Introduction
This document provides step by step guide to installing Deepfactor Mutating Admission Controller Webhook via helm charts.
The Deepfactor webhook requires a certificate to communicate with the kube api server. The recommended way to generate this certificate is to use cert-manager. However, if you would like to generate a self-signed certificate manually, you can find the steps to do so in this article
Add Deepfactor Helm Repository
Add Deepfactor Helm Repository using the commands below. If you do not have helm installed, please click here.
helm repo add deepfactor https://static.deepfactor.io/helm-charts
helm repo update
Customize webhook-override.yaml
Store the default webhook config in a file named webhook-override.yaml
helm show values deepfactor/webhook \
| grep -A999 -e 'webhookconfig:' | tee webhook-override.yaml
If you do not have cert-manager installed in your kubernetes cluster, please add the following lines in webhook-override.yaml at the root level. As part of the Deepfactor webhook installation, cert-manager will also be installed. If you already have cert manager installed, you can skip adding the following lines in your webhook-override.yaml file.
cert-manager:
enablemodule: true
installCRDs: true
Update the override.yaml with the following changes
- Update the dfRunToken value under the webhookconfig section with the run token fetched from the Deepfactor portal UI
- Add certManager section under webhook
- Add namespaces you want to instrument with Deepfactor under webhookconfig
For more details about the various webhook configuration parameters please refer to the following article.
webhook:
certManager:
enabled: true
issuerRef: {}
# if you have any issuer then you can pass it like this
# issuerRef:
# name: df-webhook-issuer
# kind: ClusterIssuer/Issuer
webhookconfig:
dfRunToken: "GET_FROM_PORTAL_UI"
namespaces:
- name: "df1"
Install Deepfactor Mutating Admission Webhook
Now that you have set up your webhook-override.yaml, install the Deepfactor webhook using the command below:
helm upgrade --install df-webhook-stable -n df-webhook deepfactor/webhook \
--create-namespace -f webhook-override.yaml
Update Deepfactor Webhook
helm upgrade --install df-webhook-stable -n df-webhook deepfactor/webhook --reuse-values -f webhook-override.yaml
Uninstall Deepfactor Webhook
helm uninstall df-webhook-stable -n df-webhook
Manually generate certificate for the webhook
We recommend using cert-manager to generate certificates for webhook. However if you would like to generate the certificate manually, please use the below stepsRun the following commands to generate certificate
rm -rf webhook-certs
export HELM_RELEASE_NAME=df-webhook-stable
export HELM_RELEASE_NAMESPACE=df-webhook
bash -c "$(curl -L https://static.deepfactor.io/scripts/public/df-webhook/cert-gen/certgen.sh)"
On successful completion, you will find the following three files under the certs directory.
ca.crttls.crttls.key
Ensure you disable cert manager in the webhook-override.yaml
cert-manager: enablemodule: false
Also do not add the certManager section under webhook section of the webhook-override.yaml file.
Pass the generated certificates in the helm install command as shown below. Now the webhook will be installed and will use the manually generated certificates.
helm upgrade --install $HELM_RELEASE_NAME -n $HELM_RELEASE_NAMESPACE deepfactor/webhook \
--set-file=webhook.ca.crt=webhook-certs/ca.crt \
--set-file=webhook.tls.crt=webhook-certs/tls.crt \
--set-file=webhook.tls.key=webhook-certs/tls.key \
--create-namespace -f webhook-override.yaml
Comments
Please sign in to leave a comment.