Skip to main content
pgAgroal Enterprise docs · Install air-gapped

pgAgroal Enterprise · How-to

Install air-gapped

Install pgAgroal Enterprise into an offline or private-registry environment without weakening provenance. You build a bundle on a connected host, verify it, carry it across the gap, import it to your registry, and install from there.

The bundle pins everything by digest and carries the artifacts, SBOMs, signatures, chart, dashboards, and policies needed for a complete install. This keeps the offline install traceable to source, aligned with our provenance and audit-readiness goals.

Prerequisites

Run the build step on a host that has network access to the source registry, and run the import step on a host that can reach your private registry.

  • docker and helm are required on both hosts.
  • syft and cosign are optional but recommended — when present, the bundle includes SBOMs and attestations.
  • skopeo is a fine registry-to-registry alternative to the docker save / load flow if you prefer it.

Build the bundle (online)

On the connected host, pin the image and operator by digest and run bundle.sh. This produces a single versioned tarball.

IMAGE_DIGEST=ghcr.io/elevarq/pgagroal-enterprise@sha256:... \
OPERATOR_DIGEST=ghcr.io/elevarq/pgagroal-enterprise-operator@sha256:... \
VERSION=1.0.0 \
deploy/airgap/bundle.sh
# -> pgagroal-enterprise-airgap-1.0.0.tar.gz

The tarball contains:

  • Image docker save tarballs, referenced by digest.
  • The packaged Helm chart and the GitOps manifests.
  • Grafana dashboards, Prometheus rules, and Kyverno policies.
  • SBOMs and attestations (when syft / cosign are present).
  • SECURITY.md, docs/compliance, and the CVE-response SLA.
  • A version-manifest.yaml and the import.sh script.

Verify before transferring

While the build host still has network access, verify the signatures and the SBOM attestation against the source registry. Do this before the bundle crosses the gap.

cosign verify ghcr.io/elevarq/pgagroal-enterprise@sha256:...
cosign verify-attestation --type spdxjson ghcr.io/elevarq/pgagroal-enterprise@sha256:...

Transfer and import (offline)

Carry the tarball across the gap, extract it, and from inside the extracted directory run import.sh with your registry. This loads the images, retags and pushes them to your registry, and pushes the Helm chart to oci://<registry>/charts.

REGISTRY=registry.internal.example.com/elevarq ./import.sh

Install from the private registry

Point the private-registry overlay at your registry and apply the GitOps Application or HelmRelease, or install the chart directly:

helm install pgagroal-enterprise oci://<registry>/charts/pgagroal-enterprise \
  -n pgagroal-system --create-namespace \
  -f deploy/gitops/overlays/private-registry-values.yaml

Then apply the Kyverno guardrails from policy/ and import the dashboards and rules from observability/.

Next steps

  • Install with Helm — the connected-install walkthrough the offline values mirror.
  • GitOps install — apply the Application or HelmRelease against your private registry.
  • How to buy — air-gapped delivery is part of the direct subscription.