Step 8 - Install CDR components

    Finally, install the CDR application services. For these charts, ensure you set the image tag to the corresponding tag found in the release notes.

    The examples below are pre-populated with the tags for v2.11.0:

    8.1 Engine

    To integrate Halo with Reversing Labs, set the enable_reversing_labs variable to true below. Make sure the Reversing Labs secrets have been created in the Key Vault as described in Step 3.

    enable_reversing_labs=""
    helm upgrade --install cdrplatform-engine cdrplatform-engine \
      --set image.tag=141890 \
      --set image.repository=glasswallhub.azurecr.io/cdrplatform-engine \
      --set configuration.ENABLE_REVERSING_LABS="${enable_reversing_labs}" \
      --atomic

    8.2 Sync API

    helm upgrade --install cdrplatform-sync-api cdrplatform-sync-api \
      --set image.tag=144712 \
      --set image.repository=glasswallhub.azurecr.io/cdrplatform-sync-api \
      --atomic
    

    8.3 API Access service

    The API Access service acts as a gateway for the CDR Platform Sync API and Policy API. It exposes the CDR functionality over HTTP. If your environment requires TLS/SSL (HTTPS), follow the instructions for installing with TLS/SSL; otherwise follow the instructions for installing without it.

    8.3A - For deployments without TLS/SSL

    helm upgrade --install cdrplatform-api-access cdrplatform-api-access \
     --set image.repository=glasswallhub.azurecr.io/cdrplatform-api-access \
     --set image.tag=144498 \
     --atomic

    8.3B - For deployments with TLS/SSL

    To use SSL certificates on CDR API, create a private key and certificate for the domain to be used.

    Create a Kubernetes secret from the key and certificate files using the command below. The command creates a secret named "tls-secret" from server.key (the private key) and server.crt (the certificate). In this example the key must not be passphrase protected.

    kubectl create secret tls tls-secret --key server.key --cert server.crt
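    Before creating tls-secret, a short pre-flight of the key and certificate pair catches the usual failures (passphrase-protected key, key that does not belong to the certificate, expired certificate, certificate issued for a different domain). This is an added example and not part of the Glasswall documentation; it assumes only openssl is available, and the self-signed pair it generates is constructed for the demo.

```shell
# Pre-flight checks for the key/certificate pair that will go into tls-secret.
# Added example, not Glasswall's code; needs only openssl.
# Usage: tls_preflight server.key server.crt <domain>
tls_preflight() {
  key=$1; crt=$2; domain=$3
  # 1. The key must not be passphrase protected (the secret is created non-interactively).
  if grep -q 'ENCRYPTED' "$key"; then
    echo "FAIL: $key is passphrase protected" >&2; return 1
  fi
  # 2. Both files must parse, and the key must belong to the certificate:
  #    compare digests of the public key extracted from each.
  openssl pkey -in "$key" -noout -passin pass: 2>/dev/null \
    || { echo "FAIL: cannot read private key $key" >&2; return 1; }
  openssl x509 -in "$crt" -noout 2>/dev/null \
    || { echo "FAIL: cannot read certificate $crt" >&2; return 1; }
  kpub=$(openssl pkey -in "$key" -pubout 2>/dev/null | openssl sha256)
  cpub=$(openssl x509 -in "$crt" -pubkey -noout 2>/dev/null | openssl sha256)
  if [ "$kpub" != "$cpub" ]; then
    echo "FAIL: $key does not match $crt" >&2; return 1
  fi
  # 3. Reject a certificate that is expired or expires within 24 hours.
  if ! openssl x509 -in "$crt" -noout -checkend 86400 >/dev/null; then
    echo "FAIL: $crt is expired or about to expire" >&2; return 1
  fi
  # 4. The certificate must name the ingress domain (subject CN or a DNS SAN).
  if ! openssl x509 -in "$crt" -noout -text | grep -qE "DNS:$domain|CN ?= ?$domain"; then
    echo "FAIL: $crt is not issued for $domain" >&2; return 1
  fi
  echo "OK: kubectl create secret tls tls-secret --key $key --cert $crt"
}

# Constructed, throw-away self-signed pair so the checks can be exercised
# offline; use the real server.key / server.crt in practice.
make_demo_pair() {  # make_demo_pair DIR DOMAIN
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=$2" \
    -keyout "$1/server.key" -out "$1/server.crt" >/dev/null 2>&1
}

demo=$(mktemp -d)
make_demo_pair "$demo" halo.example.test
tls_preflight "$demo/server.key" "$demo/server.crt" halo.example.test
```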
    

    This secret can then be used to enable TLS on the ingress. Make sure the domain name is set in the command below:

    helm upgrade --install cdrplatform-api-access cdrplatform-api-access \
      --set image.tag=144498 \
      --set image.repository=glasswallhub.azurecr.io/cdrplatform-api-access \
      --set ingress.tls.enabled=true \
      --set ingress.tls.domain=<domain name> \
      --set ingress.tls.secretName=tls-secret \
      --atomic

    8.3C - To enable Basic API authentication

    Authentication in the CDR Platform is disabled by default. When enabled, it applies to both the CDR Platform Sync API and the Policy API. To enable authentication:

    • Create two secrets in Azure Key Vault: one for the organisation ID and one for the organisation tokens. When passing multiple tokens, separate them with a comma (","); a token itself therefore must not contain a comma.

    • The secrets in Azure Key Vault should follow the naming convention below:

      • The secret for the organisation ID should start with organisation and end with -id, with a number in between. For example organisation0-id, organisation1-id, organisation2-id etc.

      • The secret for the organisation tokens should start with organisation and end with -tokens, with a number in between. For example organisation0-tokens, organisation1-tokens, organisation2-tokens etc.

    • Set configuration.AuthenticationScheme=Basic when deploying the helm chart. For example:

    helm upgrade --install cdrplatform-api-access cdrplatform-api-access \
      --set image.repository=glasswallhub.azurecr.io/cdrplatform-api-access \
      --set image.tag=144498 \
      --set configuration.AuthenticationScheme=Basic \
      --atomic
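    The naming convention and the comma rule above can be checked locally before the secrets are written to Key Vault, which is cheaper than finding out after deployment that an ID has no matching token list. Added example, not part of the Glasswall documentation; join_tokens and check_org_secret_names are hypothetical helper names, and the secret names and token values used below are constructed.

```shell
# Local validation of the Basic-auth Key Vault secrets described above.
# Added example, not Glasswall's code. Names/values below are constructed.

is_number() { case $1 in ''|*[!0-9]*) return 1;; esac; return 0; }

# check_org_secret_names NAME... -> 0 when every organisation<N>-id has a
# matching organisation<N>-tokens (and vice versa) and <N> is numeric.
check_org_secret_names() {
  rc=0; ids=""; toks=""
  for n in "$@"; do
    case $n in
      organisation*-id)
        num=${n#organisation}; num=${num%-id}
        is_number "$num" && ids="$ids $num" || { echo "BAD NAME: $n" >&2; rc=1; } ;;
      organisation*-tokens)
        num=${n#organisation}; num=${num%-tokens}
        is_number "$num" && toks="$toks $num" || { echo "BAD NAME: $n" >&2; rc=1; } ;;
      organisation*) echo "BAD NAME: $n" >&2; rc=1 ;;
    esac
  done
  for i in $ids;  do case " $toks " in *" $i "*) ;; *) echo "MISSING: organisation$i-tokens" >&2; rc=1;; esac; done
  for t in $toks; do case " $ids "  in *" $t "*) ;; *) echo "MISSING: organisation$t-id" >&2; rc=1;; esac; done
  return $rc
}

# join_tokens TOKEN... -> the comma-separated value for organisation<N>-tokens.
# Rejects empty tokens and tokens containing a comma, because the service splits
# the secret on commas and such a token would silently become two wrong tokens.
join_tokens() {
  out=""
  for t in "$@"; do
    [ -n "$t" ] || { echo "REJECT: empty token" >&2; return 1; }
    case $t in *,*) echo "REJECT: token contains a comma: $t" >&2; return 1;; esac
    out="${out:+$out,}$t"
  done
  printf '%s' "$out"
}

# Demo with constructed values (org 0 and 1 each have an id and a token list).
check_org_secret_names organisation0-id organisation0-tokens organisation1-id organisation1-tokens \
  && echo "secret names OK"
tokens=$(join_tokens "tokenA-constructed" "tokenB-constructed") && echo "organisation0-tokens=$tokens"
# The value would then be stored with:
#   az keyvault secret set --vault-name "${kvname}" --name organisation0-tokens --value "$tokens"
```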

    8.3D - To enable Azure AD API authentication

    To enable Azure AD based authentication, set configuration.AuthenticationScheme=Bearer and set the tenant_id and domain_name variables when deploying the helm chart. For example:

    tenant_id=""
    domain_name=""
    helm upgrade --install cdrplatform-api-access cdrplatform-api-access --wait --atomic \
      --set image.tag="144498" \
      --set image.repository="glasswallhub.azurecr.io/cdrplatform-api-access" \
      --set ingress.tls.enabled=true \
      --set ingress.tls.domain=${domain_name} \
      --set ingress.tls.secretName=tls-secret \
      --set configuration.AuthenticationScheme="Bearer" \
      --set configuration.Authentication__Schemes__Bearer__ValidAudiences__0=api://cdrplatform-api-access \
      --set configuration.Authentication__Schemes__Bearer__ValidIssuer=https://sts.windows.net/${tenant_id}/ \
      --set configuration.Authentication__Schemes__Bearer__Authority=https://login.microsoftonline.com/${tenant_id}/v2.0/

    8.4 Portal

    To deploy the Portal service, run the commands below.

    8.4A - For deployments without TLS/SSL

    Note that <IP-address> in this command refers to the Load Balancer's public IP address, which can be retrieved as described in the "Portal & API Access" step below.

    helm upgrade --install cdrplatform-portal cdrplatform-portal \
      --set image.repository=glasswallhub.azurecr.io/cdrplatform-portal \
      --set configuration.BackendUrl="http://<IP-address>" \
      --set image.tag=144806 \
      --set configuration.HaloVersion=2.11.0 \
      --atomic

    8.4B - For deployments with TLS/SSL

    If TLS needs to be enabled, add the --set ingress.tls.enabled=true parameter and set portal_domain=<domain name>. The example below reuses the Kubernetes secret created for the API Access service to retrieve the certificates.

    portal_domain=""
    helm upgrade --install cdrplatform-portal cdrplatform-portal \
      --set image.tag=144806 \
      --set image.repository=glasswallhub.azurecr.io/cdrplatform-portal \
      --set ingress.tls.enabled=true \
      --set ingress.tls.domain=${portal_domain} \
      --set ingress.tls.secretName=tls-secret \
      --set configuration.BackendUrl="https://${portal_domain}" \
      --set configuration.HaloVersion=2.11.0 \
      --atomic

    8.4C - Enable Admin access without authentication

    When Single Sign-On (SSO) login is not enabled in the Portal, administrative features such as license management and policy configuration are not accessible. To enable access to these admin features without setting up SSO, deploy the Helm chart with the following configuration (portal_domain as set in 8.4B). Because this bypasses authentication for the admin features, anyone who can reach the Portal can use them, so restrict network access to the Portal accordingly:

    helm upgrade --install cdrplatform-portal cdrplatform-portal \
      --set image.tag=144806 \
      --set image.repository=glasswallhub.azurecr.io/cdrplatform-portal \
      --set ingress.tls.enabled=true \
      --set ingress.tls.domain=${portal_domain} \
      --set ingress.tls.secretName=tls-secret \
      --set configuration.AutoAdmin="true" \
      --atomic

    8.4D To configure SSO login in cleanroom

    Set the portal_domain, portal_client_id and tenant_id variables in the commands below and run them. portal_domain is the domain name used to set up TLS for the Portal service; it must be the same domain used in the cdrplatform-portal-client app registration.

    portal_client_id is the Application (client) ID of the cdrplatform-portal-client app registration created in the prerequisites step.

    tenant_id is the ID of the tenant in which the app registrations were created.

    enabled_pages lists the pages that need to be enabled, separated by commas; each comma is escaped as \, so that helm --set does not split the value. Set it to SystemSettings\,PolicySettings\,ValidationSettings\,IcapSettings\,IcapRequests\,IcapReporting when the Policy API, ICAP server and ReversingLabs are deployed, or to SystemSettings\,PolicySettings\,ValidationSettings if only the Policy API is deployed. If neither the Policy API nor the ICAP server is deployed, set enabled_pages="SystemSettings".

    portal_domain=""
    portal_client_id=""
    tenant_id=""
    enabled_pages="SystemSettings\,PolicySettings\,ValidationSettings"
    helm upgrade --install cdrplatform-portal cdrplatform-portal \
      --set image.repository=glasswallhub.azurecr.io/cdrplatform-portal \
      --set image.tag=144806 \
      --set ingress.tls.enabled=true \
      --set ingress.tls.domain=${portal_domain} \
      --set ingress.tls.secretName=tls-secret \
      --set configuration.BackendUrl="https://${portal_domain}" \
      --set configuration.EnabledPages=${enabled_pages} \
      --set configuration.OIDC.ProviderOptions.Authority="https://login.microsoftonline.com/${tenant_id}/v2.0" \
      --set configuration.OIDC.ProviderOptions.RedirectUri="https://${portal_domain}/authentication/login-callback" \
      --set configuration.OIDC.ProviderOptions.ClientId="${portal_client_id}" \
      --set configuration.OIDC.ProviderOptions.PostLogoutRedirectUri="https://${portal_domain}/authentication/logout-callback" \
      --set configuration.HaloVersion=2.11.0 \
      --atomic
    

    8.5 Portal Access

    Portal Access acts as a backend for the Portal. It enables the Portal to access the Policy API and Sync API.

    8.5A For deployments with TLS/SSL

    If TLS needs to be enabled, add the --set ingress.tls.enabled=true and --set ingress.tls.domain=<domain name> parameters. The example below reuses the Kubernetes secret created for the API Access service to retrieve the certificates.

    helm upgrade --install cdrplatform-portal-access cdrplatform-portal-access \
      --set image.repository=glasswallhub.azurecr.io/cdrplatform-portal-access \
      --set image.tag=144773 \
      --set ingress.tls.enabled=true \
      --set ingress.tls.domain=<domain-name> \
      --set ingress.tls.secretName=tls-secret \
      --set configuration.AuthenticationScheme=None \
      --atomic

    8.5B For deployments without TLS/SSL

    helm upgrade --install cdrplatform-portal-access cdrplatform-portal-access \
      --set image.repository=glasswallhub.azurecr.io/cdrplatform-portal-access \
      --set configuration.AuthenticationScheme=None \
      --set image.tag=144773 \
      --atomic

    8.5C Without authentication

    helm upgrade --install cdrplatform-portal-access cdrplatform-portal-access \
     --set image.repository=glasswallhub.azurecr.io/cdrplatform-portal-access \
     --set image.tag=144773 \
     --set configuration.AuthenticationScheme=None \
     --atomic

    8.5D To enable Azure AD authentication

    Portal Access supports SSO authentication using Azure AD. Set the tenant_id and portal_domain variables in the commands below and run them.

    tenant_id=""
    portal_domain=""
    helm upgrade --install cdrplatform-portal-access cdrplatform-portal-access \
     --set image.repository=glasswallhub.azurecr.io/cdrplatform-portal-access \
     --set image.tag=144773 \
     --set ingress.tls.enabled=true \
     --set ingress.tls.domain=${portal_domain} \
     --set ingress.tls.secretName=tls-secret \
     --set configuration.AuthenticationScheme=Bearer \
     --set configuration.Authentication__Schemes__Bearer__ValidAudiences__0=api://cdrplatform-portal-access \
     --set configuration.Authentication__Schemes__Bearer__ValidIssuer=https://sts.windows.net/${tenant_id}/ \
     --set configuration.Authentication__Schemes__Bearer__Authority=https://login.microsoftonline.com/${tenant_id}/v2.0/ \
     --atomic
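    Both the api-access chart (8.3D) and the portal-access chart (8.5D) accept a token only when its iss and aud claims match the ValidIssuer and ValidAudiences__0 values set above, so reading those two claims from a token is the first thing to check when a request is answered with 401. Added example, not part of the Glasswall documentation: it assumes base64 and sed are available, the tenant ID is a placeholder, and the token it decodes is constructed and unsigned (signature validation is the services' job, not this script's).

```shell
# Compare the iss/aud claims of an Azure AD access token with the values the
# charts are deployed with. Added example, not Glasswall's code.

b64url_decode() {  # JWT segments use the URL-safe alphabet without padding
  s=$(printf '%s' "$1" | tr '_-' '/+')
  case $(( ${#s} % 4 )) in 2) s="$s==";; 3) s="$s=";; esac
  printf '%s' "$s" | base64 -d 2>/dev/null
}

claim() {  # claim JSON NAME -> string value (compact JSON only; use jq in real tooling)
  printf '%s' "$1" | sed -n "s/.*\"$2\":\"\([^\"]*\)\".*/\1/p"
}

# check_token TOKEN TENANT_ID EXPECTED_AUDIENCE -> 0 when iss matches
# https://sts.windows.net/<tenant>/ (ValidIssuer) and aud matches the expected
# audience (ValidAudiences__0). Does not verify the signature.
check_token() {
  payload=$(b64url_decode "$(printf '%s' "$1" | cut -d. -f2)")
  iss=$(claim "$payload" iss); aud=$(claim "$payload" aud)
  [ "$iss" = "https://sts.windows.net/$2/" ] || { echo "issuer mismatch: '$iss'" >&2; return 1; }
  [ "$aud" = "$3" ] || { echo "audience mismatch: '$aud'" >&2; return 1; }
  echo "claims match tenant $2 and audience $3"
}

# Constructed, unsigned token carrying only the two claims, for the demo only.
b64url_encode() { base64 | tr -d '\n=' | tr '+/' '-_'; }
make_demo_token() {  # make_demo_token TENANT_ID AUDIENCE
  h=$(printf '{"typ":"JWT","alg":"RS256"}' | b64url_encode)
  p=$(printf '{"aud":"%s","iss":"https://sts.windows.net/%s/"}' "$2" "$1" | b64url_encode)
  printf '%s.%s.placeholder-signature' "$h" "$p"
}

TENANT="00000000-0000-0000-0000-000000000000"   # placeholder tenant ID
tok=$(make_demo_token "$TENANT" "api://cdrplatform-api-access")
check_token "$tok" "$TENANT" "api://cdrplatform-api-access"
# The same token presented to portal-access is refused: its audience differs.
check_token "$tok" "$TENANT" "api://cdrplatform-portal-access" || echo "rejected as expected"
```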

    8.6 Policy API

    The Policy API manages policies for the CDR Platform content management flags. This is an optional service; install it if you would like to create and use custom policies.

    helm upgrade --install cdrplatform-policy-api cdrplatform-policy-api \
      --set image.repository=glasswallhub.azurecr.io/cdrplatform-policy-api \
      --set image.tag=144507 \
      --set configuration.DATABASE__Provider=${database_provider}

    The Policy API swagger page can be accessed at:

    http://<ip>/swagger/index.html
    

    8.7 License management

    The License management service manages the license in the CDR Platform.

    helm upgrade --install cdrplatform-license-management cdrplatform-license-management \
      --set image.repository=glasswallhub.azurecr.io/cdrplatform-license-management \
      --set image.tag=144502 \
      --set configuration.DATABASE__Provider=${database_provider} \
      -n license-management \
      --atomic

    8.8 Clean up service

    The Clean up service deletes the original and rebuilt files from persistent storage after the files have been processed.

    helm upgrade --install cdrplatform-cleanup cdrplatform-cleanup \
      --set image.repository=glasswallhub.azurecr.io/cdrplatform-cleanup \
      --set image.tag=144500 \
      --atomic

    8.9 Async API

    The Asynchronous API can be deployed using the command below. A MongoDB database is a prerequisite for the Async API.

    helm upgrade --install cdrplatform-async-api cdrplatform-async-api \
      --set image.tag=144738 \
      --set image.repository=glasswallhub.azurecr.io/cdrplatform-async-api \
      --set configuration.DATABASE__Provider=${database_provider} \
      --atomic

    8.10 Metrics collation (Removed from version 2.6.2)

    The Metrics collation service captures events from the CDR Platform and stores them in MongoDB. Deploy it only when using Halo version 2.6.1 or below.

    helm upgrade --install cdrplatform-metrics-collation cdrplatform-metrics-collation \
      --set image.tag=120018 \
      --set image.repository=glasswallhub.azurecr.io/cdrplatform-metrics-collation \
      --set configuration.DATABASE__Provider=${database_provider} \
      --set cloud_provider=azure \
      --atomic

    8.11 Metrics projection

    The Metrics projection service pulls reporting data from MongoDB for display in the Portal UI.

    helm upgrade --install cdrplatform-metrics-projection cdrplatform-metrics-projection \
      --set image.tag=144801 \
      --set image.repository=glasswallhub.azurecr.io/cdrplatform-metrics-projection \
      --set configuration.DATABASE__Provider=${database_provider} \
      --set cloud_provider=azure \
      --atomic

    8.12 Report extractor

    The Report extractor service extracts analysis reports and publishes them for reporting.

    helm upgrade --install cdrplatform-report-extractor cdrplatform-report-extractor \
      --set image.tag=144516 \
      --set image.repository=glasswallhub.azurecr.io/cdrplatform-report-extractor \
      --atomic

    8.13 Tally Accumulator

    The Tally accumulator service tracks and maintains a tally of usage statistics.

    helm upgrade --install cdrplatform-tally-accumulator cdrplatform-tally-accumulator \
      --set image.tag=144513 \
      --set image.repository=glasswallhub.azurecr.io/cdrplatform-tally-accumulator \
      --set configuration.DATABASE__Provider=${database_provider} \
      --atomic

    8.14 MongoDB

    *Note: If you have previously set up MongoDB in Azure and do not wish to install and manage MongoDB within your cluster, you can skip this step and proceed.

    MongoDB operator

    helm install community-operator mongodb/community-operator --namespace cdrplatform \
      --set operator.version=0.9.0 \
      --set agent.version=107.0.0.8465-1 \
      --atomic

    MongoDB

    helm upgrade -i cdrplatform-mongodb cdrplatform-mongodb -n cdrplatform --atomic \
      --set cloud_provider=azure

    • Retrieve the connection string from the k8s secret:

    kubectl get secret mongodb-cdrplatform-cdrp-user -o jsonpath='{.data.connectionString\.standard}' | base64 -d

    • Update the Azure Key Vault secret with the MongoDB connection string:

    az keyvault secret set --name "mongodb-connectionstring" --vault-name "${kvname}" --value "<output-from-previous-step>"

    8.15 Storage Monitoring Service

    The Storage Monitoring service provides an API to subscribe and track changes made to documents in a configured storage mechanism such as SharePoint.

    TLS must be enabled for the Webhook: add the --set ingress.tls.enabled=true and --set ingress.tls.domain=<domain name> parameters. The example below reuses the Kubernetes secret created for the API Access service to retrieve the certificates.

    helm upgrade --install cdrplatform-storage-monitor cdrplatform-storage-monitor --wait --atomic \
        --set image.tag="144514" \
        --set image.repository="glasswallhub.azurecr.io/cdrplatform-storage-monitor" \
        --set configuration.DATABASE__Provider="${database_provider}" \
        --set configuration.WEBHOOKS__CallbackBaseAddress="https://<domain-name>" \
        --set ingress.tls.enabled=true \
        --set ingress.tls.domain=<domain-name> \
        --set ingress.tls.secretName=tls-secret

    8.16 Portal & API Access

    Use the command below to determine the External-IP associated with your cluster:

    Note: the External-IP is the same as the public IP address attached to the Azure load balancer.

    kubectl get services --namespace cdrplatform nginx-ingress-ingress-nginx-controller --output jsonpath='{.status.loadBalancer.ingress[0].ip}'

    You can now use the IP returned above to navigate to the Portal and API documentation (use https if TLS enabled):

    Portal: http://<ip>
    API Documentation: http://<ip>/swagger/index.html

    Congratulations, you have successfully deployed Glasswall Halo! We would love to get your thoughts on the setup process and how we can improve it, using the feedback option below.
