Pre-requisites
There are three main prerequisites for a production-grade cdefense installation on-premises:
A managed Postgres instance (on AWS: RDS, db.r5.large)
A Kubernetes cluster (see /examples/eks) with at least two node groups:
  a node group for jobs, where each node has { label: job }
  a node group for everything else, where (optionally) each node has { label: cdefense }
Install kafka
Add the Bitnami Helm repo, which provides the Kafka chart:
helm repo add bitnami https://charts.bitnami.com/bitnami
(optional) Create or edit values.yaml to pin Kafka to a node group:
nodeSelector:
  label: external
Install the Kafka chart:
helm install kafka bitnami/kafka -f values.yaml
Install cdefense
Add the cdefense Helm repo:
helm repo add cdefense https://clouddefenseai.github.io/charts/
Clone the charts repo:
git clone https://github.com/CloudDefenseAI/charts
Create the roles, role bindings and service accounts:
kubectl apply -f charts/cdefense/rbac
Create the secrets:
kubectl apply -f charts/cdefense/secrets
Install the cdefense chart from the repo added above:
helm install cdefense cdefense/cdefense --debug
or, to update an existing installation:
helm upgrade cdefense cdefense/cdefense --debug
To allow sign-in with different identity providers (for example, GitHub), create a client ID and secret with each provider.
GitHub
The Homepage URL is the base_url.
Create secrets for authservice
Create a Secret for authservice and save it as authservice-secrets.yaml (leave unused providers empty):
apiVersion: v1
kind: Secret
metadata:
  name: authservice-secrets
type: Opaque
stringData:
  SENDGRID_KEY:
  GOOGLE_CLIENT_ID:
  GOOGLE_CLIENT_SECRET:
  GITHUB_CLIENT_ID:
  GITHUB_CLIENT_SECRET:
  GITLAB_APPLICATION_ID:
  GITLAB_APPLICATION_SECRET:
  BITBUCKET_KEY:
  BITBUCKET_SECRET:
  MICROSOFT_CLIENT_ID:
  MICROSOFT_CLIENT_SECRET:
Apply it:
kubectl apply -f authservice-secrets.yaml
How to change the location of logs
Update values.yaml with the region and bucket that scan logs are written to:
api:
  logs:
    region: <REGION>
    bucket: <BUCKET>
If the bucket is private, edit the scan-server-secrets.yaml file and set the credentials used to access it:
AWS_SCAN_S3_ACCESS_KEY: <AWS_SCAN_S3_ACCESS_KEY>
AWS_SCAN_S3_SECRET_KEY: <AWS_SCAN_S3_SECRET_KEY>
kubectl apply -f scan-server-secrets.yaml
Alternatively, update the secret directly on the cluster.
Encode the values as base64 strings (use echo -n so the trailing newline is not encoded into the secret):
AWS_SCAN_S3_ACCESS_KEY=<AWS_ACCESS_KEY>
BASE64_AWS_SCAN_S3_ACCESS_KEY=$(echo -n "$AWS_SCAN_S3_ACCESS_KEY" | base64)
AWS_SCAN_S3_SECRET_KEY=<AWS_SECRET_KEY>
BASE64_AWS_SCAN_S3_SECRET_KEY=$(echo -n "$AWS_SCAN_S3_SECRET_KEY" | base64)
Edit the secret and replace the two values under data: with the encoded strings:
kubectl edit secret scan-server-secrets
AWS_SCAN_S3_ACCESS_KEY: <BASE64_AWS_SCAN_S3_ACCESS_KEY>
AWS_SCAN_S3_SECRET_KEY: <BASE64_AWS_SCAN_S3_SECRET_KEY>
Save, then restart the api pod so it picks up the new secret:
kubectl delete pod api-<some-string>
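The encode-and-update procedure above as a script, added here as an example and not part of the cdefense charts: it base64-encodes the two credentials without the trailing newline that a plain `echo | base64` would include, checks that the stored value decodes back to the original, and builds a `kubectl patch` body for the existing scan-server-secrets Secret instead of editing it by hand. The credential values are constructed placeholders, and the `api` deployment name used for the restart is an assumption.

```shell
#!/bin/sh
# Added example (not from the cdefense docs). Placeholder values only.

# b64_nonl: base64-encode $1 exactly as given: printf '%s' adds no newline
# to the input, and tr strips the line wrapping some base64 builds emit.
b64_nonl() {
  printf '%s' "$1" | base64 | tr -d '\n'
}

# check_roundtrip: decode what would be stored and compare with the input.
# A value encoded from `echo` (with newline) fails this check.
check_roundtrip() {
  [ "$(b64_nonl "$1" | base64 -d)" = "$1" ]
}

# patch_json: merge-patch body for scan-server-secrets. Kubernetes expects
# base64 under `data`, so the encoded values go there (not stringData).
patch_json() {
  ak=$(b64_nonl "$1")
  sk=$(b64_nonl "$2")
  printf '{"data":{"AWS_SCAN_S3_ACCESS_KEY":"%s","AWS_SCAN_S3_SECRET_KEY":"%s"}}' "$ak" "$sk"
}

# Constructed placeholder credentials (NOT real keys).
AWS_SCAN_S3_ACCESS_KEY="AKIAEXAMPLEEXAMPLE"
AWS_SCAN_S3_SECRET_KEY="exampleSecretKey/NotReal+0123456789"

check_roundtrip "$AWS_SCAN_S3_ACCESS_KEY" || { echo "encoding mismatch" >&2; exit 1; }
check_roundtrip "$AWS_SCAN_S3_SECRET_KEY" || { echo "encoding mismatch" >&2; exit 1; }

if [ -n "$APPLY" ]; then
  # Apply the patch and restart the api pods (assumed deployment name: api).
  kubectl patch secret scan-server-secrets --type merge \
    -p "$(patch_json "$AWS_SCAN_S3_ACCESS_KEY" "$AWS_SCAN_S3_SECRET_KEY")"
  kubectl rollout restart deployment api
else
  # Dry run: print the patch body that would be sent.
  patch_json "$AWS_SCAN_S3_ACCESS_KEY" "$AWS_SCAN_S3_SECRET_KEY"
  echo
fi
```

Run without `APPLY` to inspect the patch body; set `APPLY=1` to send it to the cluster.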