Local Kubernetes Cluster

CI Sense's Docker images and Helm charts are made available via a private repo. Please contact your Code Intelligence Customer Success Manager to receive the relevant credentials.

The CI Sense Helm charts make it easy to deploy CI Sense into an existing Kubernetes cluster, so it can be integrated into a variety of infrastructures.

If you don't have access to a Kubernetes cluster, or for demo purposes, you can deploy CI Sense to a single-node Kubernetes cluster, which can be installed in minutes. We recommend a kind cluster for trying out CI Sense before deploying to a managed Kubernetes cluster.

Creating a local Kind cluster

To test the CI App locally, download the kind binary. A suitable kind cluster configuration can be found in kind-cluster-config.yaml. Create the cluster with:

kind create cluster --config <kind-cluster-config.yaml>

After the cluster is up, create the TLS certificate secret as described in the Ingress section and deploy an ingress controller with the commands:

kubectl apply -f "https://raw.githubusercontent.com/kubernetes/ingress-nginx/main/deploy/provider/kind/deploy.yaml"
kubectl wait deployment -n ingress-nginx ingress-nginx-controller --for condition=Available=true

See here for more details on alternative Ingress controllers that work in the kind cluster.

Create a custom-values.yaml with the following content and fill in the registry username, password and a domain of your choice:

global:
  imagePullSecret:
    create: true
    username: "<$USER_NAME>"
    password: "<$PASSWORD>"

fuzzContainerRegistry:
  address: registry.<your-domain>
  externalCredentials:
    username: cifuzz
    password: cifuzz-registry-password
  clusterCredentials:
    username: cisense
    password: cisense-registry-password

persistence:
  storageClassName: "standard"
  # Kind cluster's default storage class is a local storage provider.
  # Storage is not synced between nodes, so it doesn't support ReadWriteMany
  # access mode. It does provide ReadWriteOnce, which is ok as long as we're
  # running with a single worker node.
  accessModes:
    - ReadWriteOnce

ingress:
  tlsSecretName: cifuzz-server-certificates
  hosts:
    gateway: app.<your-domain>

grpcIngress:
  host: grpc.<your-domain>
  tlsSecretName: cifuzz-server-certificates

cifuzz-worker:
  enabled: true

registry:
  enabled: true
  ingress:
    host: registry.<your-domain>
    tlsSecretName: cifuzz-server-certificates

# Storage for the container registry.
minio:
  enabled: true
  persistence:
    storageclass: standard
    size: 20Gi
  resources:
    requests:
      memory: 500Mi

Then run the deployment:

helm upgrade cifuzz-server oci://f5d6e55758e0d08d.azurecr.io/helm/cifuzz-server \
  --install \
  --namespace <namespace> \
  --create-namespace \
  --values custom-values.yaml

After a successful deployment, add the following lines to your /etc/hosts:

127.0.0.1 app.<your-domain>
127.0.0.1 grpc.<your-domain>
127.0.0.1 registry.<your-domain>

You should now be able to access the CI App at https://app.<your-domain>, for example https://app.code-intelligence.local if you chose code-intelligence.local as your domain.

Container Registry Setup

In a kind cluster, some additional steps are required to enable pulling from the registry inside the cluster. First, the registry host name needs to be resolvable at the node level. Run the following commands to add a hostname entry to the /etc/hosts file of every kind node:

REGISTRY_HOST="registry.<your-domain>"
CLUSTER_IP=$(kubectl get svc -n ingress-nginx ingress-nginx-controller -o json | jq -r ".spec.clusterIP")
for node in $(kind get nodes); do
  docker exec "${node}" bash -c "echo \"${CLUSTER_IP} ${REGISTRY_HOST}\" >> /etc/hosts"
done

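If the registry uses a self-signed certificate, containerd will refuse to pull images from it. To work around this in the local kind cluster, you can disable certificate verification for this one specific container registry. The setting applies only to the registry named in REGISTRY_HOST; pulls from every other registry are still verified. Use the commands: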

REGISTRY_HOST="registry.<your-domain>"
REGISTRY_DIR="/etc/containerd/certs.d/${REGISTRY_HOST}"
for node in $(kind get nodes); do
  docker exec "${node}" mkdir -p "${REGISTRY_DIR}"
  cat <<EOF | docker exec -i "${node}" cp /dev/stdin "${REGISTRY_DIR}/hosts.toml"
[host."https://${REGISTRY_HOST}"]
  skip_verify = true
EOF
done
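
To confirm that verification is disabled only for the intended registry, the following added example (not part of the CI Sense documentation) scans a copy of a node's certs.d tree and reports every hosts.toml entry that sets skip_verify = true. The function name audit_skip_verify and the local directory names are assumptions made for this example.

```bash
# Added example: audit a copy of a node's containerd certs.d tree for
# registries with TLS verification disabled. Names here are assumptions.
# Copy the tree out of a kind node first, for example:
#   docker cp "${node}:/etc/containerd/certs.d" "./certs.d-${node}"

# Prints "<registry-dir> <host-url>" for each hosts.toml section that sets
# skip_verify = true. Returns 1 if any of them belongs to a registry
# directory other than the allowed host, 0 otherwise.
audit_skip_verify() {
  local certs_dir="$1" allowed_host="$2"
  local unexpected=0 f registry hits
  for f in "${certs_dir}"/*/hosts.toml; do
    [ -f "$f" ] || continue
    registry="$(basename "$(dirname "$f")")"
    hits="$(awk -v reg="$registry" '
      BEGIN { section = "(top-level)" }   # keys before any [host] table
      /^[ \t]*#/ { next }                 # ignore commented-out settings
      /^[ \t]*\[host\./ {                 # [host."https://..."] table header
        section = $0
        sub(/^[^"]*"/, "", section); sub(/".*$/, "", section)
        next
      }
      /^[ \t]*\[/ { section = ""; next }  # any other table: not a host entry
      section != "" && /^[ \t]*skip_verify[ \t]*=[ \t]*true/ { print reg, section }
    ' "$f")"
    [ -n "$hits" ] || continue
    printf '%s\n' "$hits"
    [ "$registry" = "$allowed_host" ] || unexpected=1
  done
  return "$unexpected"
}
```

Call it as audit_skip_verify ./certs.d-<node> "registry.<your-domain>"; a non-zero exit status means some other registry also has verification turned off.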

Cluster storage requirements

We recommend at least 256 GB of storage for the CI Sense Container Registry. Fuzz Containers stored in the Registry are periodically pruned to keep storage usage in check.