Skip to content

Punch AddsOn


Once your KAST is up and running, deploying a Punchplatform simply consists in uploading a few additional applications : the Punch AddsOn. The Docker images of those applications can be fetched online, or provided offline if your platform does not have Internet access.

The Punch AddsOn images make it possible to : - Launch Punchlines and Plans through the channectl command. - Benefit from the Punch Gateway services. - Benefit from the other Punch apps: injector, feedback UI etc..

Online Deployment

The images are hosted on the Thales Digital Factory repository and are available natively if your Kubernetes cluster has an online access.

GitLab secret

The Punch Console leverages Helm to fetch Punch AddsOn images. In Helm files, there is a secret to connect to GitLab registry and fetch images. It can be either a hash value, or a reference to a Kubernetes secrets file. Both are based on $HOME/.docker/config.json.

Here is how to generate the $HOME/.docker/config.json file for Thales Digital Factory GitLab : 1. Connect to Thales Digital Factory Gitlab. 2. Go to your profile / Access Tokens. 3. Generate a read_registry token and keep it somewhere safe. 4. Run docker login Use your username, and the previous token as password. 5. Check that you have $HOME/.docker/config.json generated. It is in /root/.docker/config.json if you had to run docker as sudoer.

Hash value

In some Helm files, the expected secret is a base64 value.

For instance, the $PUNCHPLATFORM_CONF_DIR/resources/injectors/kast/install_injector.yaml has a secrets.privateRegistryToken that needs to be replaced by your base64.

You can get your base64 value by running :

cat $HOME/.docker/config.json | base64

Kubernetes secret

In other Helm files, the expected secret is a Kubernetes secret file. For instance, the $PUNCHPLATFORM_CONF_DIR/tenants/kast/channels/syslog_to_kafka/.helm/platform.yaml has a global.imagePullSecret that needs to be replaces by a generated Kubernetes secret.

You can generate a Kubernetes secret by running :

kubectl create secret generic mypunchsecret --from-file=.dockerconfigjson=$HOME/.docker/config.json --namespace mynamespace
This will generate a Kubernetes secret named mypunchsecret in mynamespace. The secret must be generated in the same namespace as the Punch AddsOn deployment.

Offline Deployment

If your platform has no online access, you need to provide these Punch AddsOn images into your offline image registry. To ease that process, the Punch Console brings in all the Punch images as tarballs and provides a official tool to upload them in your remote offline registry.

The following command must be executed : --kube-host server1 --username username \
               --source-dir $PUNCHPLATFORM_CONF_DIR/../images \
               --registry kast-registry:30005

Once done, all the Punch images are reachable from your Kubernetes cluster.

Gateway Deployment

The Punch Gateway is a REST service provides several required services in particular it is in charge of distributing the various installed user packages (parsers, artifacts etc..) to starting pods.

It can also act as a proxy to expose some inner services to user or user applications in particular Kibana. When using a punch on top of a Kubernetes cluster, you need to deploy this component using the following helm command :

helm install gateway $PUNCHPLATFORM_CONF_DIR/resources/helm/gateway --create-namespace

Refer to the gateway documentation for a complete list of helm parameters.


If your Kubernetes cluster has no online access, you must upload the gateway image into your offline registry before deploying. Refer to this procedure.