OpenShift Virtualization deployment

This guide describes how to deploy an Airlock Gateway VM on OpenShift Virtualization. The deployment process includes the following tasks:

Create a golden disk image for a specific Airlock Gateway release.
Select the VM instance type and preferences.
Create the VM resource template and refine it with networking and Cloud Init configuration.
Create the VM instance.
Verify the deployment.
Create a Service to expose the VM and enable access to the Configuration Center.

Unsupported and experimental features are listed at the end of this guide.

Scope and assumptions

This deployment guide assumes a sound understanding of managing and administering OpenShift Virtualization. It does not cover the following topics:

installing OpenShift Virtualization
general instructions or best practices for running virtual machine workloads

The target OpenShift cluster is assumed to be properly set up and sized to run virtual machine workloads.

Prerequisites

OpenShift version 4.21 or later
oc OpenShift CLI utility
virtctl utility compatible with the OpenShift version
- For more information, see Red Hat documentation for using CLI tools with OpenShift Virtualization.
tar utility, GNU version
gzip utility

Create the golden disk image

Download and prepare the disk image

Virtual machine images are available for all Airlock Gateway releases on the Airlock Gateway download page in Techzone. For OpenShift Virtualization, use the image labeled for the GCP cloud with the file ending .tar.gz.

To prepare the image:

Download the GCP image of the Airlock Gateway version to be deployed, e.g.:
Terminal box
```
airlock_IMG_x64_8.5.1.tar.gz
```
Extract the raw disk image from the archive and compress it again with gzip – e.g., for Airlock Gateway 8.5.1:

Terminal box

tar -xzf airlock_IMG_x64_8.5.1.tar.gz -O | gzip > airlock_IMG_x64_8.5.1.raw.gz

This command writes the prepared image to airlock_IMG_x64_8.5.1.raw.gz.

Create a DataSource for the golden image

Upload the disk image to a PersistentVolumeClaim (PVC) in the target namespace.
The following command creates a PVC named airlock-8-5-1-golden-image in the airlock-ns namespace and uploads the previously prepared image airlock_IMG_x64_8.5.1.raw.gz from the current directory:

Terminal box

virtctl -n airlock-ns image-upload pvc airlock-8-5-1-golden-image --force-bind --size=11Gi --image-path=./airlock_IMG_x64_8.5.1.raw.gz

Verify the PVC:

Terminal box

oc -n airlock-ns get pvc airlock-8-5-1-golden-image

Create a DataSource that references the uploaded image.
The following YAML creates a DataSource based on the previously created PVC in the same namespace:

Terminal box

apiVersion: cdi.kubevirt.io/v1beta1
kind: DataSource
metadata:
  name: airlock8-5-1
  namespace: airlock-ns
spec:
  source:
    pvc:
      name: airlock-8-5-1-golden-image
      namespace: airlock-ns

Select the VM instance type and preferences

To determine the installation profile for the virtual machine, consult Requirements and limitations.
The CPU and memory requirements of the Red Hat standard VM instance cluster types match the Airlock Gateway installation profiles as follows:
Instance type
Airlock Gateway profile
Recommended target disk size
u1.large
Small
80 GiB
u1.2xlarge
Medium
200 GiB
u1.4xlarge
Large
200 GiB
Use the standard Preference linux to create the VM resource template.

Instance type	Airlock Gateway profile	Recommended target disk size
`u1.large`	Small	80 GiB
`u1.2xlarge`	Medium	200 GiB
`u1.4xlarge`	Large	200 GiB

Create and refine the VM resource template

Create the basic VM resource template

Create an initial draft of the VM resource with virtctl:

Terminal box

virtctl -n airlock-ns create vm --instancetype u1.2xlarge --preference linux --name airlock-gateway --volume-import name:airlock-gateway-dv,size:200Gi,type:ds,src:airlock-ns/airlock8-5-1 > airlock-gateway-vm.yaml

This command generates a template and writes it to airlock-gateway-vm.yaml. It does not create the VM or any related OpenShift resources and defines the following configuration:

a VM named airlock-gateway in the airlock-ns namespace
instance type u1.2xlarge, which corresponds to the Medium profile
a DataVolume named airlock-gateway-dv with size:200Gi
a DataVolume source based on the previously prepared DataSource named airlock8-5-1

The generated airlock-gateway-vm.yaml template looks as follows:

Terminal box

apiVersion: kubevirt.io/v1
kind: VirtualMachine
metadata:
  creationTimestamp: null
  name: airlock-gateway
  namespace: airlock-ns
spec:
  dataVolumeTemplates:
  - metadata:
      creationTimestamp: null
      name: airlock-gateway-dv
    spec:
      sourceRef:
        kind: DataSource
        name: airlock8-5-1
        namespace: airlock-ns
      storage:
        resources:
          requests:
            storage: 200Gi
  instancetype:
    name: u1.2xlarge
  preference:
    name: linux
  runStrategy: Always
  template:
    metadata:
      creationTimestamp: null
    spec:
      domain:
        devices: {}
        resources: {}
      terminationGracePeriodSeconds: 180
      volumes:
      - dataVolume:
          name: airlock-gateway-dv
        name: airlock-gateway-dv
status: {}

Before creating the VM, this template must be extended with the required networking and Cloud Init configuration, as described below.

Configure networking

Currently, only single-homed Airlock Gateway setups are supported on OpenShift Virtualization.

Add the following configuration to the generated VM resource template specifying the MAC address for which the Airlock Gateway license was issued:

Terminal box

spec:
  template:
    spec:
      domain:
        devices:
          autoattachPodInterface: false
          interfaces:
          - macAddress: '02:5f:ad:00:00:0c'
            masquerade: {}
            name: default
      networks:
      - name: default
        pod: {}

Configure Cloud Init

Use Cloud Init to configure the virtual machine during the first boot.

Prepare a Cloud Init configuration:

Terminal box

#cloud-config
hostname: airlock-gateway
create_hostname_file: true
fqdn: airlock.example.com
swap:
  size: 24G
  filename: /swap.img
runcmd: []
ssh_authorized_keys:
- <SSH-PUBLIC-KEY1>
- <SSH-PUBLIC-KEY2>

This configuration meets the following requirements:
- It defines the hostname and FQDN for the Airlock Gateway VM.
- It specifies the SWAP size for the selected installation profile, as described in Requirements and limitations.
- It includes the SSH public keys that are allowed to access the Airlock Gateway VM as root.
Add the prepared Cloud Init configuration to the VM resource template:

Terminal box

spec:
  template:
    spec:
      volumes:
      - cloudInitNoCloud:
            userData: |
              #cloud-config
              hostname: airlock-gateway
              create_hostname_file: true
              fqdn: airlock.example.com
              swap:
                size: 24G
                filename: /swap.img
              runcmd: []
              ssh_authorized_keys:
              - <SSH-PUBLIC-KEY1>
              - <SSH-PUBLIC-KEY2>
        name: cloudinitdisk

Create the VM instance

The final VM resource specification should now look similar to the following example:

Terminal box

apiVersion: kubevirt.io/v1
kind: VirtualMachine
metadata:
  creationTimestamp: null
  name: airlock-gateway
  namespace: airlock-ns
spec:
  dataVolumeTemplates:
  - metadata:
      creationTimestamp: null
      name: airlock-gateway-dv
    spec:
      sourceRef:
        kind: DataSource
        name: airlock8-5-1
        namespace: airlock-ns
      storage:
        resources:
          requests:
            storage: 200Gi
  instancetype:
    name: u1.2xlarge
  preference:
    name: linux
  runStrategy: Always
  template:
    metadata:
      creationTimestamp: null
    spec:
      domain:
        devices:
          autoattachPodInterface: false
          interfaces:
          - macAddress: '02:5f:ad:00:00:0c'
            masquerade: {}
            name: default
        resources: {}
      networks:
      - name: default
        pod: {}
      terminationGracePeriodSeconds: 180
      volumes:
      - dataVolume:
          name: airlock-gateway-dv
        name: airlock-gateway-dv
      - cloudInitNoCloud:
            userData: |
              #cloud-config
              hostname: airlock-gateway
              create_hostname_file: true
              fqdn: airlock.example.com
              swap:
                size: 24G
                filename: /swap.img
              runcmd: []
              ssh_authorized_keys:
              - <SSH-PUBLIC-KEY1>
              - <SSH-PUBLIC-KEY2>
        name: cloudinitdisk
status: {}

Create the VM:
Terminal box
```
oc apply -f airlock-gateway-vm.yaml
```
Wait until the DataVolume and VM are ready:

Terminal box

oc wait --for=condition=Ready datavolume/airlock-gateway-dv --timeout=600s
oc wait --for=condition=Ready vm/airlock-gateway --timeout=600s

Verify the deployment

Connect to the virtual machine instance console and monitor the boot process with virtctl:

Terminal box

virtctl console -n airlock-ns airlock-gateway

After the machine has successfully booted, establish an SSH connection with virtctl and one of the configured SSH keys:

Terminal box

virtctl ssh -i /path/to/private/ssh-key -n airlock-ns -l root vm/airlock-gateway

Create a Service to expose the VM

If the VM must be reachable through Kubernetes networking, create a Service to expose the required ports. The virtual machine exposes four ports that can be made available by using a Service:

Port	Purpose
`tcp/8443`	Connections to the Configuration Center
`tcp/22`	SSH access
`tcp/80`	HTTP traffic
`tcp/443`	HTTPS traffic

The corresponding Service definition looks as follows:

Terminal box

apiVersion: v1
kind: Service
metadata:
  name: airlock-svc
  namespace: airlock-ns
spec:
  ports:
    - name: mgmt
      port: 8443
      protocol: TCP
      targetPort: 8443
    - name: ssh
      port: 22
      protocol: TCP
      targetPort: 22
    - name: https
      port: 443
      protocol: TCP
      targetPort: 443
    - name: http
      port: 80
      protocol: TCP
      targetPort: 80
  selector:
    vmi.kubevirt.io/id: airlock-gateway

In production environments, expose the Service by using the LoadBalancer service type or an OpenShift Route.

Restrictions

Unsupported features

The following features are not supported when running Airlock Gateway on OpenShift Virtualization:

running the VM on ARM nodes
active/passive setups that rely on Layer 2 connectivity for failover

Experimental features

The features listed below should work from a technical perspective, but have not been thoroughly tested on OpenShift Virtualization. They are considered experimental. There is no guarantee that a setup using these features can be successfully deployed on OpenShift. Contact the support team if one of these features is required:

multi-homed Airlock Gateway instances
dual-stack networking with IPv4 and IPv6 addresses
active/active deployments