Offline Pipelines for Airgapped Environments
Offline Pipelines are a solution for computer networks physically isolated from the Internet.
The pipelines require all artifacts, such as release files, Docker images and scripts, to be provided from within the airgapped environment. To make that possible, the artifacts first have to be downloaded and packaged on an Internet-connected network.
The offline pipelines implementation relies on Concourse's s3-resource to retrieve the required artifacts from an S3-compatible blobstore. Many S3-compatible blobstores can run inside an airgapped environment, for example Minio and Dell EMC Elastic Cloud Storage.
The current implementation of these pipelines applies to airgapped environments whose internal S3 repository is bootstrapped by moving tar files that were previously packaged in a separate Internet-connected environment. It also assumes one Concourse server in each environment to run the corresponding pipeline.
As illustrated in the diagram below, two pipelines are provided to help bootstrap the offline environment, create-offline-pinned-pipelines and unpack-pcf-pipelines-combined. Together they facilitate the physical transfer of artifacts into the airgapped environment.
Pipelines execution flow
- Download artifacts from external sources, then sign, package and upload them to the online S3 repository
- Move the packaged artifacts to the disconnected environment's S3 repository (manually or automated)
- Unpack the artifacts, check their signature and set up offline pcf-pipelines with the new artifacts
- pcf-pipelines are triggered by the appearance of new artifacts in the airgapped S3 repository
- PCF is deployed by pcf-pipelines in the disconnected environment
create-offline-pinned-pipelines is used to:
- Pull all required resources (images, products and pipelines) from their locations on the Internet and package them,
- Pin pcf-pipelines so that they consume the resources from the S3-compatible blobstore instead of the Internet,
- Create an encrypted tarball containing all resources, together with a shasum manifest for each resource,
- Put the tarball at a location within S3 storage from which it can be transferred to the airgapped environment.
unpack-pcf-pipelines-combined is used to:
- Download, decrypt, and extract the GPG-encrypted tarball into its components after it has been transferred to the pcf-pipelines-combined/ path in the S3-compatible store,
- Verify the shasum manifest against the tarball contents,
- Put the tarball parts into their appropriate locations within the airgapped S3 storage for use by the pipelines.
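The package-and-verify steps that the two pipelines perform, reduced to shell functions so the checks can be exercised locally. This is an added illustration and not code from the pcf-pipelines project; the GPG key identities, the expected signer fingerprint, the bundle layout (resource.tar plus manifest.sha256 inside one tar that is signed and encrypted in a single gpg pass) and the staging directory are all assumptions made for the example.

```shell
#!/usr/bin/env bash
# Added illustration, not pcf-pipelines code: the integrity steps of the
# create-offline-pinned-pipelines / unpack-pcf-pipelines-combined flow as
# shell functions. Key ids, the pinned fingerprint and the bundle layout are
# assumptions chosen for the example.
set -euo pipefail

# Online side: write a sha256 manifest ("hash  ./relative/path", one line per
# file) for every file under $1 into $2. The manifest lives outside $1 so it
# never lists itself.
write_manifest() {
  local dir="$1" manifest="$2"
  ( cd "$dir" && find . -type f -exec sha256sum {} + | LC_ALL=C sort -k2 ) > "$manifest"
}

# Airgapped side: recompute every hash listed in $2 against the files under $1.
# sha256sum -c exits non-zero on any mismatch or missing file. An empty manifest
# would "verify" trivially, so it is rejected explicitly.
verify_manifest() {
  local dir="$1" manifest="$2"
  [ -s "$manifest" ] || { echo "empty manifest: $manifest" >&2; return 1; }
  ( cd "$dir" && sha256sum -c --quiet - ) < "$manifest"
}

# Online side: sign with our key and encrypt to the airgapped recipient in one
# pass, so the artifact that crosses the boundary is both confidential and
# attributable. $1 tarball, $2 signer key id, $3 recipient key id, $4 output.
encrypt_and_sign() {
  local tarball="$1" signer="$2" recipient="$3" out="$4"
  gpg --batch --yes --local-user "$signer" --recipient "$recipient" \
      --sign --encrypt --output "$out" "$tarball"
}

# Airgapped side: decrypt AND require a VALIDSIG status line carrying the
# expected fingerprint. Successful decryption proves nothing about origin,
# because anyone holding the recipient's public key can encrypt to it; the
# signature check is what keeps a substituted tarball from being unpacked.
# $1 input, $2 expected signer fingerprint (40 hex chars, no spaces), $3 output.
decrypt_and_verify() {
  local in="$1" expected_fpr="$2" out="$3"
  local status
  status=$(gpg --batch --yes --status-fd 1 --output "$out" --decrypt "$in" 2>/dev/null) || {
    rm -f "$out"; echo "gpg failed for $in" >&2; return 1; }
  if ! printf '%s\n' "$status" | grep -q "^\[GNUPG:\] VALIDSIG $expected_fpr "; then
    rm -f "$out"; echo "no valid signature from $expected_fpr on $in" >&2; return 1
  fi
}

# Online side, end to end for one resource directory $1: manifest, tar, then
# bundle data and manifest together so one signature covers both.
package_resource() {
  local src="$1" work="$2" signer="$3" recipient="$4"
  mkdir -p "$work"
  write_manifest "$src" "$work/manifest.sha256"
  tar -C "$src" -cf "$work/resource.tar" .
  tar -C "$work" -cf "$work/bundle.tar" resource.tar manifest.sha256
  encrypt_and_sign "$work/bundle.tar" "$signer" "$recipient" "$work/bundle.tar.gpg"
}

# Airgapped side, end to end and fail-closed: nothing reaches the S3-bound
# staging directory $4 until the signature and then the manifest have passed.
unpack_resource() {
  local bundle="$1" expected_fpr="$2" work="$3" staging="$4"
  mkdir -p "$work/extract" "$staging"
  decrypt_and_verify "$bundle" "$expected_fpr" "$work/bundle.tar"
  tar -C "$work" -xf "$work/bundle.tar"
  tar -C "$work/extract" -xf "$work/resource.tar"
  verify_manifest "$work/extract" "$work/manifest.sha256"
  cp -R "$work/extract/." "$staging/"
}
```

The manifest functions run anywhere with coreutils; the GPG functions need a signing key on the online side and its public key imported (and its fingerprint pinned in the unpack configuration) on the airgapped side. Order matters in unpack_resource: the manifest is consulted only after the signature over the bundle that contains it has been accepted, otherwise an attacker who can replace the tarball could replace the manifest with it.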
From this point on, the pcf-pipelines folder in the configured S3 bucket in the airgapped environment contains the pcf-pipelines tarball, which can then be used to set a pipeline on an airgapped Concourse in the same fashion as a standard
Prerequisites
- The online environment must have access to Docker Hub and Pivnet
- Concourse 3.3.3+ in both the online and the airgapped environment
For unpack-pcf-pipelines-combined to work, there must first be a single manual transfer of the czero-cflinuxfs2 tarball into the czero-cflinuxfs2 folder within the airgapped environment's S3 storage. Because that tarball crosses the boundary before any pipeline exists in the airgapped environment to verify it, check its shasum against the value recorded in the online environment before uploading it. Only after that is done can the unpack-pcf-pipelines-combined pipeline be set and unpaused.