Installing Prequel

Helm

Add the Prequel Helm chart repository with the following command:

helm repo add prequel https://prequel-dev.github.io/helm

Step 1: Name the installation

export INSTALL_NAME=prequel-collector

Step 2: Configure secrets

You can provide the provision token at install time or use a secrets manager to install it ahead of time in the same namespace.

info

The provision token can be found in the Prequel cloud console under your User Profile -> Onboarding. Prequel Customer Success will also provide you with a provision token to use for your first installation.

If you are providing the token at install time, then set the following environment variable and move on to the next step:

export PROVISION_TOKEN=<prequel-provision-token>

tip

You can avoid providing the API token at install time by using an external secrets manager and adding --set externalSecrets=true

If you are using an external secrets manager, then ensure the following secrets are installed in the same namespace as the Helm chart:

---
apiVersion: v1
kind: Secret
metadata:
  name: myprequeltoken
type: Opaque
stringData:
  apiKey: <prequel provision token>
---
apiVersion: v1
kind: Secret
metadata:
  name: registrycred
type: kubernetes.io/dockerconfigjson
data:
  .dockerconfigjson: <prequel registry credentials>

Install with --set externalSecrets=true and --set provision.tokenName=myprequeltoken. Obtain your Prequel token and Docker credentials from Prequel Customer Success.
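One way to prepare both secrets for the external-secrets path described above (an added example, not Prequel's own tooling). The Secret names come from this page; the registry host and credentials are placeholders, and the function names are made up for the example.

```shell
# Added example: render the two Secrets needed when externalSecrets=true.
# Secret names are the page's; registry host/user/password are placeholders
# you must get from Prequel Customer Success. Function names are hypothetical.

b64() { base64 | tr -d '\n'; }   # single-line base64, as .data values require

# $1=registry host  $2=username  $3=password -> base64 of the dockerconfigjson
dockerconfig_b64() {
  case "$1$2$3" in
    *[\"\\]*) echo "quote or backslash in credentials: build the JSON with a real encoder" >&2
              return 1 ;;
  esac
  dc_auth=$(printf '%s:%s' "$2" "$3" | b64)
  printf '{"auths":{"%s":{"username":"%s","password":"%s","auth":"%s"}}}' \
    "$1" "$2" "$3" "$dc_auth" | b64
}

# $1=provision token  $2=registry host  $3=username  $4=password
render_secrets() {
  rs_cfg=$(dockerconfig_b64 "$2" "$3" "$4") || return 1
  cat <<EOF
---
apiVersion: v1
kind: Secret
metadata:
  name: myprequeltoken
type: Opaque
stringData:
  apiKey: "$1"
---
apiVersion: v1
kind: Secret
metadata:
  name: registrycred
type: kubernetes.io/dockerconfigjson
data:
  .dockerconfigjson: $rs_cfg
EOF
}

# Typical use (needs cluster access, so it is left commented out):
#   kubectl create namespace prequel
#   render_secrets "$PROVISION_TOKEN" "$REGISTRY_HOST" "$REGISTRY_USER" "$REGISTRY_PASS" \
#     | kubectl apply -n prequel -f -
#   helm install -n prequel "$INSTALL_NAME" prequel/prequel-collector \
#     --set externalSecrets=true --set provision.tokenName=myprequeltoken \
#     --set clusterName="$CLUSTER_NAME"
```

With this path the token is never passed to helm via --set token, so it is not stored in the Helm release values.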

Step 3: Set the cluster name

Prequel will assign a random cluster identifier during the install if none is provided. You can specify a friendly name at install time so that you can recognize the cluster in the Prequel cloud console. Prequel recommends setting this value, especially when installing Prequel on CI/CD environments.

export CLUSTER_NAME="prequel-gke-cluster-1"

Step 4: Install

helm install -n prequel "$INSTALL_NAME" prequel/prequel-collector \
  --set token="$PROVISION_TOKEN" \
  --set clusterName="$CLUSTER_NAME" \
  --create-namespace

  • If you are installing on OpenShift, then follow the optional steps below and add --set scc=true
  • If you are adding node affinity/tolerations, then follow the optional steps below and add -f prequel_patch.yaml

Optional Step 5: Set the SecurityContextConstraints (required for OpenShift only)

If you are installing Prequel on an OpenShift cluster, then you must set scc=true in the Helm values.yaml or specify --set scc=true on the command line when you execute the Helm installation command from Step 4.

Optional Step 6: Set node affinity

If you prefer to install Prequel on a subset of your cluster nodes using affinity labels, then you can update the values.yaml file or specify a Helm patch file.

For example, if you would only like to install Prequel on nodes with the following labels:

  • customer=test
  • kubernetes.io/arch=amd64
  • kubernetes.io/os=linux

Then create the following prequel_patch.yaml patch file:

probes:
  affinity:
    nodeAffinity:
      requiredDuringSchedulingIgnoredDuringExecution:
        nodeSelectorTerms:
          - matchExpressions:
              - key: kubernetes.io/arch
                operator: In
                values:
                  - amd64
              - key: kubernetes.io/os
                operator: In
                values:
                  - linux
              - key: customer
                operator: In
                values:
                  - test

Be sure to add -f prequel_patch.yaml to your Helm install command from Step 4.

Optional Step 7: Set node tolerations

In Kubernetes, taints allow nodes to repel pods. If taints have been applied to nodes in your environment, you'll need to declare tolerations to allow Kubernetes to schedule pods on nodes with matching taints.

For example, if you would like to install Prequel on nodes that carry the following taint (key=value):

  • service=dedicated

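Then add the following to your prequel_patch.yaml patch file. If the file already has a probes: key from Step 6, place tolerations under that same key rather than repeating probes:

$ cat tolerations.yaml
probes:
  tolerations:
    - key: service
      operator: Equal
      value: dedicated
      effect: NoSchedule

Be sure to add -f prequel_patch.yaml to your Helm install command from Step 4.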

ArgoCD

ArgoCD UI

  1. Go to Applications -> New App
  2. Set the Application Name to prequel-vX.Y.Z
  3. Set the Project Name to your configured project
  4. Configure the Sync Policy and options as you see fit (we recommend the defaults)
  5. Set the Source Repository URL to https://prequel-dev.github.io/helm and the Type to "Helm"
  6. Set the Chart to prequel-collector and the Version to the latest version available in the dropdown
  7. Select the Destination Cluster
  8. Set the Namespace to prequel (ensure that this namespace exists)
  9. Set the name of the cluster with clusterName
  10. Set the provision token with token
  11. If you are using external secrets, be sure to set externalSecrets to true.
  12. If you are using external secrets and the name of either the Prequel token or the registry credential changes, be sure to set:
      • provision.tokenName
      • imagePullSecrets[0].name

Update the Helm values:

  1. Set the token to the Prequel API token provided to you by Customer Success
  2. Set the clusterName to a recognizable and unique name that will be shown in the UI for detections from this cluster
  3. Set node affinity and tolerations using the syntax described in the Helm instructions above.

Below is an example ArgoCD application YAML that uses external secrets.

prequel-argo-manifest.yaml
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: prequel
spec:
  destination:
    name: prequel-collector
    namespace: prequel
    server: 'https://kubernetes.default.svc'
  source:
    path: ''
    repoURL: 'https://prequel-dev.github.io/helm'
    targetRevision: 0.11.4
    chart: prequel-collector
    helm:
      parameters:
        - name: clusterName
          value: name-of-my-cluster
        - name: provision.tokenName
          value: myprequeltoken
        - name: externalSecrets
          value: 'true'
        - name: >-
            probes.affinity.nodeAffinity.requiredDuringSchedulingIgnoredDuringExecution.nodeSelectorTerms[0].matchExpressions[0].key
          value: kubernetes.io/arch
        - name: >-
            probes.affinity.nodeAffinity.requiredDuringSchedulingIgnoredDuringExecution.nodeSelectorTerms[0].matchExpressions[0].operator
          value: In
        - name: >-
            probes.affinity.nodeAffinity.requiredDuringSchedulingIgnoredDuringExecution.nodeSelectorTerms[0].matchExpressions[0].values[0]
          value: amd64
        - name: >-
            probes.affinity.nodeAffinity.requiredDuringSchedulingIgnoredDuringExecution.nodeSelectorTerms[0].matchExpressions[1].key
          value: customer-label
        - name: >-
            probes.affinity.nodeAffinity.requiredDuringSchedulingIgnoredDuringExecution.nodeSelectorTerms[0].matchExpressions[1].operator
          value: In
        - name: >-
            probes.affinity.nodeAffinity.requiredDuringSchedulingIgnoredDuringExecution.nodeSelectorTerms[0].matchExpressions[1].values[0]
          value: customer1
        - name: probes.tolerations[0].key
          value: dedicated
        - name: probes.tolerations[0].operator
          value: Equal
        - name: probes.tolerations[0].value
          value: probes
        - name: probes.tolerations[0].effect
          value: NoSchedule
  sources: []
  project: default