Air-Gapped Environments

This guide demonstrates how to download and package the Immuta Enterprise Helm chart and its dependencies for consumption on a separate network with no internet access.

Prerequisite

Skopeo installation

This guide utilizes the skopeo command to copy container images; ensure it's installed before proceeding. Refer to the skopeo documentation for further assistance.

Checklist

Skopeo

Skopeo is authenticated with Immuta's registry on the networked machine.
Skopeo is authenticated with the private registry on the air-gapped machine.

Helm

Helm is authenticated with Immuta's registry on the networked machine.

Download artifacts

This section demonstrates how to download the Helm chart and container images to your local machine. These artifacts will be packaged and transferred to the air-gapped environment later.

Upon completion of these steps, the saved artifacts can be found in local directory offline-kit.

Create a directory named offline-kit.
```
mkdir ./offline-kit
```

Download the Helm chart into directory offline-kit.

helm pull oci://ocir.immuta.com/stable/immuta-enterprise --destination ./offline-kit --version 2024.3.5

Extract file DIGESTS.md from the Helm chart archive.

tar --extract --gzip --strip-components=1 --directory=./offline-kit --file=./immuta-enterprise-*.tgz immuta-enterprise/DIGESTS.md

Open file ./offline-kit/DIGESTS.md. This file includes the name and digest of every container image referenced by the Helm chart.

Download each image listed in file DIGESTS.md using skopeo. Each image will be saved to directory offline-kit with the filename<name>-<tag>.tar.

read -r -p "Enter the container image to download (e.g., docker.io/hello-world:latest):" image && \
skopeo copy docker://"$image" docker-archive:"offline-kit/$(sed 's#.*/##; s#:#-#g' <<< "$image").tar"

Transfer artifacts

This section demonstrates how to push the previously archived container images to a private registry that's accessible from within your air-gapped environment.

The exact process for transferring files into an air-gapped network can vary significantly depending on your specific security policies and infrastructure.

Transfer directory offline-kit (created in the previous section) onto a machine that's within your air-gapped environment.

Push each image to your private registry using skopeo.

skopeo copy docker-archive:offline-kit/<name>-<tag>.tar docker://<private-registry-fqdn>/immuta/<name>:<tag>

Chart installation

A Helm chart can be referenced from a local file path, instead of remotely if desired. It is not necessary to reference it remotely. When referring to documentation, substitute any references to oci://ocir.immuta.com/stable/immuta-enterprise with the path to the unarchived (.tgz) chart file.

Edit the immuta-values.yaml to reference the private container registry and images.

Last updated 1 day ago