Deployments & Integration
Bring Narsil into your environment with signed, OCI-compliant artifacts. Choose a deployment model below — every path ships hardened defaults and verifiable evidence out of the box.
How integration works
- Request enclave credentials: An authorizing official issues a short-lived token scoped to your enclave and classification level.
- Mirror artifacts to OCI: Sync signed images and Helm charts into the in-boundary OCI registry mirror — nothing reaches the enclave unsigned.
- Wire your pipeline: Drop the Narsil gate into your CI; every build is scanned, attested, and mapped to controls automatically.
- Seal evidence: OSCAL assessment results and a hash-linked audit bundle are produced on every deploy for the AO.
Declarative enclave provisioning
Provision a sealed Narsil enclave — network boundary, hardened compute, and the OCI registry mirror — from version-controlled HCL. State is stored in an encrypted, air-gap-friendly backend.
1. Authenticate: Export a short-lived enclave token; never commit credentials.
2. Plan: Run `terraform plan` and attach the output to your change record.
3. Apply: `terraform apply` provisions the boundary, nodes, and registry mirror.
```hcl
terraform {
  required_providers {
    narsil = {
      source  = "alethe-labs/narsil"
      version = "~> 1.4"
    }
  }

  # Encrypted, air-gap friendly state
  backend "s3" {
    bucket  = "narsil-tfstate"
    key     = "enclaves/us-east-3.tfstate"
    encrypt = true
  }
}

provider "narsil" {
  endpoint = var.enclave_endpoint
  token    = var.enclave_token # injected from CI secret
}

module "enclave" {
  source  = "alethe-labs/enclave/narsil"
  version = "1.4.0"

  name                = "us-east-3"
  classification      = "il5"
  stig_baseline       = "rhel9-v1r13"
  oci_registry_mirror = true
  fips_140_3          = true
}
```

```hcl
variable "enclave_endpoint" {
  type        = string
  description = "Air-gapped Narsil control-plane endpoint"
}

variable "enclave_token" {
  type      = string
  sensitive = true
}
```
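
The Authenticate, Plan, Apply steps above as one CI script; this is an added example, not Narsil's own tooling. It assumes Terraform's standard `TF_VAR_` environment mapping for the page's `enclave_token` variable; the function names and the file names `enclave.tfplan` and `plan.txt` are hypothetical.

```shell
#!/bin/sh
# Added example: pre-flight checks plus plan/apply from a saved plan.
# Function names and the enclave.tfplan / plan.txt file names are assumptions.

# Step 1 guard: fail if any .tf/.tfvars file assigns a quoted literal to
# `token` or `enclave_token`. Prints file names only, never the value.
check_no_literal_token() {
  pat='^[[:space:]]*(enclave_)?token[[:space:]]*=[[:space:]]*"'
  hits=$(find "$1" -type f \( -name '*.tf' -o -name '*.tfvars' \) \
           -exec grep -El "$pat" {} + || true)
  [ -z "$hits" ] && return 0
  echo "literal token assignment in: $hits" >&2
  return 1
}

# Steps 1-3. The token reaches Terraform only through TF_VAR_enclave_token,
# which Terraform maps onto variable "enclave_token".
provision() {
  dir=$1
  check_no_literal_token "$dir" || return 1
  [ -n "${TF_VAR_enclave_token:-}" ] || {
    echo "TF_VAR_enclave_token is not set" >&2; return 2; }
  terraform -chdir="$dir" init -input=false || return 3
  # Step 2: save the plan so apply executes exactly what was reviewed.
  terraform -chdir="$dir" plan -input=false -out=enclave.tfplan || return 3
  # The human-readable rendering redacts sensitive values; attach this file
  # to the change record, not the binary plan, which can hold them in cleartext.
  terraform -chdir="$dir" show -no-color enclave.tfplan > "$dir/plan.txt" || return 3
  # Step 3: apply the saved plan, then delete it.
  terraform -chdir="$dir" apply -input=false enclave.tfplan
  rc=$?
  rm -f "$dir/enclave.tfplan"
  return "$rc"
}

# Usage: sh provision.sh <terraform-dir>
if [ "$#" -gt 0 ]; then provision "$1"; fi
```

The literal-token check only catches direct quoted assignments; a `default` inside the variable block or a token in another attribute needs a dedicated secret scanner.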