
# Installation

# Overview

This repository contains the installer for Binarly On-Prem. The installer uses Helmfile and various Helm charts to set up all necessary components.

# Prerequisites

* Access to a Kubernetes cluster running version `1.29.0` or newer.
* `kubectl` configured to interact with your cluster.
* `helm` installed, if using Helm for deployment. `v3.17.0` or newer is required.
* A Linux, macOS, or Windows (with WSL enabled) machine.
* Access credentials for Binarly's Artifact Registry (provided with the installer).
* Secrets and values set up as described on the [Configuration](./configuration) page.

<Info>
  The [Considerations](./considerations.mdx) page contains information pertinent to the install and should be read fully before proceeding.
</Info>

## Deployment

### Helm

1. Set up Secrets as described in the [Configuration/Binarly Secrets](./configuration#binarly-secrets) section.
2. Create a `values-overlay.yaml` file with the necessary configuration. This is detailed in the [Configuration/Values](./configuration#values) section.
3. Read the [Third Party Charts](./considerations#third-party-charts) section and ensure any required third-party components are installed.

<Warning>
  CRD management in Helm leaves a lot to be desired: some CRDs may be installed improperly, installed at an older version, or not installed at all. If you encounter issues, the CRDs can be applied one by one using `kubectl`, or with a `helm install` of the individual charts.
</Warning>

To deploy the Binarly Transparency Platform, use the following command to create the CRDs:

```bash theme={null}
helm template binarly-transparency-platform \
  oci://<Your provided registry>/charts/binarly-transparency-platform:<The required version> \
  -f values-overlay.yaml | \
  yq e 'select(.kind == "CustomResourceDefinition")' - | kubectl apply -f -
```

Then deploy the application:

```bash theme={null}
helm upgrade --install binarly-transparency-platform \
  oci://<Your provided registry>/charts/binarly-transparency-platform:<The required version> \
  -f values-overlay.yaml --namespace {Your Namespace} \
  --skip-crds \
  --take-ownership \
  --timeout 15m \
  --create-namespace
```
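
To confirm that the CRD step took effect before running `helm upgrade`, the following check compares the CRDs rendered from the chart with those present in the cluster. It is an added example, not part of the Binarly installer; the function names and the `MISSING`/`VERSIONS` output format are assumptions of this example, and it relies on the same `helm`, `yq` (v4) and `kubectl` tools used above.

```bash
#!/bin/sh
# Added example (not part of the Binarly installer): confirm that every CRD the
# chart renders is present in the cluster with the same declared version names.

# compare_crds CHART_LIST CLUSTER_LIST
# Each file holds "<crd-name> <comma-separated-versions>" lines. Prints one line
# per problem and returns 1 if any CRD is missing or its version list differs.
compare_crds() {
  awk '
    $1 == "---" || NF == 0 { next }                 # yq document separators, blanks
    FILENAME == ARGV[1]    { have[$1] = $2; next }  # first file: cluster state
    !($1 in have)          { print "MISSING " $1; bad = 1; next }
    have[$1] != $2         { print "VERSIONS " $1 " chart=" $2 " cluster=" have[$1]; bad = 1 }
    END                    { exit bad + 0 }
  ' "$2" "$1"
}

# check_cluster CHART_REF VALUES_FILE
# CHART_REF is the oci:// chart reference used in the helm commands above.
check_cluster() {
  tmp=$(mktemp -d) || return 2
  helm template binarly-transparency-platform "$1" -f "$2" |
    yq e 'select(.kind == "CustomResourceDefinition") | .metadata.name + " " + (.spec.versions | map(.name) | join(","))' - \
      > "$tmp/chart"
  kubectl get crd --no-headers \
    -o custom-columns='NAME:.metadata.name,VERSIONS:.spec.versions[*].name' |
    awk '{ print $1, $2 }' > "$tmp/cluster"
  if [ ! -s "$tmp/chart" ]; then
    # An empty render would otherwise look like a clean result.
    echo "no CRDs rendered from chart; check the helm/yq output" >&2
    rc=2
  else
    compare_crds "$tmp/chart" "$tmp/cluster"; rc=$?
  fi
  rm -rf "$tmp"
  return "$rc"
}

# Run against a live cluster only when both arguments are given.
if [ "$#" -eq 2 ]; then
  check_cluster "$1" "$2"
fi
```

Pass it the same chart reference and `values-overlay.yaml` as the commands above. It compares CRD names and declared version names only, so schema changes within a version are not detected.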

### ArgoCD

If you are using ArgoCD, you can create an Application manifest to deploy this chart. Here is an example, with sample values:

```yaml theme={null}
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: binarly-transparency-platform
  namespace: argocd
spec:
  project: default
  source:
    helm:
      values: |
        global:
          argoCD: true # Important to disable helm-specific hooks
          storageClassName: standard
          ingressClassName: tailscale
          basedomain: binarly.io
          dashboard:
            hostname: "dashboard"
          keycloak:
            hostname: "keycloak"
          bucketsConfig:
            publicEndpoint: https://minio-api.binarly.io # The public endpoint for MinIO, if using the built-in data storage option
        keycloak:
          ingress:
            hostname: "keycloak.binarly.io" # Unfortunately this has to be set twice
        scan-workflow: # Specific configuration for the scanner jobs
          workflow:
            storageClassName: "premium"
            nodeSelector:
              workload: tools
            tolerations:
              - effect: NoSchedule
                key: workload
                operator: Equal
                value: tools
    repoURL: {The Repository URL}
    targetRevision: {The required version}
    chart: binarly-transparency-platform
  destination:
    server: https://kubernetes.default.svc
    namespace: binarly-transparency-platform
  syncPolicy:
    automated:
      prune: true
      selfHeal: true
    syncOptions:
      - ServerSideApply=true
      - RespectIgnoreDifferences=true
      - CreateNamespace=true
  ignoreDifferences:
    - jsonPointers:
        - /data/password
        - /data/admin-password
      kind: Secret
```

### FluxCD

If you are using FluxCD, you can create a HelmRelease manifest to deploy this chart. Here is an example with sample values:

```yaml theme={null}
# -- More information on HelmRepository and HelmRelease can be found at https://fluxcd.io/flux/components/helm/helmreleases/
apiVersion: source.toolkit.fluxcd.io/v1
kind: HelmRepository
metadata:
  name: binarly-transparency-platform
  namespace: binarly-transparency-platform
spec:
  type: "oci"
  url: {The Repository URL}
  interval: 10m
  secretRef:
    name: binarly-registry

---
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
  name: binarly-transparency-platform
  namespace: binarly-transparency-platform
spec:
  interval: 5m
  chart:
    spec:
      chart: binarly-transparency-platform
      version: {The required version}
      sourceRef:
        kind: HelmRepository
        name: binarly-transparency-platform
        namespace: binarly-transparency-platform
  values:
    global:
      registryHost: "registry.binarly.io"
      storageClassName: standard
      ingressClassName: tailscale
      basedomain: binarly.io
      dashboard:
        hostname: "dashboard"
      keycloak:
        hostname: "keycloak"
      bucketsConfig:
        publicEndpoint: https://minio-api.binarly.io # The public endpoint for MinIO, if using the built-in data storage option
    keycloak:
      ingress:
        hostname: "keycloak.binarly.io" # Unfortunately this has to be set twice
    scan-workflow: # Specific configuration for the scanner jobs
      workflow:
        storageClassName: "premium"
        nodeSelector:
          workload: tools
        tolerations:
          - effect: NoSchedule
            key: workload
            operator: Equal
            value: tools
  install:
    createNamespace: true
  upgrade:
    remediation:
      retries: 3
```

## Post-Deployment

### User Setup

After installation is complete, a user needs to be set up on Keycloak before accessing the platform. To do this, follow these steps:

1. Access the Keycloak Admin Console at the configured Keycloak hostname (e.g., `https://keycloak.binarly.cloud`).
2. Get the admin password using the following command:

   ```bash theme={null}
   kubectl get secret -n {{ The installation namespace }} keycloak -o jsonpath='{.data.admin-password}' | base64 --decode
   ```
3. Log in to the Keycloak Admin Console using the username `admin` and the password obtained in the previous step.
4. Click "Manage Realm", then "BinarlyRealm".
   <img src="https://mintcdn.com/binarly-bee2cf27/XVB6EHebXG41sH1I/images/manage-realm.png?fit=max&auto=format&n=XVB6EHebXG41sH1I&q=85&s=2747509aca4455d10ae368c63caf180c" alt="Manage Realm" width="724" height="540" data-path="images/manage-realm.png" />
   <img src="https://mintcdn.com/binarly-bee2cf27/XVB6EHebXG41sH1I/images/keycloak-realm.png?fit=max&auto=format&n=XVB6EHebXG41sH1I&q=85&s=41923ca4aa1a32ed521b5611410dff66" alt="BinarlyRealm" width="1010" height="444" data-path="images/keycloak-realm.png" />
5. Click "Users" in the left sidebar, then click "Add User".
6. Fill in the user's email and add `org_admin` in the Binarly Role field, and save.
   <img src="https://mintcdn.com/binarly-bee2cf27/XVB6EHebXG41sH1I/images/user-email.png?fit=max&auto=format&n=XVB6EHebXG41sH1I&q=85&s=ff892b5a97468139036e2abe3b3370b3" alt="New User" width="1071" height="622" data-path="images/user-email.png" />
7. Navigate to the "Credentials" tab and set a password for the user.
   <img src="https://mintcdn.com/binarly-bee2cf27/XVB6EHebXG41sH1I/images/user-credential.png?fit=max&auto=format&n=XVB6EHebXG41sH1I&q=85&s=2da07593f8e6aba866db163e7cb20178" alt="Create Credentials" width="1458" height="428" data-path="images/user-credential.png" />
   <img src="https://mintcdn.com/binarly-bee2cf27/XVB6EHebXG41sH1I/images/credential-window.png?fit=max&auto=format&n=XVB6EHebXG41sH1I&q=85&s=c5ce710499158fb436678597c0e4fff3" alt="Set Credentials" width="620" height="366" data-path="images/credential-window.png" />
8. Log in to the Binarly Transparency Platform at the configured dashboard hostname (e.g., `https://dashboard.binarly.cloud`) using the email and password set in the previous step.

<Warning>
  Please do not remove the `binarly-admin` user. This user is used by the application for user management and cannot be used to access the platform.
</Warning>

### Running a Scan

After logging in, you can refer to the [user guides](../../user-guides/get-started/first-scan.mdx) for how to use the platform.
