Pre-Installation Requirements for Air-Gapped Environments

This topic covers the essential preparation steps required before installing Portworx Backup in air-gapped environments.

Overview

Air-gapped installations require careful preparation of container images and registry configuration since the environment cannot access external repositories during installation.

Prerequisites

• (Mandatory) Ensure that you are aware of custom password policy

• (Optional) If you want to enable mTLS for Portworx Backup, make sure Istio or Linkerd is installed on the cluster where you want to deploy PXB with the following parameters set to true:

  • Istio:
    • meshConfig.defaultConfig.holdApplicationUntilProxyStarts=true
    • values.pilot.env.ENABLE_NATIVE_SIDECARS=true
  • Linkerd:
    • proxyInit.runAsRoot=true

• When multiple applications are configured to use the same base path (such as /), Istio cannot determine which service should handle incoming traffic. To avoid routing conflicts during the px-backup deployment, update the hostname using the istio.hostName helm parameter

Prepare air-gapped environments

If your cluster is non-airgapped, skip this section. If your cluster is air-gapped, you must pull the below Docker images to either your docker registry or your server. If you are using your own Prometheus and Alertmanager with Portworx Backup, you do not have to pull the last four images from the following list:

2.10.0

Image	Image path	Version
pxcentralOnpremApi	docker.io/portworx/pxcentral-onprem-api	2.10.0
pxcentralOnpremUiFrontend	docker.io/portworx/pxcentral-onprem-ui-frontend	2.10.0
pxcentralOnpremUiBackend	docker.io/portworx/pxcentral-onprem-ui-backend	2.10.0
pxcentralOnpremUiLhbackend	docker.io/portworx/pxcentral-onprem-ui-lhbackend	2.10.0
pxcentralOnpremPreSetup	docker.io/portworx/pxcentral-onprem-hook	2.10.0
pxcentralOnpremPostSetup	docker.io/portworx/pxcentral-onprem-post-setup	2.10.0
pxBackup	docker.io/portworx/px-backup	2.10.0
postgresql	docker.io/portworx/postgresql	17.4.0-debian-12-r19
keycloak	docker.io/portworx/keycloak	26.2.4
keycloakLoginTheme	docker.io/portworx/keycloak-login-theme	2.10.0
busybox	docker.io/portworx/busybox	1.35.0
mysql	docker.io/portworx/mysql	8.0.43
mongodb	docker.io/portworx/mongodb	8.0.12-debian-12-r0
mongodb7	docker.io/portworx/mongodb	7.0.15-debian-12-r2
mongodb6	docker.io/portworx/mongodb	6.0.13-debian-11-r21
mongodb5	docker.io/portworx/mongodb	5.0.24-debian-11-r20
kopiaExecutor	docker.io/portworx/kopiaexecutor	1.2.22
nfsExecutor	docker.io/portworx/nfsexecutor	1.2.22
filesystemCtl	docker.io/portworx/filesystemctl	1.2.22
pxBackupPrometheusImage	docker.io/portworx/prometheus	v3.6.0
pxBackupAlertmanagerImage	docker.io/portworx/alertmanager	v0.28.0
pxBackupPrometheusOperatorImage	docker.io/portworx/prometheus-operator	v0.85.0
pxBackupPrometheusConfigReloaderImage	docker.io/portworx/prometheus-config-reloader	v0.85.0
pxLicenseServer	docker.io/portworx/px-els	2.8.0
Stork	openstorage/stork	25.5.0
Command Executor	openstorage/cmdexecutor	25.5.0
NFS Executor	openstorage/nfsexecutor	1.2.22
Kopia Executor	openstorage/kopiaexecutor	1.2.22

note

1. Refer to the Install Stork in air-gapped environments section to know more about the Stork and other openstorage images in your air-gapped environment, before installing Portworx Backup.
2. If your application cluster is running in the IBM Cloud environment, ensure that the image repository path is set to icr.io/ext/portworx/stork:<supported-pxb-stork-version> before applying the stork-spec.yaml during Stork installation (without PXE).

Before you begin

To pull the above Docker images and push them to an internal registry:

1. Download the pxcentral-ag-install-backup.sh air-gapped bootstrap Portworx Backup install script.

   curl -o pxcentral-ag-install-backup.sh -L "https://install.portworx.com/pxcentral-air-gapped?px-backup=true"

   You can also download the install script for a specific release by specifying a version query. For example:

   curl -o pxcentral-ag-install-backup.sh -L "https://install.portworx.com/pxcentral-air-gapped?version=<Variable name = "pxbVer_2.10.0"/>&px-backup=true"

2. Provide execute permission for the install script:

   chmod +x pxcentral-ag-install-backup.sh

3. Pull the container images to your local setup using the pxcentral-ag-install-backup.sh script:

    ./pxcentral-ag-install-backup.sh pull

4. Push the images to a internal registry server, accessible by the air-gapped nodes. Replace <repo> with your registry location.

   ./pxcentral-ag-install-backup.sh push <repo>

5. (Optional) If you want to enable mTLS for Portworx Backup, label PXB deployed namespace:

• Istio

  • Istio normal mode:

    kubectl label namespace <pxb-namespace> istio-injection=enabled --overwrite

    This command annotates <pxb-namespace> to inject sidecar proxy required for mTLS.

    Here <pxb-namespace> is the namespace where you have deployed PXB.

  • Istio ambient mode:

    kubectl label namespace <pxb-namespace> istio.io/dataplane-mode=ambient --overwrite

    For OpenShift cluster only, run the following command to enable host routing:

    oc patch network.operator/cluster --type merge -p '{"spec":{"defaultNetwork":{"ovnKubernetesConfig":{"gatewayConfig":{"routingViaHost":true}}}}}'

• Linkerd:

  1. Annotate PXB deployed namespace to inform Linkerd to inject linkerd-proxy required for mTLS:

     kubectl annotate ns <pxb-namespace> linkerd.io/inject=enabled

  2. Annotate the namespace for Kubernetes native sidecar support so that Linkerd sidecar proxy container can run and shut down gracefully without causing any issues:

     kubectl annotate ns <pxb-namespace> config.alpha.linkerd.io/proxy-enable-native-sidecar=true

Configure external OIDC endpoints

If you enabled an external OIDC during the Portworx Backup installation, you must manually configure the redirect URI in your OIDC provider.

Refer to the Setup login redirects section of the Portworx Enterprise documentation for instructions.

Next Steps

After completing these pre-installation requirements, proceed to the Air-Gapped Installation Guide.