Introduction #
This document provides step by step guide to installing Deepfactor Mutating Admission Controller Webhook via helm charts.
The Deepfactor webhook requires a certificate to communicate with the kube api server. The recommended way to generate this certificate is to use cert-manager. However, if you would like to generate a self-signed certificate manually, you can find the steps to do so in this article
Manually generate certificate for the webhook
Add Deepfactor Helm Repository #
Add Deepfactor Helm Repository using the commands below. If you do not have helm installed, please click here.
helm repo add deepfactor https://static.deepfactor.io/helm-charts helm repo update
Customize webhook-override.yaml #
Store the default webhook config in a file named webhook-override.yaml
helm show values deepfactor/webhook \ | grep -A100 -e '^webhookconfig:' | tee webhook-override.yaml
If you do not have cert-manager installed in your kubernetes cluster, please add the following lines in webhook-override.yaml at the root level. As part of the Deepfactor webhook installation, cert-manager will also be installed. If you already have cert manager installed, you can skip adding the following lines in your webhook-override.yaml file.
cert-manager: enablemodule: true installCRDs: true
Update the override.yaml with the following changes
- Update the dfRunToken value under the webhookconfig section with the run token fetched from the Deepfactor portal UI
- Add certManager section under webhook
webhook:
certManager:
enabled: true
issuerRef: {}
# if you have any issuer then you can pass it like this
# issuerRef:
# name: df-webhook-issuer
# kind: ClusterIssuer/Issuer
webhookconfig:
dfRunToken: "GET_FROM_PORTAL_UI"
Install Deepfactor Mutating Admission Webhook #
Now that you have set up your webhook-override.yaml, install the Deepfactor webhook using the command below:
helm upgrade --install df-webhook-stable -n df-webhook deepfactor/webhook \ --set clusterName=CLUSTER_NAME_OF_YOUR_CHOICE --create-namespace -f webhook-override.yaml
Please provide a name for this cluster. After successful installation of the webhook, you will be able to view and configure this cluster on the portal UI. To know how to configure the Deepfactor admission webhook, please read the following article:
Configure Deepfactor Kubernetes admission webhook
Update Deepfactor Webhook
helm upgrade --install df-webhook-stable -n df-webhook deepfactor/webhook --reuse-values -f webhook-override.yaml
Uninstall Deepfactor Webhook #
helm uninstall df-webhook-stable -n df-webhook
Manually generate certificate for the webhook #
We recommend using cert-manager to generate certificates for webhook. However if you would like to generate the certificate manually, please use the below steps
Run the following commands to generate certificate
rm -rf webhook-certs export HELM_RELEASE_NAME=df-webhook-stable export HELM_RELEASE_NAMESPACE=df-webhook bash -c "$(curl -L https://static.deepfactor.io/scripts/public/df-webhook/cert-gen/certgen.sh)"
On successful completion, you will find the following three files under the certs directory.
- ca.crt
- tls.crt
- tls.key
Ensure you disable cert manager in the webhook-override.yaml
cert-manager: enablemodule: false
Also do not add the certManager section under webhook section of the webhook-override.yaml file.
Pass the generated certificates in the helm install command as shown below. Now the webhook will be installed and will use the manually generated certificates.
helm upgrade --install $HELM_RELEASE_NAME -n $HELM_RELEASE_NAMESPACE deepfactor/webhook \ --set-file=webhook.ca.crt=webhook-certs/ca.crt \ --set-file=webhook.tls.crt=webhook-certs/tls.crt \ --set-file=webhook.tls.key=webhook-certs/tls.key \ --create-namespace -f webhook-override.yaml \ --set clusterName=CLUSTER_NAME_OF_YOUR_CHOICE
Please provide a name for this cluster. After successful installation of the webhook, you will be able to view and configure this cluster on the portal UI. To know how to configure the Deepfactor admission webhook, please read the following article:
Configure Deepfactor Kubernetes admission webhook