Install on an Embedded cluster
Introduction
GitGuardian Private Repository Monitoring is a Kubernetes application. You can install the software on an existing cluster or use our installer that has an embedded, production-ready Kubernetes distribution packaged with it.
Our deployment is powered by KOTs.
You can install our application on bare metal, GovCloud, VPC, Vsphere, or an existing Kubernetes cluster.
This documentation covers the embedded Kubernetes installation. For existing clusters, please refer to this documentation.
Do not forget to check the installation requirements before starting the installation:
You also need to download your license.
Installation
Embedded cluster
To start the installation, run the following command on your host. This command
will run for 10-20 minutes, putting in a screen or a tmux
session can prevent
an interruption due to a loss of connection.
curl -sSL https://k8s.kurl.sh/gitguardian-seal-prod | sudo bash
If a proxy is required for outgoing access to the internet, please create a
patch.yaml
:
apiVersion: "cluster.kurl.sh/v1beta1"
kind: "Installer"
metadata:
name: "patch"
spec:
kurl:
proxyAddress: http://<IP>:<PORT>
noProxy: false
And run the installer with -installer-spec-file=patch.yaml
:
curl -sSL https://k8s.kurl.sh/gitguardian-seal-prod | sudo bash -s installer-spec-file=patch.yaml
This will install a single node-managed Kubernetes cluster with everything it needs to run the GitGuardian application.
At the end of the installation command, there will be instructions on how to connect to the admin console. Port 8800 will need to be open to access it.
Save this information, especially passwords, they will be useful later.
Application
- Now, connect to the admin console and configure TLS. You can upload TLS certificates or use self-signed ones.
- Enter the password provided at the end of the cluster installation.
- Upload the license downloaded on the portal for instructions on how to download the license file).
- Configure the application. You need to fill in all the required fields:
- Application URL: URL for GitGuardian application.
- Admin user fields: Used to create the first GitGuardian user. The password will need to be changed after the first login.
- Nginx TLS certificate: You can either use auto-generated self-signed certificates or upload your own. These are not the same as the TLS certificates for the admin console used during step 1. If you choose to use self-signed certificates or your own private CA, you need to disable SSL verification for the GitHub webhook.
Other configuration options available:
- Scaling (advanced): how many replicas for each application component.
- Databases/datastores: Whether to use an embedded PostgreSQL/Redis or an external one.
- Check if preflight checks pass.
- Launch
The first installation of the application requires a few minutes to create all
database objects.
Once the process is completed, you will be able to log in to the dashboard using
the administrator user you defined.
- Save the Data Encryption Key
GitGuardian encrypts all sensitive information in the database using an encryption key (aka Django Secret Key). In case of disaster recovery, this key will be needed to restore your data.
You should save it and keep it in a secure location. Use the following command to display the key:
kubectl get secrets gitguardian-env-variables -o jsonpath='{.data.DJANGO_SECRET_KEY}' | base64 -d