Install Deepfactor Mutating Webhook


This document provides step by step guide to installing Deepfactor Mutating Admission Controller Webhook via helm charts.
The Deepfactor webhook requires a certificate to communicate with the kube api server. The recommended way to generate this certificate is to use cert-manager. However, if you would like to generate a self-signed certificate manually, you can find the steps to do so in this article

Add Deepfactor Helm Repository

Add Deepfactor Helm Repository using the commands below. If you do not have helm installed, please click here.
helm repo add deepfactor
helm repo update

Customize webhook-override.yaml

Store the default webhook config in a file named webhook-override.yaml
helm show values deepfactor/webhook \
| grep -A999 -e 'webhookconfig:' | tee webhook-override.yaml
If you do not have cert-manager installed in your kubernetes cluster, please add the following lines in webhook-override.yaml at the root level. As part of the Deepfactor webhook installation, cert-manager will also be installed. If you already have cert manager installed, you can skip adding the following lines in your webhook-override.yaml file.
  enablemodule: true
  installCRDs: true
Update the override.yaml with the following changes
  • Update the dfRunToken value under the webhookconfig section with the run token fetched from the Deepfactor portal UI
  • Add certManager section under webhook
  • Add namespaces you want to instrument with Deepfactor under webhookconfig
For more details about the various webhook configuration parameters please refer to the following article.
    enabled: true
    issuerRef: {}
    # if you have any issuer then you can pass it like this
    # issuerRef:
      # name: df-webhook-issuer
      # kind: ClusterIssuer/Issuer
  dfRunToken: "GET_FROM_PORTAL_UI"
  - name: "df1"


Install Deepfactor Mutating Admission Webhook

Now that you have set up your webhook-override.yaml, install the Deepfactor webhook using the command below:
helm upgrade --install df-webhook-stable -n df-webhook deepfactor/webhook \
--create-namespace -f webhook-override.yaml

Update Deepfactor Webhook

helm upgrade --install df-webhook-stable -n df-webhook deepfactor/webhook --reuse-values -f webhook-override.yaml

Uninstall Deepfactor Webhook

helm uninstall df-webhook-stable -n df-webhook

Manually generate certificate for the webhook

We recommend using cert-manager to generate certificates for webhook. However if you would like to generate the certificate manually, please use the below steps
Run the following commands to generate certificate
rm -rf webhook-certs
export HELM_RELEASE_NAME=df-webhook-stable
export HELM_RELEASE_NAMESPACE=df-webhook
bash -c "$(curl -L"

On successful completion, you will find the following three files under the certs directory.

  • ca.crt
  • tls.crt
  • tls.key
Ensure you disable cert manager in the webhook-override.yaml
  enablemodule: false

Also do not add the certManager section under webhook section of the webhook-override.yaml file.

Pass the generated certificates in the helm install command as shown below. Now the webhook will be installed and will use the manually generated certificates.

helm upgrade --install $HELM_RELEASE_NAME -n $HELM_RELEASE_NAMESPACE deepfactor/webhook \ \
--set-file=webhook.tls.crt=webhook-certs/tls.crt \
--set-file=webhook.tls.key=webhook-certs/tls.key \
--create-namespace -f webhook-override.yaml


Was this article helpful?
0 out of 0 found this helpful



Please sign in to leave a comment.