Air-Gap Bundle Delivery
Petra's air-gap delivery is built around bundles -- single, signed, self-contained archives that include everything needed to deploy or update a cluster without internet access.
Creating a Bundle
Define what goes into the bundle:
```yaml
apiVersion: petra.sh/v1alpha1
kind: Bundle
metadata:
  name: petra-platform
  version: 0.1.0
spec:
  images:
    - name: cilium-agent
      image: cgr.dev/shebash.io/cilium-agent
    - name: gatekeeper
      image: cgr.dev/shebash.io/gatekeeper
    # ... all required images
  charts:
    - name: cilium
      repo: https://helm.cilium.io
      version: 1.16.5
    # ... all required charts
  platform:
    includeBase: true
    includeObservability: true
  output:
    dir: ./dist
    sign: true
    verify: true
```

```bash
petra bundle create -f bundle.yaml
```
Build Process
- Image Pull: Each image pulled from Chainguard with digest pinning (via crane)
- Signature Verification: Cosign verifies each image against Chainguard's CA
- Vulnerability Scanning: Each image scanned for known CVEs
- Chart Pull: Helm charts pulled at exact pinned versions
- Manifest Inclusion: Platform Kustomization files and HelmRelease definitions
- Metadata Generation: `metadata.json` with digests, signatures, scan results
- Packaging: Compressed into `.tar.zst` archive
- Signing: `cosign sign-blob` produces detached `.sig` file
Output:

```
dist/
  petra-platform-0.1.0.tar.zst      # The bundle
  petra-platform-0.1.0.tar.zst.sig  # Cosign signature
```
Cross-Domain Transfer
Bundles traverse any CDS type:
| Method | How | Automation |
|---|---|---|
| Sneakernet | Removable media through physical checkpoint | Manual |
| Hardware Diode | One-way fiber link (Owl, Waterfall) | Partial |
| Guard | Bidirectional with content inspection (Forcepoint, BAE) | Partial |
| AWS Diode | S3-to-S3 through managed CDS | Full |
AWS Diode Pipeline
```
Connected Side                                  Classified Side

petra bundle create
  -> S3 staging bucket
  -> AWS Diode transfer ------->  S3 landing bucket
                                    -> verify signature
                                    -> petra bundle load
                                    -> Flux reconciles
```
Bundle Load (Disconnected Side)
```bash
petra bundle load -f petra-platform-0.1.0.tar.zst
```
- Verify cosign signature (reject on failure)
- Extract archive
- Load images into container runtime (pre-pulled or k3s airgap tar)
- Place charts in local repository
- Flux detects updated manifests and reconciles
- Report status of each HelmRelease
CDS Compatibility
Bundle format is designed for content inspection:
- tar.gz available for maximum guard compatibility
- Manifests in plain text at top level for inspection
- OCI image layers are standard tar archives
- No executable binaries outside OCI layers
- Chunking support for per-file size limits
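The load steps above start with a fail-closed signature check, and the CDS list describes a layout a guard can inspect: plain-text manifests at the top level, executables only inside OCI layers, members small enough for per-file limits. The following is an added example, not Petra's own code, of an offline pre-flight inspection that a bundle author could run before submitting to a guard, or a receiving site could run after signature verification and before `petra bundle load`. It assumes a layer directory named `images/`, a 1 MiB per-member limit, and a `metadata.json` shape with an `images` list; those names and limits are assumptions, and the sample bundle is constructed in memory.

```python
"""Offline pre-flight inspection of a Petra-style bundle archive (added example)."""
import io
import json
import posixpath
import stat
import tarfile

LAYER_PREFIX = "images/"            # assumed location of OCI layers inside the bundle
TOP_LEVEL_TEXT = (".yaml", ".yml", ".json")
MAX_MEMBER_BYTES = 1 * 1024 * 1024  # assumed per-file limit imposed by the guard


def _is_safe_path(name: str) -> bool:
    """Reject absolute paths and '..' components (classic tar path traversal)."""
    if name.startswith(("/", "\\")):
        return False
    norm = posixpath.normpath(name)
    return not (norm == ".." or norm.startswith("../"))


def _check_metadata(text: str) -> list:
    """Every image reference recorded in metadata.json must be digest-pinned."""
    try:
        meta = json.loads(text)
    except json.JSONDecodeError as e:
        return [f"metadata.json is not valid JSON: {e}"]
    return [f"image not digest-pinned: {img.get('image', '')}"
            for img in meta.get("images", [])
            if "@sha256:" not in img.get("image", "")]


def inspect_bundle(data: bytes) -> list:
    """Return policy findings for a bundle archive; an empty list means it passes."""
    findings = []
    metadata_seen = False
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tar:
        for m in tar.getmembers():
            if not _is_safe_path(m.name):
                findings.append(f"unsafe path: {m.name}")
                continue
            if m.issym() or m.islnk():
                findings.append(f"link not allowed: {m.name}")
                continue
            if m.size > MAX_MEMBER_BYTES:
                findings.append(f"member exceeds size limit: {m.name} ({m.size} bytes)")
            if not m.isfile():
                continue
            exec_bits = stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH
            if (m.mode & exec_bits) and not m.name.startswith(LAYER_PREFIX):
                findings.append(f"executable outside OCI layers: {m.name}")
            if "/" in m.name:
                continue  # only top-level members must be plain-text manifests
            if not m.name.endswith(TOP_LEVEL_TEXT):
                findings.append(f"non-manifest file at top level: {m.name}")
                continue
            try:
                text = tar.extractfile(m).read().decode("utf-8")
            except UnicodeDecodeError:
                findings.append(f"top-level file is not plain text: {m.name}")
                continue
            if m.name == "metadata.json":
                metadata_seen = True
                findings.extend(_check_metadata(text))
    if not metadata_seen:
        findings.append("metadata.json missing")
    return findings


def build_sample_bundle(pinned: bool = True, hostile: bool = False) -> bytes:
    """Construct an in-memory sample bundle (constructed data, not a real bundle)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        def add(name, content, mode=0o644):
            info = tarfile.TarInfo(name)
            info.size = len(content)
            info.mode = mode
            tar.addfile(info, io.BytesIO(content))
        digest = "@sha256:" + "0" * 64 if pinned else ""  # placeholder digest value
        meta = {"name": "petra-platform", "version": "0.1.0",
                "images": [{"name": "cilium-agent",
                            "image": "cgr.dev/shebash.io/cilium-agent" + digest}]}
        add("metadata.json", json.dumps(meta).encode())
        add("kustomization.yaml", b"resources:\n  - cilium.yaml\n")
        add("images/cilium-agent/layer0.tar", b"\x00" * 512, mode=0o755)
        if hostile:
            add("scripts/setup.sh", b"#!/bin/sh\n", mode=0o755)  # executable outside layers
            add("../escape.yaml", b"x: 1\n")                       # path traversal attempt
    return buf.getvalue()


if __name__ == "__main__":
    print("clean bundle:", inspect_bundle(build_sample_bundle()))
    print("bad bundle:", inspect_bundle(build_sample_bundle(pinned=False, hostile=True)))
```

The check is deliberately strict in the same direction as the load procedure: anything it cannot classify (links, traversal paths, binary content at the top level, an unpinned image reference) is a finding rather than a warning, so a bundle that fails inspection is rejected before anything is extracted into the cluster.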