Skip to main content
Version: DAI 26.2

Deploying Eggplant DAI using Iron Bank Images

You can choose to source DAI Iron Bank container images from the US Department of Defence (DoD) Iron Bank image registry. Iron Bank is the DoD's source for hardened containers, which are built in an offline environment by the DoD and made available along with results of vulnerability scans, assessments, and bills of material.

Functionally, the DAI images within Iron Bank are identical to our standard images. The Iron Bank version of the images are primarily intended to serve DoD users, however the images are open to anyone who registers with Iron Bank.

Please refer to the Iron Bank site for more details on Iron Bank https://ironbank.dso.mil/about.

The overall process for deploying DAI using Iron Bank images is broadly the same as regular DAI install. This page seeks provide general guidance on using Iron Bank images.

note

The Postgresql, Minio, and RabbitMQ images are provided by the Iron Bank team and are not managed by Keysight.

Preparation

Image Pull Secrets

The Iron Bank image registry requires authentication. You therefore have to provide Iron Bank credentials to the helm install to allow the images to be pulled. Image pull credentials can be obtained in one of two ways:

  • Repo 1 Account - If you already have a 'Repo One' account then you can create a personal access token with the read_registry permission in the Iron Bank Gitlab repo. You can then use your username and newly created token to authenticate with the Iron Bank registry.

  • Robot Account - Alternatively, you can request a robot account for pulling images by raising an issue here: https://repo1.dso.mil/dsop/dccscr/-/issues (this also requires a Repo One account). This is useful when you don't want to use a specific user token to pull images. Robot Account credentials are limited to 6 months and will then require rotation.

tip

If you do not already have a Repo One account, you can register for one. Please refer to the Iron Bank Documentation for further guidenace.

Once you have your credentials you can create the image pull secret. First create the namespace where you wish to install DAI and then create the secret using the commands below (replacing the placeholders with your actual credentials):

kubectl create ns dai
kubectl create secret docker-registry ironbank --docker-server=registry1.dso.mil --docker-username=<your-username> --docker-password=<your-password> -n dai

Helm Values Changes

Additional helm values need to be set when installing from Iron Bank to:

  • Set the image pull secret to ironbank (i.e., the secret created above). This will be applied to all pods including both Keysight DAI services and the third party services (Postgres, RabbitMQ, Minio).
  • Update the DAI image registry and image names to use the Iron Bank variants of the image.
  • Update the the third party services (Postgresql, Minio, and Rabbitmq) to use Iron Bank images.
  • Update the configuration of the third party services to allow for configuration differences between the default images in the DAI chart and the Iron Bank variants.

The values in the YAML file below provide an example of the above customisation. These should be applied in addition to the values described in Deploying Eggplant DAI in Containers. Save the contents below as ironbank.yaml and customise to suit your installation if needed.

global:
dai:
image:
repository: registry1.dso.mil/ironbank/keysight/eggplant
keycloak:
provisioner:
image:
repository: registry1.dso.mil/ironbank/keysight/eggplant
imagePullSecrets:
- name: ironbank

minio:
image:
repository: registry1.dso.mil/ironbank/opensource/minio/minio

postgresql:
image:
repository: registry1.dso.mil/ironbank/opensource/postgres/postgresql
containerSecurityContext:
runAsUser: 1001
runAsGroup: 1001
runAsNonRoot: true
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
seccompProfile:
type: RuntimeDefault
podSecurityContext:
fsGroup: 1001
seccompProfile:
type: RuntimeDefault

rabbitmq:
image:
registry: registry1.dso.mil
repository: ironbank/opensource/rabbitmq
tag: 4.2.4
containerSecurityContext:
runAsUser: 1001
runAsGroup: 1001
runAsNonRoot: true
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
seccompProfile:
type: RuntimeDefault
podSecurityContext:
fsGroup: 1001
seccompProfile:
type: RuntimeDefault

Installation

To deploy DAI using Iron Bank containers:

  1. Create your customized dai.yaml helm values file as described in Deploying Eggplant DAI in Containers;

  2. Create the image pull secret as described above;

  3. Create ironbank.yaml file as described above;

  4. Then you can deploy it into the cluster using helm, supplying both your dai.yaml and ironbank.yaml values files:

    helm upgrade --install \
    --namespace dai \
    dai \
    oci://harbor.dai.eggplant.cloud/charts/dai \
    --version 1.38.19 \
    --values dai.yaml \
    --values ironbank.yaml \
    --wait

    On success you will see output similar to this:

    Release "dai" does not exist. Installing it now.
    NAME: dai
    LAST DEPLOYED: Tue Jun 9 14:18:36 2026
    NAMESPACE: dai
    STATUS: deployed
    REVISION: 1
    TEST SUITE: None
    NOTES:
    Thank you for installing dai.

    Your release is named dai.

    To learn more about the release, try:

    $ helm status dai
    $ helm get all dai

    You can access your DAI instance by visiting dai.example.com,
    using the credentials supplied in `keycloak-user-provisioner.adminUsers`.