diff --git a/.github/styles/config/vocabularies/Loft/accept.txt b/.github/styles/config/vocabularies/Loft/accept.txt
index 4aa488a9e..79fa44dcd 100644
--- a/.github/styles/config/vocabularies/Loft/accept.txt
+++ b/.github/styles/config/vocabularies/Loft/accept.txt
@@ -1,5 +1,5 @@
-AKS
-admin
+admin
+Alpine
ArgoCD
AWS
[aA]pplication
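Review bot: `AKS` is dropped from the top of the accept list in this hunk (the `-AKS` line) and nothing re-adds it, so if "AKS" still appears anywhere in the docs Vale will now flag it as a spelling error. If the intent was only to fix the ordering of `admin` and add `Alpine`, keep `AKS` in the list.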
@@ -13,10 +13,11 @@ CRD
CronJob
CustomResourceDefinition
DaemonSet
-[eE]mail
[dD]eployment
DevSpace
DNS
+[eE]mail
+FIPS
[Ee][Kk][Ss]
GitOps
GCP
@@ -52,3 +53,4 @@ vCluster
Velero
VolumeAttachment
YAML
+yaml
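Review bot: adding lowercase `yaml` to the accept list stops Vale from flagging `yaml` in running text even though `YAML` is already accepted two lines above. If the goal is to tolerate the lowercase form only in file names and code spans, consider scoping the rule to those contexts instead of whitelisting the word, otherwise the spelling check for the acronym in prose is effectively disabled.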
diff --git a/vcluster/_partials/deploy/fips-config.mdx b/vcluster/_partials/deploy/fips-config.mdx
index 9d43199ef..cce8eacbc 100644
--- a/vcluster/_partials/deploy/fips-config.mdx
+++ b/vcluster/_partials/deploy/fips-config.mdx
@@ -11,18 +11,11 @@ controlPlane:
coredns:
embedded: true
distro:
- k8s: # FIPS support is only available for the k8s distribution
- version: v1.28.14
+ k8s: # FIPS support is only available for the K8s distribution
enabled: true
- apiServer:
- image:
- repository: loft-sh/kubernetes-fips
- controllerManager:
- image:
- repository: loft-sh/kubernetes-fips
- scheduler:
- image:
- repository: loft-sh/kubernetes-fips
+ image:
+ repository: loft-sh/kubernetes-fips
+ tag: v1.28.14
hostPathMapper:
enabled: true
statefulSet:
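Review bot: the per-component `apiServer` / `controllerManager` / `scheduler` overrides are collapsed into a single `image.repository` plus `image.tag` block under `controlPlane.distro.k8s`, but the `vcluster.yaml` example in `fips.mdx` elsewhere in this patch still uses the per-component `controllerManager.image.repository: loft-sh/kubernetes-fips` form. Pick one schema for both files, and confirm that the `distro.k8s.image` setting is applied to all three control-plane components before dropping the explicit overrides here; a reader who copies this partial otherwise has no way to tell whether the scheduler and controller manager still get the FIPS image.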
diff --git a/vcluster/deploy/security/fips.mdx b/vcluster/deploy/security/fips.mdx
index 48ec2165a..56ed9d977 100644
--- a/vcluster/deploy/security/fips.mdx
+++ b/vcluster/deploy/security/fips.mdx
@@ -1,5 +1,5 @@
---
-title: FIPS 140-2 Enablement
+title: FIPS 140-2 enablement
sidebar_label: FIPS 140-2
sidebar_position: 7
sidebar_class_name: pro
@@ -9,32 +9,30 @@ import ProAdmonition from '../../_partials/admonitions/pro-admonition.mdx'
-The National Institute of Standards and Technology (NIST) develops Federal
+The [National Institute of Standards and Technology (NIST)](https://www.nist.gov/federal-information-processing-standards-fips) develops Federal
Information Processing Standards (FIPS) to ensure the security and
interoperability of computer systems used by the U.S. government.
FIPS 140-2 is a U.S. Federal Government security standard used to approve
-cryptographic modules. This document explains how vCluster Pro and all its components
+cryptographic modules. This document explains how vCluster and all its components
are built with FIPS-validated cryptographic libraries.
## Use of FIPS compatible Go toolchain
-vCluster Pro is written in [Go](https://go.dev/), and the FIPS-compliant builds
+vCluster is written in [Go](https://go.dev/), and the FIPS-compliant builds
are compiled using the `GOEXPERIMENT=boringcrypto` environment variable.
This directs the Go compiler to replace the standard Go crypto libraries with the
[FIPS-validated BoringCrypto](https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/4407)
module by Google.
-See GoBoring's [readme](https://go.dev/src/crypto/internal/boring/README) for
-more details.
+For more details, see the GoBoring [README](https://go.dev/src/crypto/internal/boring/README).
NIST validates [Google's BoringCrypto](https://boringssl.googlesource.com/boringssl/+/master/crypto/fipsmodule/FIPS.md)
modules on a wide range of systems.
### FIPS support in vCluster components
-Most of the components used in vCluster are statically compiled with the
-boringcrypto Go compiler. vCluster, from a components perspective, contains
-multiple sub-components it depends on.
+Most components used in vCluster are statically compiled with the BoringCrypto-enabled Go compiler.
+From a component perspective, vCluster includes multiple sub-components it depends on.
The list below contains components built in a FIPS-compliant manner:
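Review bot: replacing "vCluster Pro" with "vCluster" in the intro turns the sentence into a claim that "vCluster and all its components are built with FIPS-validated cryptographic libraries", which the caution further down (no FIPS-compliant builds of CoreDNS or Helm) and the `sidebar_class_name: pro` front matter both contradict. Suggest scoping the claim to the FIPS builds, for example "This document explains how the FIPS-compliant builds of vCluster and its components are compiled with FIPS-validated cryptographic libraries", and keeping a pointer that these builds are an enterprise feature.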
@@ -47,28 +45,28 @@ The list below contains components built in a FIPS-compliant manner:
:::caution
-vCluster Pro currently does not provide FIPS-compliant builds of
+vCluster currently does not provide FIPS-compliant builds of
CoreDNS or Helm. One must use the integrated CoreDNS feature
-of vCluster Pro.
+of vCluster.
:::
-### FIPS vCluster Pro Images
+### FIPS vCluster Images
-The vCluster Pro FIPS-compliant images can be found in our [GitHub Container Registry](https://github.com/loft-sh/vcluster-pro/pkgs/container/vcluster-pro-fips).
+The vCluster FIPS-compliant images can be found in the vCluster [GitHub Container Registry](https://github.com/loft-sh/vcluster-pro/pkgs/container/vcluster-pro-fips).
-## Running vCluster FIPS-compliant
+## Run a FIPS-compliant vCluster
-To run vCluster in a FIPS environment, one has to reconfigure the
+To run vCluster in a FIPS environment, you must reconfigure the
repositories used to reference the FIPS images and enable CoreDNS.
The following is an example of a `vcluster.yaml` file that one can use to create
-a FIPS-compliant vCluster Pro instance.
+a FIPS-compliant vCluster instance:
```yaml
controlPlane:
advanced:
defaultImageRegistry: ghcr.io
- # uncomment to use virtual scheduler within vCluster
+ # Uncomment to use virtual scheduler within vCluster
# virtualScheduler:
# enabled: true
statefulSet:
@@ -82,7 +80,7 @@ controlPlane:
controllerManager:
image:
repository: loft-sh/kubernetes-fips
- # uncomment to use FIPS compliant virtual scheduler within vCluster
+ # Uncomment to use FIPS compliant virtual scheduler within vCluster
# scheduler:
# image:
# repository: loft-sh/kubernetes-fips
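Review bot: this example still sets `repository: loft-sh/kubernetes-fips` per component (`controllerManager.image`, and the commented-out `scheduler.image`), while the `fips-config.mdx` partial in the same patch moves to a single `controlPlane.distro.k8s.image` block. If the single-block form is the supported one for this release, update this example to match so that the two FIPS pages do not show two different schemas for the same setting; if both forms are accepted, say so in the prose.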
@@ -92,28 +90,29 @@ controlPlane:
etcd:
embedded:
enabled: true # The use of embedded etcd is recommended, yet optional
-# uncomment to use virtual scheduler within vCluster
+# Uncomment to use virtual scheduler within vCluster
# sync:
# fromHost:
# nodes:
# enabled: true
```
-And run:
+To create the FIPS-compliant vCluster instance, run:
```bash
vcluster create my-fips-vcluster -f vcluster.yaml
```
:::info
-If you wish to configure a different Kubernetes version in your virtual cluster
-than the current host cluster version, you can do so by setting the `controlPlane.distro.k8s.version`.
+
+To use a different Kubernetes version in your virtual cluster than the host cluster, set the `controlPlane.distro.k8s.version` field in your configuration:
```yaml
controlPlane:
distro:
k8s:
- version: v1.31.1 # or v1.28.14
+ image:
+ tag: v1.31.1 # or v1.28.14
```
:::
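Review bot: the info text added in this hunk still tells the reader to "set the `controlPlane.distro.k8s.version` field", but the YAML immediately below replaces `version:` with `image:` / `tag: v1.31.1`. Change the prose to `controlPlane.distro.k8s.image.tag` so the field name matches the example; as written, a reader following the sentence rather than the snippet will set a key this change is removing.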
diff --git a/vcluster/deploy/topologies/air-gapped.mdx b/vcluster/deploy/topologies/air-gapped.mdx
index 76b51f064..11b46042e 100644
--- a/vcluster/deploy/topologies/air-gapped.mdx
+++ b/vcluster/deploy/topologies/air-gapped.mdx
@@ -1,8 +1,8 @@
---
-title: vCluster Pro air-gapped install
+title: Deploy vCluster in an air-gapped environment
sidebar_label: Air-gapped
sidebar_position: 5
-description: Learn how to install vCluster Pro in an air-gapped Kubernetes cluster without the vCluster Platform agent.
+description: Learn how to deploy vCluster in an air-gapped Kubernetes cluster.
sidebar_class_name: pro
---
@@ -16,241 +16,235 @@ import FipsConfig from '../../_partials/deploy/fips-config.mdx';
import LicenseKey from '../../_partials/deploy/license_key.mdx';
import ProAdmonition from '../../_partials/admonitions/pro-admonition.mdx';
-# vCluster Pro air-gapped install
+
+# Deploy vCluster in an air-gapped environment
-This document details the prerequisites and steps to install vCluster Pro into
-an `air-gapped` Kubernetes cluster without the platform agent running on the host
-cluster.
+This document explains how to deploy vCluster in environments without internet access, known as air-gapped environments.
## Prerequisites
-
- - `docker` (check with `docker version`)
- - An offline license key for vCluster Pro (provided by Loft)
+- OCI-compliant private registry with a `/charts` folder - A private registry accessible to both the Kubernetes host cluster and a separate, internet-connected machine.
+- An offline license key for vCluster - A LoftLabs license key is required to enable enterprise features.
:::info
:::
-- Optionally: private docker registry that the installer computer and the
-air-gapped Kubernetes cluster can access (e.g. x-private-registry:5000 or
-gcr.io/x-team)
-
- Example Local Registry Setup
-
- ### Local Docker Registry Configuration
-
- It is easy to setup a private Docker registry for testing purposes using KIND
- cluster. The
- following steps show how to set up a Docker registry locally:
-
- **Basic Setup**:
-Execute the [setup script](https://kind.sigs.k8s.io/docs/user/local-registry/) from the KIND webpage:
-
- **Verify & Use**:
- ```bash
- # Verify registry
- curl http://localhost:5001/v2/_catalog
- ```
-
+## Overview {#overview}
-### Download vCluster Helm chart
+When deploying vCluster, there are artifacts that are typically accessed using an internet connection, but without access to internet, these artifacts need to be available to the Kubernetes cluster through a private registry:
-Download the `vCluster` Helm chart from the Loft Helm repository.
+- **vCluster Helm chart** – Typically retrieved from the LoftLabs Helm chart repository.
+- **Container images referenced in the Helm chart** – Usually pulled from various public container registries.
-:::tip
-To retrieve all available versions of the vCluster Helm chart, run the following command:
-
-```bash title="Show latest 10 vCluster chart versions"
-helm repo update
-helm search repo loft/vcluster --versions | grep "^loft/vcluster" | head
-```
-:::
-
-```bash title="Download vCluster Helm chart"
-export CHART_VERSION="0.21.1" # Replace with the desired version
-curl -O https://charts.loft.sh/charts/vcluster-"${CHART_VERSION}".tgz
-```
-
-:::info
-The `vCluster` Helm chart is a tarball that contains all the necessary images
-to deploy the vCluster control plane.
-:::
-
-### Download and push required container images
-
-For clusters unable to pull images from Docker Hub, you need to push the
-platform images to your private registry. Each vCluster release includes a
-`images.txt` file that lists the necessary images.
+After populating your private registry with the artifacts, you'll create the configuration file (`vcluster.yaml`) of your vCluster. Finally, you'll prep your host cluster to deploy your vCluster.
:::warning
When using virtual clusters in air-gapped environments, the
`config.experimental.deploy.vcluster.helm` [configuration setting](/docs/vcluster/configure/vcluster-yaml/#experimental-deploy-vcluster) does not work with external Helm repositories since they cannot be accessed. This means custom Helm charts from repositories like `charts.bitnami.com` cannot be used for virtual cluster deployments.
:::
-Follow these instructions to download all vCluster images and import them to your private registry:
-
-
+## Populate images to a private registry {#populate-images-private-registry}
-Set environment variables for the setup process:
+Each vCluster release includes multiple assets to help you upload the images to your private registry.
- ```bash title="Export environment variables"
- export VCLUSTER_SERVICE="vcluster"
- export VCLUSTER_NAMESPACE="vcluster"
- export REGISTRY=ecr.io/myteam # This should be a prefix; do not include any LOFT_IMAGE paths
- ```
-
-
+- `images.txt` - The required images to run vCluster, which assumes using the default Kubernetes version.
+- `images-optional.txt` - An optional set of images to run vCluster using a different Kubernetes version.
+- `download-images.sh` - A bash script that quickly iterates over all the images files to pull them and package them into a tarball to a machine that has internet access.
+- `push-images.sh` - A bash script that takes the tarball generated from the download script to push them to your private registry.
- Retrieve the vCluster version and set the `VERSION` variable:
- ```bash title="Retrieve and set VERSION"
- CHART=$(kubectl get service "${VCLUSTER_SERVICE}" -n "${VCLUSTER_NAMESPACE}" -o jsonpath={.metadata.labels.chart})
- export VERSION=${CHART#vcluster-} # Remove 'vcluster-' prefix
- ```
-
-
- Set the `VERSION` variable to the latest vCluster version you want to install:
+### Prerequisites
+- Access to the internet
+- Ability to push to your OCI-compliant private registry
+- Logged in to GitHub Container Registry
+- `wget` installed
+- `docker` installed
- ```bash title="Set VERSION variable for fresh installation"
- export VERSION= # e.g., "0.21.1"
- ```
+### Pull and push images {#pull-push-images}
-
+
+
+
+ Set environment variables for the version of vCluster that you want to deploy and the private registry.
+
+ ```bash title="Export environment variables"
+ export VCLUSTER_VERSION=0.25.0 # Replace with the desired version
+ export REGISTRY=ecr.io/myteam # This should be a prefix; do not include any image paths
+ ```
+
+
-
-
+ Download the assets from the vCluster GitHub release and make the scripts executable.
+
+ :::note
+ The `images.txt` contains all distributions for the default Kubernetes version. You can edit the
+ file and remove the images for unused distributions.
+ :::
+
+ ```bash title="Download assets and prepare scripts"
+ wget https://github.com/loft-sh/vcluster/releases/download/v"${VCLUSTER_VERSION}"/images.txt
+ wget https://github.com/loft-sh/vcluster/releases/download/v"${VCLUSTER_VERSION}"/download-images.sh
+ wget https://github.com/loft-sh/vcluster/releases/download/v"${VCLUSTER_VERSION}"/push-images.sh
+
+ chmod +x ./download-images.sh
+ chmod +x ./push-images.sh
+ ```
+
+
-Download the `images.txt` file and the required scripts
-`download-images.sh` and `push-images.sh`, then make them executable.
+ Run `download-images.sh` to pull all images and create a tarball of the images.
+
+ ```bash title="Download and package images"
+ ./download-images.sh --image-list images.txt
+ ```
+
+ :::tip
+ Review the output to confirm all images were pulled successfully and packaged in the tarball.
+ :::
-:::tip
-Note that the
-`images.txt` contains all the distros and versions. You can edit the
-file and remove images you do not need.
-Each release also has a corresponding `vcluster-images-k8s-[version].txt` file,
-use it to download k8s distro images for the desired version.
-:::
+
+
-```bash title="Download and prepare scripts"
-wget https://github.com/loft-sh/vcluster/releases/download/v"${VERSION}"/images.txt
-wget https://github.com/loft-sh/vcluster/releases/download/v"${VERSION}"/download-images.sh
-wget https://github.com/loft-sh/vcluster/releases/download/v"${VERSION}"/push-images.sh
+ Run `push-images.sh` to upload all required images to your private registry.
+
+ ```bash title="Push images to private registry"
+
+ ./push-images.sh --registry ${REGISTRY}
+ ```
-chmod +x ./download-images.sh
-chmod +x ./push-images.sh
-```
+ :::note
+ When pushing images into your private registry, the public private registry is removed and only the repository and image name are pushed. This allows vCluster to set your private registry to use for all images used in deploying vCluster.
+ :::
+ **Optional**: If you want to deploy vCluster with a different Kubernetes version, download the `images-optional.txt` file. It contains additional container images required for that version, which you'll need to pull and push to your private registry.
+
+ :::note
+ The `images-optional.txt` contains multiple Kubernetes distributions and versions. You can edit the file and remove the images for the unused distributions and versions.
+ :::
-Run `download-images.sh` to download all images locally:
+ ```bash title "Pull, package, and push all optional images"
+ wget https://github.com/loft-sh/vcluster/releases/download/v${VCLUSTER_VERSION}/images-optional.txt
+
+ ./download-images.sh --image-list images-optional.txt --images vcluster-images-optional.tar.gz
+ ./push-images.sh --registry ${REGISTRY} --images vcluster-images-optional.tar.gz
+ ```
+
+
+
-```bash title="Download images"
-./download-images.sh --image-list images.txt
-```
+## Populate the vCluster Helm chart to a private registry {#populate-vCluster-Helm-chart-private-registry}
-:::tip
-This creates a tarball with all the images and push them to your private registry.
-:::
+You need to push the vCluster Helm chart to your OCI-compliant private registry.
-
+### Prerequisites
+
+- Access to the internet
+- Ability to push to your OCI-compliant private registry
+- `helm` installed: Helm v3.10+
+
+### Pull and push the vCluster Helm chart {#download-push-vCluster-Helm-chart}
+
+
-Run `push-images.sh` to push all downloaded images to your private registry:
+ **Optional**: If you haven’t already set the environment variables, set them now before continuing.
-```bash title="Push images to private registry"
-./push-images.sh --registry ${REGISTRY}
-```
+ ```bash title="Export environment variables"
+ export VCLUSTER_VERSION=0.25.0 # Replace with the desired version
+ export REGISTRY=ecr.io/myteam # A charts folder is expected
+ ```
-:::info
-vCluster prepends the image registry to all images used by vCluster, such as syncer and Kubernetes. For example, `registry.k8s.io/kube-apiserver:v1.30.2` becomes `my-private-registry:5000/vcluster/kube-apiserver:v1.30.2`.
+ :::note
+The private registry assumes having a `/charts` folder, which is where to push all the Helm charts.
:::
-
+
+
+Pull the vCluster Helm chart and push it into your private registry with the OCI protocol.
+ ```bash title="Pull and push the Helm chart to your private registry"
+ helm pull vcluster --repo https://charts.loft.sh --version ${VCLUSTER_VERSION}
+ helm push vcluster-${VCLUSTER_VERSION}.tgz oci://${REGISTRY}/charts
+ ```
+
-## Configure vCluster for air-gapped install
-The `vcluster.yaml` file holds your vCluster configuration and allows overriding the vCluster Helm chart default values.
+
-Edit your existing `vcluster.yaml` file or create a new one with the following content:
+## Configure vCluster {#configure-vCluster}
-:::tip
-To retrieve supported Kubernetes versions:
+The `vcluster.yaml` file contains all configuration settings for your vCluster deployment.
-```bash title="Show supported Kubernetes versions"
-curl http://"${REGISTRY}"/v2/kube-controller-manager/tags/list
-```
+### Use a private registry without credentials
-```bash title="create vcluster.yaml configuration"
-export KUBERNETES_VERSION="v1.31.1" # Replace with the desired version
-cat < vcluster.yaml
+Set the default private registry in the `vcluster.yaml` file.
+
+```yaml title="Setting the private registry"
controlPlane:
advanced:
- defaultImageRegistry: ${REGISTRY}
- distro:
- k8s:
- version: ${KUBERNETES_VERSION}
-EOF
+ defaultImageRegistry: ecr.io/myteam # Replace with your private registry
```
-:::info Example of a fully formed registry path
-If your `REGISTRY` is set to `ecr.io/myteam`, a fully formed registry path might look like:
-`ecr.io/myteam/ghcr.io/loft-sh/vcluster:0.21.0`
-:::
+### Use an authenticated private registry {#use-authenticated-private-registry}
+For registries that require authentication, create a Kubernetes secret in the namespace where you deploy the vCluster.
+Assign the secret as an image pull secret for the vCluster control plane to access required images.
-:::info Note on alpine image replacement
-The `alpine` image may be replaced with any similar image with the following `vcluster.yaml` configuration:
+Optionally, you can use the same image pull secret for workloads inside the vCluster that pull from the same registry.
-```yaml title="vcluster.yaml configuration for custom image"
-sync:
- toHost:
- pods:
- rewriteHosts:
- initContainer:
- image: your-registry/your-image:1.0.0
+```yaml title="Image pull secrets configuration"
+controlPlane:
+ advanced:
+ defaultImageRegistry: ecr.io/myteam # Replace with your private image registry
+ serviceAccount:
+ imagePullSecrets: # Uses credentials for the vCluster control plane
+ - name: registry-credentials-secret-name # Replace with the name of the secret deployed on the host cluster of where the vCluster is deployed
+ workloadServiceAccount: # Uses credentials for any workloads created in the vCluster
+ imagePullSecrets:
+ - name: registry-credentials-secret-name # Replace with the name of the secret deployed on the host cluster of where your vCluster is deployed
```
-The image that is used to replace the default image must be able to run the following command:
+### Use a non-default Kubernetes version
-```yaml
-Command: []string{"sh"},
-Args: []string{"-c", "sed -E -e 's/^(\\d+.\\d+.\\d+.\\d+\\s+)" + fromHost + "$/\\1 " + toHostnameFQDN + " " + toHostname + "/' /etc/hosts > /hosts/hosts"}
-```
-:::
+If you downloaded `images-optional.txt` to use a different Kubernetes version, configure vCluster to use that version in your deployment.
-## Optionally create image pull secret
+```yaml title="Specific Kubernetes version configuration"
+controlPlane:
+ distro:
+ k8s:
+ image:
+ tag: v1.31.1 # Replace with the Kubernetes version that you have chosen
+```
- The `imagePullSecrets` setting defines extra image pull secrets for the vCluster control plane `ServiceAccount`.
+### Replace the alpine image {#replace-Alpine-image}
-:::info
-This configuration is only necessary if your registry requires
-authentication.
-:::
+If you use the `sync.toHost.pods.rewriteHosts` feature, manually replace the full path of the [alpine image](https://hub.docker.com/_/alpine) with your private registry path.
+The `defaultImageRegistry` setting does not apply to this image.
-```yaml title="Image Pull Secrets configuration"
-controlPlane:
- advanced:
- serviceAccount:
- imagePullSecrets:
- - name-of-your-image-pull-secret
+```yaml title="Replace the alpine image"
+sync:
+ toHost:
+ pods:
+ rewriteHosts:
+ initContainer:
+ image: your-registry/library/alpine:3.20
```
-## Configure API key
+### Reference the license key {#reference-license-key}
-The `apiKey` provides a way to deploy vCluster with Pro features without the platform agent installed on the host cluster.
+The `apiKey` is required to reference the license key to enable enterprise features in vCluster.
:::note
-Although the config appears similar to when using the platform, the `apiKey` secret's actual value is your air-gapped license key.
+Although the config appears similar to when connecting a virtual cluster to the platform, the `apiKey` secret's actual value is your air-gapped license key.
:::
-```bash title="API Key configuration"
-cat < platform-api-key.yaml
+```bash title="API key configuration to activate enterprise features"
external:
platform:
apiKey:
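Review bot: the fence on the optional-images block reads ```` ```bash title "Pull, package, and push all optional images" ```` and is missing the `=` after `title`, so the title will not be parsed the way the other blocks' ```` ```bash title="..." ```` fences are. Three smaller points in the same hunk: the note under the push step says "the public private registry is removed", which should read "the public registry"; the license block under "Reference the license key" keeps a ```` ```bash ```` fence although, with the `cat` heredoc removed, its content is now plain YAML (`external:` / `platform:` / `apiKey:`) and should be fenced as `yaml`; and the removed sentence stating that the image replacing `alpine` must be able to run `sh` with `sed -E` against `/etc/hosts` was the only place that requirement was documented, so a reader substituting a minimal image under `sync.toHost.pods.rewriteHosts.initContainer.image` no longer learns what the image has to provide. Consider keeping a one-line version of that requirement next to the new "Replace the alpine image" snippet.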
@@ -265,101 +259,145 @@ external:
# Default enabled to create the necessary RBAC roles
# and role bindings in order to find the secret
createRBAC: true
-EOF
```
-## Deploy vCluster Pro
+## Deploy vCluster {#deploy-vcluster}
+
+### Prerequisites
+
+- The host cluster must have access to pull images from the private registry.
+
+
+### Set up the host cluster and deploy
-License Setup
+ On the host cluster, create the namespace for the vCluster, where the secrets and vCluster control plane pod are to be deployed.
-Create a Kubernetes `Secret` from the License Key provided by Loft in the `Namespace` where you are installing the air-gapped vCluster instance:
-
-:::tip
-License secret is already `base64` encoded.
-:::
+ ```bash title="Create vCluster namespace"
+ export VCLUSTER_NAMESPACE=vcluster-my-vcluster
+ kubectl create namespace ${VCLUSTER_NAMESPACE}
+ ```
-```bash title="Create Kubernetes Secret"
-#!/bin/bash
-
-# Set the license key as an environment variable (already base64 encoded)
-export VCLUSTER_LICENSE_KEY="YOUR_BASE64_ENCODED_LICENSE_KEY_HERE"
-
-# Optionally create the namespace
-kubectl create namespace vcluster-ns
-
-# Create secret
-kubectl create -f - <
+
+ Create the secret to validate the license.
+
+ Create a Kubernetes secret using the LoftLabs license key in the namespace where you deploy the vCluster.
+
+ :::note
+ The license secret is already base64-encoded.
+ :::
+
+ ```bash title="Create a Kubernetes secret for license Key"
+ # Set the license key as an environment variable (already base64 encoded)
+ export VCLUSTER_LICENSE_KEY="YOUR_BASE64_ENCODED_LICENSE_KEY_HERE"
+
+ # Create secret
+ kubectl create -f - <
-Configuration File
+ **Optional**: Create a secret to authenticate to your private registry.
+
+ If your private registry requires authentication, create a Kubernetes secret that stores your login credentials.
+ Place this secret in the same namespace where the vCluster is deployed so the control plane can pull the required container images.
+
+ ```bash title="Create Kubernetes secret for login credentials"
+ kubectl create -f - <
-Create a `vcluster.yaml` file (Helm chart values file) based on the configuration examples from above:
+
+ Review your `vcluster.yaml` file.
+
+ ```yaml title="vcluster.yaml configuration"
+ controlPlane:
+ advanced:
+ defaultImageRegistry: ecr.io/myteam # Replace with your private image registry
+ serviceAccount:
+ imagePullSecrets:
+ - name: registry-credentials-secret-name # Replace with the name of the registry credentials secret
+ workloadServiceAccount:
+ imagePullSecrets:
+ - name: registry-credentials-secret-name # Replace with the name of the registry credentials secret
+
+ external:
+ platform:
+ apiKey:
+ secretName: vcluster-platform-license-key
+ ```
-```yaml title="vcluster.yaml configuration"
-controlPlane:
- advanced:
- defaultImageRegistry: my-private-registry:5000/vcluster/
- serviceAccount:
- imagePullSecrets:
- - name-of-your-image-pull-secret
- backingStore:
- etcd:
- embedded:
- enabled: true
- coredns:
- embedded: true
+
+
+ Pull the vCluster Helm chart from the private registry.
+
+ ```bash title="Pull the Helm chart"
+ export VCLUSTER_VERSION=0.25.0 # Replace with the chart version that was pushed into your private registry
+ export REGISTRY=myecr.io/team # Replace with the private registry
+
+ ## Log in to the Helm registry if you haven't
+ helm registry login ${REGISTRY} \
+ --username myuser \
+ --password mypassword
+
+ helm pull oci://${REGISTRY}/charts/vcluster:${VCLUSTER_VERSION}
+ ```
+
+
-external:
- platform:
- apiKey:
- secretName: vcluster-platform-api-key
-```
+ Deploy vCluster into the namespace where you deployed the secrets.
-
+ ```bash title="Deploy vCluster with Helm"
+ export VCLUSTER_NAME="my-vcluster" # Replace with what you want to name your vCluster
+
+ helm upgrade --install "${VCLUSTER_NAME}" oci://${REGISTRY}/charts/vcluster:${VCLUSTER_VERSION} \
+ --version ${VCLUSTER_VERSION} \
+ --values vcluster.yaml \
+ --namespace ${VCLUSTER_NAMESPACE} \
+ ```
-
-Install vCluster Pro
+
+
-Use Helm to install the vCluster Pro instance into the `namespace` where you installed the license `secret`:
+## Air-gapped vCluster with FIPS images {#air-gapped-vCluster-FIPS-images}
-```bash title="Install vCluster Pro with Helm"
-export VCLUSTER_PRO_NAME="vcluster-pro"
-export VCLUSTER_PRO_NAMESPACE="vcluster-ns"
-helm upgrade --install "${VCLUSTER_PRO_NAME}" vcluster-${VERSION}.tgz \
- --version ${VERSION} \
- --values vcluster.yaml \
- --namespace ${VCLUSTER_PRO_NAMESPACE} \
-```
+To run vCluster in a FIPS-compliant environment, you must push FIPS-compliant images to your private registry.
-
+Push the following images, using the appropriate Kubernetes version as the tag.
+Tags are listed in the `images.txt` and `images-optional.txt` files.
-
-## Air-gapped vCluster Pro with FIPS images
+- `ghcr.io/loft-sh/vcluster-pro-fips`
+- `ghcr.io/loft-sh/kubernetes-fips`
-To run vCluster in a FIPS compliant environment, the `vcluster.yaml` needs to be configured to use the Loft GitHub Container Registry with the FIPS compliant images for the syncer (vCluster control plane `StatefulSet`) and the Kubernetes distro images and configured to use the vCluster Pro embedded CoreDNS.
-:::info
-Refer to the [FIPS configuration guide](/vcluster/deploy/security/fips) for more details.
+:::note
+The steps for [pulling, tagging, and pushing these images](#pull-push-images) are the same as for standard images. The only difference is that you reference the FIPS-compliant images instead.
:::
-The following is an example `vcluster.yaml` configuration of air-gapped vCluster Pro with FIPS compliant images and assumes you have created a `Secret` named `vcluster-platform-api-key` with the air-gapped license key provided by Loft in the same `Namespace` where you are deploying the vCluster instance
+For more details on FIPS, refer to the [FIPS configuration guide](/vcluster/deploy/security/fips).
+
+The following is an example `vcluster.yaml` configuration with the FIPS compliant images.
FIPS configuration
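Review bot: the last line of the Helm deploy command, `--namespace ${VCLUSTER_NAMESPACE} \`, ends with a line-continuation backslash directly before the closing fence, so a pasted command leaves the shell waiting for more input (the removed block had the same dangling `\`). Drop the trailing backslash. Two more points in this hunk: the registry login example passes `--password mypassword` on the command line, which ends up in shell history and process listings; `helm registry login` supports `--password-stdin`, which is the form worth showing in docs. And the `REGISTRY` value in the pull step is `myecr.io/team`, while the `vcluster.yaml` shown two steps earlier and the rest of the page use `ecr.io/myteam`; use one value throughout so the chart reference and `defaultImageRegistry` in the example actually point at the same registry. Finally, the `helm pull oci://...` step downloads the chart, but the following `helm upgrade --install` installs from the OCI reference directly, so either install from the pulled tarball or drop the pull step.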