Installation Guide

​

Prerequisites

• Kubernetes v1.20+
• Helm v3+
• Administrator access to the cluster (for RBAC and CoreDNS patching)
• Outbound HTTPS access to NOFire AI

​

1. Helm Installation

​

Add Repository

helm repo add nofire https://nofirai.github.io/edge-helm-chart
helm repo update

​

Step 1: Initial Installation

helm install nofire-edge nofire/edge-helm-chart \
  --set publisher.apiKey=YOUR_API_KEY \
  --set publisher.graph.url=https://api.nofire.ai/graph \
  -n nofire-system --create-namespace

​

Step 2: Get the ClusterIP

kubectl get service nofire-edge -n nofire-system

​

Step 3: Reinstall with Static IP (Recommended)

[!IMPORTANT] Why Static IP? Setting a static ClusterIP ensures the service IP doesn’t change during upgrades or reinstalls. This is critical for CoreDNS configuration stability. By using the auto-assigned IP from Step 2 as your static IP, you avoid conflicts. Kubernetes allocates IPs dynamically from the upper range, while static IPs should use the lower range. Learn more about ClusterIP allocation strategy.

helm uninstall nofire-edge -n nofire-system

helm install nofire-edge nofire/edge-helm-chart \
  --set publisher.apiKey=YOUR_API_KEY \
  --set publisher.graph.url=https://api.nofire.ai/graph \
  --set service.clusterIP=<CLUSTER_IP_FROM_STEP_2> \
  -n nofire-system --create-namespace

publisher:
  apiKey: "YOUR_API_KEY"
  graph:
    url: "https://api.nofire.ai/graph"

service:
  clusterIP: "10.96.145.200"  # Use your ClusterIP from Step 2

services:
  address: ":6000"
  maxConns: 100

helm install nofire-edge nofire/edge-helm-chart -f values.yaml -n nofire-system --create-namespace

​

2. DNSTap Configuration (Critical)

[!IMPORTANT] Without DNSTap, the agent will only see static resources and will not show runtime dependencies.

​

Step 1: Verify Edge Service ClusterIP

kubectl get service nofire-edge -n nofire-system

EDGE_IP=$(kubectl get svc nofire-edge -n nofire-system -o jsonpath='{.spec.clusterIP}')
echo "Edge ClusterIP: $EDGE_IP"

​

Step 2: Patch CoreDNS

1. Obtain the current CoreDNS ConfigMap:
   Copy

   kubectl get configmap coredns -n kube-system -o yaml > coredns.yaml
   

2. Update the ConfigMap: Open coredns.yaml and locate the Corefile section. Insert the dnstap configuration line inside the main server block (.:53).
   Copy

   apiVersion: v1
   kind: ConfigMap
   metadata:
     name: coredns
     namespace: kube-system
   data:
     Corefile: |
       .:53 {
           errors
           health {
               lameduck 5s
           }
           ready
           kubernetes cluster.local in-addr.arpa ip6.arpa {
               pods insecure
               fallthrough in-addr.arpa ip6.arpa
               ttl 30
           }
           # --- INSERT THIS LINE ---
           dnstap tcp://NOFIRE_EDGE_IP:6000 full
           # ------------------------
           prometheus :9153
           forward . /etc/resolv.conf {
               max_concurrent 1000
           }
           cache 30
           loop
           reload
           loadbalance
       }
   

   [!WARNING] Replace NOFIRE_EDGE_IP with the actual ClusterIP from Step 1 (e.g., 10.96.145.200).

3. Apply the updated ConfigMap:
   Copy

   kubectl apply -f coredns.yaml
   

4. Restart CoreDNS:
   Copy

   kubectl rollout restart deployment coredns -n kube-system
   

​

Step 3: Verify Connection

kubectl logs -l app=nofire-edge -n nofire-system | grep "dnstap"

​

3. Publisher Configuration

• API Key: Must be set via publisher.apiKey. For security, consider using a Kubernetes Secret and referencing it in the Helm chart.
• Intervals:
  • publisher.graph.interval: Defaults to 1h. Controls how often the full graph is synced.

​

Troubleshooting

• No dependencies showing up? Check CoreDNS logs (kubectl logs -n kube-system -l k8s-app=kube-dns) for connection errors to the Edge Agent.
• Permission errors? Ensure the nofire-edge ServiceAccount has the necessary RBAC permissions (ClusterRole).