Deploying Eggplant DAI using Iron Bank Images
You can choose to source DAI Iron Bank container images from the US Department of Defence (DoD) Iron Bank image registry. Iron Bank is the DoD's source for hardened containers, which are built in an offline environment by the DoD and made available along with results of vulnerability scans, assessments, and bills of material.
Functionally, the DAI images within Iron Bank are identical to our standard images. The Iron Bank version of the images are primarily intended to serve DoD users, however the images are open to anyone who registers with Iron Bank.
Please refer to the Iron Bank site for more details on Iron Bank https://ironbank.dso.mil/about.
The overall process for deploying DAI using Iron Bank images is broadly the same as regular DAI install. This page seeks provide general guidance on using Iron Bank images.
The Postgresql, Minio, and RabbitMQ images are provided by the Iron Bank team and are not managed by Keysight.
Preparation
Image Pull Secrets
The Iron Bank image registry requires authentication. You therefore have to provide Iron Bank credentials to the helm install to allow the images to be pulled. Image pull credentials can be obtained in one of two ways:
-
Repo 1 Account - If you already have a 'Repo One' account then you can create a personal access token with the
read_registrypermission in the Iron Bank Gitlab repo. You can then use your username and newly created token to authenticate with the Iron Bank registry. -
Robot Account - Alternatively, you can request a robot account for pulling images by raising an issue here: https://repo1.dso.mil/dsop/dccscr/-/issues (this also requires a Repo One account). This is useful when you don't want to use a specific user token to pull images. Robot Account credentials are limited to 6 months and will then require rotation.
If you do not already have a Repo One account, you can register for one. Please refer to the Iron Bank Documentation for further guidenace.
Once you have your credentials you can create the image pull secret. First create the namespace where you wish to install DAI and then create the secret using the commands below (replacing the placeholders with your actual credentials):
kubectl create ns dai
kubectl create secret docker-registry ironbank --docker-server=registry1.dso.mil --docker-username=<your-username> --docker-password=<your-password> -n dai
Helm Values Changes
Additional helm values need to be set when installing from Iron Bank to:
- Set the image pull secret to
ironbank(i.e., the secret created above). This will be applied to all pods including both Keysight DAI services and the third party services (Postgres, RabbitMQ, Minio). - Update the DAI image registry and image names to use the Iron Bank variants of the image.
- Update the the third party services (Postgresql, Minio, and Rabbitmq) to use Iron Bank images.
- Update the configuration of the third party services to allow for configuration differences between the default images in the DAI chart and the Iron Bank variants.
The values in the YAML file below provide an example of the above customisation. These should be applied in addition to the values described in Deploying Eggplant DAI in Containers. Save the contents below as ironbank.yaml and customise to suit your installation if needed.
global:
dai:
image:
repository: registry1.dso.mil/ironbank/keysight/eggplant
keycloak:
provisioner:
image:
repository: registry1.dso.mil/ironbank/keysight/eggplant
imagePullSecrets:
- name: ironbank
minio:
image:
repository: registry1.dso.mil/ironbank/opensource/minio/minio
postgresql:
image:
repository: registry1.dso.mil/ironbank/opensource/postgres/postgresql
containerSecurityContext:
runAsUser: 1001
runAsGroup: 1001
runAsNonRoot: true
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
seccompProfile:
type: RuntimeDefault
podSecurityContext:
fsGroup: 1001
seccompProfile:
type: RuntimeDefault
rabbitmq:
image:
registry: registry1.dso.mil
repository: ironbank/opensource/rabbitmq
tag: 4.2.4
containerSecurityContext:
runAsUser: 1001
runAsGroup: 1001
runAsNonRoot: true
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
seccompProfile:
type: RuntimeDefault
podSecurityContext:
fsGroup: 1001
seccompProfile:
type: RuntimeDefault
Installation
To deploy DAI using Iron Bank containers:
-
Create your customized
dai.yamlhelm values file as described in Deploying Eggplant DAI in Containers; -
Create the image pull secret as described above;
-
Create
ironbank.yamlfile as described above; -
Then you can deploy it into the cluster using helm, supplying both your
dai.yamlandironbank.yamlvalues files:helm upgrade --install \--namespace dai \dai \oci://harbor.dai.eggplant.cloud/charts/dai \--version 1.38.19 \--values dai.yaml \--values ironbank.yaml \--waitOn success you will see output similar to this:
Release "dai" does not exist. Installing it now.NAME: daiLAST DEPLOYED: Tue Jun 9 14:18:36 2026NAMESPACE: daiSTATUS: deployedREVISION: 1TEST SUITE: NoneNOTES:Thank you for installing dai.Your release is named dai.To learn more about the release, try:$ helm status dai$ helm get all daiYou can access your DAI instance by visiting dai.example.com,using the credentials supplied in `keycloak-user-provisioner.adminUsers`.