Offline / airgap considerations
Onyxia can be installed in constrained environments, such as behind a proxy, offline, or air-gapped. This page lists the configuration points to keep in mind when installing Onyxia in such environments.
Catalogs
By default, Onyxia (Onyxia-API, to be precise) is configured to use the InseeFrLab open-source catalogs straight from GitHub.
This won't work if you don't have internet access.
If you are behind a proxy, you can configure it using the corresponding API environment variables.
You can configure your own catalogs by using the catalogs key from the Helm chart.
A catalog is a regular Helm chart repository; see here for more details on how to create your own catalog.
Note that Onyxia does not currently support OCI-based repositories; you need an index.yaml-based repository. See this issue to track progress on this.
Certificates
If you are using non-public (internal) certificates, you need to either mount them (recommended) or skip TLS validation (not recommended).
Mounting certificates (recommended)
Certificates can be mounted on the API pod:

api:
  extraVolumeMounts:
    - mountPath: "/usr/local/share/ca-certificates"
      name: ca-bundle
  extraVolumes:
    - name: ca-bundle
      secret:
        secretName: ca-bundle

Disabling TLS validation (not recommended)
To disable TLS validation for the API ⇒ OIDC provider: oidc.skip-tls-verify
To disable TLS validation for Helm (catalog retrieval): skipTlsVerify
Images
Currently, Onyxia's images and the images used by our open-source catalogs are hosted on Docker Hub.
Make sure your cluster nodes are configured to pull from a mirror, or prepull the corresponding images.
If needed, you can override the images Onyxia uses in the values.yaml, and the images of your services in your catalogs' values.yaml / values.schema.json.
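One way to check, before an offline install, which images would still be pulled from Docker Hub or another external registry. This is an added example, not part of the Onyxia project; the sample manifest, the image names in it and the mirror host registry.internal.example are constructed placeholders, and the input is assumed to be rendered manifests such as the output of helm template.

```python
import re

# Matches the `image:` fields of rendered Kubernetes manifests
# (plain or list-item form, quoted or not); ignores `image:` mappings.
IMAGE_LINE = re.compile(
    r"""^[ \t]*(?:-[ \t]*)?image:[ \t]*["']?([^"'\s#]+)""", re.MULTILINE
)


def registry_of(ref):
    """Return the registry host an image reference resolves to.

    Docker's rule: the first path component is a registry only if it
    contains '.' or ':' or is 'localhost'; otherwise Docker Hub is implied.
    """
    first, sep, _ = ref.partition("/")
    if sep and ("." in first or ":" in first or first == "localhost"):
        return first
    return "docker.io"


def external_images(manifests, allowed):
    """Map each image not served by an allowed registry to its registry."""
    found = {}
    for ref in IMAGE_LINE.findall(manifests):
        registry = registry_of(ref)
        if registry not in allowed:
            found[ref] = registry
    return found


# Constructed sample standing in for rendered manifests (not real chart output).
SAMPLE = """
    spec:
      containers:
        - name: api
          image: "inseefrlab/onyxia-api:latest"
          imagePullPolicy: IfNotPresent
        - image: registry.internal.example/mirror/onyxia-web:latest
          name: web
      initContainers:
        - name: init
          image: busybox
        - name: tools
          image: quay.io/example/tools@sha256:0000
"""

if __name__ == "__main__":
    allowed = {"registry.internal.example"}
    for ref, registry in external_images(SAMPLE, allowed).items():
        print(f"{registry:12} {ref}")
```

Any image reported here either needs an override in values.yaml pointing at the internal mirror, a node-level mirror configuration, or a prepull.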