Immuta Installation on k3s in Air Gapped environment
While the pattern in this article is useful for development and testing, Immuta does not recommend or support using a single server deployment in production.
Gathering Artifacts
Gather the k3s, Elasticsearch, PostgreSQL and Immuta artifacts needed for transfer to the destination network. This list is not intended to be exhaustive but is a decent minimal option. Alternatives for Kubernetes, Elasticsearch and PostgreSQL are not covered here and may suit individual use cases better.
The docker pull and docker save commands are used here in lieu of other commands like skopeo in order to easily preserve the container name/tag format for import into containerd.
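IMMUTA_VERSION=2024.2.4
# Replace the placeholders with your Immuta registry credentials
IMMUTA_USER='<username>'
IMMUTA_PASSWORD='<password>'
# Log in with docker (not skopeo) so that the docker pull commands below are authenticated;
# the password is read from stdin to keep it out of the process list
printf '%s' "${IMMUTA_PASSWORD}" | docker login ocir.immuta.com -u "${IMMUTA_USER}" --password-stdin
export IMMUTA_IMAGES="audit-service audit-export-cronjob cache classify-service immuta-service"
# Pull each image and save it as a tarball that keeps the name/tag for import into containerd
for image in ${IMMUTA_IMAGES}; do
  docker pull "ocir.immuta.com/stable/${image}:${IMMUTA_VERSION}"
  docker save "ocir.immuta.com/stable/${image}:${IMMUTA_VERSION}" > "${image}-${IMMUTA_VERSION}.tar"
done
# Download the Immuta Helm chart as immuta-enterprise-${IMMUTA_VERSION}.tgz
helm pull oci://ocir.immuta.com/stable/immuta-enterprise --version "${IMMUTA_VERSION}" --username "${IMMUTA_USER}" --password "${IMMUTA_PASSWORD}"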
Artifacts to be transferred to air gapped network
Transfer the files gathered in previous steps along with the additional files included at the bottom of this section to the air gapped deployment network. An example of this list is included for reference:
-rwxr-xr-x 1 ubuntu ubuntu 66359448 Jul 31 16:32 k3s
-rw-r--r-- 1 ubuntu ubuntu 154648289 Jul 31 16:33 k3s-airgap-images-amd64.tar.zst
-rwxr-xr-x 1 ubuntu ubuntu 36426 Aug 19 15:05 k3s-install.sh
-rw-r--r-- 1 ubuntu ubuntu 35150 Aug 19 15:18 immuta-enterprise-2024.2.4.tgz
-rw-r--r-- 1 ubuntu ubuntu 118565 Aug 19 17:26 pgo-5.6.0.tgz
-rw-r--r-- 1 ubuntu ubuntu 1469282304 Aug 20 11:35 audit-service-2024.2.4.tar
-rw-r--r-- 1 ubuntu ubuntu 546697216 Aug 20 11:35 audit-export-cronjob-2024.2.4.tar
-rw-r--r-- 1 ubuntu ubuntu 10576896 Aug 20 11:35 cache-2024.2.4.tar
-rw-r--r-- 1 ubuntu ubuntu 895760896 Aug 20 11:36 classify-service-2024.2.4.tar
-rw-r--r-- 1 ubuntu ubuntu 1136108032 Aug 20 11:36 immuta-service-2024.2.4.tar
-rw-r--r-- 1 ubuntu ubuntu 637336064 Aug 20 11:41 crunchy-postgres-16.3-1.tar
-rw-r--r-- 1 ubuntu ubuntu 156720128 Aug 20 11:42 postgres-operator-5.6.0.tar
-rw-r--r-- 1 ubuntu ubuntu 135928 Aug 20 11:48 eck-operator-2.14.0.tgz
-rw-r--r-- 1 ubuntu ubuntu 77628928 Aug 20 11:48 eck-operator-image-2.14.0.tar
-rw-r--r-- 1 ubuntu ubuntu 1266177024 Aug 20 11:49 elasticsearch-8.15.0.tar
-rw-r--r-- 1 ubuntu ubuntu 2438 Aug 20 13:48 postgres-operator-values.yaml
-rw-r--r-- 1 ubuntu ubuntu 194620928 Aug 20 14:26 pgbackrest-2.51-1.tar
-rw-r--r-- 1 ubuntu ubuntu 734 Aug 20 14:30 postgres-cluster.yaml
-rw-r--r-- 1 ubuntu ubuntu 527 Aug 20 14:59 elasticsearch.yaml
-rw-r--r-- 1 ubuntu ubuntu 1043 Aug 20 15:29 immuta-values.yaml
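A hash manifest lets the receiving side confirm that the files listed above arrived unmodified and that nothing extra was added in transit. This is an added example, not part of the original article or Immuta's tooling; the make_manifest and verify_manifest helper names and the SHA256SUMS file name are assumptions, and it assumes sha256sum is available on both hosts.

```shell
# Added example (hypothetical helpers): integrity manifest for artifacts
# that cross the air gap. Both functions take the staging directory.
MANIFEST=SHA256SUMS   # assumed manifest file name

# Connected side: record a SHA-256 digest for every regular file.
make_manifest() {
  ( cd "$1" || exit 1
    for f in *; do
      # Skip directories and the manifest itself.
      [ -f "$f" ] && [ "$f" != "$MANIFEST" ] || continue
      sha256sum -- "$f" || exit 1
    done > "$MANIFEST" )
}

# Air-gapped side: fail if a file is missing, altered, or unlisted.
verify_manifest() {
  ( cd "$1" || exit 1
    [ -s "$MANIFEST" ] || { echo "missing or empty $MANIFEST" >&2; exit 1; }
    rc=0
    # 1. Every listed file must exist and match its recorded digest.
    sha256sum -c "$MANIFEST" >&2 || rc=1
    # 2. Nothing may be present that the manifest does not list.
    #    Manifest lines are "<64 hex digits>  <name>", so names start at column 67.
    for f in *; do
      [ -f "$f" ] && [ "$f" != "$MANIFEST" ] || continue
      if ! cut -c67- "$MANIFEST" | grep -qxF -- "$f"; then
        echo "unlisted file: $f" >&2
        rc=1
      fi
    done
    exit "$rc" )
}
```

Run make_manifest on the connected host before the transfer and verify_manifest on the air-gapped host before importing any image or chart. Move SHA256SUMS over a separate channel or sign it, since a manifest that travels with the files only detects accidental corruption.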
Deploying Kubernetes
Copy the k3s airgap images to the correct destination and run the install setting the option to bypass downloads:
Edit the immuta-values.yaml file template provided in the artifact gathering and transfer sections with the correct PostgreSQL and Elasticsearch credentials and then install with:
Forward the immuta-secure service port back to the localhost and validate connectivity. This can also be accessed via a web browser if the destination machine is not headless. Firewall ports may need to be opened otherwise: