Deploying vSphere Lifecycle Manager (LCI) in an Air-Gapped Environment

In a secure, air-gapped data center, the biggest hurdle is often getting modern cloud-native services into an environment that has zero internet connectivity. When working with vSphere Supervisor Services, specifically the Load Balancer Configuration Interface (LCI), we must rely on a “Sneakernet” or manual staging process using tools like imgpkg.

This guide walks through the process of exporting the LCI service bundle from the public Broadcom repository and importing it into your local Harbor registry.


The Workflow Overview

The process follows a simple three-step logic:

  1. Export: Download the bundle from the internet to a portable .tar file.
  2. Transfer: Move that file to your secure “Jump Server” or Photon OS machine inside the restricted network.
  3. Import: Push the bundle to your local Harbor registry so the vSphere Supervisor can consume it.

Step 1: Exporting from the Internet

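First, on a machine with internet access, we use the Carvel tool imgpkg to pull the LCI bundle. We include the --cosign-signatures flag so that the cosign signatures for the images are copied into the tarball along with the images themselves. This keeps the signatures available on the other side of the air gap. Note that copying the signatures does not verify them; imgpkg only carries them across.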

# Navigate to your working directory
cd "C:\Users\admin\Documents\vSphere Supervisor Services"

# Copy the LCI bundle to a local tar file
imgpkg copy -b projects.packages.broadcom.com/vsphere/iaas/lci-service/9.0.1/lci-service:9.0.1-1815f87b `
    --to-tar lci-v9.0.1-1815f87b.tar `
    --cosign-signatures

The output will show 4 images being exported into the tarball. Once completed, you will see a Succeeded message.


Step 2: Staging on the Internal Jump Server

After transferring the .tar file to your internal Photon OS machine (via SFTP or physical media), we need to set up our environment variables to point to the local Harbor registry.

# Define your local registry URL
export REGISTRY_URL="harbor1.test.com/supervisor-services"

# Verify the variable is set
printenv REGISTRY_URL


Step 3: Importing to Local Harbor

Now, we push the bundle from the .tar file into the internal registry. Because your local Harbor likely uses a private CA, we pass the path to its CA certificate with --registry-ca-cert-path so that imgpkg can validate the registry's TLS certificate.

# Push the bundle to the local repository
imgpkg copy --tar lci-v9.0.1-1815f87b.tar \
    --to-repo ${REGISTRY_URL}/lci \
    --registry-ca-cert-path /tmp/harbor-actual.crt


Step 4: Verification

To ensure the Supervisor Service is ready for activation, verify that all internal image references were rewritten correctly during the copy process.

# Describe the bundle in the local registry
imgpkg describe -b ${REGISTRY_URL}/lci:9.0.1-1815f87b \
    --registry-ca-cert-path /tmp/harbor-actual.crt

If successful, the output will list the images with their new local URLs:

  • harbor1.test.com/supervisor-services/lci@sha256:... (Signature)
  • harbor1.test.com/supervisor-services/lci@sha256:... (Image)
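
One way to automate the Step 4 check, as an added example that is not part of the original guide: the shell function below reads imgpkg describe output on stdin and fails if any digest-pinned reference sits outside the local registry path. The helper name check_refs and the sample lines are constructed for illustration, and the digests in them are fake.

```shell
#!/bin/sh
# check_refs PREFIX   (hypothetical helper; reads describe output on stdin)
# Returns 0 only when at least one digest-pinned reference is present and
# every such reference lives under PREFIX. Offenders are printed to stderr.
check_refs() {
    prefix=$1
    # Extract every token shaped like host/path@sha256:<64 hex chars>,
    # independent of how the surrounding output is laid out.
    refs=$(grep -oE '[A-Za-z0-9._:/-]+@sha256:[0-9a-f]{64}' | sort -u)
    if [ -z "$refs" ]; then
        echo "no digest-pinned references found" >&2
        return 1
    fi
    rc=0
    for ref in $refs; do
        case $ref in
            "$prefix"/*) ;;   # under the internal registry path
            *) echo "NOT RELOCATED: $ref" >&2; rc=1 ;;
        esac
    done
    return $rc
}

# Constructed sample input (not captured imgpkg output; digests are fake).
REG=harbor1.test.com/supervisor-services
D1=0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
D2=fedcba9876543210fedcba9876543210fedcba9876543210fedcba9876543210
SRC=projects.packages.broadcom.com/vsphere/iaas/lci-service/9.0.1/lci-service

sample_good() {
    printf '  - Image: %s/lci@sha256:%s\n' "$REG" "$D1" "$REG" "$D2"
}
sample_bad() {   # one reference still points at the public source
    sample_good
    printf '  - Image: %s@sha256:%s\n' "$SRC" "$D1"
}

# Real use on the jump server (commands from this guide):
#   imgpkg describe -b "${REGISTRY_URL}/lci:9.0.1-1815f87b" \
#       --registry-ca-cert-path /tmp/harbor-actual.crt | check_refs "$REGISTRY_URL"
sample_good | check_refs "$REG" && echo "all references relocated"
```

The match is anchored at the start of each reference and requires a slash after the prefix, so a look-alike project such as supervisor-services-evil is reported rather than accepted.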