Airgap installs

No internet in the critical path. Signed offline bundle, verified with Cosign, imported through your approved channel.

Airgap installs get a signed offline bundle that contains every image, chart, and preflight check. Nothing phones home. Updates ship as new signed bundles on your change cadence.

What's in the bundle

  • All container images (control plane, operator, model pools, SIP gateway).
  • Model weights (as needed for the requested shape).
  • The Helm chart and CRDs.
  • The wordcab CLI binary.
  • Cosign public key + SBOM.
  • Preflight manifests and a reference values.yaml for your shape.
  • A printable installation runbook (PDF).

Verify the bundle

```bash
# 1. Verify the top-level archive signature
cosign verify-blob \
  --key cosign.pub \
  --signature wordcab-offline-v1.8.0.tar.gz.sig \
  wordcab-offline-v1.8.0.tar.gz

# 2. Extract
tar xzf wordcab-offline-v1.8.0.tar.gz
cd wordcab-offline-v1.8.0/

# 3. Verify each image signature (optional — the installer does this)
for img in images/*.tar; do
  cosign verify --key cosign.pub --local-image "$img"
done
```

Transfer

The bundle is a single tarball (typically 40–80 GB depending on the model pools included). Transfer it through your approved channel — DVD, one-way diode, bastion host, physical media. Wordcab does not require any specific transfer mechanism.

Import to the internal registry

```bash
# Import all images into your internal registry.
# The script walks images/*.tar and pushes them.
./scripts/import-images.sh \
  --registry registry.internal.example.com/wordcab \
  --skip-existing
```

Custom CA

If your internal registry or IdP uses a private CA, mount it into the Wordcab pods via global.caBundle:

```yaml
global:
  caBundle:
    configMapName: internal-ca
    # or inline:
    # inline: |
    #   -----BEGIN CERTIFICATE-----
    #   ...
```

Install

```bash
# Run the airgap-mode installer. It uses your internal registry,
# runs preflight, and registers the deployment with a LOCAL control plane
# (no wordcab.com contact).
wordcab deploy apply -f values.yaml --offline
```

Preflight

The preflight suite verifies: GPU count, driver version, CNI policy, StorageClass, ingress controller, image pull from the local registry, and the CA bundle. Run it before every install and every upgrade.

```bash
wordcab deploy preflight --offline    # skips any network-facing checks
```

Audit

Every key event (install, upgrade, login, key rotation) is emitted to stdout as structured JSON, and to syslog. Configure your SIEM to tail the pod logs or the syslog sink — the bundle includes a Fluent Bit preset that maps to the common SIEMs (Splunk, Elastic, QRadar, Chronicle).

Signature verification is non-negotiable

Refuse to install a bundle whose Cosign signature does not verify against the public key you received separately (never from the same channel as the bundle itself). If verification fails, stop and contact support.
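
One way to enforce this rule together with step 1 of "Verify the bundle" is a gate that extracts the archive only after both the key and the signature check out. This is an added example, not Wordcab's own tooling; the function names, exit codes, and the practice of recording a SHA-256 digest of cosign.pub when it arrives through the separate channel are assumptions.

```bash
#!/usr/bin/env bash
# Added example, not vendor code. Assumptions: the function names, the exit
# codes, and a SHA-256 of cosign.pub recorded when the key arrived out of band.
# Requires cosign and sha256sum (GNU coreutils) on the verification host.

# verify_bundle <bundle.tar.gz> <cosign.pub> <pinned-sha256-of-key>
# Returns 0 only if the key matches the pinned digest and the signature verifies.
verify_bundle() {
  local bundle="$1" key="$2" pinned="$3" sig="$1.sig" f actual
  for f in "$bundle" "$sig" "$key"; do
    [ -r "$f" ] || { echo "REFUSE: missing or unreadable: $f" >&2; return 2; }
  done

  # 1. The key on disk must be the one received through the separate channel,
  #    not a copy that travelled with the bundle.
  actual=$(sha256sum "$key" | cut -d' ' -f1)
  if [ "$actual" != "$pinned" ]; then
    echo "REFUSE: key digest $actual does not match the pinned value" >&2
    return 3
  fi

  # 2. Same check as step 1 of "Verify the bundle", with the result enforced.
  if ! cosign verify-blob --key "$key" --signature "$sig" "$bundle" >/dev/null; then
    echo "REFUSE: signature verification failed for $bundle" >&2
    return 4
  fi
  echo "OK: $bundle verified against the pinned key"
}

# Extract only after verification. The cosign.pub packed inside the tarball
# is never used as the trust anchor here.
verify_then_extract() {
  verify_bundle "$@" || return $?
  tar xzf "$1"
}

# Usage: ./verify-gate.sh <bundle.tar.gz> <cosign.pub> <pinned-sha256-of-key>
if [ "$#" -eq 3 ]; then
  verify_then_extract "$@"
fi
```

A non-zero exit (2 missing file, 3 key mismatch, 4 bad signature) means the archive was not extracted.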