GovCloud Deployment
AWS GovCloud Deployment
Prerequisites
- AWS GovCloud account (US-Gov-East-1 or US-Gov-West-1)
- IAM role with EKS, RDS, ElastiCache, and Secrets Manager permissions
- kubectl 1.28+, helm 3.14+, aws CLI 2.x
- GOVERN Helm chart and federal values file
Step 1: EKS Cluster
```bash
# Create EKS cluster in GovCloud
# The VPC config is kept as a single shell word; splitting it across
# indented continuation lines would break it into separate arguments.
aws eks create-cluster \
  --name govern-federal \
  --region us-gov-east-1 \
  --kubernetes-version 1.29 \
  --role-arn "arn:aws-us-gov:iam::$ACCOUNT_ID:role/govern-eks-role" \
  --resources-vpc-config "subnetIds=$SUBNET_IDS,securityGroupIds=$SG_ID,endpointPrivateAccess=true,endpointPublicAccess=false"

# Configure kubectl
aws eks update-kubeconfig \
  --name govern-federal \
  --region us-gov-east-1
```
Step 2: Install GOVERN
```bash
# Add GOVERN Helm repository
helm repo add govern https://charts.govern.archetypal.ai
helm repo update

# Deploy with federal values
# Note: values passed with --set (including database.password) are stored
# with the Helm release and remain visible in shell history.
helm install govern govern/govern \
  --namespace govern \
  --create-namespace \
  -f values-federal.yaml \
  -f values-federal-aws.yaml \
  --set global.region=us-gov-east-1 \
  --set global.fips.enabled=true \
  --set auth.provider=cac-piv \
  --set database.host="$RDS_ENDPOINT" \
  --set database.password="$DB_PASSWORD"
```
Step 3: Configure DNS
```bash
# Get load balancer endpoint
kubectl get svc -n govern govern-ingress-controller

# Create Route 53 (GovCloud) record
aws route53 change-resource-record-sets \
  --hosted-zone-id $HOSTED_ZONE_ID \
  --change-batch '{
    "Changes": [{
      "Action": "UPSERT",
      "ResourceRecordSet": {
        "Name": "govern.agency.gov",
        "Type": "CNAME",
        "TTL": 300,
        "ResourceRecords": [{"Value": "<lb-endpoint>"}]
      }
    }]
  }'
```
Azure Government Deployment
Prerequisites
- Azure Government subscription
- AKS, Azure PostgreSQL Flexible Server, Azure Cache for Redis (Premium), Key Vault
- az CLI 2.x, kubectl 1.28+, helm 3.14+
Step 1: AKS Cluster
```bash
# Login to Azure Government
az cloud set --name AzureUSGovernment
az login

# Create resource group
az group create \
  --name govern-federal-rg \
  --location usgovvirginia

# Create AKS cluster
az aks create \
  --resource-group govern-federal-rg \
  --name govern-federal \
  --kubernetes-version 1.29 \
  --node-count 3 \
  --node-vm-size Standard_D4s_v3 \
  --enable-fips-image \
  --enable-private-cluster \
  --network-plugin azure

# Configure kubectl
az aks get-credentials \
  --resource-group govern-federal-rg \
  --name govern-federal
```
Step 2: Install GOVERN
```bash
helm install govern govern/govern \
  --namespace govern \
  --create-namespace \
  -f values-federal.yaml \
  -f values-federal-azure.yaml \
  --set global.cloud=azure-government \
  --set global.fips.enabled=true \
  --set auth.provider=cac-piv \
  --set auth.entraIntegration.enabled=true \
  --set auth.entraIntegration.tenantId=$AZURE_TENANT_ID
```
Federal Values Reference
```yaml
# values-federal.yaml (excerpt)
global:
  environment: federal
  fips:
    enabled: true
    mode: strict

security:
  tls:
    minVersion: "1.2"
    cipherSuites:
      - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
      - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
  encryption:
    atRest:
      algorithm: AES-256
      keyManagement: kms  # AWS KMS or Azure Key Vault

auth:
  provider: cac-piv  # Disables username/password
  mfa:
    required: true
    methods: [cac, piv]
  sessionTimeout: 480  # 8 hours

audit:
  enabled: true
  immutable: true
  retention: 365  # days
  siem:
    enabled: true
    format: cef

compliance:
  fedramp:
    enabled: true
    baseline: high  # low | moderate | high
  cmmc:
    level: 2
  nist80053:
    enabled: true
```
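Because later `-f` files and `--set` flags override values-federal.yaml, the effective release values can drift from the excerpt above. The following drift check is an added example, not part of the GOVERN chart or its tooling; it assumes the input is the JSON printed by `helm get values govern -n govern --all -o json` and that the key paths match the excerpt on this page.

```python
import json

# Required settings, read from the values-federal.yaml excerpt on this page.
REQUIRED = {
    "global.fips.enabled": True, "global.fips.mode": "strict",
    "auth.provider": "cac-piv", "auth.mfa.required": True,
    "audit.enabled": True, "audit.immutable": True,
}
ALLOWED_SUITES = {"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
                  "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"}

def lookup(values, dotted):
    """Walk a dotted key path; return None when any segment is missing."""
    node = values
    for key in dotted.split("."):
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node

def check_federal_values(values):
    """Return findings as strings; an empty list means no drift was found."""
    findings = []
    for path, want in REQUIRED.items():
        got = lookup(values, path)
        if got != want:
            findings.append(f"{path}: expected {want!r}, found {got!r}")
    min_tls = lookup(values, "security.tls.minVersion")
    if str(min_tls) not in ("1.2", "1.3"):
        findings.append(f"security.tls.minVersion: {min_tls!r} is not 1.2 or higher")
    suites = lookup(values, "security.tls.cipherSuites") or []
    for suite in sorted(set(suites) - ALLOWED_SUITES):
        findings.append(f"security.tls.cipherSuites: unexpected {suite}")
    retention = lookup(values, "audit.retention")
    if not isinstance(retention, int) or retention < 365:
        findings.append(f"audit.retention: {retention!r} is under 365 days")
    return findings

# Constructed sample (not real output): an override changed auth and weakened TLS.
SAMPLE_VALUES = json.loads("""{
  "global": {"fips": {"enabled": true, "mode": "strict"}},
  "auth": {"provider": "password", "mfa": {"required": true}},
  "security": {"tls": {"minVersion": "1.1", "cipherSuites": [
      "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "TLS_RSA_WITH_AES_128_CBC_SHA"]}},
  "audit": {"enabled": true, "immutable": true, "retention": 90}
}""")

if __name__ == "__main__":
    for finding in check_federal_values(SAMPLE_VALUES):
        print("DRIFT:", finding)
```

Running it after every `helm install` or `helm upgrade` catches an override file that silently relaxes one of the federal settings.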