Installing the Controller Using Helm Chart
After preparing the cluster with cert-manager, you can deploy the FortiADC Kubernetes Controller using Helm. This process creates the controller pod and all necessary supporting resources within your specified namespace.
Repository Setup
Starting with version 3.0.0, the Helm chart repository was renamed. If you are upgrading from an older version (2.x), you must remove the legacy repository before adding the new one.
helm repo remove fortiadc-ingress
helm repo add fortiadc-kubernetes-controller \
    https://fortinet.github.io/fortiadc-kubernetes-controller/
helm repo update
Customization via values.yaml
The installation is governed by a values.yaml file that provides the default configurations. You can override these values during installation to customize node tolerations or define whether security parameters (such as WAF or Antivirus profiles) are optional or mandatory.
Below is an excerpt of the default configuration variables:
# Default values for fadc-k8s-ctrl.
# This is a YAML-formatted file.
# Declare variables to be passed into your templates.
# FortiADC Kubernetes Controller image from Dockerhub.com
image:
  repository: fortinet/fortiadc-ingress
  pullPolicy: IfNotPresent
  tag: "3.1.0"
nameOverride: ""
fullnameOverride: ""
serviceAccount:
  create: true
  annotations: {}
  name: "fortiadc-ingress"
podAnnotations: {}
podSecurityContext: {}
securityContext: {}
nodeSelector: {}
tolerations:
  - effect: "NoExecute"
    key: "node.kubernetes.io/not-ready"
    operator: "Exists"
    tolerationSeconds: 30
  - effect: "NoExecute"
    key: "node.kubernetes.io/unreachable"
    operator: "Exists"
    tolerationSeconds: 30
affinity: {}
# Define Ingress Class for FortiADC Kubernetes Controller
controller:
  ingressClassResource:
    name: "fadc-ingress-controller"
    enabled: true
    default: true
    controllerValue: "fortinet.com/fadc-ingress-controller"
# You can decide parameters defined in annotation of Ingress to be optional or mandatory.
# FortiADC Kubernetes Controller will check the parameter if it marks mandatory.
parameters:
  virtualServerNatSrcPool : "optional"
  virtualServerWafProfile : "optional"
  virtualServerAvProfile : "optional"
  virtualServerDosProfile : "optional"
  virtualServerCaptchaProfile : "optional"
  virtualServerPersistence : "optional"
  virtualServerFortiGSLB : "optional"
openshiftRouteSupport: "no"
enableStaticRouteSupport: "no"
webhook:
  useCertManager: true
  service:
    name: fad-webhook
    port: 443
    targetPort: 8443
  tlsSecretName: webhook-tls
  validatingWebhookName: validator.fadk8sctrl.fortinet.com
  mutatingWebhookName: mutator.fadk8sctrl.fortinet.com
  rules:
    validating:
      - name: validate-vs.fadk8sctrl.fortinet.com
        group: fadk8sctrl.fortinet.com
        version: v1alpha2
        resources:
          - virtualservers
        scope: "Namespaced"
        path: /validate-vs
      - name: validate-ingress.fadk8sctrl.fortinet.com
        group: networking.k8s.io
        version: v1
        resources:
          - ingresses
        scope: "Namespaced"
        path: /validate-ingress
    mutating:
      - name: mutate-vs.fadk8sctrl.fortinet.com
        group: fadk8sctrl.fortinet.com
        version: v1alpha2
        resources:
          - virtualservers
        scope: "Namespaced"
        path: /mutate-vs
To get the verbose output, add
Installation
You can specify the Kubernetes namespace in which the FortiADC Kubernetes Controller is deployed.
If no namespace is specified, the default namespace is used. RELEASE_NAME is the name you give to this chart installation:
helm install [RELEASE_NAME] --namespace [Kubernetes NameSpace] \
    fortiadc-kubernetes-controller/fadc-k8s-ctrl
Standard Installation: The following example installs the chart with the release name first-release in the namespace fortiadc-ingress:
user@control-plane-node ~> helm install first-release --namespace fortiadc-ingress \
    fortiadc-kubernetes-controller/fadc-k8s-ctrl
Overriding Values: You can use --set flags to override values in the values.yaml file. For example, to set the virtualServerWafProfile parameter as mandatory:
user@control-plane-node ~> helm install --debug first-release \
    --set parameters.virtualServerWafProfile="mandatory" \
    --namespace fortiadc-ingress fortiadc-kubernetes-controller/fadc-k8s-ctrl
You can also create a new namespace and deploy the FortiADC Kubernetes Controller in it in a single step:
helm install first-release --namespace fortiadc-ingress \
    --create-namespace --wait fortiadc-kubernetes-controller/fadc-k8s-ctrl
Upgrading the Chart
Use the upgrade command to move to a newer version. The --install option ensures the release is installed if it does not already exist.
You can specify the namespace with the --namespace option.
Note: The --reset-values option will remove all the user-supplied values. For example, if you had specified the virtualServerWafProfile parameter to be mandatory in a previous upgrade or install, the value will be reset to optional. The --reset-values option ensures all the values are directly from the updated repository.
helm repo update
helm upgrade --reset-values --debug -n [Kubernetes NameSpace] [RELEASE_NAME] \
    fortiadc-kubernetes-controller/fadc-k8s-ctrl --install
Customizing during Upgrade: You can also change fields using the --set flag during an upgrade.
To see which values you can change, refer to https://github.com/fortinet/fortiadc-kubernetes-controller/blob/main/charts/fadc-k8s-ctrl-3.1.0/values.yaml.
In the example below, you can override the value for the virtualServerWafProfile parameter to make it mandatory:
helm upgrade --debug -n [Kubernetes NameSpace] \
    --set parameters.virtualServerWafProfile="mandatory" \
    [RELEASE_NAME] fortiadc-kubernetes-controller/fadc-k8s-ctrl
Using the --debug option allows you to verify your settings under the USER-SUPPLIED VALUES section of the Helm output.
Release "first-release" has been upgraded. Happy Helming!
NAME: first-release
LAST DEPLOYED: Mon Apr 18 09:07:46 2022
NAMESPACE: fortiadc-ingress
STATUS: deployed
REVISION: 2
TEST SUITE: None
USER-SUPPLIED VALUES:
parameters:
  virtualServerWafProfile: mandatory
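A post-upgrade check for the --reset-values behaviour described in the note above, as an added example that is not part of the Fortinet documentation: it reads a release's values as YAML (as printed by helm get values --all) and reports any required security parameter that is not mandatory. The function name not_mandatory, the REQUIRED list and the sample input are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not Fortinet code. Reads a release's values as YAML on stdin,
# e.g.  helm get values --all -n fortiadc-ingress first-release | not_mandatory
# and reports required security parameters that are not "mandatory".
# REQUIRED is an assumed policy; list the profiles you actually enforce.
REQUIRED="virtualServerWafProfile virtualServerAvProfile virtualServerDosProfile"

# Prints "<key>: <value>" (or "<key>: missing") per failing parameter.
# Returns 0 when every required parameter is mandatory, 1 otherwise.
not_mandatory() {
    awk -v required="$REQUIRED" '
        BEGIN { n = split(required, want, " ") }
        /^parameters:[ \t]*$/ { inblock = 1; next }  # top-level parameters map
        /^[^ \t#]/            { inblock = 0 }        # next top-level key ends it
        inblock && /^[ \t]+[A-Za-z]/ {
            key = $0; sub(/^[ \t]+/, "", key); sub(/[ \t]*:.*$/, "", key)
            val = $0; sub(/^[^:]*:[ \t]*/, "", val)
            sub(/[ \t]+#.*$/, "", val)               # drop a trailing comment
            gsub(/"/, "", val); sub(/[ \t]+$/, "", val)
            seen[key] = val
        }
        END {
            bad = 0
            for (i = 1; i <= n; i++) {
                k = want[i]
                if (!(k in seen)) { print k ": missing"; bad = 1 }
                else if (seen[k] != "mandatory") { print k ": " seen[k]; bad = 1 }
            }
            exit bad
        }'
}

# Constructed sample: computed values after an upgrade that reset overrides.
SAMPLE_RESET='COMPUTED VALUES:
parameters:
  virtualServerAvProfile: optional
  virtualServerWafProfile: optional
webhook:
  useCertManager: true'

if ! printf '%s\n' "$SAMPLE_RESET" | not_mandatory; then
    echo "security parameters are no longer mandatory; re-apply with --set" >&2
fi
```

Run it after every helm upgrade, and treat a non-zero return as a failed deployment step so a reset to optional does not go unnoticed.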
Uninstalling the Chart
To uninstall the Helm Chart:
helm uninstall [RELEASE_NAME]
To uninstall the FortiADC Kubernetes Controller in the specified Kubernetes namespace:
helm uninstall [RELEASE_NAME] --namespace [Kubernetes NameSpace]