defguard
  • Introduction
  • User documentation (help)
    • Configuring VPN
      • Defguard Desktop Client
        • Update instance
      • Other WireGuard® Clients
        • Configuring a device for new VPN Location manually
    • Password change / Reset
    • Enrollment & Onboarding
      • With internal Defguard SSO
      • With external SSO (Google/Microsoft/Custom)
    • Setting up 2FA/MFA
    • Desktop Client
    • CLI Client
  • Admin & features
    • Deploying your instance
      • One-line install script
      • Standalone package based installation
      • Docker images and tags
      • Docker Compose
      • Kubernetes
      • Upgrading
      • Gateway
        • Running gateway on MikroTik routers
      • Securing gRPC communication
      • OpenID RSA key
      • Configuration
      • Pre-production and development releases
      • High Availability and Failover
      • Health check
    • Features & configuration
      • Zero-Trust VPN with 2FA/MFA
        • Create/manage VPN Location
        • Network overview
        • Executing custom gateway commands
        • Multi-Factor Authentication (MFA/2FA)
          • MFA Architecture
        • Remote desktop client configuration
        • DNS and domains
      • Remote user enrollment
        • User onboarding after enrollment
      • SSO (OpenID Connect)
        • Portainer
        • Grafana setup
        • Proxmox
        • Matrix / Synapse
        • Django
        • MinIO
        • Vault
      • SMTP for email notifications
      • YubiKey Provisioning
      • Webhooks
      • Forward auth
      • SSH Authentication
      • Network devices
      • Gateway notifications
      • New version notifications
  • Troubleshooting Guide
    • Sending support information
    • Client Windows installer exit codes
    • Client "All traffic" connection issues
    • WebAuthn security keys
  • Enterprise Features
    • License
    • Enteprise features
      • Automatic (real time) desktop client configuration & sync
      • External OpenID providers
        • Google
        • Microsoft
        • Zitadel
        • Keycloak
        • JumpCloud
        • Okta
        • Custom
      • External OIDC secure enrollment
      • VPN & Client behavior customization
      • REST API
      • Access Control List
        • ACL Aliases
      • LDAP and Active Directory integration
        • Configuration
        • Settings table
        • Two-way LDAP and Active Directory synchronization
  • Tutorials
    • Step by step setting up a VPN server
      • Adding additional VPN locations
  • In depth
    • Roadmap
    • Architecture
      • How do VPN statistics work
      • Security concepts
  • For Developers
    • Contributing
    • Environment setup
    • Translations (core/web)
      • Switching language
      • Adding translations
  • Translations (client)
    • Adding translations
  • Contact us
    • Community & Support
Powered by GitBook
On this page
  • Prerequisites
  • Deployment

Was this helpful?

Edit on GitHub
  1. Admin & features
  2. Deploying your instance

Kubernetes

PreviousDocker ComposeNextUpgrading

Last updated 1 month ago

Was this helpful?

Prerequisites

To deploy and use Defguard on your cluster you'll need:

  • a

  • Kubernetes CLI installed on your machine

  • helm binary https://github.com/helm/helm/releases/latest

Our helm charts currently support only Traefik ingress - which is relevant and affects exposing GRPC services (see below ingress.hosts.grpc).

Deployment

We prepared a with Kubernetes configuration, clone it with:

git clone https://github.com/DefGuard/deployment.git && cd deployment/charts

Then create a namespace for Defguard on your cluster:

kubectl create namespace defguard

Copy and fill in values file:

cp defguard/values.yaml ./

Required values (the rest should work if left as-is):

  • ingress.hosts.grpc: GRPC ingress address - GRPC clients like defguard gateway, yubi-bridge

If you are configuring your gateway or yubi-bridge - please use this GRPC URL for communication.

If you have other ingress controller than traefik - you need to configure GRPC ingress manualy with corresponding to your setup.

  • ingress.hosts.web: Web ingress address - Defguard web app will be available here.

  • publicUrl: Public URL your Defguard will be available under. Usually the same as ingress.hosts.web, but differs depending on your load balancer and/or reverse-proxy setup.

If you want to deploy the enrollment service along with your Defguard instance you also need to configure values related to the defguard-proxysubchart:

  • defguard-proxy.enabled: enable the enrollment service

  • proxyUrl: proxy gRPC endpoint URL (based on defguard-proxy.ingress.grpc.host)

  • defguard-proxy.publicUrl: public URL of the enrollment service

  • defguard-proxy.ingress.web.host: enrollment service web ingress address (the enrollment website)

  • defguard-proxy.ingress.grpc.host: enrollment service gRPC ingress address (for communicating with core)

And finally, install the Helm chart in the namespace:

helm install --wait=true --namespace defguard defguard defguard -f values.yaml
Kubernetes cluster
kubectl
git repository