Use C3 AI Containers and Images in an Air-Gapped Environment

C3 Agentic AI Platform supports deployment with restricted network egress. This configuration is sometimes called "air-gapped", but it frequently does not mean that the network of the C3 AI cluster is fully isolated. See C3 AI Air-Gapped Deployment Overview for details about the extent of network connectivity required for the C3 Agentic AI Platform to function efficiently.

By default, the C3 Agentic AI Platform version 8 uses Internet-based repositories to deliver C3 AI container images. Access to the C3 AI repositories for container images, Helm charts, and HashiCorp Terraform modules depends on whether the deployment is C3 AI-managed or customer-managed.

For air-gapped environments, since access to the Internet-based repositories is restricted, you must set up your own container image repository. See Configure Sonatype Nexus as a Repository Server for an example.

Once you have set up and configured your own container registry, you will need to perform the following steps, which are covered in this topic:

  • Populate container registry with C3 AI container images

  • Set the Kubernetes secret for pulling the C3 AI container images

  • Configure the C3 Agentic AI Platform to use container registry

  • Override the expected registry defaults in operator Helm chart

Populate container registry with C3 AI container images

Work with your C3 AI Center of Excellence (CoE) to obtain the FullClusterBOM.yaml with all containers that are needed to run the C3 AI cluster.

Set the Kubernetes secret for pulling the C3 AI container images

As a Kubernetes Administrator, set up the Kubernetes secret for the Kubernetes instance used for C3 Agentic AI Platform so that the C3 AI container images can be pulled from the local repository.

If your local repository requires authentication, set the Kubernetes secret for pulling from that repository at runtime.

See the following example for guidance.

Text
$ kubectl create secret docker-registry my-registryc3ai --docker-server=registry.c3.ai --docker-username=qa-c3ci --docker-password=mypassword...  --docker-email=my.name@c3.ai -n my-ns1
> secret/my-registryc3ai created

# Use -o yaml (and the secret's namespace); the default table output does not show the data
$ kubectl get secret <secret-name> -n <namespace> -o yaml
> <response which contains dockerconfigjson value>

$ echo "<value of .dockerconfigjson>" | base64 -d
# The decoded JSON holds the encoded auth in the "auth" field of the registry's entry under "auths". Use that in the C3 AI ContainerRegistry config
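The decoding step above, as an added Python example that is not part of the C3 AI documentation: it pulls the auth token for one registry out of a .dockerconfigjson value and checks that it decodes to user:password before it is used. The sample secret, its password and the function names are constructed for illustration.

```python
import base64
import binascii
import json


def registry_auth(dockerconfigjson_b64, server):
    """Return the base64 'user:password' token stored for `server`.

    `dockerconfigjson_b64` is the .dockerconfigjson value as printed by
    `kubectl get secret -o yaml` (base64 over a JSON document).
    """
    config = json.loads(base64.b64decode(dockerconfigjson_b64, validate=True))
    for key, entry in config.get("auths", {}).items():
        # Keys are stored as given to --docker-server; ignore scheme and trailing slash.
        if key.split("://", 1)[-1].rstrip("/") != server:
            continue
        user, password = entry.get("username"), entry.get("password")
        token = entry.get("auth")
        if token is None:
            if user is None or password is None:
                raise ValueError(f"no credentials stored for {server}")
            # Hand-written secrets may omit 'auth'; derive it from the pair.
            return base64.b64encode(f"{user}:{password}".encode()).decode()
        try:
            decoded = base64.b64decode(token, validate=True).decode()
        except (binascii.Error, UnicodeDecodeError) as exc:
            raise ValueError("auth field is not valid base64 text") from exc
        if ":" not in decoded:
            raise ValueError("auth field does not decode to user:password")
        if user is not None and decoded != f"{user}:{password}":
            raise ValueError("auth field disagrees with username/password")
        return token
    raise KeyError(f"{server} not present in auths")


def constructed_secret(server, user, password):
    """Build a sample .dockerconfigjson value (constructed, not a real credential)."""
    auth = base64.b64encode(f"{user}:{password}".encode()).decode()
    doc = {"auths": {server: {"username": user, "password": password, "auth": auth}}}
    return base64.b64encode(json.dumps(doc).encode()).decode()


SAMPLE = constructed_secret("registry.c3.ai", "qa-c3ci", "example-password")

if __name__ == "__main__":
    # Value shape used in setSecretValue("password", "Basic <base64 encoded auth>", ...)
    print("Basic " + registry_auth(SAMPLE, "registry.c3.ai"))
```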

Configure the C3 Agentic AI Platform to use container registry

As a C3 AI Cluster Administrator, configure the container registry reference in the C3 Agentic AI Platform, using the following steps.

  1. Refer to the following example:

    JavaScript
    ContainerRegistry.make({"id": "c3", "name": "c3", "url": "https://<myregistry.mydomain>:<optionalPort><my-path>"}).setConfig(ConfigOverride.CLUSTER);

    ContainerRegistry.make({"name": "c3"}).setSecretValue("password", "Basic <base64 encoded auth>", ConfigOverride.CLUSTER);

  2. Replace <myregistry.mydomain> with the endpoint of the container image repository.

  3. If the repository uses authentication, replace <base64 encoded auth> with the password from the previous section, setting docker-image-secret.

    NOTE: Jupyter settings use the same value.

Override the expected registry defaults in operator Helm chart

As a Kubernetes Administrator, set up the C3 AI Ops Kubernetes operator for the Kubernetes instance used for C3 Agentic AI Platform. You need the C3AIOPS operator version specified on the BOM specific to the deployment to manage image location expectations. Work with your C3 AI CoE to obtain the correct C3AIOPS operator version.

The C3 Agentic AI Platform uses open source software like Cassandra, Prometheus, and OpenSearch. C3 AI updates some capabilities, fixes bugs, and hardens containers. Some operators hardcode the location of the container images they use. To allow customers to serve C3 AI images from their own container registry, C3 AI created the capability to override the expected registries.

To set the registry override, modify the c3aiops Helm chart overrides.yaml to include the following.

YAML
customOverride:
  enabled: true
  port: "9443"

  # Override specific images by mapping a source image to a target image
  # e.g.
  # imageOverrides:
  #  - source: my.repo/app:v1
  #    target: custom.repo/custom_path/app:v2
  imageOverrides: 
  - source: registry.c3.ai/container:v1
    target: custom.repo/custom_path/container:v2

  # Override the specific images by selecting pod by labels or namespace
  # e.g.
  # podSelectors:
  #   labels:
  #     - app: my-app
  #       env: my-env
  podSelectors: {}

  # K8s Namespace to watch for pods to override
  namespaces: 
  - my-cluster-c3server-runtime-k8s-namespace # TO IMPROVE
  - c3aiops

  # Image pull secrets to be used for pulling images from private registry
  imagePullSecrets: []

Here is an example to replace images for deployments in the c3-opsadmin namespace.

YAML
customOverride:
  enabled: true
  imageOverrides:
  - source: opensearchproject/opensearch:2.9.0
    target: devops-rm.c3iot.io/opensearchproject/opensearch:2.9.0
  - source: registry.c3.ai
    target: devops-rm.c3iot.io
  - source: quay.io
    target: devops-rm.c3iot.io
  - source: registry.k8s.io
    target: devops-rm.c3iot.io
  - source: docker.io
    target: devops-rm.c3iot.io
  - source: ghcr.io
    target: devops-rm.c3iot.io

  # Nested under customOverride, as in the chart overrides above
  namespaces:
  - c3-opsadmin

  imagePullSecrets:
  - nexusdevopsc3iotio

For operator deployment, in the values.yaml, override the namespaces and image lines that specify the names and locations of default C3 AI container images and registries with those of the local container registry.
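A pre-deployment check for the override rules shown above, added here as a Python example and not taken from the C3 AI operator: it applies the imageOverrides rules to a list of image references and reports any that would still be pulled from outside the local registry. The matching semantics (literal match on the full reference or on a leading path component, longest source first, no name normalisation) are an assumption, and the image list is constructed.

```python
# Rules copied from the c3-opsadmin example on this page.
OVERRIDES = [
    {"source": "opensearchproject/opensearch:2.9.0",
     "target": "devops-rm.c3iot.io/opensearchproject/opensearch:2.9.0"},
    {"source": "registry.c3.ai", "target": "devops-rm.c3iot.io"},
    {"source": "quay.io", "target": "devops-rm.c3iot.io"},
    {"source": "registry.k8s.io", "target": "devops-rm.c3iot.io"},
    {"source": "docker.io", "target": "devops-rm.c3iot.io"},
    {"source": "ghcr.io", "target": "devops-rm.c3iot.io"},
]
LOCAL_REGISTRY = "devops-rm.c3iot.io"

# Constructed image references, standing in for entries of a deployment's BOM.
IMAGES = [
    "registry.c3.ai/c3server:example",
    "quay.io/prometheus/prometheus:example",
    "opensearchproject/opensearch:2.9.0",
    "public.ecr.aws/example/tool:example",   # registry with no rule
    "busybox:example",                       # unqualified name, no literal rule
]


def rewrite(image, overrides):
    """Apply the longest matching rule. Assumed semantics: `source` matches the
    whole reference or a leading path component; nothing is normalised."""
    for rule in sorted(overrides, key=lambda r: len(r["source"]), reverse=True):
        src = rule["source"]
        if image == src:
            return rule["target"]
        if image.startswith(src + "/"):
            return rule["target"] + image[len(src):]
    return image


def unmirrored(images, overrides, local_registry):
    """Return images that would still be pulled from outside `local_registry`."""
    return [img for img in images
            if not rewrite(img, overrides).startswith(local_registry + "/")]


if __name__ == "__main__":
    for img in IMAGES:
        print(f"{img} -> {rewrite(img, OVERRIDES)}")
    print("not covered:", unmirrored(IMAGES, OVERRIDES, LOCAL_REGISTRY))
```

Under these assumed semantics an unqualified image name is not caught by the docker.io rule, which is consistent with the page's example carrying a separate rule for opensearchproject/opensearch:2.9.0.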
