Airgap Installation
Suitable for offline installation scenarios.
Prerequisites:
- Provide an intranet container registry, e.g. Harbor;
- Provide an intranet Git-based code repository, e.g. GitLab;
- Allow access from the Walrus server to the container registry and the code repository.
Preparing offline images
Retrieve the walrus-images.txt, walrus-save-images.sh and walrus-load-images.sh files from Walrus Releases for downloading offline images and pushing them to the container registry.
- Use walrus-save-images.sh to download offline images on a Docker host with internet access:
bash walrus-save-images.sh --image-list walrus-images.txt
- Upload the saved offline image package walrus-images.tar.gz and walrus-load-images.sh to a Docker host that has access to the container registry. Use walrus-load-images.sh to upload the offline images. The commands below take Harbor as the example container registry (if you use a different registry, make sure to create a sealio project in it beforehand).
docker login registry.example.com --username admin --password Harbor12345
bash walrus-load-images.sh --registry registry.example.com --harbor-user admin --harbor-password Harbor12345
Preparing offline catalog
Fork or import all repositories from the Builtin catalog into the code repository.
You can refer to the following script to clone all repositories from walrus-catalog in batches and upload them to the code repository. Each repository needs to correspond to a specific internal repository, such as a GitLab Project.
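#!/bin/bash
# Stop on the first failed command so a partial mirror is not mistaken for a complete one
set -euo pipefail
# Walrus catalog org
ORG_NAME="walrus-catalog"
# Get all non-archived repos in the Walrus catalog org
# (the GitHub API returns 30 repos per page by default; per_page=100 is the maximum)
REPOS=$(curl -fsS "https://api.github.com/orgs/$ORG_NAME/repos?per_page=100" | jq -r '.[] | select(.archived == false) | .name')
for REPO_NAME in $REPOS; do
  # Clone repo
  git clone "https://github.com/$ORG_NAME/$REPO_NAME"
done
echo "All done!"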
Install Walrus
Standalone Installation
Update the image in Standalone Installation according to the intranet container registry. Additionally, add the environment variable SERVER_SETTING_IMAGE_REGISTRY, pointing to the intranet container registry and the offline Deployer image.
sudo docker run -d --privileged --restart=always --name walrus \
-p 80:80 -p 443:443 \
-e SERVER_SETTING_IMAGE_REGISTRY='registry.example.com' \
registry.example.com/sealio/walrus:v0.6.0
If your container registry is a private registry that requires authentication to pull images, additional configuration is needed. The steps are as follows.
For Standalone Installation of Walrus, the built-in K3s is used as the underlying runtime environment. To configure K3s to pull images from a private registry, mount a registries.yaml into the Walrus server.
- On the host where the Walrus server will run, create the registries.yaml:
mkdir -p /etc/walrus/k3s
vim /etc/walrus/k3s/registries.yaml
Fill in the following YAML content, replacing the registry address, username and password with your own. If the private registry uses an untrusted TLS certificate, use the insecure_skip_verify parameter to skip certificate verification. If not needed, simply remove it:
mirrors:
  docker.io:
    endpoint:
      - "https://registry.example.com"
  registry.example.com:
    endpoint:
      - "https://registry.example.com"
configs:
  "registry.example.com":
    auth:
      username: xxxxxx # This is the registry username
      password: xxxxxx # This is the registry password
    tls:
      insecure_skip_verify: true
- When running Walrus, mount the registries.yaml into the Walrus server:
sudo docker run -d --privileged --restart=always --name walrus \
-p 80:80 -p 443:443 \
-e SERVER_SETTING_IMAGE_REGISTRY='registry.example.com' \
-v /etc/walrus/k3s/registries.yaml:/etc/rancher/k3s/registries.yaml \
registry.example.com/sealio/walrus:v0.6.0
- After the Walrus server is running, enter the Walrus container to verify that the private registry configuration has taken effect:
docker exec -it walrus bash
cat /var/lib/k3s/agent/etc/containerd/config.toml
For more details, refer to the official K3s documentation K3s Private Registry Configuration.
- Access the Walrus UI, and after the initial login, navigate to https://<WALRUS_URL>/v1/settings. Validate whether the ImageRegistry setting is effective.
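The check below is an added example, not part of the Walrus or K3s documentation: because registries.yaml stores the registry password in plain text and may disable TLS verification, it audits the file on the host before it is mounted. The function names check_registries_yaml and file_mode are hypothetical.

```shell
#!/bin/sh
# Added example: audit a K3s registries.yaml before mounting it into the Walrus container.
# check_registries_yaml and file_mode are hypothetical helper names, not part of Walrus or K3s.

# Print the file's permission bits in octal (GNU stat first, BSD stat as fallback).
file_mode() {
  stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Print one finding per line; return 0 when clean, 1 on findings, 2 when the file is missing.
check_registries_yaml() {
  file=$1
  findings=0
  [ -f "$file" ] || { echo "MISSING: $file"; return 2; }

  # The file holds the registry password in plain text, so only its owner should have access.
  mode=$(file_mode "$file")
  case "$mode" in
    *00|0) ;;
    *) echo "PERMS: $file is mode $mode; restrict it with: chmod 600 $file"
       findings=1 ;;
  esac

  # An uncommented insecure_skip_verify: true disables certificate verification for that registry.
  if grep -Eq '^[[:space:]]*insecure_skip_verify:[[:space:]]*true([[:space:]]|#|$)' "$file"; then
    echo "TLS: insecure_skip_verify is true; certificate verification is disabled"
    findings=1
  fi

  # The xxxxxx placeholder from the template was never replaced with a real credential.
  if grep -Eq '^[[:space:]]*password:[[:space:]]*x+([[:space:]]|#|$)' "$file"; then
    echo "AUTH: password is still the xxxxxx placeholder"
    findings=1
  fi

  return "$findings"
}

# Usage: sh check-registries.sh /etc/walrus/k3s/registries.yaml
if [ "$#" -gt 0 ]; then check_registries_yaml "$1"; fi
```

A TLS finding is expected when the registry really does use an untrusted certificate; the check only makes sure the setting is a deliberate choice and not a leftover from the template.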
High Availability Installation
Update the image in High Availability Installation according to the intranet container registry. Additionally, add the SERVER_SETTING_IMAGE_REGISTRY environment variable to the Walrus deployment, pointing to the intranet container registry and the offline Deployer image.
vim walrus.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: walrus
  namespace: walrus-system
spec:
  ...
  template:
    ...
    spec:
      containers:
        - name: walrus-server
          # Image reference updated to the intranet container registry
          image: registry.example.com/sealio/walrus:v0.6.0
          ...
          env:
            - name: SERVER_SETTING_IMAGE_REGISTRY
              value: registry.example.com
          ...
kubectl apply -f walrus.yaml
If your container registry is a private registry that requires authentication to pull images, additional configuration is needed. The steps are as follows.
- To pull images from a private registry, Kubernetes requires credentials. First, create a credential secret:
kubectl create secret docker-registry registry-credential \
--docker-server=<your-container-registry> \
--docker-username=<your-name> \
--docker-password=<your-password> \
--docker-email=<your-email>
- Modify the YAML in High Availability Installation, add imagePullSecrets to several Deployments, and then deploy Walrus following the steps for High Availability Installation. This ensures that kubelet can pull images from the private registry when creating Pods.
vim walrus.yaml
apiVersion: apps/v1
kind: Deployment
...
spec:
  ...
  template:
    ...
    spec:
      containers:
        ...
      imagePullSecrets:
        - name: registry-credential
      ...
kubectl apply -f walrus.yaml
- Access the Walrus UI, and after the initial login, navigate to https://<WALRUS_URL>/v1/settings. Validate whether the ImageRegistry setting is effective.
Using intranet catalog
- Disable the built-in catalog:
Navigate to System Settings -> Server Management, edit Template Catalog Settings, disable Use built-in catalog and save.
- If the intranet catalog uses an untrusted TLS certificate, you can disable Walrus's certificate verification for catalogs (optional):
Navigate to System Settings -> Server Management, edit Certificate Settings, enable Skip certificate authentication and save.
- Remove the built-in catalog and add the intranet catalog:
Navigate to Operations -> Catalogs, check the builtin catalog, and choose to delete it.
Then choose Add Catalog, enter the catalog's name, description and source, and choose the type. For the source address, provide the complete git organization/group URL of the intranet catalog, such as https://github.com/walrus-catalog. Confirm and save.
Confirm that the intranet catalog is refreshing correctly. Navigate to Operations -> Templates and verify that the templates load successfully.
Note:
- OpenAI-related features (AI Draft Template) are not available in offline environments.
- If custom connectors are required, i.e., custom Terraform Providers, it's necessary to configure the mirror for the custom provider. Refer to https://developer.hashicorp.com/terraform/cli/commands/providers/mirror for guidance.