Skip to main content

Install on Airgap

Requirements

Before starting the installation, ensure to review the system and network requirements, and download your license.

Helm-based installation

Currently, deployment of the app using Helm charts supports only Helm CLI and ArgoCD.

Accessing and Downloading the GitGuardian Helm Chart

⚠️ Ensure you're using the latest version of helm.

  1. Login to Helm chart registry: The Helm chart is available in the Replicated private registry. Use the password provided by the GitGuardian team. Log in with this command (replace email with the one given to GitGuardian):
helm registry login registry.replicated.com --username your.name@yourcompany.com
  1. Download Helm chart locally: After logging in, download and extract the GitGuardian Helm chart into a local directory (e.g., /home/user) using:
cd /home/user
helm fetch oci://registry.replicated.com/gitguardian/gitguardian

Download GitGuardian Images

tip

GitGuardian images are accessible through the Replicated proxy registry. To learn how to connect it to a Harbor or JFrog Artifactory instance for pull-through image caching, visit Using a Registry Proxy for Helm Air Gap Installations.

You may get current versions in values reference documentation.

Below is a list of images to download and upload to your private image registry:

Image TypeRepository and Image NameLatest ReleaseRelease N-1Release N-2
Frontproxy.replicated.com/proxy/gitguardian/docker.io/gitguardian/prm-static-chainguard2025.6.02025.5.02025.4.1
Backendproxy.replicated.com/proxy/gitguardian/docker.io/gitguardian/prm-app-chainguard2025.6.02025.5.02025.4.1
Helm Toolingproxy.replicated.com/proxy/gitguardian/docker.io/gitguardian/prm-helm-tooling2025.6.02025.5.02025.4.1
Machine Learningproxy.replicated.com/proxy/gitguardian/docker.io/gitguardian/ml-secret-engine-app-chainguard202506182025052020250425
Replicated SDKproxy.replicated.com/proxy/gitguardian/docker.io/replicated/replicated-sdk1.6.01.5.31.5.1
Used for Custom CAproxy.replicated.com/proxy/gitguardian/ghcr.io/gitguardian/wolfi/bashlatestN/AN/A
ggscoutproxy.replicated.com/proxy/gitguardian/ghcr.io/gitguardian/ggscout/chainguard0.17.50.16.60.16.4
fluent-bitproxy.replicated.com/proxy/gitguardian/ghcr.io/gitguardian/wolfi/fluent-bit4.0.34.0.04.0.0
lokiproxy.replicated.com/proxy/gitguardian/ghcr.io/gitguardian/wolfi/loki3.5.13.4.33.4.3
minioproxy.replicated.com/proxy/gitguardian/ghcr.io/gitguardian/wolfi/minio-bitnami0.202505240.202504080.20250408

Retrieve your License ID from your license file, where it's labeled as licenseID. Use this ID to authenticate with the GitGuardian image repository by executing the command below. Replace <your_licenseID> with your actual License ID.

LICENSE_ID="<your_licenseID>";
echo "{\"auths\": {\"proxy.replicated.com\": {\"auth\": \"$(echo -n "${LICENSE_ID}:${LICENSE_ID}" | base64)\"}, \"registry.replicated.com\": {\"auth\": \"$(echo -n "${LICENSE_ID}:${LICENSE_ID}" | base64)\"}}}" > ~/.docker/config.json

Example on how to download the images with docker pull with the latest release:

docker pull proxy.replicated.com/proxy/gitguardian/docker.io/gitguardian/prm-static-chainguard:2025.6.0
docker pull proxy.replicated.com/proxy/gitguardian/docker.io/gitguardian/prm-app-chainguard:2025.6.0
docker pull proxy.replicated.com/proxy/gitguardian/docker.io/gitguardian/prm-helm-tooling:2025.6.0
docker pull proxy.replicated.com/proxy/gitguardian/docker.io/gitguardian/ml-secret-engine-app-chainguard:20250618
docker pull proxy.replicated.com/proxy/gitguardian/docker.io/replicated/replicated-sdk:1.6.0
docker pull proxy.replicated.com/proxy/gitguardian/ghcr.io/gitguardian/wolfi/bash:latest
docker pull proxy.replicated.com/proxy/gitguardian/ghcr.io/gitguardian/ggscout/chainguard:0.17.5
docker pull proxy.replicated.com/proxy/gitguardian/ghcr.io/gitguardian/ggscout/chainguard-bash:0.17.2
docker pull proxy.replicated.com/proxy/gitguardian/ghcr.io/gitguardian/wolfi/fluent-bit:4.0.3
docker pull proxy.replicated.com/proxy/gitguardian/ghcr.io/gitguardian/wolfi/loki:3.5.1
docker pull proxy.replicated.com/proxy/gitguardian/ghcr.io/gitguardian/wolfi/minio-bitnami:0.20250524

You can verify that the images have been correctly downloaded and upload them to your private image registry.

docker images | grep replicated
info

For this process, you can utilize a tool like Skopeo to handle image transfers. Additionally, if you need to set up a proxy to access the replicated registry, refer to the Docker documentation.

Upload GitGuardian Images

Ensure the following directory structure is respected in your private registry:

Path and image name
/gitguardian/prm-static-chainguard
/gitguardian/prm-static-chainguard-fips
/gitguardian/prm-app-chainguard-fips
/gitguardian/prm-app-chainguard
/gitguardian/prm-helm-tooling
/gitguardian/ml-secret-engine-app-chainguard
/gitguardian/ml-secret-engine-app-chainguard-fips
/gitguardian/ggscout/chainguard
/gitguardian/ggscout/chainguard-bash
/gitguardian/wolfi/fluent-bit
/gitguardian/wolfi/loki
/gitguardian/wolfi/minio-bitnami
/gitguardian/wolfi/bash
/replicated/replicated-sdk

FIPS Compliance for Airgap Installations

info

FIPS (Federal Information Processing Standards) compliance is available for airgap Helm installations with additional steps.

If you require FIPS-compliant cryptographic modules for your airgap installation:

  1. Download the FIPS images (with -fips suffix):

    • proxy.replicated.com/proxy/gitguardian/docker.io/gitguardian/prm-static-chainguard-fips
    • proxy.replicated.com/proxy/gitguardian/docker.io/gitguardian/prm-app-fips
    • proxy.replicated.com/proxy/gitguardian/docker.io/gitguardian/ml-secret-engine-app-chainguard-fips

  2. Enable FIPS in your Helm values:

    global:
      fips:
        enabled: true

The FIPS images will be automatically used when FIPS is enabled.

Install the application

Proceed to the Helm installation instructions and adapt them for an airgap installation using the information below:

  1. Update your values file to use a private registry for image pulling.

Replace docker.internal with your private registry and example/path with the appropriate path where the images are stored in your registry. Ensure you maintain the specified directory structure.

global:
  imageRegistry: docker.internal/example/path # Location of the GitGuardian images
  imagePullSecrets:
    - name: pull-secret # Existing docker secret used to pull images

replicated:
  isAirgap: false # Enable only for environments without Internet access and no HTTP proxy configured
  imagePullSecrets:
    - name: pull-secret
info

Are you using an HTTP(s) proxy in your environment? More information on how to Configure a proxy server.

  1. 🚦 We strongly advise you to run our preflight script to ensure your existing cluster meets Gitguardian's requirements. Retrieve the script from our public repository here.

Specify an existing Kubernetes namespace using the -n option. If not specified, the script will run in your default namespace.

./preflights.sh -n <namespace> gitguardian-<version>.tgz -f local-values.yaml
Requirements

Preflight checks are critical for a successful installation. The following rules apply:

  • Preflight Check Failures: If preflight checks fail, the installation must not continue until the targeted environment meets all requirements. Please reach out to our support team if needed.
  • ⚠️ Preflight Check Warnings: If preflight checks return warnings, the installation can proceed, but it is recommended that you address these warnings to comply with our recommendations.
  1. Use the local Helm chart directory for installation instead of the remote repository. Example command:
helm install <release-name> --timeout 30m -n <namespace> --create-namespace gitguardian-<version>.tgz -f local-values.yaml

KOTS-based installation

Airgap installation on an Embedded cluster

Please refer to Embedded cluster installation

Airgap installation on an Existing cluster

Download and install the KOTS Admin Console

First, install the kubectl KOTS plugin on your machine:

curl https://kots.io/install | bash

Then, you need to download the latest bundle for the KOTS Admin Console. There are two places to download it. The first and recommended one is the download portal where you can also download your license and the application bundle. The second one is the release assets on GitHub. In both cases, make sure to match your locally installed KOTS plugin version. You can check it by running:

kubectl kots version

Now you need to upload these images to your registry using a user with write access to your internal registry:

kubectl kots admin-console push-images ./kotsadm.tar.gz \
  ${private.registry.host}/gitguardian \
  --registry-username ${rw-username} \
  --registry-password ${rw-password}

The username and password for the registry are not stored anywhere.

Finally, you can run the install command for the KOTS Admin Console:

kubectl kots install gitguardian \
  --kotsadm-namespace gitguardian \
  --kotsadm-registry ${private.registry.host} \
  --registry-username ${ro-username} \
  --registry-password ${ro-password}

A Kubernetes secret will be used to store these credentials.

An automatic port-forward is launched, you can now access the KOTS Admin Console on http://localhost:8800.

Upload the application bundle to the KOTS Admin Console

First, you will need to download the license and the application bundle from the download portal. The filename should end with .airgap.

Download portal airgap embedded

Upload your license on the KOTS Admin Console.. Then follow the instructions to set up the registry for the application itself and upload the application bundle.

Follow the rest of the instructions here to complete the installation.

Last updated on

Something we didn’t cover?

See our Roadmap

Subscribe on GitHub

Submit a request

API status