Air-gapped Installation Artifact Transfer

This article provides one possible way to download and package Immuta artifacts for consumption on a separate network with no Internet access. Adjust accordingly depending on your environment and target Immuta version.

Installing skopeo

The commands in this article copy the Immuta images from the registry to the local host and export to tarball using skopeo. Details on installing skopeo for the local platform can be found here:

Authenticate Skopeo to the Immuta Registry

skopeo login https://ocir.immuta.com -u <username> -p <password>

Copy images from Immuta Registry

The IMMUTA_LEGACY_IMAGES noted below are only required if the deployment still requires the Immuta Query Engine or Immuta Fingerprint service. If not, these can be omitted.

export IMMUTA_VERSION=2024.2.5
export IMMUTA_IMAGES="audit-service audit-export-cronjob cache classify-service immuta-service"
export IMMUTA_LEGACY_IMAGES="immuta-db immuta-fingerprint"
for image in ${IMMUTA_IMAGES} ${IMMUTA_LEGACY_IMAGES}; do
  skopeo copy docker://ocir.immuta.com/stable/${image}:${IMMUTA_VERSION} docker-archive://${PWD}/${image}-${IMMUTA_VERSION}.tar;
done

Pull the Immuta Enterprise Helm Chart (IEHC)

Copy the snippet below and replace the placeholder text with the credentials provided to you by your customer success manager:

echo <token> | helm registry login --password-stdin --username <username> ocir.immuta.com

Download the IEHC associated with the current Immuta release

helm pull oci://ocir.immuta.com/stable/immuta-enterprise --version 2024.2.5

Pushing images to Private Registry

After transferring the Immuta container images and Helm chart to your air-gapped network, load them into the container registry there after authenticating.

export PRIVATE_REGISTRY=your.private-registry.com
export IMMUTA_VERSION=2024.2.5
export IMMUTA_IMAGES="audit-service audit-export-cronjob cache classify-service immuta-service"
export IMMUTA_LEGACY_IMAGES="immuta-db immuta-fingerprint"
for image in ${IMMUTA_IMAGES} ${IMMUTA_LEGACY_IMAGES}; do
  skopeo copy docker-archive://${PWD}/${image}-${IMMUTA_VERSION}.tar docker://${PRIVATE_REGISTRY}/immuta/${image}:${IMMUTA_VERSION};
done

Installing from IEHC tarball

Be sure to override the image registry in the helm chart values overrides:

immuta-values.yaml

---
global:
  imageRegistry: your.private-registry.com
  imageRepositoryMap:
    immuta/immuta-service: immuta/immuta-service
    immuta/immuta-db: immuta/immuta-db
    immuta/immuta-fingerprint: immuta/immuta-fingerprint
    immuta/audit-service: immuta/audit-service
    immuta/audit-export-cronjob: immuta/audit-export-cronjob
    immuta/classify-service: immuta/classify-service
    immuta/cache: immuta/cache

The IEHC can be referenced via filename if there is no helm chart repository on the destination network:

helm upgrade --install immuta ./immuta-enterprise-2024.2.5.tgz -f immuta-values.yaml

PreviousImmuta Installation on k3s in Air Gapped environment

Last updated 4 months ago

Copy images from Immuta Registry

The IMMUTA_LEGACY_IMAGES noted below are only required if the deployment still requires the Immuta Query Engine or Immuta Fingerprint service. If not, these can be omitted.

export IMMUTA_VERSION=2024.2.5
export IMMUTA_IMAGES="audit-service audit-export-cronjob cache classify-service immuta-service"
export IMMUTA_LEGACY_IMAGES="immuta-db immuta-fingerprint"
for image in ${IMMUTA_IMAGES} ${IMMUTA_LEGACY_IMAGES}; do
  skopeo copy docker://ocir.immuta.com/stable/${image}:${IMMUTA_VERSION} docker-archive://${PWD}/${image}-${IMMUTA_VERSION}.tar;
done

Pull the Immuta Enterprise Helm Chart (IEHC)

Copy the snippet below and replace the placeholder text with the credentials provided to you by your customer success manager:

echo <token> | helm registry login --password-stdin --username <username> ocir.immuta.com

Download the IEHC associated with the current Immuta release

helm pull oci://ocir.immuta.com/stable/immuta-enterprise --version 2024.2.5

Pushing images to Private Registry

After transferring the Immuta container images and Helm chart to your air-gapped network, load them into the container registry there after authenticating.

export PRIVATE_REGISTRY=your.private-registry.com
export IMMUTA_VERSION=2024.2.5
export IMMUTA_IMAGES="audit-service audit-export-cronjob cache classify-service immuta-service"
export IMMUTA_LEGACY_IMAGES="immuta-db immuta-fingerprint"
for image in ${IMMUTA_IMAGES} ${IMMUTA_LEGACY_IMAGES}; do
  skopeo copy docker-archive://${PWD}/${image}-${IMMUTA_VERSION}.tar docker://${PRIVATE_REGISTRY}/immuta/${image}:${IMMUTA_VERSION};
done

Installing from IEHC tarball

Be sure to override the image registry in the helm chart values overrides:

immuta-values.yaml

---
global:
  imageRegistry: your.private-registry.com
  imageRepositoryMap:
    immuta/immuta-service: immuta/immuta-service
    immuta/immuta-db: immuta/immuta-db
    immuta/immuta-fingerprint: immuta/immuta-fingerprint
    immuta/audit-service: immuta/audit-service
    immuta/audit-export-cronjob: immuta/audit-export-cronjob
    immuta/classify-service: immuta/classify-service
    immuta/cache: immuta/cache

The IEHC can be referenced via filename if there is no helm chart repository on the destination network:

helm upgrade --install immuta ./immuta-enterprise-2024.2.5.tgz -f immuta-values.yaml