Install Deepfactor K8s webhook on EKS Fargate

Introduction

This document is a guide for installing the Deepfactor admission webhook in your AWS EKS cluster running on AWS Fargate via helm charts.

You can create a Fargate EKS cluster using the CLI, the UI, or the eksctl command-line tool. With eksctl:

eksctl create cluster --name my-cluster --region AWS_REGION --fargate
 

Create Fargate Profile For Deepfactor webhook

Please create a Fargate profile for the namespace in which the Deepfactor webhook will be deployed.

You may create the Fargate profile using the command below.

eksctl create fargateprofile \
--cluster my-cluster \
--name my-fargate-profile-name \
--namespace df-webhook \
--region AWS_REGION \
--labels key=value

 

Install Deepfactor Mutating Webhook

The Deepfactor webhook requires a certificate to communicate with the Kubernetes API server.

 

Add Deepfactor Helm Repository

Add the Deepfactor Helm repository using the commands below. If you do not have Helm installed, install it before continuing.

helm repo add deepfactor https://static.deepfactor.io/helm-charts
helm repo update
 

Customize webhook-override.yaml

Store the default webhook config in a file named webhook-override.yaml

helm show values deepfactor/webhook \
| grep -A999 -e 'webhookconfig:' | tee webhook-override.yaml

 

In webhook-override.yaml, set the dfRunToken value under the webhookconfig section to the run token fetched from the Deepfactor portal UI.

For more details about the various webhook configuration parameters please refer to the following article.

Configure Deepfactor Mutating Webhook

Manually generate a certificate for the webhook

Deepfactor Mutating Webhook supports only self-signed certificates when deployed in the AWS Fargate EKS cluster. You can use the following set of commands to accomplish this.

rm -rf webhook-certs
export HELM_RELEASE_NAME=df-webhook-stable
export HELM_RELEASE_NAMESPACE=df-webhook
bash -c "$(curl -L https://static.deepfactor.io/scripts/public/df-webhook/cert-gen/certgen.sh)"

On successful completion, you will find the following three files under the webhook-certs directory.

  • ca.crt

  • tls.crt

  • tls.key
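A pre-flight check for the three generated files, added here as an example; it is not part of the original article or of Deepfactor's tooling. It assumes openssl is installed and that certgen.sh wrote unencrypted PEM files; the function name check_webhook_certs is hypothetical.

```bash
#!/usr/bin/env bash
# Added example: pre-flight check for the files certgen.sh generates.
# Assumes openssl is installed and the files are unencrypted PEM.

check_webhook_certs() {
  local dir="${1:-webhook-certs}" f cert_pub key_pub rc=0

  # All three files must exist and be non-empty.
  for f in ca.crt tls.crt tls.key; do
    [ -s "$dir/$f" ] || { echo "FAIL: $dir/$f missing or empty" >&2; return 1; }
  done

  # The private key should be accessible by its owner only (mode 600 or 400).
  if [ "$(ls -l "$dir/tls.key" | cut -c5-10)" != "------" ]; then
    echo "FAIL: tls.key is group/world accessible (chmod 600 it)" >&2; rc=1
  fi

  # tls.crt must chain to ca.crt, the CA passed to helm as webhook.ca.crt.
  if ! openssl verify -CAfile "$dir/ca.crt" "$dir/tls.crt" >/dev/null 2>&1; then
    echo "FAIL: tls.crt does not verify against ca.crt" >&2; rc=1
  fi

  # tls.key must be the private half of the public key inside tls.crt.
  cert_pub=$(openssl x509 -in "$dir/tls.crt" -noout -pubkey 2>/dev/null) || true
  key_pub=$(openssl pkey -in "$dir/tls.key" -pubout 2>/dev/null) || true
  if [ -z "$cert_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
    echo "FAIL: tls.key does not match tls.crt" >&2; rc=1
  fi

  # Reject a serving certificate that has already expired.
  if ! openssl x509 -in "$dir/tls.crt" -noout -checkend 0 >/dev/null 2>&1; then
    echo "FAIL: tls.crt has expired" >&2; rc=1
  fi

  [ "$rc" -eq 0 ] && echo "OK: $dir passed all checks"
  return "$rc"
}

# Run the check only when a directory is given, e.g.: ./check.sh webhook-certs
if [ "$#" -gt 0 ]; then
  check_webhook_certs "$1"
fi
```
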

Pass the generated certificates in the helm install command as shown below. Now the webhook will be installed and will use the manually generated certificates.

helm upgrade --install $HELM_RELEASE_NAME -n $HELM_RELEASE_NAMESPACE deepfactor/webhook \
--set-file=webhook.ca.crt=webhook-certs/ca.crt \
--set-file=webhook.tls.crt=webhook-certs/tls.crt \
--set-file=webhook.tls.key=webhook-certs/tls.key \
--create-namespace -f webhook-override.yaml \
--set webhook.resources.requests.cpu=125m \
--set webhook.resources.requests.memory=250Mi \
--set webhook.resources.limits.cpu=250m \
--set webhook.resources.limits.memory=500Mi \
--set clusterName=CLUSTER_NAME_OF_YOUR_CHOICE

 

Update Deepfactor Webhook

helm upgrade --install df-webhook-stable -n df-webhook deepfactor/webhook --reuse-values -f webhook-override.yaml

 

Uninstall Deepfactor Webhook

helm uninstall df-webhook-stable -n df-webhook