is not necessary, and the setup is much simpler, when using the Quick Start Helper script.

Helm charts

To get Orion running in an airgapped environment, you must fork all Helm charts it depends on.

You can fork them either as git repositories or using OCI storage, as per the Helm Documentation.

We recommend Git repositories when:

  • You want the flexibility to quickly customize
  • You want to move fast
  • You are new to airgapped K8s deployments

OCI can be very fitting when you are looking to keep a more stringent & auditable release process for the charts and would like to work off of your established workflows. Many state-of-the-art approaches such as image signing can be reused for Helm, if your requirements dictate so.

Both approaches will work to deploy Orion.

Below you can find the charts that are necessary to get running:

Performing the installation - Helper Script

Once you meet all of the above prerequisites, you are ready to go! From here, you can jump back into the Quick Start Guide and continue on with it.

If you are running a custom deployment and passing in the imagePullSecrets manually, refer to Juno-Bootstrap and its example values: https://github.com/juno-fx/Juno-Bootstrap/blob/main/values.yaml

To get running, you would then install the deployment chart with your adjusted values.