
Installing Spider on Kubernetes

Prerequisites

Credentials

To set up Spider, you need the credentials to download the Spider docker images.
The Controller and Whisperer images are in a publicly accessible repository, but the server images are not.

The credentials are delivered with your license key when you purchase a Spider license.

They have a limited validity duration, set to your license expiration date.

Tools

Spider Kubernetes setup requires the following tools to run:

Optional dependencies

LDAP

Spider may authenticate users against an LDAP directory.

LDAP authentication may be used in parallel with local authentication, or as a replacement for it.

You may indeed have both: locally authenticated users and LDAP authenticated users.
But a given user may have only one of those authentication methods.

When the user does not exist, but has a valid LDAP account, it is automatically created.

For LDAP auth, you need to provide in the values.yml file:

  • the LDAP server address,
  • the base path where users are stored in the LDAP.

No service account is required. Spider proceeds in two steps:

  1. it searches the LDAP for the user by email,
  2. it binds the user to the LDAP with the user's id and the provided password, to check the latter.

OIDC provider

Spider may also authenticate users with the OpenID Connect protocol against any Identity Provider implementing OIDC (Google, GitLab, GitHub, Keycloak...).

Spider supports many OIDC providers at once.

OIDC authentication works in parallel with the other methods.
A user may have an LDAP or local account and still connect with OIDC.

When the user does not exist, but has a valid OIDC account, it is created with a fake random password.

For OIDC auth, you need to provide in the values.yml file:

  • a name to identify the provider and display it on the login page,
  • the client_id and client_secret of the Spider application as registered in the identity provider,
  • the URL endpoints of the identity provider used to authenticate and to exchange the code for a token,
  • the JWKS URI used to check the token signature.

Optionally, you may have to define:

  • the OAuth scopes to use,
    • openid profile email are used as default scopes
  • the userInfo URL to get the user details when the provider does not provide an id_token with the access_token.

S3 bucket

Spider can regularly back up its configuration resources:

  • Users + User settings
  • Teams
  • Whisperers

To allow the backup of data, you need to provide access to an S3 (or S3-compatible) bucket.
Address and credentials have to be provided in the setup.yml values file.

Tip: When installing Spider, you may also ask it to restore a previous backup automatically after installation.

SMTP server

Spider sends mails at various times (configurable):

  • For alerting
  • During user creation workflow
  • When a user profile changes
  • At team creation or updates
  • ...

To send mail, Spider needs access to an SMTP server, with credentials to provide in setup.yml.

Helm repository

The Spider Helm chart is published in the Floocus Helm repository.

You may add it to your Helm repositories:

$ helm repo add floocus https://repository.floocus.com/helm

Or you may add the option --repo https://repository.floocus.com/helm to the installation command.

Once added, you may search for the available Spider Helm charts using:

$ helm search repo floocus
NAME                     CHART VERSION  APP VERSION  DESCRIPTION
floocus/spider-analyzer  1.0.2          latest       Helmchart to deploy Spider Analyzer server

Configuration

Create a values.yaml file containing the custom values to customize your Helm installation.

Sample (simplest) configuration file:

global:
  version: 2023.06.15
  endpoint:
    host: spider.sample.io
    publicPath: http://spider.sample.io
  license:
    key: yourLicenseKey
    privateKey: '-----BEGIN RSA PRIVATE KEY-----\n...\n-----END RSA PRIVATE KEY-----'
  jwt:
    privateKey: '-----BEGIN RSA PRIVATE KEY-----\n...\n-----END RSA PRIVATE KEY-----'
    publicKey: '-----BEGIN RSA PUBLIC KEY-----\n...\n-----END RSA PUBLIC KEY-----'
smtp:
  email: spider.analyzer@sample.io
  server: smtp.sample.io
  port: 65
elasticsearch:
  password: myESPassword
registries:
  serverRegistryAuth:
    login: your-spider-token
    password: your-spider-api-key
customers:
  supportEmails:
    - admin@sample.io
  admins:
    createAccountsAtInstallation: false
    accounts:
      - givenName: "John"
        familyName: "Doe"
        email: "john.doe@sample.io"
controller:
  privateKey: '-----BEGIN RSA PRIVATE KEY-----\n...\n-----END RSA PRIVATE KEY-----'
  publicKey: '-----BEGIN RSA PUBLIC KEY-----\n...\n-----END RSA PUBLIC KEY-----'

This is the minimal setup, but many options are available to define:

  • Secured ingress
  • LDAP authentication
  • Elasticsearch infrastructure
  • etc.

For a complete reference, see the values file reference.
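The sample above stores each RSA key as a single-quoted, one-line PEM string with literal \n separators, and a key pasted into the wrong field or with a broken END line is easy to miss before install. The following pre-flight check is an added example, not part of the Spider documentation; pem_to_line and lint_keys are hypothetical helper names, and the key material is a constructed dummy.

```shell
#!/bin/sh
# Added example, not part of the Spider documentation.

# pem_to_line FILE: print a multi-line PEM file as the single-line form used
# in values.yaml (each line break becomes a literal backslash-n).
pem_to_line() {
  awk '{ sub(/\r$/, "") }
       NF { printf "%s%s", sep, $0; sep = "\\n" }
       END { print "" }' "$1"
}

# lint_keys FILE: check each privateKey:/publicKey: entry of a values file.
# Prints one finding per bad entry; returns 0 if all are well formed, else 1.
lint_keys() {
  awk -v q="'" '
    /^[ \t]*(privateKey|publicKey):/ {
      field = $1; sub(/:$/, "", field)
      v = $0
      sub(/^[^:]*:[ \t]*/, "", v)               # drop the "key: " prefix
      gsub("^" q "|" q "[ \t]*$", "", v)        # drop the surrounding quotes
      want = (field == "privateKey") ? "PRIVATE KEY" : "PUBLIC KEY"
      eol = index(v, "-----\\n")                # end of the BEGIN line
      label = substr(v, 12, eol - 12)           # text after "-----BEGIN "
      tail = "\\n-----END " label "-----"
      if (substr(v, 1, 11) != "-----BEGIN " || eol == 0)
        msg = "is not a one-line PEM block"
      else if (substr(v, length(v) - length(tail) + 1) != tail)
        msg = "has a missing or mismatched END line"
      else if (index(label, want) == 0)
        msg = "holds " label ", expected " want
      else
        next
      printf "line %d: %s %s\n", NR, field, msg
      bad = 1
    }
    END { exit bad + 0 }' "$1"
}

# Constructed sample input (dummy key body, not a real key).
demo=$(mktemp -d)
printf '%s\n' '-----BEGIN RSA PUBLIC KEY-----' 'AAAA' 'BBBB' \
  '-----END RSA PUBLIC KEY-----' > "$demo/pub.pem"
printf 'jwt:\n  privateKey: %s\n  publicKey: %s\n' \
  "'-----BEGIN RSA PRIVATE KEY-----\\nAAAA\\n-----END RSA PRIVATE KEY-----'" \
  "'-----BEGIN RSA PRIVATE KEY-----\\nAAAA\\n-----END RSA PRIVATE KEY-----'" \
  > "$demo/values.yaml"
pem_to_line "$demo/pub.pem"
lint_keys "$demo/values.yaml" || echo "values.yaml needs fixing"
```

The constructed values file deliberately repeats the private key in the publicKey field, so lint_keys reports line 3 and returns 1.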

Installation

Once the configuration is set, a single command installs Spider on the selected target.

$ helm install spider floocus/spider-analyzer \
-f ./values.yaml \
--namespace spider-system \
--create-namespace

This will install Spider with:

  • the spider release name,
  • the floocus/spider-analyzer chart from the Floocus repository,
  • the values.yaml configuration file,
  • the spider-system namespace, which is created if it does not exist yet.

Upgrade

To upgrade to a new version, set the new version in the values.yaml file, and run:

$ helm upgrade spider floocus/spider-analyzer \
-f ./values.yaml \
--namespace spider-system

Removal

To uninstall Spider, use the Helm uninstall command:

$ helm uninstall spider \
--namespace spider-system