Cohesity Cloud Scale Technology Manual Deployment Guide for Kubernetes Clusters

Last Published:
Product(s): NetBackup (11.1.0.2)
  1. Introduction
    1. About Cloud Scale deployment
      1.  
        Decoupling of NetBackup web services from primary server
      2.  
        Decoupling of NetBackup Policy and Job Management from primary server
      3.  
        Decoupling of NetBackup Database Manager from primary server
      4.  
        Logging feature (fluentbit) in Cloud Scale
    2.  
      About NetBackup Snapshot Manager
    3.  
      Required terminology
    4.  
      User roles and permissions
  2. Section I. Configurations
    1. Prerequisites
      1.  
        Preparing the environment for NetBackup installation on Kubernetes cluster
      2.  
        Prerequisites for Snapshot Manager (AKS/EKS)
      3. Prerequisites for Kubernetes cluster configuration
        1.  
          Config-Checker utility
        2.  
          Data-Migration for AKS
        3.  
          Webhooks validation for EKS
      4. Prerequisites for Cloud Scale configuration
        1.  
          Cluster specific settings
        2.  
          Cloud specific settings
      5.  
        Prerequisites for deploying environment operators
      6.  
        Prerequisites for using private registry
    2. Recommendations and Limitations
      1.  
        Recommendations of NetBackup deployment on Kubernetes cluster
      2.  
        Limitations of NetBackup deployment on Kubernetes cluster
      3.  
        Recommendations and limitations for Cloud Scale deployment
    3. Configurations
      1.  
        Contents of the TAR file
      2.  
        Configuring the cloudscale-values.yaml file
      3.  
        Configuring an External Certificate Authority for Web UI port 443
      4. Loading docker images
        1.  
          Installing the docker images for NetBackup
        2.  
          Installing the docker images for Snapshot Manager
        3.  
          Installing the docker images and binaries for MSDP Scaleout
      5. Configuring NetBackup
        1. Primary and media server CR
          1.  
            After installing primary server CR
          2.  
            After Installing the media server CR
        2.  
          Elastic media server
    4. Configuration of key parameters in Cloud Scale deployments
      1.  
        Tuning touch files
      2.  
        Setting maximum jobs per client
      3.  
        Setting maximum jobs per media server
      4.  
        Enabling intelligent catalog archiving
      5.  
        Enabling security settings
      6.  
        Configuring email server
      7.  
        Reducing catalog storage management
      8.  
        Configuring zone redundancy
      9.  
        Enabling client-side deduplication capabilities
      10.  
        Parameters for logging (fluentbit)
      11.  
        Managing media server configurations in Web UI
  3. Section II. Deployment
    1. Deploying Cloud Scale
      1.  
        How to deploy Cloud Scale
      2.  
        Prerequisites for Cloud Scale deployment
      3.  
        Deploying the operators
      4. Deploying Cloud Scale using Helm chart
        1.  
          Installing Cloud Scale environment
        2. Single node Cloud Scale Technology deployment
          1.  
            Steps to deploy Cloud Scale in single node
      5.  
        Deploying Cloud Scale using kubectl plugin
      6.  
        Verifying Cloud Scale deployment
      7. Post Cloud Scale deployment tasks
        1.  
          Restarting Cloud Scale Technology services
  4. Section III. Monitoring and Management
    1. Monitoring NetBackup
      1.  
        Monitoring the application health
      2.  
        Telemetry reporting
      3.  
        About NetBackup operator logs
      4.  
        Monitoring Primary/Media server CRs
      5.  
        Expanding storage volumes
      6. Allocating static PV for Primary and Media pods
        1.  
          Expanding log volumes for primary pods
        2.  
          Recommendation for media server volume expansion
        3.  
          (AKS-specific) Allocating static PV for Primary and Media pods
        4.  
          (EKS-specific) Allocating static PV for Primary and Media pods
    2. Monitoring Snapshot Manager
      1.  
        Overview
      2.  
        Configuration parameters
      3.  
        Snapshot Manager manual certificate renewal in Cloud Scale
    3. Monitoring fluentbit
      1.  
        Monitoring fluentbit for logging
    4. Monitoring MSDP Scaleout
      1.  
        About MSDP Scaleout status and events
      2.  
        Monitoring with Amazon CloudWatch
      3.  
        Monitoring with Azure Container insights
      4.  
        The Kubernetes resources for MSDP Scaleout and MSDP operator
    5. Managing NetBackup
      1.  
        Managing NetBackup deployment using VxUpdate
      2.  
        Updating the Primary/Media server CRs
      3.  
        Migrating the cloud node for primary or media servers
      4.  
        Migrating cpServer controlPlane node
    6. Managing the Load Balancer service
      1.  
        About the Load Balancer service
      2.  
        Notes for Load Balancer service
      3.  
        Opening the ports from the Load Balancer service
      4.  
        Steps for upgrading Cloud Scale from multiple media load balancer to none
    7. Managing PostrgreSQL DBaaS
      1.  
        Changing database server password in DBaaS
      2.  
        Updating database certificate in DBaaS
    8. Managing logging
      1.  
        Viewing NetBackup logs
      2.  
        Extracting NetBackup logs
    9. Performing catalog backup and recovery
      1.  
        Backing up a catalog
      2. Restoring a catalog
        1.  
          Primary server corrupted
        2.  
          MSDP-X corrupted
        3.  
          MSDP-X and Primary server corrupted
  5. Section IV. Maintenance
    1. PostgreSQL DBaaS Maintenance
      1.  
        Configuring maintenance window for PostgreSQL database in AWS
      2.  
        Setting up alarms for PostgreSQL DBaaS instance
    2. Patching mechanism for primary, media servers, fluentbit pods, and postgres pods
      1.  
        Overview
      2.  
        Patching of primary containers
      3.  
        Patching of media containers
      4.  
        Patching of fluentbit collector pods
      5.  
        Update containerized PostgreSQL pod
    3. Upgrading
      1. Upgrading Cloud Scale Technology
        1.  
          Prerequisites for Cloud Scale Technology upgrade
        2.  
          Upgrade the cluster
        3. Upgrade Cloud Scale
          1.  
            Upgrade Cloud Scale using the kubectl plugin
          2.  
            Manual upgrade of Cloud Scale using the Superchart
        4.  
          Configuring NetBackup IT Analytics for NetBackup deployment
    4. Cloud Scale Disaster Recovery
      1.  
        Cluster backup
      2.  
        Environment backup
      3.  
        Cluster recovery
      4.  
        Cloud Scale recovery
      5.  
        Environment Disaster Recovery
      6.  
        DBaaS Disaster Recovery
    5. Uninstalling
      1.  
        Uninstalling Cloud Scale Technology
    6. Troubleshooting
      1. Troubleshooting AKS and EKS issues
        1.  
          View the list of operator resources
        2.  
          View the list of product resources
        3.  
          View operator logs
        4.  
          View primary logs
        5.  
          Socket connection failure
        6.  
          Resolving an issue where external IP address is not assigned to a NetBackup server's load balancer services
        7.  
          Resolving the issue where the NetBackup server pod is not scheduled for long time
        8.  
          Resolving an issue where the Storage class does not exist
        9.  
          Resolving an issue where the primary server or media server deployment does not proceed
        10.  
          Resolving an issue of failed probes
        11.  
          Resolving issues when media server PVs are deleted
        12.  
          Resolving an issue related to insufficient storage
        13.  
          Resolving an issue related to invalid nodepool
        14.  
          Resolve an issue related to KMS database
        15.  
          Resolve an issue related to pulling an image from the container registry
        16.  
          Resolving an issue related to recovery of data
        17.  
          Check primary server status
        18.  
          Pod status field shows as pending
        19.  
          Ensure that the container is running the patched image
        20.  
          Getting EEB information from an image, a running container, or persistent data
        21.  
          Resolving the certificate error issue in NetBackup operator pod logs
        22.  
          Pod restart failure due to liveness probe time-out
        23.  
          NetBackup messaging queue broker take more time to start
        24.  
          Host mapping conflict in NetBackup
        25.  
          Issue with capacity licensing reporting which takes longer time
        26.  
          Local connection is getting treated as insecure connection
        27.  
          Backing up data from Primary server's /mnt/nbdata/ directory fails with primary server as a client
        28.  
          Storage server not supporting Instant Access capability on Web UI after upgrading NetBackup
        29.  
          Taint, Toleration, and Node affinity related issues in cpServer
        30.  
          Operations performed on cpServer in cloudscale-values.yaml file are not reflected
        31.  
          Elastic media server related issues
        32.  
          Failed to register Snapshot Manager with NetBackup
        33.  
          Post Kubernetes cluster restart, flexsnap-listener pod went into CrashLoopBackoff state or pods were unable to connect to flexsnap-rabbitmq
        34.  
          Post Kubernetes cluster restart, issues observed in case of containerized Postgres deployment
        35.  
          Request router logs
        36.  
          Issues with NBPEM/NBJM
        37.  
          Issues with logging feature for Cloud Scale
        38.  
          The flexsnap-listener pod is unable to communicate with RabbitMQ
        39.  
          Job remains in queue for long time
        40.  
          Extracting logs if the nbwsapp or log-viewer pods are down
        41.  
          Helm installation failed with bundle error
        42.  
          Deployment fails with private container registry and Postgres fails to pull the images
      2. Troubleshooting AKS-specific issues
        1.  
          Data migration unsuccessful even after changing the storage class through the storage yaml file
        2.  
          Host validation failed on the target host
        3.  
          Primary pod goes in non-ready state
      3. Troubleshooting EKS-specific issues
        1.  
          Resolving the primary server connection issue
        2.  
          NetBackup Snapshot Manager deployment on EKS fails
        3.  
          Wrong EFS ID is provided in cloudscale-values.yaml file
        4.  
          Primary pod is in ContainerCreating state
        5.  
          Webhook displays an error for PV not found
        6.  
          Cluster Autoscaler initialization issue
        7.  
          Catalog backup job fails with an error (Status 9202)
      4.  
        Troubleshooting issue for bootstrapper pod
      5.  
        Troubleshooting issues for kubectl plugin
  6. Appendix A. CR template
    1.  
      Secret
    2. MSDP Scaleout CR
      1.  
        MSDP Scaleout CR template for AKS
      2.  
        MSDP Scaleout CR template for EKS
  7. Appendix B. MSDP Scaleout
    1.  
      About MSDP Scaleout
    2.  
      Prerequisites for MSDP Scaleout (AKS\EKS)
    3.  
      Limitations in MSDP Scaleout
    4. MSDP Scaleout configuration
      1.  
        Initializing the MSDP operator
      2.  
        Configuring MSDP Scaleout
      3.  
        Configuring the MSDP cloud in MSDP Scaleout
      4.  
        Using MSDP Scaleout as a single storage pool in NetBackup
      5.  
        Using S3 service in MSDP Scaleout
      6.  
        Enabling MSDP S3 service after MSDP Scaleout is deployed
    5.  
      Installing the docker images and binaries for MSDP Scaleout (without environment operators or Helm charts)
    6.  
      Deploying MSDP Scaleout
    7. Managing MSDP Scaleout
      1.  
        Adding MSDP engines
      2.  
        Adding data volumes
      3. Expanding existing data or catalog volumes
        1.  
          Manual storage expansion
      4.  
        MSDP Scaleout scaling recommendations
      5. MSDP Cloud backup and disaster recovery
        1.  
          About the reserved storage space
        2. Cloud LSU disaster recovery
          1.  
            Recovering MSDP S3 IAM configurations from cloud LSU
      6.  
        MSDP multi-domain support
      7.  
        Configuring Auto Image Replication
      8. About MSDP Scaleout logging and troubleshooting
        1.  
          Collecting the logs and the inspection information
    8. MSDP Scaleout maintenance
      1.  
        Pausing the MSDP Scaleout operator for maintenance
      2.  
        Logging in to the pods
      3.  
        Reinstalling MSDP Scaleout operator
      4.  
        Migrating the MSDP Scaleout to another node pool

Prerequisites for Cloud Scale deployment

Ensure that the following steps are performed before deploying the operators:

  1. Install cert-manager by using the following command:

    helm repo add jetstack https://charts.jetstack.io

    helm repo update jetstack

    helm upgrade -i -n cert-manager cert-manager jetstack/cert-manager \ --version 1.18.2 \ --set webhook.timeoutSeconds=30 \ --set installCRDs=true \ --wait --create-namespace

    For details, see cert-manager Documentation.

  2. Create NetBackup namespace by using the following command:

    kubectl create ns netbackup

  3. Install trust-manager by using the following command:

    kubectl create namespace trust-manager

    helm upgrade -i -n trust-manager trust-manager jetstack/trust-manager --set app.trust.namespace=netbackup --version v0.19.0 --wait

    For details, see trust-manager Documentation.

  4. (If using private registry) Create kubernetes secret for using the private registries as follows:

    Create operator namespace by using the following command:

    kubectl create ns netbackup-operator-system

    kubectl create secret docker-registry <secret-name> \ --namespace <namespace> \ --docker-server=<container-registry-name> \ --docker-username=<service-principal-ID> \ --docker-password=<service-principal-password>

    For example (AKS): kubectl create secret docker-registry demo-secret --namespace netbackup-operator-system --docker-server=cpautomation.azurecr.io --docker-username=c1d03169-6f35-4c29-b527-995bbad3b608 --docker-password=<password_here>

  5. (For Cloud Scale) Create kubernetes secret for using the private registries as follows:

    kubectl create secret docker-registry <secret-name> \ --namespace <namespace> \ --docker-server=<container-registry-name> \ --docker-username=<service-principal-ID> \ --docker-password=<service-principal-password>

    For example (AKS): kubectl create secret docker-registry demo-secret --namespace netbackup --docker-server=cpautomation.azurecr.io --docker-username=c1d03169-6f35-4c29-b527-995bbad3b608 --docker-password=<password_here>

Air-Gapped installation procedure for cert-manager and trust-manager in AKS

This section provides step-by-step instructions for deploying cert-manager and trust-manager in an air-gapped or partially air-gapped Azure Kubernetes Service (AKS) environment. It enables installation without direct internet access, using JFrog Artifactory as the container registry (adaptable for ACR or ECR). The tools are installed in separate namespaces (cert-manager and trust-manager) for compatibility, with trust-manager configured to manage trust bundles in the NetBackup namespace.

Prerequisites

  • Internet-connected and air-gapped environments

  • Secure file transfer method between environments

  • Access to a private container registry (for example, JFrog Artifactory)

  • Docker/Podman and Helm installed on both environments

  • kubectl configured for the AKS cluster

  • Registry credentials

Air-Gapped installation procedure

  1. Gather Helm charts locally (Internet-connected environment):

    Download the cert-manager and trust-manager charts:

    • # Add the Jetstack Helm repository
helm repo add jetstack https://charts.jetstack.io --force-update

# Update your local Helm repository indexes
helm repo update

# Pull the cert-manager chart
helm pull jetstack/cert-manager --version v1.17.0 --untar --untardir ./cert-manager-chart

# Pull the trust-manager chart
helm pull jetstack/trust-manager --untar --untardir ./trust-manager-chart --replace

      This creates folders ./cert-manager-chart and ./trust-manager-chart containing the Helm chart files.

    • Identify the container images in each chart:

      • Method 1: Generate and examine the manifests:

        helm template ./cert-manager-chart/cert-manager --namespace cert-manager > cert-manager-manifest.yaml
helm template ./trust-manager-chart/trust-manager --namespace trust-manager > trust-manager-manifest.yaml

# Find all images used in the manifests
grep "image:" cert-manager-manifest.yaml
grep "image:" trust-manager-manifest.yaml

        Example output:

        # cert-manager images
image: "quay.io/jetstack/cert-manager-cainjector:v1.17.0"
image: "quay.io/jetstack/cert-manager-controller:v1.17.0"
image: "quay.io/jetstack/cert-manager-webhook:v1.17.0"
image: "quay.io/jetstack/cert-manager-startupapicheck:v1.17.0"

# trust-manager images
image: "quay.io/jetstack/trust-pkg-debian-bookworm:20230311.0"
image: "quay.io/jetstack/trust-manager:v0.16.0"

      • Method 2: Examine the values.yaml files directly:

        For cert-manager: Look for .image.repository, .image.tag, and so on.

        For trust-manager: Look for app.image.repository, app.image.tag, and so on.

        The default images are typically pulled from quay.io/jetstack/.

  2. Pull and save the images (Internet-connected environment):
    # Pull cert-manager images
docker pull quay.io/jetstack/cert-manager-controller:v1.17.0
docker pull quay.io/jetstack/cert-manager-webhook:v1.17.0
docker pull quay.io/jetstack/cert-manager-cainjector:v1.17.0
docker pull quay.io/jetstack/cert-manager-startupapicheck:v1.17.0

# Pull trust-manager images
docker pull quay.io/jetstack/trust-manager:v0.16.0
docker pull quay.io/jetstack/trust-pkg-debian-bookworm:20230311.0

# Save all images into a single tarball
docker save \
  quay.io/jetstack/cert-manager-controller:v1.17.0 \
  quay.io/jetstack/cert-manager-webhook:v1.17.0 \
  quay.io/jetstack/cert-manager-cainjector:v1.17.0 \
  quay.io/jetstack/cert-manager-startupapicheck:v1.17.0 \
  quay.io/jetstack/trust-manager:v0.16.0 \
  quay.io/jetstack/trust-pkg-debian-bookworm:20230311.0 \
  -o cert-manager-trust-manager-images.tar
  3. Copy the files to the offline/restricted host:

    • Transfer the image tarball:

      Transfer cert-manager-trust-manager-images.tar file to your air-gapped environment using an approved method (for example, SCP, secure file transfer, or physical media).

    • Transfer the Helm charts:

      Transfer the Helm charts to the air-gapped environment using one of the following approaches:

      • Option 1: Pack and transfer the extracted chart directories:

        # Create archive of the chart directories
tar -czf helm-charts.tar.gz ./cert-manager-chart ./trust-manager-chart

# Transfer helm-charts.tar.gz to the air-gapped environment
# Then on the air-gapped host:
tar -xzf helm-charts.tar.gz

      • Option 2: Create Helm package archives and transfer those:

        # Package the charts
helm package ./cert-manager-chart/cert-manager -d ./packages
helm package ./trust-manager-chart/trust-manager -d ./packages

# Transfer the ./packages directory to the air-gapped environment

        Use the same secure file transfer method as used for the container images.

  4. Load and push images into your private registry (Air-Gapped environment):
    # Load the images into Docker
docker load -i cert-manager-trust-manager-images.tar

# Login to your private Artifactory registry
# You'll be prompted to enter your password securely
# If using ACR/ECR replace the docker login command below with (Ex: az acr login -n myacr)
docker login my-artifactory.mycompany.com -u <your-username>

# Tag the images for your private registry (replace my-artifactory.mycompany.com with your registry URL)
docker tag quay.io/jetstack/cert-manager-controller:v1.17.0 \
  my-artifactory.mycompany.com/jetstack/cert-manager-controller:v1.17.0

docker tag quay.io/jetstack/cert-manager-webhook:v1.17.0 \
  my-artifactory.mycompany.com/jetstack/cert-manager-webhook:v1.17.0

docker tag quay.io/jetstack/cert-manager-cainjector:v1.17.0 \
  my-artifactory.mycompany.com/jetstack/cert-manager-cainjector:v1.17.0

docker tag quay.io/jetstack/cert-manager-startupapicheck:v1.17.0 \
  my-artifactory.mycompany.com/jetstack/cert-manager-startupapicheck:v1.17.0

docker tag quay.io/jetstack/trust-manager:v0.16.0 \
  my-artifactory.mycompany.com/jetstack/trust-manager:v0.16.0

docker tag quay.io/jetstack/trust-pkg-debian-bookworm:20230311.0 \
  my-artifactory.mycompany.com/jetstack/trust-pkg-debian-bookworm:20230311.0

# Push the images to your private registry
docker push my-artifactory.mycompany.com/jetstack/cert-manager-controller:v1.17.0
docker push my-artifactory.mycompany.com/jetstack/cert-manager-webhook:v1.17.0
docker push my-artifactory.mycompany.com/jetstack/cert-manager-cainjector:v1.17.0
docker push my-artifactory.mycompany.com/jetstack/cert-manager-startupapicheck:v1.17.0
docker push my-artifactory.mycompany.com/jetstack/trust-manager:v0.16.0
docker push my-artifactory.mycompany.com/jetstack/trust-pkg-debian-bookworm:20230311.0
  5. Create image pull secret and update Helm charts:

    • Create a kubernetes secret for registry authentication:

      # Create the cert-manager namespace if it doesn't exist yet
kubectl create namespace cert-manager --dry-run=client -o yaml | kubectl apply -f -

# Create a secret with your registry credentials
# Create secret for cert-manager
kubectl create secret docker-registry artifactory-registry-secret \
  --namespace cert-manager \
  --docker-server=my-artifactory.mycompany.com \
  --docker-username=<your-username> \
  --docker-password=<your-password> \
  --docker-email=<your-email>

# Create the same secret for trust-manager
kubectl create secret docker-registry artifactory-registry-secret \
  --namespace trust-manager \
  --docker-server=my-artifactory.mycompany.com \
  --docker-username=<your-username> \
  --docker-password=<your-password> \
  --docker-email=<your-email>

    • Update the Helm charts to use your private registry using one of the following options:

      • Option 1: Modify values.yaml files:

        For cert-manager, update the following sections in cert-manager-chart/cert-manager/values.yaml file:

        image:
  repository: my-artifactory.mycompany.com/jetstack/cert-manager-controller
  tag: v1.17.0
  # ...

webhook:
  image:
    repository: my-artifactory.mycompany.com/jetstack/cert-manager-webhook
    tag: v1.17.0
  # ...

cainjector:
  image:
    repository: my-artifactory.mycompany.com/jetstack/cert-manager-cainjector
    tag: v1.17.0
  # ...

  # Add imagePullSecrets
  imagePullSecrets:
  - name: artifactory-registry-secret
For trust-manager, update the following in trust-manager-chart/trust-manager/values.yaml:

app:
  image:
    repository: my-artifactory.mycompany.com/jetstack/trust-manager
    tag: v0.16.0
  trust:
    namespace: netbackup
  # ...

pkgImporter:
  image:
    repository: my-artifactory.mycompany.com/jetstack/trust-pkg-debian-bookworm
    tag: "20230311.0"

# Add imagePullSecrets
imagePullSecrets:
- name: artifactory-registry-secret

      • Option 2: Use --set parameters during installation:

        Instead of modifying the values.yaml files directly, you can use --set parameters during installation.

        For more information, see the commented lines in the step 6 below.

  6. Connect to and install on your AKS cluster (Air-Gapped environment):

    • Authenticate to your AKS cluster:

      Before installing Helm charts, ensure that your kubectl is properly configured to communicate with your AKS cluster:

      # If you have Azure CLI in your air-gapped environment
az login
az account set --subscription <your-subscription-id>
az aks get-credentials --resource-group <your-resource-group> --name <your-aks-cluster-name>

# OR if you've transferred a kubeconfig file
export KUBECONFIG=/path/to/your/kubeconfig

# Verify connectivity
kubectl cluster-info
kubectl get nodes

    • Install cert-manager:

      Based on how you transferred the Helm charts, use one of the following approaches:

      # Create cert-manager namespace kubectl create namespace cert-manager

      Option 1: 

      If you transferred the extracted chart directories
helm install cert-manager ./cert-manager-chart/cert-manager \
  --namespace cert-manager \
  --set crds.enabled=true
  # If you didn't modify values.yaml, add these overrides:
  # --set image.repository=my-artifactory.mycompany.com/jetstack/cert-manager-controller \
  # --set image.tag=v1.17.0 \
  # --set webhook.image.repository=my-artifactory.mycompany.com/jetstack/cert-manager-webhook \
  # --set webhook.image.tag=v1.17.0 \
  # --set cainjector.image.repository=my-artifactory.mycompany.com/jetstack/cert-manager-cainjector \
  # --set cainjector.image.tag=v1.17.0 \
  # --set startupapicheck.image.repository=my-artifactory.mycompany.com/jetstack/cert-manager-startupapicheck \
  # --set startupapicheck.image.tag=v1.17.0 \
  # --set imagePullSecrets[0].name=artifactory-registry-secret

      Option 2: 

      If you transferred packaged charts (.tgz files)
helm install cert-manager ./packages/cert-manager-v1.17.0.tgz \
  --namespace cert-manager \
  --set crds.enabled=true
  # If you didn't modify values.yaml, add these overrides:
  # --set image.repository=my-artifactory.mycompany.com/jetstack/cert-manager-controller \
  # --set image.tag=v1.17.0 \
  # --set webhook.image.repository=my-artifactory.mycompany.com/jetstack/cert-manager-webhook \
  # --set webhook.image.tag=v1.17.0 \
  # --set cainjector.image.repository=my-artifactory.mycompany.com/jetstack/cert-manager-cainjector \
  # --set cainjector.image.tag=v1.17.0 \
  # --set startupapicheck.image.repository=my-artifactory.mycompany.com/jetstack/cert-manager-startupapicheck \
  # --set startupapicheck.image.tag=v1.17.0 \
  # --set imagePullSecrets[0].name=artifactory-registry-secret

    • Install trust-manager:

      Based on how you transferred the Helm charts, use one of the following approaches:

      # Create trust-manager and netbackup namespace kubectl create namespace trust-manager kubectl create namespace netbackup

      Option 1: 

      If you transferred the extracted chart directories
helm install trust-manager ./trust-manager-chart/trust-manager \
  --namespace trust-manager \
  --set app.trust.namespace=netbackup \
  --wait
  # If you didn't modify values.yaml, add these overrides:
  # --set app.image.repository=my-artifactory.mycompany.com/jetstack/trust-manager \
  # --set app.image.tag=v0.16.0 \
  # --set pkgImporter.image.repository=my-artifactory.mycompany.com/jetstack/trust-pkg-debian-bookworm \
  # --set pkgImporter.image.tag=20230311.0 \
  # --set imagePullSecrets[0].name=artifactory-registry-secret

      Option 2: 

      If you transferred packaged charts (.tgz files)
helm install trust-manager ./packages/trust-manager-v0.16.0.tgz \
  --namespace trust-manager \
  --set app.trust.namespace=netbackup \
  --wait
  # If you didn't modify values.yaml, add these overrides:
  # --set app.image.repository=my-artifactory.mycompany.com/jetstack/trust-manager \
  # --set app.image.tag=v0.16.0 \
  # --set pkgImporter.image.repository=my-artifactory.mycompany.com/jetstack/trust-pkg-debian-bookworm \
  # --set pkgImporter.image.tag=20230311.0 \
  # --set imagePullSecrets[0].name=artifactory-registry-secret
  7. Verify the installation:
    # Check if cert-manager pods are running
kubectl get pods -n cert-manager

# Check if trust-manager pod is running
kubectl get pods -n trust-manager -l app=trust-manager