Air-Gapped Installation
Air-gapped GOVERN deployments serve classified networks (IL5, IL6, Top Secret) where no outbound internet connectivity is permitted. The GOVERN offline bundle contains everything needed to install and operate GOVERN without external connectivity.
Offline Bundle Contents
```
govern-offline-bundle-2.x.x.tar.gz
├── images/
│   ├── govern-api.tar       # API container image
│   ├── govern-app.tar       # Frontend container image
│   ├── govern-probe.tar     # Probe runtime image
│   ├── postgres-15.tar      # PostgreSQL (FIPS)
│   ├── redis-7.tar          # Redis (FIPS)
│   └── nginx.tar            # Ingress controller
├── charts/
│   └── govern-2.x.x.tgz     # Helm chart (offline)
├── values/
│   ├── values-airgap.yaml   # Air-gap base values
│   ├── values-il5.yaml      # IL5 overlay
│   └── values-il6.yaml      # IL6 overlay
├── migrations/
│   └── *.sql                # Database migrations
├── docs/
│   └── INSTALL.md           # This guide
└── checksums.sha256         # SHA-256 hashes for verification
```

Obtaining the Bundle
Bundles are provided via:
- DISA Software Portal (for authorized DoD components)
- Archetypal AI Government Delivery (direct physical delivery for IL5/IL6)
- Authorized distributor transfer (classified network hand-carry)
Verify bundle integrity before installation:
```bash
sha256sum -c checksums.sha256
```

Installation Steps
Step 1: Transfer Bundle
Transfer the bundle to the air-gapped host via approved media (encrypted USB or removable hard drive, per your organization’s media control policy).
Step 2: Load Container Images
```bash
# Extract bundle
tar -xzf govern-offline-bundle-2.x.x.tar.gz

# Load all images
for img in images/*.tar; do
  docker load < "$img"
  echo "Loaded: $img"
done

# Verify images loaded
docker images | grep govern
```

Step 3: Configure Private Registry
```bash
# Tag images for your private registry
REGISTRY=registry.youragency.gov/govern

docker tag archetypal/govern-api:2.x.x $REGISTRY/govern-api:2.x.x
docker tag archetypal/govern-app:2.x.x $REGISTRY/govern-app:2.x.x
docker tag archetypal/govern-probe:2.x.x $REGISTRY/govern-probe:2.x.x
docker tag postgres:15-fips $REGISTRY/postgres:15-fips
docker tag redis:7-fips $REGISTRY/redis:7-fips

# Push to private registry
docker push $REGISTRY/govern-api:2.x.x
docker push $REGISTRY/govern-app:2.x.x
# ... etc
```

Step 4: Install Helm Chart
```bash
# Install from local chart (no internet required)
# For IL6, use values/values-il6.yaml in place of values/values-il5.yaml
helm install govern charts/govern-2.x.x.tgz \
  --namespace govern \
  --create-namespace \
  -f values/values-airgap.yaml \
  -f values/values-il5.yaml \
  --set global.registry="$REGISTRY" \
  --set global.airgap=true \
  --set database.host="$POSTGRES_HOST" \
  --set database.password="$DB_PASSWORD"
```

Step 5: Run Migrations
```bash
# Run database migrations
kubectl exec -n govern deployment/govern-api -- \
  npx govern-migrate --dir /app/migrations up
```

Step 6: Verify Installation
```bash
# Check pod status
kubectl get pods -n govern

# Check health
kubectl exec -n govern deployment/govern-api -- \
  curl -s http://localhost:3000/health | jq .
```

Air-Gap Values Reference
Key settings required for air-gapped operation:
```yaml
global:
  airgap: true
  registry: registry.youragency.gov/govern
  updateCheck:
    enabled: false        # No update checks

probe:
  telemetry:
    batchMode: true       # Buffer telemetry locally
    batchSize: 1000       # Flush every 1000 events
    batchInterval: 60     # Or every 60 seconds

licenseServer:
  offline: true
  licenseFile: /etc/govern/license.json

updates:
  source: local           # No remote update checks
  localPath: /mnt/govern-updates
```

Updates in Air-Gapped Environments
Updates require a new offline bundle delivered via approved media:
- Receive new bundle via approved delivery channel
- Verify checksums
- Load new container images
- Tag and push to private registry
- Run `helm upgrade` with new chart version
- Run any new migrations
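The checksum verification used before installation and in the update steps above can be tightened to also reject files that `checksums.sha256` does not list (which `sha256sum -c` alone ignores) and to pin the manifest to a hash received through a separate channel. This is an added example, not part of the GOVERN bundle or its documentation. It assumes `checksums.sha256` is in standard `sha256sum` output format with paths relative to the extracted bundle root; `verify_bundle` and its exit codes are hypothetical.

```bash
# Added example (not GOVERN's own tooling).
# Usage: verify_bundle /path/to/extracted/bundle [manifest-sha256]
# Exit codes (hypothetical): 0 ok, 2 bad dir, 3 manifest mismatch,
#                            4 checksum failure, 5 unlisted files present
verify_bundle() (
  dir=$1
  expected_manifest_hash=${2:-}
  cd "$dir" || exit 2
  LC_ALL=C; export LC_ALL

  # 1. Optional: compare the manifest's own hash with a value delivered
  #    out-of-band; a manifest inside the bundle cannot vouch for itself.
  if [ -n "$expected_manifest_hash" ]; then
    actual=$(sha256sum checksums.sha256 | cut -d' ' -f1)
    if [ "$actual" != "$expected_manifest_hash" ]; then
      echo "checksums.sha256 does not match the expected hash" >&2
      exit 3
    fi
  fi

  # 2. Every listed file must exist and match its recorded hash.
  if ! sha256sum -c checksums.sha256 >/dev/null; then
    echo "one or more listed files are missing or modified" >&2
    exit 4
  fi

  # 3. Every file present must be listed in the manifest.
  listed=$(sed 's/^[0-9a-fA-F]\{64\} [ *]//; s|^\./||' checksums.sha256)
  extra=$(find . -type f ! -path ./checksums.sha256 | sed 's|^\./||' | sort |
    while IFS= read -r f; do
      printf '%s\n' "$listed" | grep -qxF -- "$f" || printf '%s\n' "$f"
    done)
  if [ -n "$extra" ]; then
    echo "files not covered by checksums.sha256:" >&2
    printf '%s\n' "$extra" >&2
    exit 5
  fi
)
```
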