Air-Gapped Deployments - Cartesia Docs

For deployments without internet connectivity to Cartesia’s licensing servers, you can run in air-gapped mode. This mode uses an offline license file instead of real-time authentication.

Download your offline license file from the on-prem portal. See Provisioned Resources for details.

Configuration

Terraform
Helm

# In your .tfvars file
authenticate               = false
license_proxy_persistence  = true   # Required for air-gapped mode

infra:
  authenticate: false
licenseProxy:
  persistence:
    enabled: true
    storageClass: gp2  # Use appropriate storage class for your cluster

Loading a License

You can seed a license at install time (recommended for first deployment) or upload one to a running cluster via the /license endpoint.

At install time

Pass the downloaded license file directly to your deploy tool. The chart creates a ConfigMap containing the license and adds an initContainer that copies it into the license-proxy volume on first boot, so terraform apply / helm install is a one-shot setup.

Terraform
Helm

# In your .tfvars file
authenticate              = false
license_proxy_persistence = true
license_proxy_seed_file   = "/path/to/license.json"

Then:

terraform apply

helm install cartesia ./cartesia \
  --set infra.authenticate=false \
  --set licenseProxy.persistence.enabled=true \
  --set-file licenseProxy.licenseContent=/path/to/license.json

Use --set-file to pass the file contents; --set will try to parse the JSON as structured values and fail.

The seed is a one-time bootstrap — if a license already exists on disk, the initContainer skips the copy. Licenses uploaded later via POST /license take precedence automatically (the license proxy picks the license with the latest issued_at), and they are not clobbered on pod restart. To rotate a seeded license, upload the new license with POST /license (see below) — re-running terraform apply / helm upgrade alone will not overwrite an existing license on disk.

On a running cluster

The /license and /audit endpoints are served by the license proxy pod behind the cartesia-license-proxy service, not by the API pod.

In air-gapped mode, the /license endpoint is exposed for license management.

Via Port-Forward

kubectl port-forward svc/cartesia-license-proxy 8080:8080 -n cartesia

In another terminal:

curl -X POST http://localhost:8080/license -d '<license-json>'

Via Ingress

If ingress is enabled:

curl -X POST https://<your-domain>/license -d '<license-json>'

Retrieving Audit Logs

The /audit endpoint is available in air-gapped mode for retrieving usage audit logs:

curl -X GET https://<your-domain>/audit --output audits.tar

These audit logs contain usage metadata for billing reconciliation. No transcript data is included, which you can validate by looking at the contents of the output.

​Configuration

​Loading a License

​At install time

​On a running cluster

​Via Port-Forward

​Via Ingress

​Retrieving Audit Logs

Configuration

Loading a License

At install time

On a running cluster

Via Port-Forward

Via Ingress

Retrieving Audit Logs