Install Portworx on EKS air-gapped cluster
Follow the instructions on this page to deploy Portworx and its required packages on an EKS air-gapped cluster using your private registry location.
Prerequisites
- You must have an AWS EKS cluster that meets the Portworx prerequisites.
- You must use one of the following disk types:
- GP2
- GP3
- IO1
- Recommended disk sizes:
- GP2: 150 (GB) size disk is needed as the minimum IOP requirement when running on AWS
- GP3 specify IOPS required from EBS volume and specify throughput for EBS volume
- IO1 specify IOPS required from EBS volume
- For production environments Portworx, Inc. recommends 3 Availability Zones (AZs).
- Portworx, Inc. recommends you to set Max storage nodes per availability zone.
- A container registry accessible from the nodes on which Portworx will be deployed. In the below example, AWS Elastic Container Registry (ECR) is being used.
- If using ECR, you must have AWS CLI installed and configured on your client machine.
- An AWS user-account identity that can push or pull images to the given container registry.
Configure your environment
Follow the steps in this section to configure your EKS environment before installing Portworx.
Create an IAM policy
Provide permissions for all instances in the autoscaling cluster by creating an IAM policy.
Perform the following steps from your AWS console:
Navigate to the IAM page on your AWS console, then select Policies under the Identity and Access Management (IAM) sidebar section and select the Create Policy button in the upper right corner:
Choose the JSON tab, then paste the following permissions into the editor, providing your own value for
Sidif applicable:{ "Version": "2012-10-17", "Statement": [ { "Sid": "", "Effect": "Allow", "Action": [ "ec2:AttachVolume", "ec2:ModifyVolume", "ec2:DetachVolume", "ec2:CreateTags", "ec2:CreateVolume", "ec2:DeleteTags", "ec2:DeleteVolume", "ec2:DescribeTags", "ec2:DescribeVolumeAttribute", "ec2:DescribeVolumesModifications", "ec2:DescribeVolumeStatus", "ec2:DescribeVolumes", "ec2:DescribeInstances", "autoscaling:DescribeAutoScalingGroups" ], "Resource": [ "*" ] } ] }NOTE: These are the minimum permissions needed for storage operations for a Portworx cluster. For other IAM permissions required for other Portworx operations (such as backup and DR functionality), see the credentials reference section.Name and create the policy:
In the Roles section, search and select your node group NodeInstanceRole using your cluster name. The following example shows eksctl-victorpeksdemo2-nodegroup-NodeInstanceRole-M9QTT58HQ9Z as the nodegroup Instance Role:
NOTE: If there are more than one nodegroupNodeInstanceRolefor your cluster, attach the policy to thoseNodeInstanceRoles as well.Attach the previously created policy by selecting Attach policies from the Add permissions dropdown on the right side of the screen:
Under Other permissions policies, search for your policy name. Select your policy name and select the Attach policies button to attach it.
The policy you attached will appear under Permissions policies:
NOTE: Copy the ARN for the newly created policy. You will need to specify this value for yourNodeGroup(either within the AWS create-EKS/nodegroup section if using the AWS console, or in a configuration file if using theeksctl) for all nodes in your AWS cluster.
Get Portworx container images
Set an environment variable for the Kubernetes version you are using:
KBVER=$(kubectl version --short | awk -F'[v+_-]' '/Server Version: / {print $3}')Set an environment variable to the latest major Portworx version:
PXVER=<portworx-version>On an internet-connected host, download the air-gapped-install bootstrap script for the Kubernetes and Portworx versions that you specified:
curl -o px-ag-install.sh -L "https://install.portworx.com/$PXVER/air-gapped?kbver=$KBVER"Pull the container images required for the specified versions:
sh px-ag-install.sh pull
Set your container registry
In order to make the Portworx container images available in your air-gapped cluster, you need to have a container registry that the nodes can access. In the AWS environment, you can use the Elastic Container Registry (ECR) service. ECR is a repository for a single image, whereas Portworx consists of multiple images. Therefore, you must create a separate ECR repository for each image.
Log in to docker:
aws ecr get-login-password --region us-west-2 | docker login --username AWS --password-stdin XXXXXXXXXXXX.dkr.ecr.us-west-2.amazonaws.comRun the following command to create an ECR repository for each image. The following command will create repositories in the
us-west-2region, which are differentiated by thepxmirrorprefix. You must use the region where you are deploying your Portworx cluster in the following command:for images in $(curl -fsSL install.portworx.com/$PXVER/air-gapped | awk -F / '/^IMAGES="$IMAGES /{print $NF}' | cut -d: -f1); do aws ecr create-repository --repository-name pxmirror/$images --image-scanning-configuration scanOnPush=true --region us-west-2; doneYou need to press q after the creation of each repository until the command is completely executed.
Create the Kubernetes secret to pull the images in the same region:
kubectl create secret docker-registry ecr-pxmirror --docker-server XXXXXXXXXXXX.dkr.ecr.us-west-2.amazonaws.com --docker-username=AWS --docker-password=$(aws ecr get-login-password --region us-west-2) -n kube-systemThe registry used in above command is:
XXXXXXXXXXXX.dkr.ecr.us-west-2.amazonaws.com/pxmirror, whereXXXXXXXXXXXXcorresponds to your AWS Account ID number.NOTE: Skip the above steps if you are not using the ECR registry.Push the container images to a private registry that is accessible to your air-gapped nodes. Do not include
http://in your private registry path:sh px-ag-install.sh push XXXXXXXXXXXX.dkr.ecr.us-west-2.amazonaws.com/pxmirror
Create a version manifest configmap for Portworx Operator
Download the Portworx version manifest:
curl -o versions "https://install.portworx.com/$PXVER/version?kbver=$KBVER"Create a configmap from the downloaded version manifest:
kubectl -n kube-system create configmap px-versions --from-file=versions
Install Portworx
Follow the instructions in this section to deploy Portworx.
Generate specs
Navigate to the PX-Central.
Select Portworx Enterprise from the product catalog.
On the Product Line page, choose any option depending on which license you intend to use, then select Continue to start the spec generator.
On the Basic page, ensure that the Use the Portworx Operator option is selected. For Portworx version, select the same version from the dropdown that you have set in the previous section. If you choose version 2.12, change the namespace to kube-system in the Namespace field. Select Built-in ETCD and click Next.
Select Cloud as your environment and then select AWS as your cloud platform. Keep the recommended default values for the Configure storage devices section and click Next.
Choose your network and click Next.
On the Customize page, for the Are you running on either of these? option, select Amazon Elastic Container Service for Kubernetes (EKS). Provide your internal registry path and the details for how to connect to your private registry in Registry And Image Settings.
Click the Finish button to create the specs.
Apply specs
Apply the Operator and StorageCluster specs you generated in the section above by performing the following steps:
Deploy the Operator:
kubectl apply -f 'https://install.portworx.com/<PXVER>?comp=pxoperator'serviceaccount/portworx-operator created podsecuritypolicy.policy/px-operator created clusterrole.rbac.authorization.k8s.io/portworx-operator created clusterrolebinding.rbac.authorization.k8s.io/portworx-operator created deployment.apps/portworx-operator createdDeploy the StorageCluster:
kubectl apply -f 'https://install.portworx.com/<PXVER>?operator=true&mc=false&kbver=&b=true&c=px-cluster-0d8dad46-f9fd-4945-b4ac-8dfd338e915b&stork=true&csi=true&mon=true&tel=false&st=k8s®=XXXXXXXXXXXX.dkr.ecr.us-west-2.amazonaws.com&rsec=ecr-pxmirror&promop=true'storagecluster.core.libopenstorage.org/px-cluster-0d8dad46-f9fd-4945-b4ac-8dfd338e915b created
Verify your Portworx installation
Once you’ve installed Portworx, you can perform the following tasks to verify that Portworx has installed correctly.
Verify if all pods are running
Enter the following kubectl get pods command to list and filter the results for Portworx pods:
kubectl get pods -n kube-system -o wide | grep -e portworx -e pxportworx-api-774c2 1/1 Running 0 2m55s 192.168.121.196 username-k8s1-node0 <none> <none>
portworx-api-t4lf9 1/1 Running 0 2m55s 192.168.121.99 username-k8s1-node1 <none> <none>
portworx-api-dvw64 1/1 Running 0 2m55s 192.168.121.99 username-k8s1-node2 <none> <none>
portworx-kvdb-94bpk 1/1 Running 0 4s 192.168.121.196 username-k8s1-node0 <none> <none>
portworx-kvdb-8b67l 1/1 Running 0 10s 192.168.121.196 username-k8s1-node1 <none> <none>
portworx-kvdb-fj72p 1/1 Running 0 30s 192.168.121.196 username-k8s1-node2 <none> <none>
portworx-operator-58967ddd6d-kmz6c 1/1 Running 0 4m1s 10.244.1.99 username-k8s1-node0 <none> <none>
prometheus-px-prometheus-0 2/2 Running 0 2m41s 10.244.1.105 username-k8s1-node0 <none> <none>
px-cluster-1c3edc42-4541-48fc-b173-3e9bf3cd834d-9gs79 2/2 Running 0 2m55s 192.168.121.196 username-k8s1-node0 <none> <none>
px-cluster-1c3edc42-4541-48fc-b173-3e9bf3cd834d-vpptx 2/2 Running 0 2m55s 192.168.121.99 username-k8s1-node1 <none> <none>
px-cluster-1c3edc42-4541-48fc-b173-3e9bf3cd834d-bxmpn 2/2 Running 0 2m55s 192.168.121.191 username-k8s1-node2 <none> <none>
px-csi-ext-868fcb9fc6-54bmc 4/4 Running 0 3m5s 10.244.1.103 username-k8s1-node0 <none> <none>
px-csi-ext-868fcb9fc6-8tk79 4/4 Running 0 3m5s 10.244.1.102 username-k8s1-node2 <none> <none>
px-csi-ext-868fcb9fc6-vbqzk 4/4 Running 0 3m5s 10.244.3.107 username-k8s1-node1 <none> <none>
px-prometheus-operator-59b98b5897-9nwfv 1/1 Running 0 3m3s 10.244.1.104 username-k8s1-node0 <none> <none>Note the name of one of your px-cluster pods. You’ll run pxctl commands from these pods in following steps.
Verify Portworx cluster status
You can find the status of the Portworx cluster by running pxctl status commands from a pod. Enter the following kubectl exec command, specifying the pod name you retrieved in the previous section:
kubectl exec <pod-name> -n kube-system -- /opt/pwx/bin/pxctl statusDefaulted container "portworx" out of: portworx, csi-node-driver-registrar
Status: PX is operational
Telemetry: Disabled or Unhealthy
Metering: Disabled or Unhealthy
License: Trial (expires in 31 days)
Node ID: 788bf810-57c4-4df1-9a5a-70c31d0f478e
IP: 192.168.121.99
Local Storage Pool: 1 pool
POOL IO_PRIORITY RAID_LEVEL USABLE USED STATUS ZONE REGION
0 HIGH raid0 3.0 TiB 10 GiB Online default default
Local Storage Devices: 3 devices
Device Path Media Type Size Last-Scan
0:1 /dev/vdb STORAGE_MEDIUM_MAGNETIC 1.0 TiB 14 Jul 22 22:03 UTC
0:2 /dev/vdc STORAGE_MEDIUM_MAGNETIC 1.0 TiB 14 Jul 22 22:03 UTC
0:3 /dev/vdd STORAGE_MEDIUM_MAGNETIC 1.0 TiB 14 Jul 22 22:03 UTC
* Internal kvdb on this node is sharing this storage device /dev/vdc to store its data.
total - 3.0 TiB
Cache Devices:
* No cache devices
Cluster Summary
Cluster ID: px-cluster-1c3edc42-4541-48fc-b173-3e9bf3cd834d
Cluster UUID: 33a82fe9-d93b-435b-943e-6f3fd5522eae
Scheduler: kubernetes
Nodes: 3 node(s) with storage (3 online)
IP ID SchedulerNodeName Auth StorageNode Used Capacity Status StorageStatus Version Kernel OS
192.168.121.196 f6d87392-81f4-459a-b3d4-fad8c65b8edc username-k8s1-node0 Disabled Yes 10 GiB 3.0 TiB Online Up 2.11.0-81faacc 3.10.0-1127.el7.x86_64 CentOS Linux 7 (Core)
192.168.121.99 788bf810-57c4-4df1-9a5a-70c31d0f478e username-k8s1-node1 Disabled Yes 10 GiB 3.0 TiB Online Up (This node) 2.11.0-81faacc 3.10.0-1127.el7.x86_64 CentOS Linux 7 (Core)
192.168.121.191 a8c76018-43d7-4a58-3d7b-19d45b4c541a username-k8s1-node2 Disabled Yes 10 GiB 3.0 TiB Online Up 2.11.0-81faacc 3.10.0-1127.el7.x86_64 CentOS Linux 7 (Core)
Global Storage Pool
Total Used : 30 GiB
Total Capacity : 9.0 TiBThe Portworx status will display PX is operational if your cluster is running as intended.
Verify pxctl cluster provision status
Find the storage cluster, the status should show as
Online:kubectl -n kube-system get storageclusterNAME CLUSTER UUID STATUS VERSION AGE px-cluster-1c3edc42-4541-48fc-b173-3e9bf3cd834d 33a82fe9-d93b-435b-943e-6f3fd5522eae Online 2.11.0 10mFind the storage nodes, the statuses should show as
Online:kubectl -n kube-system get storagenodesNAME ID STATUS VERSION AGE username-k8s1-node0 f6d87392-81f4-459a-b3d4-fad8c65b8edc Online 2.11.0-81faacc 11m username-k8s1-node1 788bf810-57c4-4df1-9a5a-70c31d0f478e Online 2.11.0-81faacc 11m username-k8s1-node2 a8c76018-43d7-4a58-3d7b-19d45b4c541a Online 2.11.0-81faacc 11mVerify the Portworx cluster provision status. Enter the following
kubectl execcommand, specifying the pod name you retrieved in the previous section:kubectl exec <pod-name> -n kube-system -- /opt/pwx/bin/pxctl cluster provision-statusDefaulted container "portworx" out of: portworx, csi-node-driver-registrar NODE NODE STATUS POOL POOL STATUS IO_PRIORITY SIZE AVAILABLE USED PROVISIONED ZONE REGION RACK 788bf810-57c4-4df1-9a5a-70c31d0f478e Up 0 ( 96e7ff01-fcff-4715-b61b-4d74ecc7e159 ) Online HIGH 3.0 TiB 3.0 TiB 10 GiB 0 B default default default f6d87392-81f4-459a-b3d4-fad8c65b8edc Up 0 ( e06386e7-b769-4ce0-b674-97e4359e57c0 ) Online HIGH 3.0 TiB 3.0 TiB 10 GiB 0 B default default default a8c76018-43d7-4a58-3d7b-19d45b4c541a Up 0 ( a2e0af91-bb02-1574-611b-8904cab0e019 ) Online HIGH 3.0 TiB 3.0 TiB 10 GiB 0 B default default default
Create your first PVC
For your apps to use persistent volumes powered by Portworx, you must use a StorageClass that references Portworx as the provisioner. Portworx includes a number of default StorageClasses, which you can reference with PersistentVolumeClaims (PVCs) you create. For a more general overview of how storage works within Kubernetes, refer to the Persistent Volumes section of the Kubernetes documentation.
Perform the following steps to create a PVC:
Create a PVC referencing the
px-csi-dbdefault StorageClass and save the file:kind: PersistentVolumeClaim apiVersion: v1 metadata: name: px-check-pvc spec: storageClassName: px-csi-db accessModes: - ReadWriteOnce resources: requests: storage: 2GiRun the
kubectl applycommand to create a PVC:kubectl apply -f <your-pvc-name>.yamlpersistentvolumeclaim/example-pvc created
Verify your StorageClass and PVC
Enter the
kubectl get storageclasscommand:kubectl get storageclassNAME PROVISIONER RECLAIMPOLICY VOLUMEBINDINGMODE ALLOWVOLUMEEXPANSION AGE px-csi-db pxd.portworx.com Delete Immediate true 43d px-csi-db-cloud-snapshot pxd.portworx.com Delete Immediate true 43d px-csi-db-cloud-snapshot-encrypted pxd.portworx.com Delete Immediate true 43d px-csi-db-encrypted pxd.portworx.com Delete Immediate true 43d px-csi-db-local-snapshot pxd.portworx.com Delete Immediate true 43d px-csi-db-local-snapshot-encrypted pxd.portworx.com Delete Immediate true 43d px-csi-replicated pxd.portworx.com Delete Immediate true 43d px-csi-replicated-encrypted pxd.portworx.com Delete Immediate true 43d px-db kubernetes.io/portworx-volume Delete Immediate true 43d px-db-cloud-snapshot kubernetes.io/portworx-volume Delete Immediate true 43d px-db-cloud-snapshot-encrypted kubernetes.io/portworx-volume Delete Immediate true 43d px-db-encrypted kubernetes.io/portworx-volume Delete Immediate true 43d px-db-local-snapshot kubernetes.io/portworx-volume Delete Immediate true 43d px-db-local-snapshot-encrypted kubernetes.io/portworx-volume Delete Immediate true 43d px-replicated kubernetes.io/portworx-volume Delete Immediate true 43d px-replicated-encrypted kubernetes.io/portworx-volume Delete Immediate true 43d stork-snapshot-sc stork-snapshot Delete Immediate true 43dkubectlreturns details about the StorageClasses available to you. Verify thatpx-csi-dbappears in the list.Enter the
kubectl get pvccommand. If this is the only StorageClass and PVC that you’ve created, you should see only one entry in the output:kubectl get pvc <your-pvc-name>NAME STATUS VOLUME CAPACITY ACCESS MODES STORAGECLASS AGE example-pvc Bound pvc-dce346e8-ff02-4dfb-935c-2377767c8ce0 2Gi RWO example-storageclass 3m7skubectlreturns details about your PVC if it was created correctly. Verify that the configuration details appear as you intended.