Install on Existing Cluster with Helm
Introduction
GitGuardian can be installed on your existing Kubernetes cluster using Helm, a package manager for Kubernetes.
Do not forget to check the installation requirements for the existing cluster before starting the installation.
Installation
Log into the Helm Chart registry
The Helm chart is hosted in the Replicated private registry. The GitGuardian team will send you a password that will be requested during the installation process.
Run the following command to log into the registry (replace the email with the one you provided to the GitGuardian team when setting up your access):
helm registry login registry.replicated.com --username your.name@yourcompany.com
Customize the local values file
This installation can be customized in many ways. As with all Helm applications, customization is done in a local values file (later referred to as local-values.yaml) that is submitted at installation time.
At a minimum, your values must configure the following elements:
- hostname
- postgres
- redis
- onPrem.adminUser
Here is an example of a values file with these sections:
hostname: gitguardian.internal.yourcompany.com # Hostname where the instance will be accessed
postgresql:
  host: gitguardian-postgres # PostgreSQL host
  username: postgres # PostgreSQL username
  database: gitguardian # PostgreSQL database name
  existingSecret: postgresql # Kubernetes secret where to check the PostgreSQL password
  existingSecretKeys:
    password: postgres-password # Name of the key containing password in the secret
redis:
  main:
    host: gitguardian-redis # Redis host
    existingSecret: redis # Kubernetes secret where to check the Redis password
    existingSecretKeys:
      password: redis-password # Name of the key containing password in the secret
onPrem:
  adminUser:
    email: your.name@yourcompany.com # email of the instance admin user
    firstname: YourName # name of the instance admin user
See the values reference documentation for further details.
For more details about what the existingSecret parameter refers to, and how to set it up, see the sensitive information management page.
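As an added example (not part of the GitGuardian documentation), the script below renders the two Secrets that the values file above references through existingSecret and existingSecretKeys, reading the password from stdin so it never appears in a command line. It assumes a plain Opaque Secret holding the named key is what the chart reads; render_secret is a hypothetical helper and the demo password is constructed.

```shell
#!/bin/sh
# render_secret NAME KEY   (password is read from stdin)
# Prints a Secret manifest to stdout, suitable for piping into `kubectl apply -f -`.
render_secret() {
  gg_name="$1"; gg_key="$2"

  # Reject names/keys that could break out of the YAML below
  # (Secret names are lowercase DNS-style; keys allow letters, digits, . _ -).
  case "$gg_name" in
    ''|*[!a-z0-9.-]*) echo "render_secret: invalid secret name" >&2; return 1 ;;
  esac
  case "$gg_key" in
    ''|*[!A-Za-z0-9._-]*) echo "render_secret: invalid key name" >&2; return 1 ;;
  esac

  # Command substitution strips the trailing newline that `echo` or an editor
  # would otherwise bake into the stored password.
  gg_password="$(cat)"
  if [ -z "$gg_password" ]; then
    echo "render_secret: empty password for $gg_name/$gg_key" >&2
    return 1
  fi

  # Some base64 implementations wrap long output; join it back into one line.
  gg_encoded="$(printf '%s' "$gg_password" | base64 | tr -d '\n')"
  unset gg_password

  cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: ${gg_name}
type: Opaque
data:
  ${gg_key}: ${gg_encoded}
EOF
}

# Demo with a constructed password; names and keys match the values file above.
printf '%s' 'constructed-example-password' | render_secret postgresql postgres-password

# Real use (run in the namespace of the release, before `helm install`):
#   printf '%s' "$PG_PASSWORD"    | render_secret postgresql postgres-password | kubectl apply -f -
#   printf '%s' "$REDIS_PASSWORD" | render_secret redis redis-password         | kubectl apply -f -
```

The Secret name and key must match the existingSecret and existingSecretKeys.password values exactly, and keeping the password out of local-values.yaml means the values file can be versioned without exposing credentials.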
Configure network access to the application
The application front end is behind a Service object named nginx.
You can configure access to the application in different ways:
- Configure the service as a LoadBalancer using the front.service.type value. See Load-balancer for more details.
- Add an Ingress object routing to the nginx service. See Ingress for more details.
- If your cluster has istio service mesh, activate it with the istio.enabled value. This will enable the proper Gateway and VirtualService objects.
Install the application
Once you have your local-values.yaml file, install the application by running the following command, replacing release-name with the name you want to give to your application deployment:
helm install release-name oci://registry.replicated.com/gitguardian/gitguardian -f local-values.yaml
This can take several minutes to complete, as the installation includes the database migrations.
Verify the installation
Upon successful installation, you will see the following output as release notes:
> helm install release-name oci://registry.replicated.com/gitguardian/gitguardian -f local-values.yaml
NAME: release-name
LAST DEPLOYED: Mon May 15 16:15:56 2023
NAMESPACE: your-namespace
STATUS: deployed
REVISION: 1
TEST SUITE: None
NOTES:
Thank you for installing GitGuardian Internal Monitoring.
These notes can later be retrieved with helm get notes release-name
Troubleshooting
If you encounter any issues during the installation process, you can generate a support bundle to get proper support from the GitGuardian team. See the support bundle documentation.
Application login
Upon successful installation, you will need to get your temporary admin password. Use the following command (assuming the active namespace is the one in which your release is installed):
kubectl get secrets gim-secrets -o jsonpath='{.data.ADMIN_PASSWORD}' | base64 -d
You can then access the application at the hostname you provided and log in with the email set in onPrem.adminUser.email and the temporary password.