Air-gapped Environments

Installing or upgrading kdb Insights Enterprise in an air-gapped environment requires some changes relative to performing these operations in an internet-enabled environment.

The steps are:

Install prerequisites in the air-gapped environment.
Host the required charts and images in accessible registries.
Update the install configuration to point at the accessible registries.

Prerequisites

The prerequisites are the same as a standard installation, however, you must ensure the required tools are available in the air-gapped environment.

Additionally, ensure you:

Read the CLI documentation for information on how to install the CLI in an air-gapped environment.

Hosting charts and images

The charts and images are usually downloaded from the internet at deployment time, in an air-gapped environment this isn't possible so they must be downloaded ahead of time and hosted in registries that are accessible from the air-gapped environment.

Charts

Ensure the kdb Insights Enterprise and kxi-operator charts are available on the air-gapped environment.

Download the insights and kxi-operator Helm charts on an internet-enabled machine. Version environment variables are set according to the state of kdb Insights Enterprise 1.18.0:

INSIGHTS_VERSION=1.18.0
OPERATOR_VERSION=1.18.0
MGMT_SVC_VERSION=1.1.0
INSIGHTS_ON_K8S_VERSION=1.1.28
CNPG_CHART_VERSION=0.25.0
KEYCLOAK_CHART_VERSION=7.1.8

helm repo add --username <USERNAME> kx-insights https://portal.dl.kx.com/assets/helm/
<enter password>
helm fetch kx-insights/insights --version $INSIGHTS_VERSION
helm fetch kx-insights/kxi-operator --version $OPERATOR_VERSION
helm fetch kx-insights/kxi-management-service --version $MGMT_SVC_VERSION
helm fetch kx-insights/insights-on-k8s --version $INSIGHTS_ON_K8S_VERSION
helm repo add cnpg https://cloudnative-pg.io/charts
helm fetch cnpg/cloudnative-pg --version $CNPG_CHART_VERSION
helm repo add codecentric https://codecentric.github.io/helm-charts
helm fetch codecentric/keycloakx --version $KEYCLOAK_CHART_VERSION

Push the downloaded tgz files to an internal helm repository accessible from the air-gapped environment:

HELM_REPO_URL=<INTERNAL_HELM_REPOSITORY_URL>

helm push insights-$INSIGHTS_VERSION.tgz $HELM_REPO_URL
helm push kxi-operator-$OPERATOR_VERSION.tgz $HELM_REPO_URL
helm push kxi-management-service-$MGMT_SVC_VERSION.tgz $HELM_REPO_URL
helm push insights-on-k8s-$INSIGHTS_ON_K8S_VERSION.tgz $HELM_REPO_URL
helm push cloudnative-pg-$CNPG_CHART_VERSION.tgz $HELM_REPO_URL
helm push keycloakx-$KEYCLOAK_CHART_VERSION.tgz $HELM_REPO_URL

Images

Retrieve a manifest of the images to download and host in an image repository that is accessible from the air-gapped environment.

This can be obtained from KX. An example manifest for kdb Insights Enterprise version 1.18.0:

Type	Repository	Name	Tag
docker	docker.io	alpine	3.22
docker	docker.io	alpine	3.22
docker	docker.io/istio	proxyv2	1.27.3
docker	docker.io/adorsys	keycloak-config-cli	5.9.0-19.0.3
docker	docker.io/bitnami	postgresql	15.0.0-debian-11-r1
docker	portal.dl.kx.com	curl-jq	2.0.2
docker	portal.dl.kx.com	kxi-acc-svc	1.11.0
docker	portal.dl.kx.com	kxi-api-gateway	1.14.1
docker	portal.dl.kx.com	kxi-client-controller	1.18.0
docker	portal.dl.kx.com	kxi-da-single	1.18.0
docker	portal.dl.kx.com	kxi-da	1.18.0
docker	portal.dl.kx.com	kxi-ent-srv	1.18.0
docker	portal.dl.kx.com	kxi-gui-app	1.18.0
docker	portal.dl.kx.com	kxi-gui-data	1.18.0
docker	portal.dl.kx.com	kxi-gui-gateway	1.18.0
docker	portal.dl.kx.com	kxi-gui-pdf	1.18.0
docker	portal.dl.kx.com	kxi-info-srv	1.1.0
docker	portal.dl.kx.com	kxi-ml	1.18.0
docker	portal.dl.kx.com	kxi-obs-srv	1.8.0
docker	portal.dl.kx.com	kxi-package-manager	1.18.0
docker	portal.dl.kx.com	kxi-rt	1.18.0
docker	portal.dl.kx.com	kxi-scratchpad-manager	1.18.0
docker	portal.dl.kx.com	kxi-scratchpad	1.18.0
docker	portal.dl.kx.com	kxi-sg-agg	1.18.0
docker	portal.dl.kx.com	kxi-sg-gw	1.18.0
docker	portal.dl.kx.com	kxi-sg-rc	1.18.0
docker	portal.dl.kx.com	kxi-sidecar	1.18.0
docker	portal.dl.kx.com	kxi-sm-dbm	1.18.0
docker	portal.dl.kx.com	kxi-sm-eod	1.18.0
docker	portal.dl.kx.com	kxi-sm-eoi	1.18.0
docker	portal.dl.kx.com	kxi-sm-single	1.18.0
docker	portal.dl.kx.com	kxi-sm	1.18.0
docker	portal.dl.kx.com	kxi-sp-controller	1.18.0
docker	portal.dl.kx.com	kxi-sp-coordinator	1.18.0
docker	portal.dl.kx.com	kxi-sp-python	1.18.0
docker	portal.dl.kx.com	kxi-sp-worker	1.18.0
docker	portal.dl.kx.com	kxi-operator	1.18.0
docker	portal.dl.kx.com	kxi-management-service	1.1.0
docker	portal.dl.kx.com	kxi-task-encryption-in-flight-deploy	1.1.28
docker	portal.dl.kx.com	kxi-task-cloudnative-pg-cnpg	1.1.28
docker	portal.dl.kx.com	kxi-task-cloudnative-pg-uninstall-cnpg-uninstall	1.1.28
docker	portal.dl.kx.com	kxi-task-keycloak-remove-kc-remove	1.1.28
docker	portal.dl.kx.com	kxi-task-kxi-management-insights-rollback	1.1.28
docker	portal.dl.kx.com	kxi-task-kxi-management-insights-rt-prepare-for-rollback	1.1.28
docker	portal.dl.kx.com	kxi-task-ingress-mgmt-configure-nginx	1.1.28
docker	portal.dl.kx.com	kxi-task-encryption-in-flight-deploy	1.1.28
docker	portal.dl.kx.com	kxi-task-backup-backup	1.1.28
docker	portal.dl.kx.com	kxi-task-validations-check-script	1.1.28
docker	portal.dl.kx.com	kxi-task-db-migration-migrate-db-postgresql	1.1.28
docker	portal.dl.kx.com	kxi-task-db-migration-migrate-db-kxi	1.1.28
docker	portal.dl.kx.com	kxi-task-db-migration-migrate	1.1.28
docker	ghcr.io/cloudnative-pg	cloudnative-pg	1.26.1
docker	ghcr.io/cloudnative-pg	postgresql	17.6-202511030807-standard-bullseye
docker	quay.io	keycloak	26.5.3

Install

Ensure you have read the standard install documentation before proceeding.

Ensure that all the charts and images are in accessible registries and that the prerequisites have been completed.
Open a command line window.

Add internal helm repository

helm repo add internal-repository $HELM_REPO_URL --username $HELM_REPO_USER --password $HELM_REPO_PASSWORD

Generate a values file by running:
```
kxi install setup
```

Edit the values file to reference the accessible image repository by merging the below with the generated values file and replacing IMAGE_REPOSITORY_URL with the appropriate URL.

global:
  image:
    repository: <IMAGE_REPOSITORY_URL>
cnpg-database:
  image: <IMAGE_REPOSITORY_URL>/postgresql:17.6-202511030807-standard-bullseye
cnpg-operator:
  private-registry:
    enabled: true
    chart-url: <CNGP_CHART_URL>
    pull-secret: internal-image-pull-secret
  version: 0.25.0
keycloak:
  private-registry:
    enabled: true
    host: <IMAGE_REPOSITORY_URL>
  image:
    repository: <IMAGE_REPOSITORY_URL>/keycloak
  auth:
    existingSecret: kxi-keycloak
keycloak-config-cli:
  image:
    repository: <IMAGE_REPOSITORY_URL>/keycloak-config-cli

Image tags

The image tags in the values above are for kdb Insights version 1.18.0. If you're installing a different version, these need to be updated to the appropriate version from the images manifest.

Image pull secret

cnpg-operator.private-registry.pull-secret has to point to an existing secret in the kxi-management namespace with type kubernetes.io/dockerconfigjson, which contains the credentials to the internal image repository.

Run the install command:

kxi install run --filepath values.yaml --version $INSIGHTS_VERSION --chart-repo-name internal-repository

Upgrade

Make sure you have read the standard upgrade documentation before proceeding.

Ensure that all the charts and images are in accessible registries and that the prerequisites have been completed. The versions you intend to upgrade to must be accessible.
Open a command line window.
Retrieve the previously used install configuration with:
```
kxi install get-values > $INSTALL_CONFIG_FILE
```
Update the resulting file to customize the install configuration upon upgrade, including version-specific upgrade considerations. In particular, ensure that all images reference the accessible image repository and the tags are the correct version for the upgrade based on the image manifest.

Run the upgrade command:

kxi install upgrade –filepath $INSTALL_CONFIG_FILE --version $INSIGHTS_VERSION --chart-repo-name internal-repository

Rollback

Make sure you have read the standard rollback documentation before proceeding.

Run kxi install history to review the release history and choose which revision you want to roll back to:

$ kxi install history --show-operator
REVISION    UPDATED                     STATUS              CHART                   APP VERSION DESCRIPTION
1           Tue Feb 28 14:10:03 2023    deployed            insights-1.16.0         1.16.0          Install complete
2           Tue Feb 28 14:16:41 2023    failed              insights-1.17.0-rc.60   1.17.0-rc.60    Upgrade "insights" failed: post-upgrade hooks failed: timed out waiting for the condition
3           Tue Feb 28 14:25:55 2023    failed              insights-1.4.0-rc.80    1.4.0-rc.80 Upgrade "insights" failed: post-upgrade hooks failed: timed out waiting for the condition

1           Tue Feb 28 14:09:52 2023    superseded  kxi-operator-1.16.1         1.16.1          Install complete
2           Tue Feb 28 14:15:37 2023    superseded  kxi-operator-1.17.0-rc.41   1.17.0-rc.41    Upgrade complete
3           Tue Feb 28 14:24:54 2023    superseded  kxi-operator-1.17.0-rc.41   1.17.0-rc.41    Upgrade complete

To see only kdb Insights Enterprise revisions, omit --show-operator

Ensure that version of the kxi-operator chart that you are rolling back to is available in internal-repository.

Run kxi install rollback with the chosen revisions:

$ kxi install rollback  $INSIGHTS_REVISION --operator-revision $OPERATOR_REVISION --operator-chart --chart-repo-name internal-repository
Rolling Insights back to version 1.16.0 and revision 1.
And operator back to version 1.16.1 and revision 1 [y/N]: y

Backing up assemblies
No assemblies to back up
...

No explicit revision

If you do not provide an explicit revision, kxi install rollback will choose the most recent one.

To rollback only kdb Insights Enterprise, omit --operator-revision