
This repository provides a step-by-step guide for installing CloudDefense.AI DevSecOps tools on a Kubernetes cluster, specifically tailored for AWS environments. It covers everything from prerequisites to deployment, ensuring a smooth integration of CloudDefense.AI into your DevSecOps workflow.


CloudDefenseAI/charts


How to Install CloudDefense.AI DevSecOps on a Kubernetes cluster (AWS specific)

Note: throughout this guide the term 'cdefense' is shorthand for the on-prem installation of CloudDefense.AI.

STEP 1: PRE-REQUISITES (Customer Responsibility)

Required Skills/Person:

  1. A mid- to senior-level DevOps engineer with knowledge of Docker, Kubernetes, Helm, your cloud provider and your own infrastructure.
  2. Time needed: approximately 2 hours for the pre-requisites and approximately 2 hours for the CloudDefense.AI Helm chart. A video call for a debugging session may also be required.

There are three main pre-requisites for an on-premises cdefense installation:

  1. A managed Postgres instance (for example AWS RDS db.r5.large). Postgres is a relational database; learn more at https://www.postgresql.org/
    1. enable automated backups
  2. A Kubernetes cluster (EKS/GKE/AKS) that can reach the above DB and the internet (see /examples/eks), with at least two node groups. Learn more about Kubernetes at https://kubernetes.io/
    1. a node group for jobs
      1. each node has { label: job }
    2. a node group for everything else
      1. (optional) each node has { label: cdefense }
    3. exposure to the internet through an ingress controller; for EKS install the AWS Load Balancer Controller. Doc: https://docs.aws.amazon.com/eks/latest/userguide/aws-load-balancer-controller.html
  3. A cluster auto-scaler

Excel sheet with minimum infrastructure requirements: https://docs.google.com/spreadsheets/d/13R4DrVM6CfEgrlf3A7XDCrTNo8Aqq8DPU3Ne7FtHlgw/edit?usp=sharing

Confirming the pre-requisites (how do you know the cluster is ready?):

  1. Check that your K8S cluster is up and its nodes are Ready: kubectl get nodes
  2. Check that your K8S cluster can reach your Postgres DB (run this from a pod inside the cluster, not from your workstation): pg_isready -d <db_name> -h <host_name> -p <port_number> -U <db_user>
  3. Check that the load balancer controller is installed in the EKS cluster: kubectl get deployment -n kube-system aws-load-balancer-controller
  4. Check that your ingresses are reachable from the internet: run kubectl get ingress and confirm that the ADDRESS column is populated for each ingress
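The four checks above, as one preflight script. This is an added example and not part of the CloudDefenseAI/charts repo; each check_* function takes the relevant command output as its argument so it can be tested offline, and run_preflight wires them to real kubectl calls. The pod image postgres:16 and the node label column name are assumptions.

```shell
#!/bin/sh
# Preflight checks for the cdefense prerequisites (added example, not repo code).

# $1 = output of: kubectl get nodes -L label --no-headers
# Passes when at least one node is Ready and carries the job-pool label "label=job".
check_job_nodes() {
  printf '%s\n' "$1" | awk '$2 ~ /^Ready/ && $NF == "job" { n++ } END { if (n > 0) exit 0; exit 1 }'
}

# $1 = readyReplicas of deployment kube-system/aws-load-balancer-controller ("" if absent)
check_lb_controller() {
  [ "${1:-0}" -gt 0 ] 2>/dev/null
}

# $1 = lines of "namespace/name address" for every ingress; the address is empty while
# the load balancer is still being provisioned. Passes only if every ingress has one.
check_ingress_addresses() {
  printf '%s\n' "$1" | awk 'NF == 0 { next } NF >= 2 { ok++; next } { bad++ }
    END { if (ok > 0 && bad == 0) exit 0; exit 1 }'
}

# $1 host $2 port $3 db $4 user. Runs pg_isready from a throwaway pod so the check
# exercises the cluster's network path to the DB, not the path from your workstation.
check_db_from_cluster() {
  kubectl run pg-preflight --rm -i --restart=Never --image=postgres:16 -- \
    pg_isready -h "$1" -p "$2" -d "$3" -U "$4"
}

run_preflight() {   # usage: run_preflight <db_host> <db_port> <db_name> <db_user>
  check_job_nodes "$(kubectl get nodes -L label --no-headers)" \
    || { echo "FAIL: no Ready node labelled label=job" >&2; return 1; }
  check_lb_controller "$(kubectl get deployment -n kube-system aws-load-balancer-controller \
    -o jsonpath='{.status.readyReplicas}' 2>/dev/null)" \
    || { echo "FAIL: aws-load-balancer-controller has no ready replicas" >&2; return 1; }
  check_ingress_addresses "$(kubectl get ingress -A -o jsonpath='{range .items[*]}{.metadata.namespace}/{.metadata.name} {.status.loadBalancer.ingress[0].hostname}{"\n"}{end}')" \
    || { echo "FAIL: an ingress has no ADDRESS yet" >&2; return 1; }
  check_db_from_cluster "$@" || { echo "FAIL: cluster cannot reach Postgres" >&2; return 1; }
  echo "all prerequisite checks passed"
}
```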

Warnings

STEP 2: INSTALL CLOUDDEFENSE.AI (CloudDefense.ai on-prem installation)

Note: as above, 'cdefense' is shorthand for the on-prem installation of CloudDefense.AI.

Install cdefense from git repo

  • clone the repo

    git clone https://github.com/CloudDefenseAI/charts
    cd charts
  • create roles, role binding and service accounts

    kubectl apply -f charts/cdefense/rbac
  • create secrets

    kubectl apply -f charts/cdefense/secrets
  • create a dump folder (git ignored) if it does not exist; the cdefense subfolder must exist before the copy below

    mkdir -p dump/cdefense
  • create/edit values.yaml in dump (git ignored)

    cp charts/cdefense/values.yaml dump/cdefense/values.yaml
  • edit values.yaml in dump (git ignored), for example to set the domain and hostname

    vi dump/cdefense/values.yaml
  • Install cdefense helm

    helm install cdefense charts/cdefense -f dump/cdefense/values.yaml --debug

Install cdefense from helm repo

  • add cdefense helm repo

    helm repo add cdefense https://clouddefenseai.github.io/charts/
  • update repos

    helm repo update
  • create values.yaml (the cdefense folder must exist first)

    mkdir -p cdefense && touch cdefense/values.yaml
  • edit values.yaml, for example to set the domain and hostname

    vi cdefense/values.yaml
  • Install cdefense

    helm install cdefense cdefense/cdefense -f cdefense/values.yaml --debug

Install kafka

  • add the bitnami helm repo, which provides the kafka chart

    helm repo add bitnami https://charts.bitnami.com/bitnami
  • create values.yaml (the kafka folder must exist first)

    mkdir -p kafka && touch kafka/values.yaml
  • edit values.yaml, for example to pin kafka to a node group with a nodeSelector

    vi kafka/values.yaml
    nodeSelector:
      label: external
  • Install kafka helm

    helm install kafka bitnami/kafka -f kafka/values.yaml

Configure Social Authentication

To allow users to sign in through an external identity provider (for example GitHub), register an OAuth application with that provider and store its client ID and secret in the authservice secret below.

GitHub

Save the following manifest as authservice-secrets.yaml, outside the repository so that the credentials are not committed, fill in the values for the providers you use (the others may stay empty) and apply it.

  • create a secret for authservice

    apiVersion: v1
    kind: Secret
    metadata:
      name: authservice-secrets
    type: Opaque
    stringData:
      SENDGRID_KEY: ""
      GOOGLE_CLIENT_ID: ""
      GOOGLE_CLIENT_SECRET: ""
      GITHUB_CLIENT_ID: ""
      GITHUB_CLIENT_SECRET: ""
      GITLAB_APPLICATION_ID: ""
      GITLAB_APPLICATION_SECRET: ""
      BITBUCKET_KEY: ""
      BITBUCKET_SECRET: ""
      MICROSOFT_CLIENT_ID: ""
      MICROSOFT_CLIENT_SECRET: ""

    kubectl apply -f authservice-secrets.yaml
  • restart authservice pod
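The same two steps (create the secret, restart authservice) driven from a local KEY=VALUE file, so the secret values never sit in a manifest. This is an added example, not code from the CloudDefenseAI/charts repo; it assumes the authservice runs as a Deployment named "authservice" in the current namespace, which the page does not state, and the env-file contents in the comments are constructed.

```shell
#!/bin/sh
# Build authservice-secrets from an env file and restart authservice (added example).
# Env file format, one entry per line, e.g. (constructed values):
#   GITHUB_CLIENT_ID=Iv1.constructed
#   GITHUB_CLIENT_SECRET=s3cr3t-constructed

# $1 = env file, remaining args = keys that must be present and non-empty.
# Prints the missing keys and returns 1, so a half-configured provider is caught
# before anything is applied to the cluster.
check_env_file() {
  f=$1; shift
  missing=""
  for k in "$@"; do
    v=$(sed -n "s/^$k=//p" "$f" | head -n 1)
    [ -n "$v" ] || missing="$missing $k"
  done
  [ -z "$missing" ] || { echo "missing or empty in $f:$missing" >&2; return 1; }
}

# $1 = env file (keep it out of git). Requires the GitHub pair from the page's key list;
# pass other keys to check_env_file when enabling other providers.
apply_authservice_secrets() {
  check_env_file "$1" GITHUB_CLIENT_ID GITHUB_CLIENT_SECRET || return 1
  # --dry-run + apply keeps the step idempotent ("create" alone fails on a second run)
  kubectl create secret generic authservice-secrets --from-env-file="$1" \
    --dry-run=client -o yaml | kubectl apply -f -
  # pods only read the secret at start, so roll the deployment to pick up the new values
  kubectl rollout restart deployment/authservice
}
```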
