Skip to content

Airgapped installation - Example

Note

This guide is designed as an example it is not recommended for a production environment

Warning

This procedure and container images were correct as of March 2026 on release branch genesis3.0.0-beta.1-orion3.0.0-beta.1, see the latest deployment documentation for the most up to date images

This page is a full detailed guide on how to setup Orion in an airgapped environment from scratch.

Requirements

Before you get started, you must have the following available:

  • A host with internet access to host a container register
  • A git server to host helm charts
  • A host to install the Juno Orion software on

Gathering external resources

Prepare container images

This section will details the steps required to download and store the relevant container images required by Orion and its underlying software. Its worth noting that the Orion host will need direct access to the registry host

  1. Start a docker registry to store the downloaded container images in 
    docker run -d \
  -p 5000:5000 \
  --restart=always \
  --name registry \
  -v /mnt/registry:/var/lib/registry \
  registry:3
  2. Once the above is up and running, you can download and push images using the following bash script, save the contents to a file and run it from a server that has both access to the docker registry and the internet. You will need to adjust the value of LOCAL_REGISTRY to the address of your deployed server. The script makes use of a package called skopeo this is required to preserve sha values required by some deployments.

The below script should be saved into a file e.g. load_scripts.sh and then be made executable with chmod +x load_scripts.sh before being run ./load_scrips.sh. Please be aware the images used in the below script are used as an example, please refer to the latest deployment charts for the most up to date versions.

#!/bin/bash

# --- Pre-flight Check ---
if ! command -v skopeo &> /dev/null; then
    echo " Error: 'skopeo' is not installed or not in PATH."
    echo " Please install it using: sudo dnf install skopeo (Rhel) or sudo apt install skopeo (Ubuntu)"
    exit 1
fi

IMAGES=(
    # Juno images
    "docker.io/junoinnovations/genesis:v4.0.0-beta.1"
    "docker.io/junoinnovations/titan:v2.1.1"
    "docker.io/junoinnovations/terra:v2.1.0"
    "docker.io/junoinnovations/hubble:v5.0.0-beta.1"
    "docker.io/junoinnovations/kuiper:v4.0.0-beta.2"
    "docker.io/junoinnovations/rhea:v1.0.0"

    # Nginx Ingress images
    "registry.k8s.io/ingress-nginx/controller:v1.15.0"
    "registry.k8s.io/ingress-nginx/kube-webhook-certgen:v1.6.8@sha256:d7e8257f8d8bce64b6df55f81fba92011a6a77269b3350f8b997b152af348dba"

    # ArgoCD images
    "quay.io/argoproj/argocd:v3.0.9"
    "ghcr.io/dexidp/dex:v2.41.1"
    "docker.io/library/redis:7.2.7-alpine"

    # k3s images
    "docker.io/rancher/mirrored-pause:3.6"
    "docker.io/rancher/mirrored-coredns-coredns:1.12.1"
    "docker.io/rancher/local-path-provisioner:v0.0.31"
    "docker.io/rancher/mirrored-metrics-server:v0.7.2"
    "docker.io/rancher/klipper-lb:v0.4.13"

    # (Example) Image used for LSIO webtop
    lscr.io/linuxserver/chrome:latest
)

LOCAL_REGISTRY="localhost:5000"

for IMAGE in "${IMAGES[@]}"; do
    echo "--------------------------------------------------------"
    echo "Processing: $IMAGE"

    if [[ "$IMAGE" == *"@sha256:"* ]]; then
        # We need to pull the sha but push the tag
        SRC_BASE=$(echo "$IMAGE" | cut -d':' -f1)
        DIGEST=$(echo "$IMAGE" | cut -d'@' -f2)
        SRC_REF="$SRC_BASE@$DIGEST"
        DEST_REF=$(echo "$IMAGE" | sed 's/@sha256:.*//')
    else
        # Standard tag-only image
        SRC_REF="$IMAGE"
        DEST_REF="$IMAGE"
    fi

    DEST_PATH=$(echo "$DEST_REF" | cut -d'/' -f2-)

    SRC_IMAGE="docker://$SRC_REF"
    DEST_IMAGE="docker://$LOCAL_REGISTRY/$DEST_PATH"

    echo "Source:      $SRC_IMAGE"
    echo "Destination: $DEST_IMAGE"

    skopeo copy \
        --dest-tls-verify=false \
        --multi-arch all \
        --preserve-digests \
        "$SRC_IMAGE" \
        "$DEST_IMAGE"

    if [ $? -eq 0 ]; then
        echo "Successfully synced!"
    else
        echo "ERROR: Failed to sync $IMAGE"
    fi
    echo ""
done

Prepare Git repos

The following repositories are required to be mirrored in a local git host somewhere available to your Orion install. The exact commands will be different depending on how your git server is setup, this script is provided but may not be relevant to your setup.

  1. "https://github.com/juno-fx/Orion-Deployment"
  2. "https://github.com/kubernetes/ingress-nginx"
  3. "https://github.com/juno-fx/Terra-Official-Plugins"
  4. "https://github.com/juno-fx/Genesis-Deployment"
#!/usr/bin/env bash
# Usage: ./mirror_repos.sh <TARGET_BASE_URL>
# e.g.   ./mirror_repos.sh git@gitlab.example.com:mygroup

set -euo pipefail

TARGET="${1:?Usage: $0 <target_base_url>}"
TARGET="${TARGET%/}"

REPOS=(
    "https://github.com/juno-fx/Orion-Deployment"
    "https://github.com/kubernetes/ingress-nginx"
    "https://github.com/juno-fx/Terra-Official-Plugins"
    "https://github.com/juno-fx/Genesis-Deployment"
)

WORK_DIR="/tmp/git-mirror"
mkdir -p "$WORK_DIR"

for URL in "${REPOS[@]}"; do
    NAME="$(basename "$URL")"
    DIR="$WORK_DIR/$NAME.git"

    echo ">>> $NAME"

    if [[ -d "$DIR" ]]; then
        git -C "$DIR" fetch --all --prune --tags
    else
        git clone --mirror "$URL" "$DIR"
    fi

    git -C "$DIR" push --mirror "$TARGET/$NAME.git"

    echo ""
done

echo "Done."

Download the Juno Oneclick installer and install wizard

Download the following and transfer them to your (future) Orion host. Take a note of the path(s) as they will be required during install

  • One click installer can be downloaded from this page
  • Install wizard can be downloaded by running the following command
curl -sL "$(curl -s https://api.github.com/repos/juno-fx/Juno-Bootstrap/releases/latest | grep browser_download_url | grep orion-install-helper | cut -d '"' -f 4)" > /tmp/orion-install-helper && chmod +x /tmp/orion-install-helper

No gateway configured

If your air gapped server is not configured with a network gateway then K3s may error during install as it uses this information to setup its internal networking. This can be resolved by creating a k3s config file prior to install.

File: /etc/rancher/k3s/config.yaml Contents: 

node-ip: 192.168.1.2        # Your actual node IP
cluster-cidr: 10.42.0.0/16
service-cidr: 10.43.0.0/16
flannel-iface: eth0         # Specify your interface explicitly

Running the wizard

During the running of the Oneclick install you will be prompted for information regarding your setup. This guide will assist you with answering those questions but there will be some situations where the answers supplied are not relevant to you.

1. Run the install script copied to the server in the previous step 

./orion-install-helper
The first section of the install script is concerned with collecting Installation information. Fill this out as needed

2. Confirm offline install

After confirming the install information is correct you will be prompted to decide if this is an offline install, here we choose [y] confirm offline

3. Chart URLS

You will now be asked for the chart URLs. These will be stored in your git server, copy the HTTP URL to the ingested git repo and enter it into the wizard. Confirm it is a git repo and enter the chart path as seen below.

git url

4. Cluster install

In this guide we will be selecting K3s to be installed as part of the setup. Select [2] at the "Choose Deployment Target" section

on prem k3s

5. Onceclick Installer

You will now be asked for the path to the Oneclick installer archive. Enter the full path

Installer path

Warning

If the path is invalid or the installer cannot access the archive you will be prompted again

6. Container Registry(s)

Next is the full path to the container registries. You are prompted for several but in this setup we can answer with the same URL for each one, this will be the path to the registry we setup at the beginning of this guide. By default the registry does not ask for username or password so we have left that blank here.

Mirror URL

7. Ready to install

If you have a separate disk you wish to store K3s images other than root enter it in the next step, in this guide we will accept the default You will be asked if you're ready to install, when selected the application will now be installed via a built in Ansible role. Congratulations on your new Juno Orion install!

Access the UI and set up Workloads

Access the Orion install web interface by any browser and log in using the credentials entered into the wizard at the beginning.

Projects

In order to create workloads you will need to setup a project, we will need to point this at the locally available git repo containing the Orion chart.

  1. In the Juno Orion portal, select "Projects" from the left hand menu
  2. Select "CREATE PROJECT"
  3. You will be presented with a form, input a name and a group ID as prompted and click "next"
  4. The next window is much longer and requires more input from us
    1. Change the "Orion Repository" to the locally cloned git repo
    2. Set the Orion Version to the latest Orion version e.g. v3.0.0-beta.1
  5. Click "deploy" when ready

For more information on project creation see the dedicated page on Projects

Terra plugins

In order to deploy plugins we need to setup the terra plugin system, again this will make use of a previously downloaded git repo

  1. In the left have side select the "App Store"
  2. Select "SOURCE REPOS" from the new window
  3. Click the "NEW SOURCE" button
  4. We are presented with a form to populate, complete and submit as follows
    1. URL should be set to the git fork completed earlier e.g. http://our-git-repo:3000/juno/terra-official-plugins
    2. We suggest using "main" as the "Ref"
    3. (Optional) if your git repository requires authentication then please populate the bottom two auth fields
  5. Once the repository has been installed the "STORE" should be populated with all the available plugins from Terra

For more information on Terra Plugins see the dedicated page on Terra

Workload Images

The workloads created by Terra plugins will be using standard containers that will need to be ingested into your container registry.

In this example we will be setting up the LSIO Webtop package. We assume a storage mount has already been created for this step, see here for further instructions on how to set this up.

1. (Optional) Adding lsio as a registry

For ease of use we will need to add "lsio" as a registry source in the k3s settings, this is only necessary if your registry is using HTTP and not HTTPS If you are using the k3s cluster installed via the bootstrap wizard then run the following command replacing the endpoint value with your registry value

 sudo jq '.mirrors["lscr.io"] = {"endpoint": ["http://YOUR_REGISTRY_HERE"]}' /etc/rancher/k3s/registries.yaml | sudo tee /etc/rancher/k3s/registries.yaml.tmp && sudo mv /etc/rancher/k3s/registries.yaml.tmp /etc/rancher/k3s/registries.yaml

Then restart k3s systemctl restart k3s 

systemctl restart k3s
This will need to be repeated on all k3s nodes

2. From the App store locate the LSIO Webtop plugin and install it, selecting a friendly name and clicking install

install app

3. Wait for the app to be ready by checking the "INSTALLS" tab

request waiting request done

4. Setup the workload
  1. Select the Workloads window from the left hand navigation bar and click "CREATE WORKLOAD"
  2. From the Version drop down select the lsio-webtop option
  3. Assign a group using the button and resulting form
  4. (Optional) If your registry is using HTTPS then you can update the "registry" text box with the URL of your container registry housing the image
  5. Click "Submit"

You can now deploy the LSIO workload on your air gapped system!

For more information on workloads see the dedicated page on Workloads