Install MSR on MKE 4k
This guide describes how to deploy Mirantis Secure Registry (MSR) on Mirantis Kubernetes Engine (MKE) 4k using Envoy Gateway and the Kubernetes Gateway API.
Prerequisites
Ensure that the following components are installed and configured before deploying MSR:
Prepare the Envoy Gateway Infrastructure
Envoy Gateway requires a Gateway resource and a TLS certificate to terminate HTTPS traffic. If you are performing a proof-of-concept (PoC) or internal testing, you can generate a temporary self-signed certificate using these steps.
Note: Enterprise deployments
For enterprise deployments, create the secret using a certificate signed by your organization's Trusted Certificate Authority (CA) or a public CA. Ensure the certificate includes the Fully Qualified Domain Name (FQDN) of your MSR instance in the Subject Alternative Name (SAN) field.
1. Create a namespace:

```shell
kubectl create namespace msr4
```

2. Create a Kubernetes TLS secret for the Envoy Gateway HTTPS listener to terminate TLS at the edge. The self-signed certificate carries the MSR hostname in the SAN field as well as the CN, because current browsers and container clients ignore a CN-only certificate:

```shell
openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
  -keyout msr.key -out msr.crt -subj "/CN=msr.example.com" \
  -addext "subjectAltName=DNS:msr.example.com"
kubectl create secret tls msr-tls-cert -n <MSR4 namespace> --cert=msr.crt --key=msr.key
```
Configure the Envoy Gateway
Configure how Envoy Gateway is exposed externally.
1. Apply an EnvoyProxy resource (NodePort strategy) to create a NodePort service for Envoy Gateway. Port 33002 is used in the following example; you may substitute any available port within your allowed NodePort range:

```shell
kubectl apply -n <MSR4 namespace> -f - <<EOF
apiVersion: gateway.envoyproxy.io/v1alpha1
kind: EnvoyProxy
metadata:
  name: msr-envoy-proxy
  namespace: <MSR4 namespace>
spec:
  provider:
    type: Kubernetes
    kubernetes:
      envoyService:
        type: NodePort
        patch:
          type: StrategicMerge
          value:
            spec:
              externalTrafficPolicy: Cluster
              ports:
              - name: https-443
                nodePort: 33002
                port: 443
                protocol: TCP
                targetPort: 10443
EOF
```

2. Apply the Gateway to trigger the deployment of the actual Envoy proxy pods. The `certificateRefs` entry names the TLS secret created earlier, and `allowedRoutes` restricts the listener to routes from the MSR namespace:

```shell
kubectl apply -n <MSR4 namespace> -f - <<EOF
apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
  name: msr-gateway
  namespace: <MSR4 namespace>
spec:
  gatewayClassName: mke-gateway-ingress
  infrastructure:
    parametersRef:
      group: gateway.envoyproxy.io
      kind: EnvoyProxy
      name: msr-envoy-proxy
  listeners:
  - name: https
    protocol: HTTPS
    port: 443
    tls:
      mode: Terminate
      certificateRefs:
      - name: msr-tls-cert
        namespace: <MSR4 namespace>
    allowedRoutes:
      namespaces:
        from: Selector
        selector:
          matchLabels:
            kubernetes.io/metadata.name: msr4
EOF
```
Deploy MSR with Gateway API
Configure the MSR Helm chart to use the route exposure type so that MSR is
exposed through the Gateway API.
1. Prepare the `values.yaml` file. The `sectionName` must match the listener name defined in the Gateway (`https` in the example above), and `externalURL` must use the NodePort that clients connect to:

```yaml
expose:
  type: route
  tls:
    enabled: false  # TLS is handled by the Gateway
  route:
    parentRefs:
    - name: msr-gateway
      namespace: <MSR4 namespace>
      sectionName: https  # name of the HTTPS listener in the Gateway
      kind: Gateway
    hosts:
    - "<YOUR_INGRESS_HOSTNAME>"
externalURL: https://<YOUR_INGRESS_HOSTNAME>:33002
```

2. Install the Helm chart:

```shell
helm install <MSR4 deployment name> oci://registry.mirantis.com/harbor/helm/msr \
  --version <MSR version> -n <MSR4 namespace> -f values.yaml
```
Configure Proxy Headers
Because MSR runs behind a Gateway that terminates TLS, MSR itself only sees plain HTTP from Envoy. Configure proxy headers so that MSR can recognize the original HTTPS scheme and the external port 33002 when it builds redirect and token URLs.
Apply a RequestHeaderModifier filter to the MSR HTTPRoute:
```shell
kubectl patch httproute <MSR4 httproute name> -n <MSR4 namespace> --type=json -p='[
  {
    "op": "add",
    "path": "/spec/rules/0/filters",
    "value": [{
      "type": "RequestHeaderModifier",
      "requestHeaderModifier": {
        "set": [
          {"name": "X-Forwarded-Proto", "value": "https"},
          {"name": "X-Forwarded-Port", "value": "33002"}
        ]
      }
    }]
  }
]'
```
Verify the Gateway Configuration
1. Check the status of the HTTPRoute to ensure the Gateway has accepted it:

```shell
kubectl get httproute <MSR4 httproute name> -n <MSR4 namespace> \
  -o jsonpath='{.status.parents[0].conditions}' | jq
```

The output should include `"reason": "Accepted"` and `"status": "True"`.

2. Open a web browser and navigate to `https://<YOUR_INGRESS_HOSTNAME>:33002` to confirm that the service is accessible.
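The proxy-header step and the verification step above both depend on four pieces agreeing with each other: the NodePort in the EnvoyProxy service, the listener name referenced by `sectionName`, the `X-Forwarded-Port` / `X-Forwarded-Proto` values on the HTTPRoute, and the port in `externalURL`. The following checker is an added example, not part of the Mirantis documentation or the MSR chart; it runs over constructed samples of the objects (the shape `kubectl get ... -o json` returns, trimmed to the fields read) and reports any mismatch that would make the route unaccepted or MSR generate URLs with the wrong scheme or port.

```python
from urllib.parse import urlsplit
# Constructed samples trimmed to the fields checked; in practice take them from
# `kubectl get <kind> <name> -n <namespace> -o json` and from your values.yaml.
ENVOYPROXY = {"spec": {"provider": {"kubernetes": {"envoyService": {"patch": {"value": {
    "spec": {"ports": [{"name": "https-443", "nodePort": 33002, "port": 443, "targetPort": 10443}]}}}}}}}}
GATEWAY = {"metadata": {"name": "msr-gateway"},
           "spec": {"listeners": [{"name": "https", "port": 443, "protocol": "HTTPS", "tls": {"mode": "Terminate"}}]}}
HTTPROUTE = {"spec": {"parentRefs": [{"name": "msr-gateway", "namespace": "msr4", "sectionName": "https"}],
                      "rules": [{"filters": [{"type": "RequestHeaderModifier", "requestHeaderModifier": {"set": [
                          {"name": "X-Forwarded-Proto", "value": "https"}, {"name": "X-Forwarded-Port", "value": "33002"}]}}]}]},
             "status": {"parents": [{"conditions": [{"type": "Accepted", "status": "True", "reason": "Accepted"},
                                                    {"type": "ResolvedRefs", "status": "True", "reason": "ResolvedRefs"}]}]}}
EXTERNAL_URL = "https://msr.example.com:33002"  # externalURL from values.yaml (constructed)

def forwarded_headers(route):
    """Headers set by RequestHeaderModifier filters on any rule, keyed by lower-cased name."""
    headers = {}
    for rule in route["spec"].get("rules", []):
        for flt in rule.get("filters", []):
            if flt.get("type") == "RequestHeaderModifier":
                for hdr in flt["requestHeaderModifier"].get("set", []):
                    headers[hdr["name"].lower()] = hdr["value"]
    return headers

def route_accepted(route):
    """True only if the Gateway reports both Accepted and ResolvedRefs as True in the route status."""
    conds = {c["type"]: c["status"] for p in route.get("status", {}).get("parents", []) for c in p.get("conditions", [])}
    return conds.get("Accepted") == "True" and conds.get("ResolvedRefs") == "True"

def check_wiring(envoyproxy, gateway, route, external_url):
    """Return the mismatches between the four pieces; an empty list means they agree."""
    problems = []
    svc = envoyproxy["spec"]["provider"]["kubernetes"]["envoyService"]["patch"]["value"]["spec"]
    node_port = str(svc["ports"][0]["nodePort"])
    url = urlsplit(external_url)
    ext_port = str(url.port or 443)  # no explicit port in externalURL means 443
    listeners = {lst["name"] for lst in gateway["spec"]["listeners"]}
    ref = route["spec"]["parentRefs"][0]
    # sectionName must be a listener *name*; a port number or placeholder here leaves the route unattached
    if ref.get("sectionName") not in listeners:
        problems.append(f"sectionName {ref.get('sectionName')!r} matches no Gateway listener name")
    hdrs = forwarded_headers(route)
    if hdrs.get("x-forwarded-proto") != "https":
        problems.append("X-Forwarded-Proto is not set to https")
    # the NodePort clients hit, the port MSR is told about, and the port in externalURL must all agree
    if not (node_port == ext_port == hdrs.get("x-forwarded-port")):
        problems.append(f"port mismatch: nodePort={node_port} externalURL={ext_port} X-Forwarded-Port={hdrs.get('x-forwarded-port')}")
    if not route_accepted(route):
        problems.append("HTTPRoute has not been accepted by the Gateway")
    return problems
```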