The documentation below covers topics from the imgpkg air-gapped workflow docs more concisely in order to focus on applying these workflows to kapp-controller package repositories.
You have a PackageRepository in an imgpkg bundle format in an external OCI registry that you would like to move into an OCI registry in an air-gapped environment. Once relocated, you would like to deploy the bundle as part of a PackageRepository to a Kubernetes cluster.
In order to go through this process of moving an imgpkg bundle to an air-gapped environment, you will need to have imgpkg installed. More information on installing Carvel tools, including imgpkg, can be found here.
Copy PackageRepository bundle to new location
Most of the steps documented in the imgpkg air-gapped workflow docs still apply when working with kapp-controller package repositories. In summary, you will need to copy your package repository bundle with imgpkg using one of the following options:
- Option 1: From a common location connected to both registries. This option is more efficient because only changed image layers will be transferred between registries.
- Option 2: With intermediate tarball. This option works best when registries have no common network access.
A summary of the steps for relocating a package repository bundle to an air-gapped environment is documented for both options below:
Option 1:
- Get to a location that can access both registries. If there is no such location, you will have to use
- Authenticate with both source and destination registries

```
imgpkg copy -b index.docker.io/user1/simple-app-bundle:v1.0.0 --to-repo final-registry.corp.com/apps/simple-app-bundle
```

Option 2:
- Get to a location that can access the source registry
- Authenticate with the source registry

```
imgpkg copy -b index.docker.io/user1/simple-app-bundle:v1.0.0 --to-tar /tmp/my-image.tar
```

- Make sure the tar file is in a location that has access to the destination registry
- Authenticate with the destination registry

```
imgpkg copy --tar /tmp/my-image.tar --to-repo final-registry.corp.com/apps/simple-app-bundle
```
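In Option 2 the tarball is the only artifact that crosses the air gap, so its SHA-256 can be recorded on the connected side, carried over a separate channel, and checked before the import. The script below is an added example, not part of the Carvel docs or imgpkg: the function names `tar_digest`, `verify_tar` and `import_bundle` are hypothetical, and it assumes `sha256sum` from GNU coreutils is available on both sides.

```shell
#!/bin/sh
# Added example: integrity gate for the Option 2 tarball.
# tar_digest / verify_tar / import_bundle are hypothetical helpers,
# not imgpkg features.
#
# Connected side:  imgpkg copy -b <bundle> --to-tar /tmp/my-image.tar
#                  tar_digest /tmp/my-image.tar   # send this value separately
# Air-gapped side: import_bundle /tmp/my-image.tar <digest> <destination-repo>

# Print the SHA-256 of the tarball as 64 lowercase hex characters.
tar_digest() {
  [ -f "$1" ] || { echo "missing tarball: $1" >&2; return 2; }
  sha256sum "$1" | awk '{print $1}'
}

# Compare the tarball against the digest received out of band.
# Returns 0 on match, 1 on mismatch, 2 on bad input.
verify_tar() {
  vt_file="$1"
  vt_want="$2"
  case "$vt_want" in
    ""|*[!0-9a-f]*)
      echo "expected digest must be lowercase hex" >&2
      return 2 ;;
  esac
  [ "${#vt_want}" -eq 64 ] || {
    echo "expected digest must be 64 hex characters" >&2
    return 2
  }
  vt_got="$(tar_digest "$vt_file")" || return 2
  if [ "$vt_got" != "$vt_want" ]; then
    echo "digest mismatch for $vt_file: got $vt_got" >&2
    return 1
  fi
}

# Import into the destination registry only if the tarball verifies.
# $1 = tarball, $2 = expected digest, $3 = destination repository
import_bundle() {
  verify_tar "$1" "$2" || return $?
  imgpkg copy --tar "$1" --to-repo "$3"
}
```
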
Use Relocated Bundle or Image with PackageRepository
Once you have relocated the package repository bundle into the destination OCI registry in your air-gapped environment, you can now reference the relocated bundle in a PackageRepository definition:
```yaml
---
apiVersion: install.package.carvel.dev/v1alpha1
kind: PackageRepository
metadata:
  name: simple-package-repository
spec:
  fetch:
    imgpkgBundle:
      image: final-registry.corp.com/apps/simple-app-bundle
```
In the event your PackageRepository needs authentication to pull the bundle, you can specify credentials as shown below. The secret for the secretRef property must be created in the kapp-controller namespace for the PackageRepository to use this secret. Supported secret keys are documented here. This authentication pattern will change in the future as better workflows are proposed for kapp-controller.
```yaml
---
apiVersion: install.package.carvel.dev/v1alpha1
kind: PackageRepository
metadata:
  name: simple-package-repository
spec:
  fetch:
    imgpkgBundle:
      image: final-registry.corp.com/apps/simple-app-bundle
      secretRef:
        name: my-registry-creds
```
After applying the PackageRepository definition above to your Kubernetes cluster, you will be able to check that the PackageRepository and its associated Packages were successfully deployed by checking the PackageRepository status:
```
$ kubectl get packagerepository/simple-package-repository
```
You will see a message of Reconcile Succeeded in the DESCRIPTION column of the output from kubectl if the PackageRepository was deployed successfully. You can also run kubectl get packages to see that all Packages were introduced successfully.