When internet access is prohibited in or unavailable to your organization, you can deploy ArcGIS Enterprise on Kubernetes in a disconnected environment. To do so, you must create your organization's container registry, use offline tools to populate your container images, and configure the organization to use local resources.
Prepare for deployment
Before deploying ArcGIS Enterprise on Kubernetes for disconnected use, review the system requirements and steps to plan for deployment. You will also need access to each of the following:
- Internet access to obtain container images
- Credentials for the Esri Docker Hub repository
- Credentials for read and write access to your organization's container registry
- Docker Engine
- A storage device with 100 GB of free disk space to store downloaded images
Note:
If you want to use horizontal pod autoscaling, ensure your registry has the appropriate images.
Understand offline tools
The ArcGIS Enterprise on Kubernetes deployment package includes a set of tools that are used to pull images from the Esri Docker Hub repository to your local client machine so that you can work in a disconnected environment.
These offline tools are under setup/tools/registry-tools in the directory where you extracted the deployment package and include the following:
- create-offline-manifest.sh—Used to download the Esri-published version manifest file and import it into your organization.
- image-download.sh—Used to download container images to a storage device that you specify.
- image-upload.sh—Used to upload container images from the storage device to your container registry.
- image-transfer.sh—Used to transfer images directly between two registries. This is faster than using image-download.sh and image-upload.sh if the client workstation can access both registries.
More information is available in the Readme.md within the registry-tools folder.
Note:
To run offline tools, ensure you have the tar and gzip standard packages installed on your client machine.
Download images
To download the available images, complete the following steps from a client machine with internet access:
- On your Kubernetes client machine, open a terminal.
- Change directories to the /tools/registry-tools directory.
- In the terminal, run the image-download.sh script using the following command format:
./image-download.sh -r docker.io/esridocker -u <username> -p <password> -d </path/to/download/directory> -t <version_tag>
Note:
To find the version tag for a release, see the release notes.
- Alternatively, use the template properties file located in /setup/templates/registry-tools or create a *.properties file and include these parameters:
DOWNLOAD_REGISTRY="<docker.io/esridocker>" DOWNLOAD_USER="<username>" DOWNLOAD_PASS="<password>" DOWNLOAD_TAG="<version_tag>" DOWNLOAD_DIR="</path/to/download/directory>" ENCRYPTION_KEYFILE="</path/to/keyfile.txt>"
The encryption keyfile is a plain text file used for AES-256 encryption and decryption of passwords. The content of this file is text that you specify and should not contain passwords. This file should remain in a fixed location and the contents should not be changed. For example:
$ echo 'My Encryption Text!' >> /path/to/keyfile.txt
- To run the script using the properties file, use the following command:
./image-download.sh -f <*.properties>
- Alternatively, use the template properties file located in /setup/templates/registry-tools or create a *.properties file and include these parameters:
Note:
Because the script downloads all tagged images from the Esri repository, it takes some time to complete. If a download is interrupted, rerun the script to resume it.
Upload images
Once you've downloaded the images, copy them to a client machine with access to your container registry and complete the following steps:
- On your Kubernetes client machine, open a terminal.
- Change directories to the /tools/registry-tools directory.
- In the terminal, run the image-upload.sh script using the following command format:
./image-upload.sh -r <registry_host>/<organization> -u <username> -p <password> -d </path/to/download/directory> -t <version_tag>
Note:
Use the same version tag used to download images in the above steps.
- Alternatively, use the template properties file located in /setup/templates/registry-tools or create a *.properties file and include these parameters:
UPLOAD_REGISTRY="<registry_host>/<organization>" UPLOAD_USER="<username>" UPLOAD_PASS="<password>" UPLOAD_TAG="<version_tag>" DOWNLOAD_DIR="</path/to/download/directory>" ENCRYPTION_KEYFILE="</path/to/keyfile.txt>"
The encryption keyfile is a plain text file used for AES-256 encryption and decryption of passwords. The content of this file is text that you specify and should not contain passwords. This file should remain in a fixed location and the contents should not be changed. For example:
$ echo 'My Encryption Text!' >> /path/to/keyfile.txt
- To run the script using the properties file, use the following command:
./image-upload.sh -f <*.properties>
- Alternatively, use the template properties file located in /setup/templates/registry-tools or create a *.properties file and include these parameters:
Note:
Because the script uploads all tagged images to your container registry, it takes some time to complete. If an upload is interrupted, rerun the script to resume it.
Deploy
After you've uploaded images to your container registry, run the deployment script to deploy ArcGIS Enterprise on Kubernetes. The deployment script is interactive and prompts you for several parameters.
Note:
When specifying the registry host, you must specify the details for your container registry.Configure the organization
After you've run the deployment script, follow the steps to create an organization. These steps are the same for organizations with and without internet access.
Download and import version manifest
By default, ArcGIS Enterprise Administrator API uses a well-known URL to detect when container image updates are available. When your Kubernetes cluster is not connected to the internet, you must download this file and import it into your organization.
Use the create-offline-manifest.sh script to first download the Esri-published version manifest file and import it into your organization. Internet access is required when downloading the version manifest file.
- On your Kubernetes client machine, open a terminal.
- Change directories to the /tools/registry-tools directory.
- In the terminal, run the create-offline-manifest.sh script using the following command format:
./create-offline-manifest.sh -d /path/to/download/directory
- Once the download is complete, run the create-offline-manifest.sh script again using the following command format to import the version manifest file into your organization:
./create-offline-manifest.sh -i </path/to/download/directory/manifest.dat> -u <username> -p <password> -a https://organization_URL/context
- If you created an organization using the configure.sh script, perform the following command:
./create-offline-manifest.sh -i </path/to/download/directory/manifest.dat> -f ../configure/configure.properties
- If you created an organization using the configure.sh script, perform the following command:
Once the version manifest has been imported, you have completed the deployment steps. Next, you will configure the organization to use local resources where applicable.
Note:
To check that the version manifest has been imported, you can run the following command:kubectl get secret arcgis-version-manifest -n arcgis
Configure local resources
When the organization is disconnected from the internet, configure the organization to use local services and resources where applicable.
Configure custom basemaps
The organization is preconfigured with a collection of basemaps from ArcGIS Online. These basemaps are not supported for use in a disconnected environment. Instead, create your own custom basemaps and configure the organization to offer these basemaps in the basemap gallery.
See Customize basemaps for details on creating and configuring custom basemaps in your organization.
Configure utility services
By default, utility services are configured to use those from ArcGIS Online. To learn how to update the utility services to point to your own local services, see Configure utility services.
ArcGIS Living Atlas of the World content
ArcGIS Living Atlas of the World is a collection of ready-to-use geographic content available from ArcGIS Online. It is not supported in disconnected environments. To disable ArcGIS Living Atlas of the World content, see steps to disable or adjust other ArcGIS Online resources.
Disable external content
Because some Esri content requires external access to the internet, you must disable the content to prevent requests to ArcGIS Online resources. When you disable the content, a specific group of items is disabled:
- All content, including basemap items, owned by "esri_[lang]" that contains URLs to external sites. The items disabled will depend on the content languages enabled for your organization.
- All content owned by "esri" that contains URLs to external sites.
- All content owned by "esri_apps" that contains URLs to external sites.
To disable external content, complete the following steps:
- Sign in to the ArcGIS Enterprise Administrator API.
The URL is in the format https://organization.example.com/context/admin.
- Click System > Content > External Content > Update.
- Set Enable External Content to False.
- Click Update.
Once external content has been disabled, items that contain URLs to external sites will not be discoverable or returned in search results.
Disable or adjust other ArcGIS Online sources
Some functionality in the organization has been preconfigured to use services or content from ArcGIS Online. When working in disconnected environments, you can disable these services and content by adjusting the organization properties. Example properties include the following:
extentService: "<URL to local map service>",—The extent service is used to update or set the extent of a web map item on the Set Extent dialog box in the organization. By default, the extent service originates from ArcGIS Online. In a disconnected environment, you must configure your organization with a GIS Server tiled map service. The service must use the WGS84 geographic coordinate system with well-known ID (WKID) 4326.
gcsBasemapService: "<URL to local map service>",—The GCS basemap service is used as the basemap for OGC WMS services that do not support the Web Mercator coordinate system. By default, the GCS basemap service originates from ArcGIS Online. In a disconnected environment, you must configure your organization with a GIS Server map service. The service must use the WGS84 geographic coordinate system with well-known ID (WKID) 4326.
configurePortalAGOEnv: "www.arcgis.com",—Used to determine the proxy used for configured utility services. The default proxy for configured utility services is www.arcgis.com. In a disconnected environment, set this property to false.
portalAGOConfigEnabled: true,—Controls the display of the ArcGIS Online tab in the organization's Settings page. In a disconnected environment, set this property to false.
portalLivingAtlasConfigEnabled: true,—Together with the portalAGOConfigEnabled property, this property controls the display of the Configure Living Atlas Content section on the ArcGIS Online tab in the organization's Settings page. In a disconnected environment, set this property to false.
searchArcGISOnlineEnabled: true,—With this property, you can disable the option in Map Viewer Classic to search for layers in ArcGIS Online. The default is true. When disabled, the option to search for layers in ArcGIS Online is hidden from the Search for Layers dialog box in Map Viewer Classic. In a disconnected environment, set this property to false.
To learn more about the properties you can modify, see the Sharing API documentation and follow steps to set advanced portal options.
Upgrade or update
When a software update or upgrade is available, you must do the following:
- Prepare your organization's container registry with the container images from Esri
- Download the manifest from Esri and upload it into your organization. This will ensure ArcGIS Enterprise can discover new updates or upgrades that are available.
- Apply the update or upgrade to your organization