We provide various different ways of deploying the DeepFactor Portal on your premises. The following article will describe how you can deploy DeepFactor portal in your Kubernetes cluster such ask Elastic Kubernetes Service (EKS), Azure Kubernetes Service (AKS), Google Kubernetes Engine (GKE), Rancher etc.
Pre-Requisites
-
A Kubernetes cluster (recommended version 1.18 or higher) with the following capacity:
3 node cluster with 2x m5.large (8GB) and 1x m5.xlarge (16GB) for running DAST scans.
If you do not have a K8s cluster, you can choose to deploy DeepFactor using the OVA or AMI.
service providers documentation to bring up a K8s cluster. Some relevant links are placed below for quick reference.
AWS - https://docs.aws.amazon.com/eks/latest/userguide/create-cluster.html
Azure - https://docs.microsoft.com/en-us/azure/aks/kubernetes-walkthrough-portal
GCP - https://cloud.google.com/kubernetes-engine/docs/how-to/creating-a-zonal-cluster#console -
Helm3 and kubectl installed on your local machine from which you intend to install DeepFactor Portal
https://helm.sh/docs/intro/install/
https://docs.docker.com/engine/install/ -
kube-config for your K8s cluster on your local machine.
-
An SSL certificate for the domain you want to assign to the DeepFactor portal. For example, deepfactor.mycompany.com.
If you want to use a self-signed certificate, we provide helper scripts. You can use the following commands to generate a self-signed certificate for the domain name of your choice.-
Download the following helper scripts
wget https://static.deepfactor.io/helm-charts/cert-gen/generate-cert.sh wget https://static.deepfactor.io/helm-charts/cert-gen/openssl-portal.cnf wget https://static.deepfactor.io/helm-charts/cert-gen/openssl-portalca.cnf
-
Run the script generate-cert.sh by providing the hostname you want to assign to your DeepFactor Portal
chmod +x generate-cert.sh sudo ./generate-cert.sh <deepfactor_portal_hostname>
-
-
Generate Kubernetes secrets
-
Download the following files using the following command
wget https://static.deepfactor.io/helm-charts/prerequisite/df-certs.yaml.tpl wget https://static.deepfactor.io/helm-charts/prerequisite/prerequisite.sh
-
Run prerequisite.sh to create the deepfactor namespace and k8s secrets required by DeepFactor portal.
chmod +x prerequisite.sh ./prerequisite.sh portalkeypath="./cert-gen/portal.key" \ portalcrtpath="./cert-gen/portal.crt" \ portalcakeypath="./cert-gen/portalca.key" \ portalcacrtpath="./cert-gen/portalca.crt" \ pempath="./cert-gen/01.pem"
portalkeypath, portalcrtpath, portalcakeypath, poatalcacrtpath and pempath are the paths for the respective cert files. If you used generate-cert.sh, these files will be present in the same directory where the script was run.
-
Deploy DeepFactor Using Helm v3
1. Add the DeepFactor helm charts repo by the following command.
helm repo add deepfactor https://static.deepfactor.io/helm-charts
Verify that the repo was successfully added by running the following command
$ helm repo ls (You should see a ouptut like the following) NAME URL deepfactor http://staging-df-helm-charts.s3-website-us-west-2.amazonaws.com $ helm search repo -l deepfactor (You should see a ouptut like the following) NAME CHART VERSION APP VERSION DESCRIPTION deepfactor/deepfactor 1.0.1 1.0.1 DeepFactor Portal Helm Chart deepfactor/ingress-nginx 3.7.1 0.40.2 Ingress controller for Kubernetes using NGINX a...
2. Run the following command to update the helm repo to the latest charts. This step is not required if you have just added the helm repo the first time.
$ helm repo update (You should see a ouptut like the following) ...Successfully got an update from the "deepfactor" chart repository Update Complete. ⎈Happy Helming!⎈
3. You can now install DeepFactor helm charts. You will need to supply an override.yaml file to helm install command. This file can be used to customize the DeepFactor portal deployment. At a minimum, you need to provide the following parameters.
You can get the portalToken by logging into my.deepfactor.io
Create a file override.yaml and paste the following data into it :
# dfstartup values
dfstartup:
config:
firstName: "<admin-first-name>"
lastName: "<admin-last-name>"
emailID: "<admin-email-id>"
ttlDays: "<ttl-days>"
portalToken: "<admin-portal-token>"
password: <password>
ingress:
hostName: <portal-endpoint>
appsettings:
numberOfConcurrentWebScansAllowed: <max-number-of-concurrent-web-scans-allowed>
$ helm install df-stable deepfactor/deepfactor -f override.yaml --namespace=deepfactor (You should see a ouptut like the following. I had given the `release-name`=beta) NAME: beta LAST DEPLOYED: Mon Apr 5 16:17:08 2021 NAMESPACE: deepfactor STATUS: deployed REVISION: 1 TEST SUITE: None NOTES: The DeepFactor portal has been installed check its status by running: $ kubectl get pods -n deepfactor
where
df-stable is the release name. You can provide a different string if you would like.
5. Execute the following command to get the public IP of the portal.
$ kubectl get svc -n deepfactor ... beta-ingress-nginx-controller LoadBalancer 10.100.43.157 abcdefghijklmnopq-545188163.us-east-2.elb.amazonaws.com 80:32013/TCP,443:30366/TCP,8443:30520/TCP 7m30s ...
Find the df-stable-ingress-nginx-controller service and copy the long DNS string and set a DNS record to point <deepfactor_portal_hostname> to this domain (either using an ALIAS record in AWS or an A record).
You can now access the DeepFactor portal at <deepfactor_portal_hostname> and log in to the portal using the emailID and password entered in the override.yaml.
Uninstalling DeepFactor Portal
-
Run the following command to uninstall the portal.
$ helm uninstall df-stable --namespace=deepfactor
-
Delete the postgres and clickhouse pvc to free up the space. Please note you will lose all the telemetry and alerts data.
$ kubectl get pvc --namespace=deepfactor $ kubectl delete pvc <postgres-pvc-name> <clickhouse-pvc-name> <archivestore-pvc-name> <symbolsvc-pvc-name> --namespace=deepfactor
-
Delete the secrets
-
$ kubectl get secrets -n deepfactor $ kubectl delete secrets regcred deepfactor-certs <ingress-secret-name> -n deepfactor
Comments
0 comments
Please sign in to leave a comment.