Step 8 - Install CDR components
    • PDF

    Step 8 - Install CDR components

    • PDF

    Article summary

    Finally, install the CDR application services. For these charts, ensure you set the image tag to the corresponding tag found in the Release Notes.

    The examples below are pre-populated with the tags for v2.6.2.  

    8.1 - Engine

    To integrate Halo with Reversing Labs, set the `enable_reversing_labs` variable to `true` below. Make sure to create Reversing Labs secrets in the KeyVault as mentioned in the Step 3.

    enable_reversing_labs=""
    helm upgrade --install cdrplatform-engine cdrplatform-engine \
      --set image.tag=123571 \
      --set image.repository=glasswallhub.azurecr.io/cdrplatform-engine \
      --set configuration.ENABLE_REVERSING_LABS="${enable_reversing_labs}" \
      --atomic

    8.2 - Sync API

    helm upgrade --install cdrplatform-sync-api cdrplatform-sync-api \
      --set image.tag=122850 \
      --set image.repository=glasswallhub.azurecr.io/cdrplatform-sync-api \
      --atomic

    8.3 - API Access Service

    The API Access service acts as a gateway service to access Glasswall Halo's Synchronous API and Policy API.

    It exposes the CDR functionality via HTTP - in your environment you may require this to be done with TLS/SSL via HTTPS, if this is the case follow the instructions to install with TLS/SSL. Otherwise follow the instructions to install without.

    8.3A - For deployments without TLS/SSL

    helm upgrade --install cdrplatform-api-access cdrplatform-api-access \
     --set image.repository=glasswallhub.azurecr.io/cdrplatform-api-access \
     --set image.tag=122620 \
     --atomic

    8.3B - For deployments with TLS/SSL

    To use SSL certificates on CDR API, create a private key and certificate for the domain to be used.

    Create a Kubernetes secret using the key and crt files using the command below. With this command we create a secret with the name "tls-secret" from the files server.key (private key) and server.crt (certificate). The key should not be passphrase protected in this example.

    kubectl create secret tls tls-secret --key server.key --cert server.crt

    This secret can then be used to enable TLS on the ingress ensuring that the domain name is set on the command below:

    helm upgrade --install cdrplatform-api-access cdrplatform-api-access \
      --set image.tag=122620\
      --set image.repository=glasswallhub.azurecr.io/cdrplatform-api-access \
      --set ingress.tls.enabled=true \
      --set ingress.tls.domain=<domain name> \
      --set ingress.tls.secretName=tls-secret \
      --atomic

    8.3C - To enable Basic API authentication

    The Authentication in Glasswall Halo is disabled by default. When enabled, the authentication will be enabled for both Glasswall Halo's Synchronous API and Policy API. 

    If authentication needs to be enabled:

    • Create 2 secrets in Azure Key Vault; one for the Organisation ID and another for Organization Tokens. When passing multiple tokens, separate them by a comma(","), hence make sure the token itself cannot have a comma(",").
    • The secrets in Azure Key Vault should follow the naming convention below:
      • The secret for Organisation ID should start with 'organisation' and end with '-id' with a number in between. For example 'organisation0-id', 'organisation1-id', 'organisation2-id' etc.
      • The secret for Organisation Tokens should start with 'organisation' and end with '-tokens' with a number in between. For example 'organisation0-tokens', 'organisation2-tokens', 'organisation3-tokens' etc.
    • Set configuration.AuthenticationScheme=Basic while deploying the helm chart. For example:
    helm upgrade --install cdrplatform-api-access  cdrplatform-api-access \
      --set image.repository=glasswallhub.azurecr.io/cdrplatform-api-access \
      --set image.tag=122620 \
      --set configuration.AuthenticationScheme=Basic \
      --atomic

    To enable API key based authentication in Menlo, set configuration.MenloAuthenticationScheme=ApiKey. Ensure menlo-api-key secret has been added to the Vault in Step 3.

    helm upgrade --install cdrplatform-api-access  cdrplatform-api-access \
      --set image.repository=glasswallhub.azurecr.io/cdrplatform-api-access \
      --set image.tag=122620 \
      --set configuration.AuthenticationScheme=Basic \
      --set configuration.MenloAuthenticationScheme=ApiKey \
      --atomic

    8.3D - To enable Azure AD API authentication

    To enable Azure AD based authentication, set configuration.AuthenticationScheme=Bearer and set tenant_id and domain_name variables while deploying the helm chart. For example:

    tenant_id=""
    domain_name=""
    helm upgrade --install cdrplatform-api-access cdrplatform-api-access --wait --atomic \
      --set image.tag="122620" \
      --set image.repository="glasswallhub.azurecr.io/cdrplatform-api-access" \
      --set ingress.tls.enabled=true \
      --set ingress.tls.domain=${domain_name} \
      --set ingress.tls.secretName=tls-secret \
      --set configuration.AuthenticationScheme="Bearer" \
      --set configuration.Authentication__Schemes__Bearer__ValidAudiences__0=api://cdrplatform-api-access \
      --set configuration.Authentication__Schemes__Bearer__ValidIssuer=https://sts.windows.net/${tenant_id}/ \
      --set configuration.Authentication__Schemes__Bearer__Authority=https://login.microsoftonline.com/${tenant_id}/v2.0/

    8.4 - Portal

    To deploy Portal service, run the commands below:

    8.4A - For deployments without TLS/SSL

    Note that the <IP-address> mentioned in this command refers to the Load Balancer's public IP address. This can be retrieved through the Portal & API Access steps below.

    helm upgrade --install cdrplatform-portal cdrplatform-portal \
      --set image.repository=glasswallhub.azurecr.io/cdrplatform-portal \
      --set configuration.BackendUrl="http://<IP-address>" \
      --set image.tag=122959 \
      --set configuration.HaloVersion=2.6.2 \
      --atomic

    8.4B - For deployments with TLS/SSL

    If TLS needs to be enabled, add the --set ingress.tls.enable_tls=true and set portal_domain=<domain name> parameters - in the below example, it will use the same Kubernetes secret that was created for the API Access to retrieve the certificates.

    portal_domain=""
    helm upgrade --install cdrplatform-portal cdrplatform-portal \
      --set image.tag=122959 \
      --set image.repository=glasswallhub.azurecr.io/cdrplatform-portal \
      --set ingress.tls.enabled=true \
      --set ingress.tls.domain=${portal_domain} \
      --set ingress.tls.secretName=tls-secret \
      --set configuration.BackendUrl="https://${portal_domain}" \
      --set configuration.HaloVersion=2.6.2 \
      --atomic

    8.4C - To configure SSO login in Halo Portal

    Set portal_domain, portal_client_id, tenant_id variables in the commands below and run them. The portal_domain is the domain name used to setup TLS for the portal service as well as the same domain used in the cdrplatform-portal-client app registration.

    portal_client_id is the Application (client) ID of the cdrplatform-portal-client app registration created in the prerequisites step.

    tenant_id is of the tenant where App registrations are created.

    enabled_pages should contain various pages that need to be enabled. Pass the values separated by comma(,). E.g it should be set to `PolicySettings\,IcapSettings\,IcapRequests\,IcapReporting` when Policy API and ICAP server are both deployed, or set to `PolicySettings` if only Policy API is deployed. If neither Policy API and ICAP server are deployed, then set it to empty `enabled_pages=""`.

    portal_domain=""
    portal_client_id=""
    tenant_id=""
    enabled_pages="PolicySettings"
    helm upgrade --install cdrplatform-portal cdrplatform-portal \
      --set image.repository=glasswallhub.azurecr.io/cdrplatform-portal \
      --set image.tag=122959 \
      --set ingress.tls.enabled=true \
      --set ingress.tls.domain=${portal_domain} \
      --set ingress.tls.secretName=tls-secret \
      --set configuration.BackendUrl="https://${portal_domain}" \
      --set configuration.EnabledPages=${enabled_pages} \
      --set configuration.OIDC.ProviderOptions.Authority="https://login.microsoftonline.com/${tenant_id}/v2.0" \
      --set configuration.OIDC.ProviderOptions.RedirectUri="https://${portal_domain}/authentication/login-callback" \
      --set configuration.OIDC.ProviderOptions.ClientId="${portal_client_id}" \
      --set configuration.OIDC.ProviderOptions.PostLogoutRedirectUri="https://${portal_domain}/authentication/logout-callback" \
      --set configuration.HaloVersion=2.6.2 \
      --atomic

    8.5 - Portal Access

    Portal Access acts as a backend for Portal. It enables Portal to access Policy API and Sync API.

    8.5A For deployments with TLS/SSL

    If TLS needs to be enabled, add the --set ingress.tls.enable_tls=true and --set ingress.tls.domain=<domain name> parameters - in the example below, it will use the same Kubernetes secret that was created for the API Access to retrieve the certificates.

    helm upgrade --install cdrplatform-portal-access cdrplatform-portal-access \
      --set image.repository=glasswallhub.azurecr.io/cdrplatform-portal-access \
      --set image.tag=120755 \
      --set ingress.tls.enabled=true \
      --set ingress.tls.domain=<domain-name> \
      --set ingress.tls.secretName=tls-secret \
      --set configuration.AuthenticationScheme=None \
      --atomic

    8.5B - For deployments without TLS/SSL

    helm upgrade --install cdrplatform-portal-access cdrplatform-portal-access \
      --set image.repository=glasswallhub.azurecr.io/cdrplatform-portal-access \
      --set configuration.AuthenticationScheme=None \
      --set image.tag=120755 \
      --atomic

    8.5C - Without authentication

    helm upgrade --install cdrplatform-portal-access cdrplatform-portal-access \
     --set image.repository=glasswallhub.azurecr.io/cdrplatform-portal-access \
     --set image.tag=120755 \
     --set configuration.AuthenticationScheme=None \
     --atomic

    8.5D - To enable Azure AD authentication

    Portal Access enables SSO authentication using Azure AD. Set tenant_id and portal_domain variables in the below commands and run them.

    tenant_id=""
    portal_domain=""
    helm upgrade --install cdrplatform-portal-access cdrplatform-portal-access \
     --set image.repository=glasswallhub.azurecr.io/cdrplatform-portal-access \
     --set image.tag=120755 \
     --set ingress.tls.enabled=true \
     --set ingress.tls.domain=${portal_domain} \
     --set ingress.tls.secretName=tls-secret \
     --set configuration.AuthenticationScheme=Bearer \
     --set configuration.Authentication__Schemes__Bearer__ValidAudiences__0=api://cdrplatform-portal-access \
     --set configuration.Authentication__Schemes__Bearer__ValidIssuer=https://sts.windows.net/${tenant_id}/ \
     --set configuration.Authentication__Schemes__Bearer__Authority=https://login.microsoftonline.com/${tenant_id}/v2.0/ \
     --atomic

    8.6 - Policy API

    The Policy API is used to manage policies for Glasswall Halo content management flags. This is an optional service, install this if you would like to create and use custom polices.

    helm upgrade --install cdrplatform-policy-api  cdrplatform-policy-api \
      --set image.repository=glasswallhub.azurecr.io/cdrplatform-policy-api \
      --set image.tag=122747 \
      --set configuration.DATABASE__Provider=${database_provider}

    Policy API swagger page can be accessed using:

    http://<ip>/swagger/index.html
    

    8.7 - License Management

    License management service is used to manage the license in Glasswall Halo.

    helm upgrade --install cdrplatform-license-management cdrplatform-license-management -n license-management\
      --set image.repository=glasswallhub.azurecr.io/cdrplatform-license-management \
      --set image.tag=119970 \
      --set configuration.DATABASE__Provider=${database_provider} \
      -n license-management \
      --atomic

    8.8 - Clean up Service

    Clean up service deletes the original and rebuilt files from the persistent storage after the files are processed.

    helm upgrade --install cdrplatform-cleanup cdrplatform-cleanup \
      --set image.repository=glasswallhub.azurecr.io/cdrplatform-cleanup \
      --set image.tag=123764 \
      --atomic

    8.9 - Async API

    The Asynchronous API can be deployed using the command below. A MongoDB database is a pre-requisite for  the Async API.

    helm upgrade --install cdrplatform-async-api cdrplatform-async-api \
      --set image.tag=119984\
      --set image.repository=glasswallhub.azurecr.io/cdrplatform-async-api \
      --set configuration.DATABASE__Provider=${database_provider} \
      --atomic

    8.10 - Metrics Collation (Removed from version 2.6.2)

    The Metrics Collation service captures events from Glasswall Halo and stores them in MongoDB. Deploy only when using Halo version 2.6.1 and below.

    helm upgrade --install cdrplatform-metrics-collation cdrplatform-metrics-collation \
      --set image.tag=123766\
      --set image.repository=glasswallhub.azurecr.io/cdrplatform-metrics-collation \
      --set configuration.DATABASE__Provider=${database_provider} \
      --set cloud_provider=azure \
      --atomic

    8.11 - Metrics Projection

    The Metrics Projection service is used to pull reporting data from MongoDB to display in the Portal UI.

    helm upgrade --install cdrplatform-metrics-projection cdrplatform-metrics-projection \
      --set image.tag=123045 \
      --set image.repository=glasswallhub.azurecr.io/cdrplatform-metrics-projection \
      --set configuration.DATABASE__Provider=${database_provider} \
      --set cloud_provider=azure \
      --atomic

    8.12 - Report Extractor

    The Report Extractor service extracts analysis reports and publishes them for reporting.

    helm upgrade --install cdrplatform-report-extractor cdrplatform-report-extractor \
      --set image.tag=123768 \
      --set image.repository=glasswallhub.azurecr.io/cdrplatform-report-extractor \
      --atomic

    8.13 - Tally Accumulator

    The Tally accumulator service tracks and maintains a tally of usage statistics.

    helm upgrade --install cdrplatform-tally-accumulator cdrplatform-tally-accumulator \
      --set image.tag=121659 \
      --set image.repository=glasswallhub.azurecr.io/cdrplatform-tally-accumulator \
      --set configuration.DATABASE__Provider=${database_provider} \
      --atomic

    8.14 - MongoDB

    Note: If you have previously configured and setup MongoDB within Azure and if you do not wish to manage and install MongoDB within your cluster, you can skip this step, and proceed to installing Portal Access below.

    MongoDB Operator

    helm install community-operator mongodb/community-operator --namespace cdrplatform \
      --set operator.version=0.9.0 \
      --set agent.version=107.0.0.8465-1 \
      --atomic

    MongoDB

    helm upgrade -i cdrplatform-mongodb cdrplatform-mongodb -n cdrplatform --atomic \
      --set cloud_provider=azure
    • Retrieve the connection string from the Kubernetes secret:
    kubectl get secret mongodb-cdrplatform-cdrp-user -o jsonpath='{.data.connectionString\.standard}' | base64 -d
    • Update the Azure Key Vault secret with the MongoDB connection string:
    az keyvault secret set --name "mongodb-connectionstring" --vault-name "${kvname}" --value "<output-from-previous-step>"

    8.15 - Portal & API Access

    Use the command below to determine the External-IP associated with your cluster: 

    Note: External-IP will be the same as the Public IP address attached to the Azure load balancer.

    • Determine the IP associated with your cluster:
    kubectl get services --namespace cdrplatform nginx-ingress-ingress-nginx-controller --output jsonpath='{.status.loadBalancer.ingress[0].ip}'
    • You can now use the IP returned above to navigate to the Portal and API Documentation (use https if TLS enabled):
    Portal: http://<ip>
    API Documentation: http://<ip>/swagger/index.html



    Congratulations, you have successfully deployed Glasswall Halo! We would love to get your thoughts on the setup process and how we can improve it, using the feedback option below.


    Was this article helpful?