Before you begin deploying Glasswall Halo, ensure that you have the following tools and resources installed and set up.
System Requirements
The following guide has been written assuming it is being run on a Linux shell. If running on a different shell, some of the commands may need to be modified to run.
If running on Windows, please ensure you are using Windows Subsystem for Linux.
Required Tools
Required Azure Resources
1. AKS Instance
Recommended total of at least 8 vCPU and 32 GB RAM.
Minimum node size is 4 vCPU and 16 GB RAM.
For production workloads a minimum of 2 nodes is recommended.
In the steps below, the AKS cluster is referred to as: aksname
Note: Glasswall Halo does not support ARM64 node VMs.
For guidance on creating an AKS cluster please refer to:
2. Key Vault
Glasswall Halo secrets are managed using Azure Key Vault. These secrets are synced into the AKS cluster via External Secrets.
In the steps below, the Key Vault is referred to as: kvname
For guidance on creating an Azure Key Vault please refer to:
3. Storage Account
A storage account is used to store reports for each file processed by the platform. The SKU of the storage account does not impact performance, but we recommend at least GRS configuration.
An additional storage account is used as an Azure File Share backing the cluster's Persistent Volume. This is added to the AKS cluster's resource group automatically.
In the steps below, the storage account that collects the CDR reports is referred to as: saname
File shares:
1 x 10TB Provisioned Capacity (1100.0 MiB/s throughput)
Used for the Glasswall Halo transient file store and Glasswall Halo RabbitMQ
4. Database
Option 1 - MongoDB Database
MongoDB can be used to store the Glasswall Halo content management policies and data required for asynchronous file processing. MongoDB is used by the cdrplatform-policy-api, cdrplatform-async-api, cdrplatform-metrics-collation, cdrplatform-metrics-projection, and cdrplatform-tally-accumulator services.
Deploy a Cosmos DB with MongoDB API compatibility.
Ensure that the instance is set up with the appropriate throughput allocation, depending on how much data is expected to pass through Glasswall Halo.
Note: alternatively, MongoDB can be deployed directly inside your cluster using the MongoDB Helm Charts, as seen in Step 8.
Option 2 - CosmosDB Database
Alternatively, CosmosDB can be used to store Glasswall Halo content management policies, data for asynchronous file processing, and metrics.
Deploy a CosmosDB instance in Azure.
Ensure that the instance is set up with the appropriate throughput allocation, depending on how much data is expected to pass through Glasswall Halo.
5. App Registrations
A domain name must be configured for the Clean Room (portal service) to use SSO authentication.
Azure App registrations are required whenever SSO authentication using Azure AD needs to be enabled.
There are 3 App registrations that need to be created:
cdrplatform-api-access
cdrplatform-portal-access
cdrplatform-portal-client
The attached shell script helps to create these 3 app registrations. Enter the domain name you would like to use for the Portal as an argument to the shell script. For example, use cleanroom.glasswall.com as the domain name and run the script:
bash create-azure-app-registrations.sh cleanroom.glasswall.com
Access to Glasswall Artifact Registry
You are provided with a Token & Token ID to access Glasswall's Artifact Registry.
This allows you to directly pull container images and Helm charts from your AKS cluster.
In the steps below, the Token and Token ID will be referred to as: token and token_ID.
Assigning Variables
Variables assigned before you begin
The variables mentioned in prerequisites above need to be assigned before you can begin Glasswall Halo installation. You'll need to replace "..." with your own values.
Azure Resource Group name: rgp="..."
Azure Kubernetes Service name: aksname="..."
Azure Key Vault name: kvname="..."
Azure Storage Account name: saname="..."
Azure Container Registry Token ID: token_ID="..."
Azure Container Registry Token: token="..."
Note: the steps above assume each resource is in the same resource group referred to as: rgp.
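A preflight check for the six variables above, as an added example that is not part of the Glasswall documentation. The function names check_var and halo_preflight are hypothetical, and the name patterns are assumptions based on Azure's resource naming rules for AKS, Key Vault and storage accounts.

```shell
# Added example (not Glasswall's own code): preflight for the variables listed
# above. Name patterns are assumptions taken from Azure's resource naming rules.

# check_var NAME [ERE]: fail if $NAME is unset, empty, still the "..." placeholder,
# or does not match ERE. Values are never printed, because token is a secret.
check_var() {
  _name="$1"
  _pattern="${2:-.}"               # default: any non-empty value
  eval "_value=\${$_name-}"        # indirect lookup that also works in POSIX sh
  if [ -z "$_value" ] || [ "$_value" = "..." ]; then
    echo "UNSET    $_name" >&2
    return 1
  fi
  if ! printf '%s\n' "$_value" | grep -Eq -- "$_pattern"; then
    echo "INVALID  $_name (does not match $_pattern)" >&2
    return 1
  fi
  return 0
}

# halo_preflight: check every variable from "Variables assigned before you begin".
# Returns 0 only if all six are usable; reports every failure, not just the first.
halo_preflight() {
  _failed=0
  check_var rgp || _failed=1
  # AKS: 1-63 chars, letters/digits/underscores/hyphens, alphanumeric at both ends.
  check_var aksname '^[A-Za-z0-9]([A-Za-z0-9_-]{0,61}[A-Za-z0-9])?$' || _failed=1
  # Key Vault: 3-24 chars, letters/digits/hyphens, starts with a letter.
  check_var kvname '^[A-Za-z][A-Za-z0-9-]{1,22}[A-Za-z0-9]$' || _failed=1
  # Storage account: 3-24 chars, lowercase letters and digits only.
  check_var saname '^[a-z0-9]{3,24}$' || _failed=1
  check_var token_ID || _failed=1
  check_var token || _failed=1
  return "$_failed"
}
```

Source this after assigning the variables and run halo_preflight before the first installation step; a non-zero return means at least one variable is missing, still set to "...", or malformed.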
Variables assigned during steps
The following variables will need to be assigned during the installation process as resources are created.
Azure Storage Account connection string: saconnstring="..."
Managed Identity Access to Key Vault get and list permissions using objectid: objectID="..."
Managed Identity Access to Key Vault using Client ID for Helm install: MIclientID="..."
Note: ensure the correct database provider is set up and the relevant secrets are in the Key Vault as mentioned in Step 3.
Variable | Provider |
---|---|
| MongoDB |
| CosmosDB |