Prerequisites
    Article summary

    Before you begin deploying Glasswall's Constellations, ensure that you have the following tools and resources installed and set up.

    Required Tools

    Required Azure Resources

    1. AKS Cluster

    • Create 3 node pools
      • default: This is a system node pool and will be used to host Constellations services
      • engine: This is a user node pool and will be used to host Glasswall Halo Engine service
      • cdrplatform: This is a user node pool and will be used to host remaining Glasswall Halo services
    • The minimum node size is 4 vCPU and 16 GB RAM.
    • For production workloads, each node pool should have a minimum of 3 nodes.
    • The cluster should be configured with a vnet and subnet with sufficient IP address availability (a /16 CIDR range is recommended so that more than 16k IPs are available).
    • In the steps below, the AKS cluster is referred to as: aksname

    Note: Glasswall Constellations does not support ARM64 node VMs.

    For guidance on creating an AKS cluster please refer to:

    2. Key Vault

    • Constellations secrets are managed using Azure Key Vault. These secrets are synced into the AKS cluster via External Secrets.
    • In the steps below, the Key Vault is referred to as: kvname

    For guidance on creating an Azure Key Vault please refer to:

    3. CosmosDB NoSQL Database

    • CosmosDB is used to store the Constellations scans data.
    • Create a CosmosDB account and a database with 24,000 RUs.
    • Create the collections below in the CosmosDB database with the given partition key. (The 24,000 RUs are provisioned at the database level, so there is no need to set RUs for individual collections.)
      • ScanCollection: /scanOwner
      • SegmentCollection: /scanId
      • FileMetadataCollection: /scanId
      • TransactionEventCollection: /scanId
      • LeaseCollection: /id
      • ScanSummaryProjection: /scanId
      • FileResultsProjection: /scanId
      • FilesFormatProjection: /scanId
      • ArchiveFileResultsProjection: /archiveId

    For guidance on creating a Cosmos DB, please refer to:
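    The node-pool and Cosmos DB requirements from sections 1 and 3 can be checked mechanically before installation. The following added example (not part of Glasswall's documentation or tooling) does this over the JSON that `az aks nodepool list` and `az cosmosdb sql container list` produce; the field names it reads (name, mode, vmSize, count and resource.partitionKey.paths), the VM-size naming heuristic for vCPU count and ARM64, and the sample input are all assumptions constructed for the example.

```python
import re

# Expected layout, taken from the prerequisites above.
EXPECTED_POOLS = {"default": "System", "engine": "User", "cdrplatform": "User"}
EXPECTED_CONTAINERS = {
    "ScanCollection": "/scanOwner", "SegmentCollection": "/scanId", "FileMetadataCollection": "/scanId",
    "TransactionEventCollection": "/scanId", "LeaseCollection": "/id", "ScanSummaryProjection": "/scanId",
    "FileResultsProjection": "/scanId", "FilesFormatProjection": "/scanId", "ArchiveFileResultsProjection": "/archiveId",
}
# Assumed naming heuristic: in Standard_D4s_v5 / Standard_D4ps_v5 the digits are the vCPU count, 'p' marks ARM64.
SIZE_RE = re.compile(r"^Standard_[A-Z]+(\d+)(p?)", re.I)

def check_nodepools(pools, min_nodes=3):
    """pools: parsed JSON from `az aks nodepool list` (assumed fields: name, mode, vmSize, count)."""
    issues, by_name = [], {p["name"]: p for p in pools}
    for name, mode in EXPECTED_POOLS.items():
        p = by_name.get(name)
        if p is None:
            issues.append(f"missing node pool '{name}'")
            continue
        if p.get("mode") != mode:
            issues.append(f"pool '{name}' mode is {p.get('mode')}, expected {mode}")
        m = SIZE_RE.match(p.get("vmSize", ""))
        if m is None or int(m.group(1)) < 4:
            issues.append(f"pool '{name}' size {p.get('vmSize')!r} is unrecognised or below 4 vCPU")
        elif m.group(2):
            issues.append(f"pool '{name}' uses ARM64 size {p['vmSize']} (not supported)")
        if p.get("count", 0) < min_nodes:
            issues.append(f"pool '{name}' has {p.get('count')} nodes, production minimum is {min_nodes}")
    return issues

def check_containers(containers):
    """containers: parsed JSON from `az cosmosdb sql container list` (assumed: name, resource.partitionKey.paths)."""
    found = {c["name"]: c.get("resource", {}).get("partitionKey", {}).get("paths") for c in containers}
    issues = []
    for name, path in EXPECTED_CONTAINERS.items():
        if name not in found:
            issues.append(f"missing container '{name}'")
        elif found[name] != [path]:
            issues.append(f"container '{name}' partition key is {found[name]}, expected ['{path}']")
    return issues

# Constructed sample input (not real cluster output): engine is ARM64, cdrplatform is too small with too few nodes.
SAMPLE_POOLS = [{"name": "default", "mode": "System", "vmSize": "Standard_D4s_v5", "count": 3},
                {"name": "engine", "mode": "User", "vmSize": "Standard_D4ps_v5", "count": 3},
                {"name": "cdrplatform", "mode": "User", "vmSize": "Standard_D2s_v5", "count": 1}]
# Constructed: every container except LeaseCollection, with ScanCollection keyed on the wrong path.
SAMPLE_CONTAINERS = [{"name": n, "resource": {"partitionKey": {"paths": [p]}}}
                     for n, p in EXPECTED_CONTAINERS.items() if n != "LeaseCollection"]
SAMPLE_CONTAINERS[0]["resource"]["partitionKey"]["paths"] = ["/id"]
```

    Run `check_nodepools` and `check_containers` on the real CLI output (for example `json.load` of `az aks nodepool list -g $rgp --cluster-name $aksname -o json`) and treat any returned issue as a blocker before starting the Helm install. RAM per node is not derivable from the size name, so verify the 16 GB minimum separately.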

    4. App registrations

    • An Azure App registration is needed when SSO authentication using Azure AD is to be enabled.
    • Create an App registration (e.g. ar-constellations-api).
    • Under the App roles blade, create 2 App roles: Admin and StandardUser.
      • Standard User:
        • Display name: StandardUser
        • Description: Standard Users have the ability to manage only their own scans
        • Allowed member types: Users/Groups, Applications
        • Value: StandardUser
      • Admin:
        • Display name: Admin
        • Description: Admins have the ability to manage all scans
        • Allowed member types: Users/Groups, Applications
        • Value: Admin

    Access to Glasswall Artifact Registry

    • You are provided with a Token & Token ID to access Glasswall's Artifact Registry.
    • This allows you to directly pull container images and Helm charts from your AKS cluster.
    • In the steps below, the Token and Token ID will be referred to as: token and token_ID.

    Assigning Variables

    Variables assigned before you begin

    The variables mentioned above need to be assigned before you can begin the Constellations installation. You'll need to replace "..." with your own values.

    • Azure Resource Group name: rgp="..."
    • Azure Kubernetes Service name: aksname="..."
    • Azure Key Vault name: kvname="..."
    • Azure Storage Account name: saname="..."
    • Azure CosmosDB Account name: cosmos_name="..."
    • Azure CosmosDB Database name: cosmos_db_name="..."
    • Azure Container Registry Token ID: token_ID="..."
    • Azure Container Registry Token: token="..."

    Variables assigned during steps

    The following variables will need to be assigned during the installation process as resources are created.

    • Azure Storage account connection string: saconnstring="..."
    • Object ID of the Managed Identity that is granted get and list permissions on the Key Vault: objectID="..."
    • Client ID of the Managed Identity used for Key Vault access during the Helm install: MIclientID="..."
    • RabbitMQ password to set in Constellations: rmq_password="..."
    • Domain name of the Constellations API, if you want to use one: api_domain="..."
    • Azure tenant ID: tenant_id="..."
    • Azure App registration URI: app_id_uri="..."
