Immuta in an Air-Gapped Environment

This page provides one possible way to download and package Immuta artifacts for consumption on a separate network with no Internet access.

export IMMUTA_VERSION=2024.2.18
export IMMUTA_IMAGES="audit-service audit-export-cronjob cache classify-service immuta-service"
export IMMUTA_LEGACY_IMAGES="immuta-db immuta-fingerprint"
for image in ${IMMUTA_IMAGES} ${IMMUTA_LEGACY_IMAGES}; do
  skopeo copy docker://ocir.immuta.com/stable/${image}:${IMMUTA_VERSION} docker-archive://${PWD}/${image}-${IMMUTA_VERSION}.tar;
done

Copy the snippet below and replace the placeholder text with the credentials provided by your Immuta representative:
```
echo <token> | helm registry login --password-stdin --username <username> ocir.immuta.com
```

Download the IEHC for the current Immuta release:

helm pull oci://ocir.immuta.com/stable/immuta-enterprise --version 2024.2.18

export PRIVATE_REGISTRY=your.private-registry.com
export IMMUTA_VERSION=2024.2.18
export IMMUTA_IMAGES="audit-service audit-export-cronjob cache classify-service immuta-service"
export IMMUTA_LEGACY_IMAGES="immuta-db immuta-fingerprint"
for image in ${IMMUTA_IMAGES} ${IMMUTA_LEGACY_IMAGES}; do
  skopeo copy docker-archive://${PWD}/${image}-${IMMUTA_VERSION}.tar docker://${PRIVATE_REGISTRY}/immuta/${image}:${IMMUTA_VERSION};
done

helm upgrade --install immuta ./immuta-enterprise-2024.2.18.tgz -f immuta-values.yaml

Prerequisite

Skopeo installation

Checklist

Skopeo

Skopeo is authenticated with Immuta's registry on the networked machine.
Skopeo is authenticated with the private registry on the air-gapped machine.

Helm

Helm is authenticated with Immuta's registry on the networked machine.

Download artifacts

This section demonstrates how to download the Helm chart and container images to your local machine. These artifacts will be packaged and transferred to the air-gapped environment later.

Upon completion of these steps, the saved artifacts can be found in local directory offline-kit.

Create a directory named offline-kit.
```
mkdir ./offline-kit
```

Download the Helm chart into directory offline-kit.

helm pull oci://ocir.immuta.com/stable/immuta-enterprise --destination ./offline-kit --version 2024.3.9

Extract file DIGESTS.md from the Helm chart archive.

tar --extract --gzip --strip-components=1 --directory=./offline-kit --file=./immuta-enterprise-*.tgz immuta-enterprise/DIGESTS.md

Open file ./offline-kit/DIGESTS.md. This file includes the name and digest of every container image referenced by the Helm chart.

read -r -p "Enter the container image to download (e.g., docker.io/hello-world:latest):" image && \
skopeo copy docker://"$image" docker-archive:"offline-kit/$(sed 's#.*/##; s#:#-#g' <<< "$image").tar"

Transfer artifacts

This section demonstrates how to push the previously archived container images to a private registry that's accessible from within your air-gapped environment.

The exact process for transferring files into an air-gapped network can vary significantly depending on your specific security policies and infrastructure.

Transfer directory offline-kit (created in the previous section) onto a machine that's within your air-gapped environment.

skopeo copy docker-archive:offline-kit/<name>-<tag>.tar docker://<private-registry-fqdn>/immuta/<name>:<tag>

Chart installation

A Helm chart can be referenced from a local file path, instead of remotely if desired. It is not necessary to reference it remotely. When referring to documentation, substitute any references to oci://ocir.immuta.com/stable/immuta-enterprise with the path to the unarchived (.tgz) chart file.

PreviousGeneric Installation NextDeploy Immuta without Elasticsearch

Last updated 1 day ago

Was this helpful?