# Immuta in an Air-Gapped Environment

This page provides one possible way to download and package Immuta artifacts for consumption on a separate network with no Internet access.

```bash
export IMMUTA_VERSION=2024.2.20
export IMMUTA_IMAGES="audit-service audit-export-cronjob cache classify-service immuta-service"
export IMMUTA_LEGACY_IMAGES="immuta-db immuta-fingerprint"
for image in ${IMMUTA_IMAGES} ${IMMUTA_LEGACY_IMAGES}; do
  skopeo copy docker://ocir.immuta.com/stable/${image}:${IMMUTA_VERSION} docker-archive://${PWD}/${image}-${IMMUTA_VERSION}.tar;
done
```

1. Copy the snippet below and replace the placeholder text with the credentials provided by your Immuta representative:

   ```bash
   echo <token> | helm registry login --password-stdin --username <username> ocir.immuta.com
   ```
2. Download the IEHC for the current Immuta release:

   ```bash
   helm pull oci://ocir.immuta.com/stable/immuta-enterprise --version 2024.2.20
   ```

```bash
export PRIVATE_REGISTRY=your.private-registry.com
export IMMUTA_VERSION=2024.2.20
export IMMUTA_IMAGES="audit-service audit-export-cronjob cache classify-service immuta-service"
export IMMUTA_LEGACY_IMAGES="immuta-db immuta-fingerprint"
for image in ${IMMUTA_IMAGES} ${IMMUTA_LEGACY_IMAGES}; do
  skopeo copy docker-archive://${PWD}/${image}-${IMMUTA_VERSION}.tar docker://${PRIVATE_REGISTRY}/immuta/${image}:${IMMUTA_VERSION};
done
```

```bash
helm upgrade --install immuta ./immuta-enterprise-2024.2.20.tgz -f immuta-values.yaml
```

## Prerequisite

{% hint style="info" %}
**Skopeo installation**

This guide utilizes the `skopeo` command to copy container images; ensure it's installed before proceeding. Refer to the [skopeo documentation](https://github.com/containers/skopeo/blob/main/install.md) for further assistance.
{% endhint %}

### Checklist

#### Skopeo

* [ ] Skopeo is authenticated with Immuta's registry on the networked machine.
* [ ] Skopeo is authenticated with the private registry on the air-gapped machine.

#### Helm

* [ ] Helm is authenticated with Immuta's registry on the networked machine.

## Download artifacts

This section demonstrates how to download the Helm chart and container images to your local machine. These artifacts will be packaged and transferred to the air-gapped environment later.

{% hint style="info" %}
Upon completion of these steps, the saved artifacts can be found in the local directory `offline-kit`.
{% endhint %}

1. Create a directory named `offline-kit`.

   ```bash
   mkdir ./offline-kit
   ```
2. Download the Helm chart into directory `offline-kit`.

   ```bash
   helm pull oci://ocir.immuta.com/stable/immuta-enterprise --destination ./offline-kit --version 2024.3.9
   ```
3. Extract file `DIGESTS.md` from the Helm chart archive.

   ```bash
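   # The chart was pulled into ./offline-kit in step 2, so read the archive from there.
   # The file name is spelled out because the shell does not expand a glob inside --file=<pattern>.
   tar --extract --gzip --strip-components=1 --directory=./offline-kit --file=./offline-kit/immuta-enterprise-2024.3.9.tgz immuta-enterprise/DIGESTS.md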
   ```
4. Open file `./offline-kit/DIGESTS.md`. This file includes the name and digest of every container image referenced by the Helm chart.
5. Download each image listed in file `DIGESTS.md` using [skopeo](https://github.com/containers/skopeo). Each image will be saved to directory `offline-kit` with the filename `<name>-<tag>.tar`.

   ```bash
   # Prompt for one image reference, then save it as offline-kit/<name>-<tag>.tar.
   read -r -p "Enter the container image to download (e.g., docker.io/hello-world:latest):" image && \
   skopeo copy docker://"$image" docker-archive:"offline-kit/$(sed 's#.*/##; s#:#-#g' <<< "$image").tar"
   ```

## Transfer artifacts

This section demonstrates how to push the previously archived container images to a private registry that's accessible from within your air-gapped environment.

{% hint style="info" %}
The exact process for transferring files into an air-gapped network can vary significantly depending on your specific security policies and infrastructure.
{% endhint %}

1. Transfer directory `offline-kit` (created in the previous section) onto a machine that's within your air-gapped environment.
2. Push each image to your private registry using [skopeo](https://github.com/containers/skopeo).

   ```bash
   skopeo copy docker-archive:offline-kit/<name>-<tag>.tar docker://<private-registry-fqdn>/immuta/<name>:<tag>
   ```
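The per-image download (step 5 of the previous section) and push steps above can be batched, with a checksum manifest so that archives altered or truncated during the transfer are caught before anything is pushed. This is an added example, not Immuta tooling: the file names `images.txt` (one image reference per line, copied from `DIGESTS.md`) and `SHA256SUMS`, and all function names, are assumptions made for this sketch.

```shell
#!/usr/bin/env bash
# Added example, not Immuta tooling. images.txt (one image reference per line,
# copied from DIGESTS.md) and SHA256SUMS are file names assumed for this sketch.
set -eu
KIT="${KIT:-./offline-kit}"

# <registry>/<path>/<name>:<tag> -> <name>-<tag>.tar (same mapping as the sed in step 5)
archive_name() {
  printf '%s.tar\n' "$(printf '%s' "${1##*/}" | tr ':' '-')"
}

# (<private-registry-fqdn>, <reference>) -> <private-registry-fqdn>/immuta/<name>:<tag>
private_ref() {
  printf '%s/immuta/%s\n' "$1" "${2##*/}"
}

# Networked machine: print one download command per reference in images.txt.
pull_cmds() {
  while IFS= read -r ref; do
    [ -n "$ref" ] || continue
    printf 'skopeo copy docker://%s docker-archive:%s/%s\n' \
      "$ref" "$KIT" "$(archive_name "$ref")"
  done < "$KIT/images.txt"
}

# Networked machine, after the downloads: record a SHA-256 for every kit file.
seal_kit() {
  ( cd "$KIT" && find . -type f ! -name SHA256SUMS -exec sha256sum {} + > SHA256SUMS )
}

# Air-gapped machine: print push commands only if every file still matches.
push_cmds() {
  ( cd "$KIT" && sha256sum -c SHA256SUMS ) >&2 || return 1
  while IFS= read -r ref; do
    [ -n "$ref" ] || continue
    printf 'skopeo copy docker-archive:%s/%s docker://%s\n' \
      "$KIT" "$(archive_name "$ref")" "$(private_ref "$1" "$ref")"
  done < "$KIT/images.txt"
}

# Usage: kit.sh pull | kit.sh seal | kit.sh push <private-registry-fqdn>
case "${1:-}" in
  pull) pull_cmds ;;
  seal) seal_kit ;;
  push) push_cmds "$2" ;;
esac
```

The script only prints the `skopeo` commands so they can be reviewed before being run. Keeping `images.txt` in the kit avoids having to guess `<name>` and `<tag>` back from a filename in which both may contain hyphens.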

## Chart installation

{% hint style="info" %}
A Helm chart can be referenced from a local file path instead of remotely. When referring to documentation, substitute any references to `oci://ocir.immuta.com/stable/immuta-enterprise` with the path to the local chart archive (`.tgz`) file.
{% endhint %}

Edit `immuta-values.yaml` to reference the [private container registry and images](https://documentation.immuta.com/2024.2/self-managed-deployment/configure/private-container-registries).
