Immuta in an Air-Gapped Environment

This page provides one possible way to download and package Immuta artifacts for consumption on a separate network with no Internet access.

export IMMUTA_VERSION=2024.2.20
export IMMUTA_IMAGES="audit-service audit-export-cronjob cache classify-service immuta-service"
export IMMUTA_LEGACY_IMAGES="immuta-db immuta-fingerprint"
for image in ${IMMUTA_IMAGES} ${IMMUTA_LEGACY_IMAGES}; do
  skopeo copy docker://ocir.immuta.com/stable/${image}:${IMMUTA_VERSION} docker-archive://${PWD}/${image}-${IMMUTA_VERSION}.tar;
done
  1. Copy the snippet below and replace the placeholder text with the credentials provided by your Immuta representative:

    echo <token> | helm registry login --password-stdin --username <username> ocir.immuta.com
  2. Download the IEHC for the current Immuta release:

    helm pull oci://ocir.immuta.com/stable/immuta-enterprise --version 2024.2.20
export PRIVATE_REGISTRY=your.private-registry.com
export IMMUTA_VERSION=2024.2.20
export IMMUTA_IMAGES="audit-service audit-export-cronjob cache classify-service immuta-service"
export IMMUTA_LEGACY_IMAGES="immuta-db immuta-fingerprint"
for image in ${IMMUTA_IMAGES} ${IMMUTA_LEGACY_IMAGES}; do
  skopeo copy docker-archive://${PWD}/${image}-${IMMUTA_VERSION}.tar docker://${PRIVATE_REGISTRY}/immuta/${image}:${IMMUTA_VERSION};
done
helm upgrade --install immuta ./immuta-enterprise-2024.2.20.tgz -f immuta-values.yaml

Prerequisite

Skopeo installation

This guide utilizes the skopeo command to copy container images; ensure it's installed before proceeding. Refer to the skopeo documentation for further assistance.

Checklist

Skopeo

Helm

Download artifacts

This section demonstrates how to download the Helm chart and container images to your local machine. These artifacts will be packaged and transferred to the air-gapped environment later.

Upon completion of these steps, the saved artifacts can be found in local directory offline-kit.

  1. Create a directory named offline-kit.

    mkdir ./offline-kit
  2. Download the Helm chart into directory offline-kit.

    helm pull oci://ocir.immuta.com/stable/immuta-enterprise --destination ./offline-kit --version 2024.3.9
  3. Extract file DIGESTS.md from the Helm chart archive.

    tar --extract --gzip --strip-components=1 --directory=./offline-kit --file ./offline-kit/immuta-enterprise-*.tgz immuta-enterprise/DIGESTS.md
  4. Open file ./offline-kit/DIGESTS.md. This file includes the name and digest of every container image referenced by the Helm chart.

  5. Download each image listed in file DIGESTS.md using skopeo. Each image will be saved to directory offline-kit with the filename <name>-<tag>.tar.

    read -r -p "Enter the container image to download (e.g., docker.io/hello-world:latest):" image && \
    skopeo copy docker://"$image" docker-archive:"offline-kit/$(sed 's#.*/##; s#:#-#g' <<< "$image").tar"

Transfer artifacts

This section demonstrates how to push the previously archived container images to a private registry that's accessible from within your air-gapped environment.

The exact process for transferring files into an air-gapped network can vary significantly depending on your specific security policies and infrastructure.

  1. Transfer directory offline-kit (created in the previous section) onto a machine that's within your air-gapped environment.

  2. Push each image to your private registry using skopeo.

    skopeo copy docker-archive:offline-kit/<name>-<tag>.tar docker://<private-registry-fqdn>/immuta/<name>:<tag>
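
The kit crosses a trust boundary between download and push, so it is worth sealing it before the transfer and checking it afterwards. The script below is an added example, not part of Immuta's documentation or tooling. The function names and the SHA256SUMS file name are assumptions; archive_name reuses the sed rule from the download step.

```shell
#!/bin/sh
# Added example (not Immuta tooling): seal ./offline-kit before transfer and
# verify it inside the air-gapped network before pushing any image.
# Function names and the SHA256SUMS file name are assumptions of this example.

# archive_name REF: archive file name produced by the download step's sed rule.
archive_name() {
  printf '%s.tar\n' "$(printf '%s\n' "$1" | sed 's#.*/##; s#:#-#g')"
}

# missing_archives KIT REF...: print every image reference with no archive in KIT.
missing_archives() {
  kit=$1; shift
  for ref in "$@"; do
    [ -f "$kit/$(archive_name "$ref")" ] || printf '%s\n' "$ref"
  done
}

# seal_kit KIT: hash every file into KIT/SHA256SUMS and print the digest of the
# manifest itself. Carry that one digest separately from the kit.
seal_kit() {
  ( cd "$1" || exit 1
    find . -type f ! -name SHA256SUMS -exec sha256sum {} + | sort -k 2 > SHA256SUMS
    sha256sum SHA256SUMS | cut -d ' ' -f 1 )
}

# verify_kit KIT DIGEST: succeed only if the manifest matches DIGEST, every
# listed file hashes correctly, and no unlisted file was added.
verify_kit() {
  ( cd "$1" || exit 1
    [ "$(sha256sum SHA256SUMS | cut -d ' ' -f 1)" = "$2" ] ||
      { echo "manifest digest mismatch" >&2; exit 1; }
    out=$(sha256sum -c SHA256SUMS 2>&1) ||
      { printf '%s\n' "$out" | grep -v ': OK$' >&2; exit 1; }
    listed=$(sed 's/^[0-9a-f]* [ *]//' SHA256SUMS | sort)
    present=$(find . -type f ! -name SHA256SUMS | sort)
    [ "$listed" = "$present" ] ||
      { echo "files present that the manifest does not list" >&2; exit 1; } )
}
```

Run `seal_kit ./offline-kit` on the connected machine once `missing_archives` prints nothing for the images listed in DIGESTS.md, and carry the printed digest into the air-gapped network by a separate path from the kit. Run `verify_kit ./offline-kit <digest>` there before the first `skopeo copy` to the private registry.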

Chart installation

A Helm chart can be referenced from a local file path; it does not have to be referenced remotely. When referring to documentation, substitute any references to oci://ocir.immuta.com/stable/immuta-enterprise with the path to the chart archive (.tgz) file.

Edit the immuta-values.yaml to reference the private container registry and images.
