# Install CloudDefense suite on a Kubernetes cluster

{% embed url="<https://youtu.be/Hs1fPgiJmJI>" %}

### Pre-requisites

There are three main pre-requisites for a production-grade cdefense installation on-premises:

1. A managed Postgres instance (on AWS, an RDS instance of class db.r5.large)
   1. enable automated backups
2. A kubernetes cluster (see `/examples/eks`) with at least two node groups
   1. a node group for jobs
      1. each node carries the label `label: job`
   2. a node group for everything else
      1. (optional) each node carries the label `label: cdefense`
3. A cluster auto-scaler

### Install kafka

* Add the bitnami helm repo, which hosts the kafka chart

  ```
  helm repo add bitnami https://charts.bitnami.com/bitnami
  ```
* (optional) create/edit `values.yaml` to pin kafka to a node group; the value must be a label that the target nodes actually carry, otherwise the kafka pods stay `Pending`

  ```
  nodeSelector:
    label: external
  ```
* Install the kafka chart

  ```
  helm install kafka bitnami/kafka -f values.yaml
  ```

### Install cdefense

* add the cdefense helm repo

  ```
  helm repo add cdefense https://clouddefenseai.github.io/charts/
  ```
* update repos

  ```
  helm repo update
  ```
* clone the charts repo; the RBAC and secret manifests below are applied from this checkout

  ```
  git clone https://github.com/CloudDefenseAI/charts
  ```
* create roles, role bindings and service accounts

  ```
  kubectl apply -f charts/cdefense/rbac
  ```
* create secrets (fill in the values in the manifests before applying them)

  ```
  kubectl apply -f charts/cdefense/secrets
  ```
* install the cdefense chart from the repo added above

  ```
  helm install cdefense cdefense/cdefense --debug
  ```

  or, to upgrade an existing release,

  ```
  helm upgrade cdefense cdefense/cdefense --debug
  ```
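Once the charts are installed, the first thing to confirm is that every pod actually got scheduled: a `nodeSelector` (like the one in the kafka `values.yaml` above) that names a label no node carries leaves the pod `Pending` forever. The script below is an added check and is not part of the CloudDefense charts or this page; it assumes the node labels from the prerequisites (`label=job`, `label=cdefense`), and the node and pod listings it parses when run directly are constructed samples, not output from a real cluster. `preflight` runs the same checks against a live cluster with `kubectl`.

```shell
#!/bin/sh
# Added scheduling check for the install above (not from the CloudDefense
# charts). Label values and the sample listings are constructed assumptions.
set -eu

# Count nodes carrying a given key=value label.
# $1: output of `kubectl get nodes --show-labels` (last column is the
#     comma-separated label set); $2: the label to look for, e.g. label=job
count_nodes_with_label() {
  printf '%s\n' "$1" | awk -v want="$2" '
    NR > 1 { n = split($NF, kv, ","); for (i = 1; i <= n; i++) if (kv[i] == want) c++ }
    END { print c + 0 }'
}

# List pods whose STATUS is neither Running nor Completed. A pod whose
# nodeSelector matches no node sits here as Pending.
# $1: output of `kubectl get pods -o wide` (STATUS is the third column)
not_running_pods() {
  printf '%s\n' "$1" | awk 'NR > 1 && $3 != "Running" && $3 != "Completed" { print $1 }'
}

# Run both checks against the live cluster (needs kubectl and a context).
preflight() {
  nodes=$(kubectl get nodes --show-labels)
  for want in label=job label=cdefense; do
    n=$(count_nodes_with_label "$nodes" "$want")
    [ "$n" -gt 0 ] || { echo "no nodes labelled $want; pods selecting it will stay Pending" >&2; return 1; }
  done
  pods=$(not_running_pods "$(kubectl get pods -o wide)")
  [ -z "$pods" ] || { echo "pods not running:" >&2; echo "$pods" >&2; return 1; }
}

# Constructed sample listings (hypothetical node names and pod names), used
# when this file is run directly so the parsing can be exercised offline.
SAMPLE_NODES='NAME           STATUS   ROLES    AGE   VERSION   LABELS
ip-10-0-1-10   Ready    <none>   5d    v1.27.1   kubernetes.io/os=linux,label=job
ip-10-0-1-11   Ready    <none>   5d    v1.27.1   kubernetes.io/os=linux,label=job
ip-10-0-2-10   Ready    <none>   5d    v1.27.1   kubernetes.io/os=linux,label=cdefense'
SAMPLE_PODS='NAME                  READY   STATUS    RESTARTS   AGE   IP         NODE
kafka-0               1/1     Running   0          2h    10.0.2.5   ip-10-0-2-10
api-6d5f9c7b8-x2k9p   0/1     Pending   0          2h    <none>     <none>'

echo "nodes with label=job:      $(count_nodes_with_label "$SAMPLE_NODES" label=job)"
echo "nodes with label=cdefense: $(count_nodes_with_label "$SAMPLE_NODES" label=cdefense)"
echo "nodes with label=external: $(count_nodes_with_label "$SAMPLE_NODES" label=external)"
echo "pods not running:          $(not_running_pods "$SAMPLE_PODS")"
```

In the sample, `label=external` matches zero nodes, which is exactly the situation that leaves a pod selecting it `Pending`; `kubectl describe pod <name>` then reports that no node matched the pod's node selector, and the fix is either to relabel nodes or to change the selector in `values.yaml`.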

### Configure Social Authentication

In order to sign in with different identity providers (for example GitHub), create a client ID and secret at each provider and hand them to the authservice (next section).

#### Github

* go to [github developer settings](https://github.com/settings/developers)
* create a New OAuth App
* Homepage URL is the `base_url` of the installation
* Authorization callback URL is <https://{base_url}/auth/realms/cdefense/broker/github/endpoint>; GitHub only redirects back to the URL registered here, so it must match the deployed host exactly

<figure><img src="https://github.com/CloudDefenseAI/charts/raw/main/images/github-auth.png" alt=""><figcaption></figcaption></figure>

#### create secrets for authservice

* create a secret for authservice; `type` sits at the top level of the object (not under `metadata`), and values under `stringData` are plain text, which the API server base64-encodes on write. Fill in the providers you configured and leave the rest empty

  ```
  apiVersion: v1
  kind: Secret
  metadata:
    name: authservice-secrets
  type: Opaque
  stringData:
    SENDGRID_KEY: ""
    GOOGLE_CLIENT_ID: ""
    GOOGLE_CLIENT_SECRET: ""
    GITHUB_CLIENT_ID: ""
    GITHUB_CLIENT_SECRET: ""
    GITLAB_APPLICATION_ID: ""
    GITLAB_APPLICATION_SECRET: ""
    BITBUCKET_KEY: ""
    BITBUCKET_SECRET: ""
    MICROSOFT_CLIENT_ID: ""
    MICROSOFT_CLIENT_SECRET: ""
  ```

  ```
  kubectl apply -f authservice-secrets.yaml
  ```
* restart the authservice pod so it reads the new values

### How to change location of logs

* update `values.yaml` with the region and bucket the api should write scan logs to

  ```
  api:
    logs:
      region: <REGION>
      bucket: <BUCKET>
  ```

#### in case of private bucket

* Edit the `scan-server-secrets.yaml` file and set the key pair the api uses to reach the bucket (use an IAM identity limited to that bucket)

  ```
    AWS_SCAN_S3_ACCESS_KEY: <AWS_SCAN_S3_ACCESS_KEY>
    AWS_SCAN_S3_SECRET_KEY: <AWS_SCAN_S3_SECRET_KEY>
  ```

  ```
  kubectl apply -f scan-server-secrets.yaml
  ```
* or update the secret on the cluster

  * encode the values as base64 strings; use `printf '%s'` (or `echo -n`) so the trailing newline that plain `echo` adds does not end up inside the stored key

  ```
  AWS_SCAN_S3_ACCESS_KEY=<AWS_ACCESS_KEY>
  BASE64_AWS_SCAN_S3_ACCESS_KEY=$(printf '%s' "$AWS_SCAN_S3_ACCESS_KEY" | base64)
  ```

  ```
  AWS_SCAN_S3_SECRET_KEY=<AWS_SECRET_KEY>
  BASE64_AWS_SCAN_S3_SECRET_KEY=$(printf '%s' "$AWS_SCAN_S3_SECRET_KEY" | base64)
  ```

  * edit scan-server-secrets and replace the two values under `data`

  ```
  kubectl edit secret scan-server-secrets
  ```

  ```
    AWS_SCAN_S3_ACCESS_KEY: <BASE64_AWS_SCAN_S3_ACCESS_KEY>
    AWS_SCAN_S3_SECRET_KEY: <BASE64_AWS_SCAN_S3_SECRET_KEY>
  ```
* save and restart the api pod so it picks up the new secret

  ```
  kubectl delete pod api-<some-string>
  ```
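Both the `authservice-secrets` manifest above and the `scan-server-secrets` update here come down to the same task: get credentials into a Kubernetes `Secret` without corrupting them on the way. The script below is an added example, not code from the CloudDefense charts; it renders an `Opaque` secret manifest with correctly base64-encoded `data` values and shows why the `echo VALUE | base64` form is wrong. The secret and key names follow the page; the credential values are constructed placeholders, not real keys.

```shell
#!/bin/sh
# Added example: render a Kubernetes Opaque Secret with correctly encoded
# values. Not part of the CloudDefense charts; credential values below are
# constructed placeholders.
set -eu

# base64 of exactly the given string. `echo VALUE | base64` would encode a
# trailing newline too, and the pod would then read "AKIA...\n" as the key.
# `tr -d '\n'` also removes the line wrapping GNU base64 adds for long input.
b64() {
  printf '%s' "$1" | base64 | tr -d '\n'
}

# Emit a Secret manifest. $1 = secret name, remaining args KEY=VALUE.
# Values go under `data`, so they are encoded here; `type` is top level.
render_secret() {
  name=$1; shift
  printf 'apiVersion: v1\nkind: Secret\nmetadata:\n  name: %s\ntype: Opaque\ndata:\n' "$name"
  for kv in "$@"; do
    key=${kv%%=*}
    val=${kv#*=}
    printf '  %s: %s\n' "$key" "$(b64 "$val")"
  done
}

# Decode one field from a manifest on stdin, e.g. to verify what is stored:
#   kubectl get secret scan-server-secrets -o yaml | decode_field AWS_SCAN_S3_ACCESS_KEY
decode_field() {
  awk -v k="$1:" '$1 == k { print $2 }' | base64 -d
}

# Render and apply in one go (not invoked here; needs a cluster context).
apply_secret() {
  render_secret "$@" | kubectl apply -f -
}

# Constructed placeholder credentials (hypothetical, not valid AWS keys).
ACCESS_KEY='AKIAEXAMPLEACCESSKEY'
SECRET_KEY='exampleSecretKey/with+slashes='

manifest=$(render_secret scan-server-secrets \
  "AWS_SCAN_S3_ACCESS_KEY=$ACCESS_KEY" \
  "AWS_SCAN_S3_SECRET_KEY=$SECRET_KEY")
printf '%s\n' "$manifest"

# The pitfall, side by side: the two encodings differ by one byte.
echo "printf: $(b64 abc)"
echo "echo:   $(echo abc | base64 | tr -d '\n')"
```

The same `render_secret` call produces the `authservice-secrets` manifest from the social-authentication section (`render_secret authservice-secrets "GITHUB_CLIENT_ID=..." "GITHUB_CLIENT_SECRET=..."`), and `decode_field` is the quickest way to confirm, after `kubectl edit secret`, that a value was not stored with a stray newline.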
