Install on Existing Cluster with Helm

Introduction

GitGuardian can be installed on your existing Kubernetes cluster using Helm, a package manager for Kubernetes.

Requirements

Check the installation requirements for the existing cluster before starting the installation.

Installation

Log into the Helm Chart registry

The Helm chart is hosted in the Replicated private registry. The GitGuardian team will send you a password that will be requested during the installation process.

Run the following command to log into the registry (replace the email with the one you provided to the GitGuardian team when setting up your access):

helm registry login registry.replicated.com --username your.name@yourcompany.com

Customize the local values file

This installation can be customized in many ways. As with all Helm applications, customization is done in a local values file (later referred to as local-values.yaml) that is submitted at installation time.

At the minimum, your values must configure the following elements:

  • hostname
  • postgresql
  • redis
  • onPrem.adminUser

Here is an example values file with these sections:

hostname: gitguardian.internal.yourcompany.com   # Hostname where the instance will be accessed

postgresql:
  host: gitguardian-postgres # PostgreSQL host
  username: postgres # PostgreSQL username
  database: gitguardian # PostgreSQL database name
  existingSecret: postgresql # Kubernetes secret that holds the PostgreSQL password
  existingSecretKeys:
    password: postgres-password # Name of the key in the secret that contains the password

redis:
  main:
    host: gitguardian-redis # Redis host
    existingSecret: redis # Kubernetes secret that holds the Redis password
    existingSecretKeys:
      password: redis-password # Name of the key in the secret that contains the password

onPrem:
  adminUser:
    email: your.name@yourcompany.com # Email of the instance admin user
    firstname: YourName # First name of the instance admin user

See the values reference documentation for further details.

For more details about what the existingSecret parameter refers to, and how to set it up, see the sensitive information management page.
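
A preflight check for the existingSecret references above, written as an added example rather than anything from the GitGuardian documentation: it confirms that each referenced secret exists in the active namespace and holds a non-empty value under the named key, without printing the password. The function names and the run argument are assumptions of this example; the secret and key names are those of the example values file.

```shell
#!/bin/sh
# Preflight for the existingSecret / existingSecretKeys references in
# local-values.yaml. Added example: function names are hypothetical.
# Uses the active namespace, like the kubectl command later on this page.

# Succeeds when secret $1 holds a non-empty value under key $2.
# The decoded value is only measured, never printed.
# Note: a key name containing dots would need escaping in the jsonpath.
secret_key_ok() {
    encoded=$(kubectl get secret "$1" -o jsonpath="{.data.$2}" 2>/dev/null) \
        || return 1                      # secret missing or not readable
    [ -n "$encoded" ] || return 1        # secret exists, key absent or empty
    length=$(printf '%s' "$encoded" | base64 -d 2>/dev/null | wc -c | tr -d ' ')
    [ "${length:-0}" -gt 0 ]
}

# Checks every "secret:key" pair given as an argument, reports all of them,
# and returns 1 if at least one reference cannot be resolved.
preflight() {
    failed=0
    for ref in "$@"; do
        name=${ref%%:*}
        key=${ref#*:}
        if secret_key_ok "$name" "$key"; then
            echo "ok       $name/$key"
        else
            echo "MISSING  $name/$key" >&2
            failed=1
        fi
    done
    return "$failed"
}

# When called with "run", check the references from the example values file.
if [ "${1:-}" = "run" ]; then
    preflight postgresql:postgres-password redis:redis-password
fi
```

Save it as a script (preflight.sh is a hypothetical name) and run sh preflight.sh run before helm install; a non-zero exit status means at least one reference would not resolve.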

Configure network access to the application

The application front end is behind a Service object named nginx. You can configure access to the application in different ways:

  1. Configure the service as a LoadBalancer using the front.service.type value. See Load-balancer for more details.
  2. Add an Ingress object routing to the nginx service. See Ingress for more details.
  3. If your cluster runs the Istio service mesh, activate it with the istio.enabled value. This enables the proper Gateway and VirtualService objects.

Install the application

Once you have your local-values.yaml file, install the application by running the following command, replacing release-name with the name you want to give to your application deployment:

helm install release-name oci://registry.replicated.com/gitguardian/gitguardian -f local-values.yaml

This can take several minutes to complete, as the installation includes the database migrations.

Verify the installation

Upon successful installation, you will see the following output as release notes:

> helm install release-name oci://registry.replicated.com/gitguardian/gitguardian -f local-values.yaml
NAME: release-name
LAST DEPLOYED: Mon May 15 16:15:56 2023
NAMESPACE: your-namespace
STATUS: deployed
REVISION: 1
TEST SUITE: None
NOTES:
Thank you for installing GitGuardian Internal Monitoring.

These notes can later be retrieved with helm get notes release-name

Troubleshooting

If you encounter any issues during the installation process, you can generate a support bundle to get proper support from the GitGuardian team. See the support bundle documentation.

Application login

Upon successful installation, you will need to get your temporary admin password. Use the following command (assuming the active namespace is the one in which your release is installed):

kubectl get secrets gim-secrets -o jsonpath='{.data.ADMIN_PASSWORD}' | base64 -d

You can then access the application at the hostname you provided, logging in with the email set in onPrem.adminUser.email and the temporary password.