Introduction #
This document is a guide for installing the Deepfactor admission webhook in your AWS EKS cluster running on AWS Fargate via helm charts.
A Fargate EKS cluster can be created using the CLI, the UI, or the eksctl command-line tool. With eksctl, the command is as follows.
eksctl create cluster --name my-cluster --region AWS_REGION --fargate
Create Fargate Profile For Deepfactor webhook #
Create a Fargate profile for the namespace in which the Deepfactor webhook will be deployed.
You may create the Fargate profile using the command below.
eksctl create fargateprofile \
    --cluster my-cluster \
    --name my-fargate-profile-name \
    --namespace df-webhook \
    --region AWS_REGION \
    --labels key=value
Install Deepfactor Mutating Webhook #
The Deepfactor webhook requires a certificate to communicate with the Kubernetes API server.
Add Deepfactor Helm Repository #
Add the Deepfactor Helm repository using the commands below. Helm must already be installed.
helm repo add deepfactor https://static.deepfactor.io/helm-charts
helm repo update
Customize webhook-override.yaml #
Store the default webhook config in a file named webhook-override.yaml.
helm show values deepfactor/webhook \
    | grep -A999 -e 'webhookconfig:' \
    | tee webhook-override.yaml
In webhook-override.yaml, set the dfRunToken value under the webhookconfig section to the run token fetched from the Deepfactor portal UI.
For more details about the various webhook configuration parameters please refer to the following article.
Configure Deepfactor Mutating Webhook
Manually generate a certificate for the webhook #
Deepfactor Mutating Webhook supports only self-signed certificates when deployed in the AWS Fargate EKS cluster. You can use the following set of commands to accomplish this.
rm -rf webhook-certs
export HELM_RELEASE_NAME=df-webhook-stable
export HELM_RELEASE_NAMESPACE=df-webhook
bash -c "$(curl -L https://static.deepfactor.io/scripts/public/df-webhook/cert-gen/certgen.sh)"
On successful completion, you will find the following three files under the webhook-certs directory.
- ca.crt
- tls.crt
- tls.key
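Before passing these files to helm, they can be checked for consistency. The function below is an added example, not part of the Deepfactor documentation or of certgen.sh. It assumes openssl 1.1.1 or later, and SERVICE in the DNS name is a placeholder for the webhook Service name, which this page does not give.

```shell
#!/bin/sh
# Added example: pre-install check of ca.crt, tls.crt and tls.key.
# Usage: check_webhook_certs DIR DNS_NAME
#   DIR       directory holding the three files (webhook-certs on this page)
#   DNS_NAME  name the API server uses for a Service-backed webhook,
#             SERVICE.NAMESPACE.svc (SERVICE is an assumption, see lead-in)
# Returns: 0 ok, 1 file missing, 2 chain/validity, 3 key mismatch, 4 SAN missing
check_webhook_certs() {
  dir=$1
  dns=$2
  for f in ca.crt tls.crt tls.key; do
    [ -s "$dir/$f" ] || { echo "missing or empty: $dir/$f" >&2; return 1; }
  done

  # The serving certificate must verify against the CA handed to the chart.
  # openssl verify also fails if either certificate is outside its validity period.
  openssl verify -CAfile "$dir/ca.crt" "$dir/tls.crt" >/dev/null 2>&1 ||
    { echo "tls.crt does not verify against ca.crt" >&2; return 2; }

  # The private key must belong to the certificate: compare public-key digests.
  cert_pub=$(openssl x509 -in "$dir/tls.crt" -noout -pubkey | openssl sha256)
  key_pub=$(openssl pkey -in "$dir/tls.key" -pubout 2>/dev/null | openssl sha256)
  [ "$cert_pub" = "$key_pub" ] ||
    { echo "tls.key does not match tls.crt" >&2; return 3; }

  # The API server matches the name against SAN entries, not the subject CN,
  # so require an exact DNS entry (wildcards are not handled here).
  openssl x509 -in "$dir/tls.crt" -noout -ext subjectAltName 2>/dev/null |
    tr ',' '\n' | sed 's/^ *//; s/ *$//' | grep -qxF "DNS:$dns" ||
    { echo "no SAN entry DNS:$dns in tls.crt" >&2; return 4; }
  return 0
}
```

Run it as `check_webhook_certs webhook-certs SERVICE.df-webhook.svc` and continue with the install only when it returns 0.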
Pass the generated certificates to the helm install command as shown below. The webhook is then installed using the manually generated certificates.
helm upgrade --install "$HELM_RELEASE_NAME" -n "$HELM_RELEASE_NAMESPACE" deepfactor/webhook \
    --set-file=webhook.ca.crt=webhook-certs/ca.crt \
    --set-file=webhook.tls.crt=webhook-certs/tls.crt \
    --set-file=webhook.tls.key=webhook-certs/tls.key \
    --create-namespace -f webhook-override.yaml \
    --set webhook.resources.requests.cpu=125m \
    --set webhook.resources.requests.memory=250Mi \
    --set webhook.resources.limits.cpu=250m \
    --set webhook.resources.limits.memory=500Mi \
    --set clusterName=CLUSTER_NAME_OF_YOUR_CHOICE
Update Deepfactor Webhook #
helm upgrade --install df-webhook-stable -n df-webhook deepfactor/webhook -f webhook-override.yaml
Uninstall Deepfactor Webhook #
helm uninstall df-webhook-stable -n df-webhook