Install on an Existing Cluster using Helm

Introduction

GitGuardian can be installed on your existing Kubernetes cluster using Helm, a package manager for Kubernetes.

GitGuardian supports deployment on bare metal, private, or public clouds.

Requirements

Before starting the installation, ensure to review the system and network requirements, and download your license.

Installation

danger

Only the following methods are supported to deploy the app using Helm charts: Helm CLI and ArgoCD.

note

For GitGuardian installation in an Airgap environment, utilize a private image repository. Detailed instructions are available on the Install on Airgap page.

Accessing the Helm Chart Registry

The GitGuardian Helm chart is available in the Replicated private registry. The GitGuardian team will provide you the password.

To log in, use the command below, replacing the email with the one given to the GitGuardian team:

helm registry login registry.replicated.com --username your.name@yourcompany.com

Customize the local values file

This installation offers multiple customization options. Use a local values file (named local-values.yaml) for customizations when installing any Helm application.

Ensure your values file configures these essential elements:

At the minimum, your values must configure the following elements:

• hostname
• postgres
• redis
• onPrem.adminUser

Below is an example values file covering these elements:

hostname: gitguardian.internal.yourcompany.com   # Hostname where the instance will be accessed

postgresql:
  host: gitguardian-postgres  # PostgreSQL host
  username: postgres          # PostgreSQL username
  database: gitguardian       # PostgreSQL database name
  existingSecret: gitguardian-postgresql-secret  # Kubernetes secret where to check the PostgreSQL password
  existingSecretKeys:
    password: postgres-password  # Name of the key containing password in the secret

redis:
  main:
    host: gitguardian-redis   # Redis host
    tls:
      enabled: false          # Set TLS encryption for Redis
    existingSecret: gitguardian-redis-secret     # Kubernetes secret where to check the Redis password
    existingSecretKeys:
      url: redis-url # Name of the key containing redis url in the secret

onPrem:
  adminUser:
    email: your.name@yourcompany.com  # email of the instance admin user
    firstname: YourName               # name of the instance admin user

For detailed guidance on:

• configurable parameters, refer to the Helm Chart Values Reference page.
• existingSecret parameter and its setup process, visit the Helm Sensitive Information Management page.
• database configuration, see Configure Your Database.
• scaling options, consult the Scaling Documentation.
• HTTP proxy, see Configure a proxy server.

Configure network access to the application

The application front end is behind a Service object named nginx. You can configure access to the application in different ways:

1. Configure the service as a LoadBalancer using front.service.type value. See Load-balancer for more details.
2. Add an Ingress object routing to the nginx service. See Ingress for more details.
3. If your cluster has istio service mesh, activate it with the istio.enabled value. This will enable the proper Gateway and VirtualService objects.

Please note that the nginx service is not configured with SSL support. You must configure it and manage your TLS certificate through your Load-Balancer, Ingress or Service Mesh.

Run preflight checks 🚦

Requirements

Preflight checks are critical for a successful installation. The following rules apply:

• ❌ Preflight Check Failures: If preflight checks fail, the installation must not continue until the targeted environment meets all requirements. Please reach out to our support team if needed.
• ⚠️ Preflight Check Warnings: If preflight checks return warnings, the installation can proceed, but it is recommended that you address these warnings to comply with our recommendations.

We strongly advise you to run our preflight script to ensure your existing cluster meets Gitguardian's requirements. Retrieve the script from our public repository here.

Specify an existing Kubernetes namespace using the -n option. If not specified, the script will run in your default namespace.

./preflights.sh -n <namespace> oci://registry.replicated.com/gitguardian/gitguardian -f local-values.yaml

Install the application

Use the following command to install the application using your local-values.yaml file. Replace <release-name> with your desired helm release name.

Specify an existing kubernetes namespace with the -n option. If not specified, Helm installs GitGuardian in your default namespace. Use the --create-namespace option to create the namespace if it doesn't exist.

helm install <release-name> --timeout 30m -n <namespace> --create-namespace oci://registry.replicated.com/gitguardian/gitguardian -f local-values.yaml

Note: The installation may take a few minutes due to database migrations.

Verify the installation

Upon successful installation, you should see the following output:

NAME: <release-name>
LAST DEPLOYED: Mon May 15 16:15:56 2023
NAMESPACE: <namespace>
STATUS: deployed
REVISION: 1
TEST SUITE: None
NOTES:
Thank you for installing GitGuardian Internal Monitoring.

These notes can later be retrieved with helm get notes <release-name>

Save the Data Encryption Key

caution

GitGuardian encrypts all sensitive information in the database using an encryption key (aka Django Secret Key). In case of disaster recovery, this key will be needed to restore your data.

When you don't specify it either using inline parameter miscEncryption.djangoSecretKey or using an existing secret with miscEncryption.existingSecret, the data encryption key is automatically generated by the Helm chart. You should save it and keep it in a secure location. Use the following command to display the key:

kubectl get secrets gim-secrets --namespace=<namespace> -o jsonpath='{.data.DJANGO_SECRET_KEY}' | base64 -d

If needed, specify the Kubernetes namespace with --namespace (default namespace is used if not specified).

Application login

Upon successful installation, you will need to get your temporary admin password. Use the following command:

kubectl get secrets gim-secrets --namespace=<namespace> -o jsonpath='{.data.ADMIN_PASSWORD}'| base64 -d

If needed, specify the Kubernetes namespace with --namespace (default namespace is used if not specified).

You can access the application using the hostname you provided, using the login with the email provided in the onPrem.adminUser.email and the temporary password.

Troubleshooting

If you encounter any issues during the installation process, you can generate a support bundle to get proper support from the GitGuardian team: see the support bundle documentation.