Install PXB on Airgapped Environments

This topic explains how you can install Portworx Backup in air-gapped environments. For installation through Argo CD, refer to Argo CD installation topic.

Install Portworx Backup in Air-gapped environments

Spec Details

Spec Details Tab

1. Access Portworx Central SpecGen.

2. Enter user credentials and make sure that you go through End-User License Agreement (EULA).

   If you are new to Portworx Central, click on Create account to generate your login credentials. You can also sign in with your organization’s OIDC identity provider, Google or Github account.

3. Click Sign In to access the Portworx Central portal.

4. On the home page, under Explore our Products, navigate to the Portworx Backup card. Then click Generate Backup Spec to open the Portworx Backup Install/upgrade page (Spec Details tab).

5. In the Spec Details tab provide the following values:

   
   
   1. Release Information

   • Backup Version: select the required version of Portworx Backup from the drop-down list

   • Namespace: provide the name of the namespace where you want an instance of Portworx Backup to be installed

   • Select your environment: choose On-Premises or Cloud based on your storage environment

   1. Configuration
   • StorageClass Name: name of the StorageClass, refer tooltip for more details
   note

   Defining the namespace and StorageClass is a one-time configuration step that should be completed during the initial installation. PVCs will be created using Namespace and StorageClass values you define in the SpecGen, and these values cannot be modified later during an upgrade.

   • Enable Rancher RBAC: select this checkbox if you are using Rancher for managing your Kubernetes clusters and want to enable Rancher's Role-Based Access Control (RBAC) for Portworx Backup. This feature can be enabled only if you have LDAP or PingIdentity as your identity provider. For more information, refer to PXB Rancher RBAC and Rancher RBAC.

   • Use your OIDC: select this checkbox only if your external authorization provider is Auth0 and key in the following fields:

     • Endpoint
     • Client ID
     • Client Secret

     These values can be fetched from the Auth0 web console. For more information on integrating external authorization providers, refer to Integrate Auth Providers

   • Use existing Prometheus: select this checkbox if you have to use your existing Prometheus stack to monitor Portworx Backup and enter the values for the following fields:

     • Prometheus Endpoint: enter details of the endpoint where your Prometheus is installed
     • Alertmanager Endpoint: enter details of the endpoint where your Alertmanager is installed
     • Prometheus secret name: enter secret name of your Prometheus stack
     • Alertmanager secret name: enter secret name of your Alertmanager
     • Use Custom email template from PX-Backup: select to upload Portworx Backup's custom email template to your pre-configured Alertmanager for email notifications

   • Proxy Configuration: select this checkbox if you have proxy server configured in your environment and enter the values for the following fields:

     • Unauthenticated: choose this if you have unauthenticated proxy server

       • HTTP Proxy: proxy server URL for http proxy
       • HTTPS Proxy: proxy server URL for https proxy
       • NO PROXY: comma separated list of hostnames IPs or domains that should bypass the proxy settings

     • Authenticated/CA: choose this option if your cluster is behind a proxy server with authentication or CA

       • Proxy configuration secret: name of the kubernetes proxy configuration secret created in pxb namespace holding the proxy configuration

   2. Custom Registry

      
      
      • Custom Image Repository Location: path of custom image repository. For more information, refer to Prepare air-gapped environment.
      • Image Pull Secret(s): create a secret in the following cases:
        • If image pulling from an internal repository requires credentials
        • If you were using docregistry-secret

   3. Database Credentials: This section configures database passwords for the various database components used by Portworx Backup. For more information on password guidelines, refer to Password Policy.

      • MySQL Root User Password: root password for MySQL database
      • Postgres User Password: password for PostgreSQL user
      • MongoDB PX-Backup User Password: password for MongoDB PX-Backup user
      • MongoDB Root User Password: root password for MongoDB database
      • MongoDB Replica Set Key: key for MongoDB replica set authentication
      • Encrypt MongoDB: select this checkbox to enable encryption at rest for MongoDB database
      • MongoDB Master Encryption Key: Master encryption key for MongoDB encryption at rest
      caution

      Safeguarding your encryption key is vital to prevent permanent data loss. If the key is lost, you will be unable to access your encrypted data, as it is the only means of decryption. Without it, the data is rendered completely inaccessible and cannot be recovered. Note that encryption keys cannot be rotated after they are set.

6. Click Next to navigate to Finish tab.

Navigate to the Finish tab at the top to execute few commands to complete the installation.

Finish

Finish Tab Installation

1. In the Finish tab:

Step 1

1. Copy the below yaml (command under Step 1) to your terminal and run to create a Kubernetes secret containing database credentials and configuration parameters for Portworx Backup components.

   pxc-credentials secret

   kubectl apply -f - <<EOF
   apiVersion: v1
   kind: Namespace
   metadata:
     name: <pxb-namespace>
   ---
   apiVersion: v1
   kind: Secret
   metadata:
     name: pxc-credentials
     namespace: <pxb-namespace>
   data:
     mongodb-px-backup-password: <base64-encoded-mongodb-password>
     mongodb-root-password: <base64-encoded-mongodb-root-password>
     mongodb-replica-set-key: <base64-encoded-mongodb-replica-set-key>
     mongodb-master-encryption-key: <base64-encoded-mongodb-master-encryption-key>
     postgresql-password: <base64-encoded-postgresql-password>
     mysql-password: <base64-encoded-mysql-password>
   EOF

The command creates the specified namespace (for example, central) and generates a pxc-credentials secret containing database passwords. All sensitive data is automatically base64-encoded for security, and the database credentials include password, replica set, and encryption key for MongoDB, only passwords for PostgreSQL and MySQL components of Portworx Backup.

Step 2

2. Execute the following command to add the helm repository to your cluster and update it:

   helm repo add portworx http://charts.portworx.io/ && helm repo update

Step 3

You can install Portworx Backup either with default options or with advanced options based on your environment. To install PXB with default options, go with Install using set command. For install with advanced options, go with Install using the values-px-central.yaml file.

Option 1: Install using the ‘set’ command

1. Optional If you are deploying PXB in a cluster with Istio or linkerd as service mesh, append istio.enabled=true (do not append istio.enabled=true if you have installed Istio in ambient mode) or linkerd.enabled=true at the end of the command provided under Install using the set command.
   

   note

   The hostName parameter is mandatory if multiple applications use the same prefix (/) and are using the Istio sidecar mode. To avoid routing conflicts during the PX-Backup deployment, update the host name by appending the istio.hostName in set parameter. For more information, refer to the Configure a dedicated hostname for Portworx Backup UI with Istio section.

   Sample command for istio enabled:

   helm install px-central charts/px-central --namespace central --version 2.10.0 --set persistentStorage.enabled=true,persistentStorage.storageClassName=”<storage-class-name>”,pxbackup.enabled=true,istio.enabled=true

   Note that all the parameters you have provided in the Spec Details tab get appended after --set in the command.

2. After you are done with providing and appending all the required parameters for installation, verify the command for accuracy.

3. Now copy and run the command in the terminal to install Portworx Backup.

OR

Option 2: Install using the values-px-central.yaml file

To install Portworx Backup with advanced options:

1. Click values-px-central.yaml file option provided under Install using the values-px-central.yaml file on the right of Step 2. This creates and downloads a values file named values-px-central.yaml with all your configuration overrides.

2. Rename this as values-px-central-<pxb-release-version>.yaml. Where <pxb-release-version> is the PXB version you want to install.

3. Set the values for the below keys as true based on the service mesh you have deployed in PXB cluster. Note that by default, istio.enabled and linkerd.enabled are set to false. Set istio.enabled to true only if you’re using the Istio sidecar.

   note

   The hostName parameter is mandatory if multiple applications use the same prefix (/) and are using the Istio sidecar mode. To avoid routing conflicts during the PX-Backup deployment, update the host name by using the istio.hostName Helm parameter. For more information, refer to the Configure a dedicated hostname for Portworx Backup UI with Istio section.

   istio:
     enabled: true
     hostName: ""
   linkerd:
     enabled: true

4. Save the yaml file for the changes made and validate the values.

5. Copy and execute the command under Install using the values-px-central.yaml file in your terminal to complete the installation:

   helm install px-central portworx/px-central --namespace central --create-namespace --version 2.10.0 -f values-px-central.yaml

6. From the instance where you run the helm3 command:

   1. Download the latest px-central package with the following command:

   curl -O https://raw.githubusercontent.com/portworx/helm/master/stable/px-central-.tgz

   2. Modify the Helm command generated in Step 7v to provide the helm package, instead of providing the repository. For example:

   helm install px-central portworx/px-central --namespace \<pxb-namespace\> --create-namespace --version <Variable name="pxbVer_2.10.0"/> -f values-px-central.yaml

   Sample command:

   helm install px-central px-central-2.10.0.tgz --namespace <pxb-namespace> --create-namespace --version 2.10.0 -f values-px-central.yaml

7. Click Finish after you complete the installation.

This activates the trial version of Portworx Backup. To upgrade to the enterprise version, apply a Portworx Backup license.

You can find more information about the Portworx Backup Helm chart in the helm section.

After you execute install command, Portworx Backup triggers health check to evaluate if your setup meets installation requirements. If the installation fails because of the failure in meeting the install requirements, Portworx Backup displays relevant error messages in the CLI. For more information, refer to health check and health check matrix.

Monitor Installation Completion

After running the helm install command, monitor the post-install hook to ensure successful deployment:

# Check post-install hook status
kubectl get pod --namespace <pxb-namespace> -ljob-name=pxcentral-post-install-hook -o wide | awk '{print $1, $3}' | grep -iv error

# Monitor until completion
kubectl get job pxcentral-post-install-hook -n <pxb-namespace> -w

Expected output:

pxcentral-post-install-hook-xxxxx Completed

Verify Pod Status

Ensure all Portworx Backup components are running:

kubectl get pods -n <pxb-namespace>

All pods should be in Running or Completed state.