Step 9 - Install Constellations components

    9.1 - Install RabbitMQ for Constellations

    • Ensure you set a strong password for the services to connect to RabbitMQ
    helm upgrade --install constellations-rabbitmq -n common-services constellations-rabbitmq --create-namespace \
      --set replicas=3 \
      --atomic

    9.2 - Install Constellations external secrets

    For this step, select the same method which you used to configure your access to the Key Vault in Step 4 (Managed Identity or Service Principal), and follow the corresponding steps below to configure external secrets and install the secret synchronization.

    9.2A - Managed Identity

    • Obtain the kubelet Managed Identity client ID via the following command.
    az aks show -g "${rgp}" -n "${aksname}"
    
    • Find the same element as before ("identityProfile/kubeletidentity"), but this time take the Client ID value.
    • Next, install the supporting components (ensuring ${kvname} is substituted with the Key Vault name and ${MIclientID} with the value sourced above):
    helm upgrade --install constellations-external-secrets constellations-external-secrets \
    --set cloud_providers.azurekv.enabled=true \
    --set cloud_providers.azurekv.vaultUrl="https://${kvname}.vault.azure.net" \
    --set cloud_providers.azurekv.clientId=${MIclientID}  \
    -n scan-management
    
    helm upgrade --install constellations-external-secrets constellations-external-secrets \
    --set cloud_providers.azurekv.enabled=true \
    --set cloud_providers.azurekv.vaultUrl="https://${kvname}.vault.azure.net" \
    --set cloud_providers.azurekv.clientId=${MIclientID}  \
    -n event-collation
    
    


    OR

    9.2B - Service Principal

    In addition to the 'ClientID' and 'ClientSecret' you set in the previous Service Principal step, you will also need the 'tenantId' of the Service Principal. The 'tenantId' can be found in Azure Active Directory.

    • Once obtained, enter the following commands to install the cdrplatform external secrets so that they use the desired Service Principal.
    helm upgrade --install constellations-external-secrets constellations-external-secrets --create-namespace \
    --set cloud_providers.azurekv.enabled=true \
    --set cloud_providers.azurekv.authType=ServicePrincipal \
    --set cloud_providers.azurekv.tenantId=${tenantid} \
    --set cloud_providers.azurekv.authSecretRef.clientId.name=keyvault-service-principal \
    --set cloud_providers.azurekv.authSecretRef.clientId.key=ClientID \
    --set cloud_providers.azurekv.authSecretRef.clientSecret.name=keyvault-service-principal \
    --set cloud_providers.azurekv.authSecretRef.clientSecret.key=ClientSecret \
    --set cloud_providers.azurekv.vaultUrl="https://${kvname}.vault.azure.net" \
    -n scan-management
    
    helm upgrade --install constellations-external-secrets constellations-external-secrets --create-namespace \
    --set cloud_providers.azurekv.enabled=true \
    --set cloud_providers.azurekv.authType=ServicePrincipal \
    --set cloud_providers.azurekv.tenantId=${tenantid} \
    --set cloud_providers.azurekv.authSecretRef.clientId.name=keyvault-service-principal \
    --set cloud_providers.azurekv.authSecretRef.clientId.key=ClientID \
    --set cloud_providers.azurekv.authSecretRef.clientSecret.name=keyvault-service-principal \
    --set cloud_providers.azurekv.authSecretRef.clientSecret.key=ClientSecret \
    --set cloud_providers.azurekv.vaultUrl="https://${kvname}.vault.azure.net" \
    -n event-collation
    


    9.3 - Install Scan Management services

    helm upgrade --install constellations-page-scanner -n scan-management constellations-page-scanner --create-namespace \
      --set image.repository=glasswallhub.azurecr.io/constellations-page-scanner \
      --set image.tag=96273 \
      --atomic
    
    helm upgrade --install constellations-scan-preprocessor -n scan-management constellations-scan-preprocessor --create-namespace \
      --set image.repository=glasswallhub.azurecr.io/constellations-scan-preprocessor \
      --set image.tag=103135 \
      --atomic

    9.4 - Install Scan Controller service

    9.4A - Without TLS configuration


    helm upgrade --install constellations-scan-controller -n scan-management constellations-scan-controller --create-namespace \
      --set image.repository=glasswallhub.azurecr.io/constellations-scan-controller \
      --set image.tag=104178 \
      --set configuration.Authentication__EnableAuth=false \
      --set secretsFromRef[0].DATABASE__AuthKeyOrResourceToken.secretName=scan-controller-externalsecrets \
      --set secretsFromRef[0].DATABASE__AuthKeyOrResourceToken.key=azure-cosmosdb-primarykey \
      --set secretsFromRef[1].DATABASE__AccountEndpoint.secretName=scan-controller-externalsecrets \
      --set secretsFromRef[1].DATABASE__AccountEndpoint.key=azure-cosmosdb-accountendpoint \
      --set secretsFromRef[2].DATABASE__DatabaseName.secretName=scan-controller-externalsecrets \
      --set secretsFromRef[2].DATABASE__DatabaseName.key=azure-cosmosdb-databasename \
      --set secretsFromRef[3].QUEUE__Username.secretName=event-projection-externalsecrets \
      --set secretsFromRef[3].QUEUE__Username.key=constellations-rmq-username \
      --set secretsFromRef[4].QUEUE__Password.secretName=event-projection-externalsecrets \
      --set secretsFromRef[4].QUEUE__Password.key=constellations-rmq-password \
      --set "kvSecrets={azure-cosmosdb-primarykey,azure-cosmosdb-accountendpoint,azure-cosmosdb-databasename,constellations-rmq-username,constellations-rmq-password}" \
      --atomic

    9.4B - With TLS configuration and without AAD authentication

    To use TLS certificates on the Constellations API, create a private key and certificate for the domain that will be used.

    Create a Kubernetes TLS secret from the key and certificate files with the command below. It creates a secret named "scan-controller-tls" from server.key (private key) and server.crt (certificate). The key must not be passphrase protected in this example.

    kubectl create secret tls scan-controller-tls --key server.key --cert server.crt -n scan-management
    

    The scan-controller-tls secret can then be referenced by the service's ingress; make sure the domain name is set in the command below:

    api_domain=""
    helm upgrade --install constellations-scan-controller -n scan-management constellations-scan-controller --create-namespace \
      --set image.repository=glasswallhub.azurecr.io/constellations-scan-controller \
      --set image.tag=104178 \
      --set ingress.tls.enabled=true \
      --set ingress.tls.domain=${api_domain} \
      --set ingress.tls.secretName=scan-controller-tls \
      --set configuration.Authentication__EnableAuth=false \
      --set secretsFromRef[0].DATABASE__AuthKeyOrResourceToken.secretName=scan-controller-externalsecrets \
      --set secretsFromRef[0].DATABASE__AuthKeyOrResourceToken.key=azure-cosmosdb-primarykey \
      --set secretsFromRef[1].DATABASE__AccountEndpoint.secretName=scan-controller-externalsecrets \
      --set secretsFromRef[1].DATABASE__AccountEndpoint.key=azure-cosmosdb-accountendpoint \
      --set secretsFromRef[2].DATABASE__DatabaseName.secretName=scan-controller-externalsecrets \
      --set secretsFromRef[2].DATABASE__DatabaseName.key=azure-cosmosdb-databasename \
      --set secretsFromRef[3].QUEUE__Username.secretName=event-projection-externalsecrets \
      --set secretsFromRef[3].QUEUE__Username.key=constellations-rmq-username \
      --set secretsFromRef[4].QUEUE__Password.secretName=event-projection-externalsecrets \
      --set secretsFromRef[4].QUEUE__Password.key=constellations-rmq-password \
      --set "kvSecrets={azure-cosmosdb-primarykey,azure-cosmosdb-accountendpoint,azure-cosmosdb-databasename,constellations-rmq-username,constellations-rmq-password}" \
      --atomic

    9.4C - With TLS configuration and with AAD authentication

    To use TLS certificates on the Constellations API, create a private key and certificate for the domain that will be used.

    Create a Kubernetes TLS secret from the key and certificate files with the command below. It creates a secret named "scan-controller-tls" from server.key (private key) and server.crt (certificate). The key must not be passphrase protected in this example.

    kubectl create secret tls scan-controller-tls --key server.key --cert server.crt -n scan-management
    

    The scan-controller-tls secret can then be referenced by the service's ingress; make sure the domain name is set in the command below.
    Make sure to also set the application ID URI of the app registration and the tenant ID in the command below.

    api_domain=""
    tenant_id=""
    app_id_uri=""
    helm upgrade --install constellations-scan-controller -n scan-management constellations-scan-controller --create-namespace \
      --set image.repository=glasswallhub.azurecr.io/constellations-scan-controller \
      --set image.tag=104178 \
      --set ingress.tls.enabled=true \
      --set ingress.tls.domain=${api_domain} \
      --set ingress.tls.secretName=scan-controller-tls \
      --set configuration.Authentication__EnableAuth=true \
      --set configuration.Authentication__Schemes__Bearer__Authority="https://login.microsoftonline.com/common" \
      --set configuration.Authentication__Schemes__Bearer__ValidIssuer=https://sts.windows.net/${tenant_id}/ \
      --set configuration.Authentication__Schemes__Bearer__ValidAudiences=api://${app_id_uri} \
      --atomic

    9.5 - Install CDR Enabler Service

    helm upgrade --install constellations-cdr-enabler -n cdr-enabler constellations-cdr-enabler --create-namespace \
      --set image.repository=glasswallhub.azurecr.io/constellations-cdr-enabler \
      --set image.tag=103371 \
      --atomic

    9.6 - Install Event Collation Service

    helm upgrade --install constellations-event-collation -n event-collation constellations-event-collation \
      --set image.repository=glasswallhub.azurecr.io/constellations-event-collation \
      --set image.tag=87723 \
      --set secrets.QueueCreds.QUEUE__Password="${rmq_password}" \
      --atomic
    

    9.7 - Install Event Projection Service

    9.7A - Without TLS configuration

    helm upgrade --install constellations-event-projection -n event-collation constellations-event-projection \
      --set image.repository=glasswallhub.azurecr.io/constellations-event-projection \
      --set image.tag=104179 \
      --set configuration.Authentication__EnableAuth=false \
      --set secretsFromRef[0].DATABASE__AuthKeyOrResourceToken.secretName=event-projection-externalsecrets \
      --set secretsFromRef[0].DATABASE__AuthKeyOrResourceToken.key=azure-cosmosdb-primarykey \
      --set secretsFromRef[1].DATABASE__AccountEndpoint.secretName=event-projection-externalsecrets \
      --set secretsFromRef[1].DATABASE__AccountEndpoint.key=azure-cosmosdb-accountendpoint \
      --set secretsFromRef[2].DATABASE__DatabaseName.secretName=event-projection-externalsecrets \
      --set secretsFromRef[2].DATABASE__DatabaseName.key=azure-cosmosdb-databasename \
      --set secretsFromRef[3].QUEUE__Username.secretName=event-projection-externalsecrets \
      --set secretsFromRef[3].QUEUE__Username.key=constellations-rmq-username \
      --set secretsFromRef[4].QUEUE__Password.secretName=event-projection-externalsecrets \
      --set secretsFromRef[4].QUEUE__Password.key=constellations-rmq-password \
      --set "kvSecrets={azure-cosmosdb-primarykey,azure-cosmosdb-accountendpoint,azure-cosmosdb-databasename,constellations-rmq-username,constellations-rmq-password}" \
      --atomic

    9.7B - With TLS configuration and without AAD authentication

    To use TLS certificates on the Constellations API, create a private key and certificate for the domain that will be used.

    Create a Kubernetes TLS secret from the key and certificate files with the command below. It creates a secret named "event-projection-tls" from server.key (private key) and server.crt (certificate). The key must not be passphrase protected in this example.

    kubectl create secret tls event-projection-tls --key server.key --cert server.crt -n event-collation
    

    The event-projection-tls secret can then be referenced by the service's ingress; make sure the domain name is set in the command below:

    api_domain=""
    helm upgrade --install constellations-event-projection -n event-collation constellations-event-projection \
      --set image.repository=glasswallhub.azurecr.io/constellations-event-projection \
      --set image.tag=104179 \
      --set configuration.Authentication__EnableAuth=false \
      --set secretsFromRef[0].DATABASE__AuthKeyOrResourceToken.secretName=event-projection-externalsecrets \
      --set secretsFromRef[0].DATABASE__AuthKeyOrResourceToken.key=azure-cosmosdb-primarykey \
      --set secretsFromRef[1].DATABASE__AccountEndpoint.secretName=event-projection-externalsecrets \
      --set secretsFromRef[1].DATABASE__AccountEndpoint.key=azure-cosmosdb-accountendpoint \
      --set secretsFromRef[2].DATABASE__DatabaseName.secretName=event-projection-externalsecrets \
      --set secretsFromRef[2].DATABASE__DatabaseName.key=azure-cosmosdb-databasename \
      --set secretsFromRef[3].QUEUE__Username.secretName=event-projection-externalsecrets \
      --set secretsFromRef[3].QUEUE__Username.key=constellations-rmq-username \
      --set secretsFromRef[4].QUEUE__Password.secretName=event-projection-externalsecrets \
      --set secretsFromRef[4].QUEUE__Password.key=constellations-rmq-password \
      --set "kvSecrets={azure-cosmosdb-primarykey,azure-cosmosdb-accountendpoint,azure-cosmosdb-databasename,constellations-rmq-username,constellations-rmq-password}" \
      --set ingress.tls.enabled=true \
      --set ingress.tls.domain=${api_domain} \
      --set ingress.tls.secretName=event-projection-tls \
      --atomic

    9.7C - With TLS configuration and with AAD authentication

    To use TLS certificates on the Constellations API, create a private key and certificate for the domain that will be used.

    Create a Kubernetes TLS secret from the key and certificate files with the command below. It creates a secret named "event-projection-tls" from server.key (private key) and server.crt (certificate). The key must not be passphrase protected in this example.

    kubectl create secret tls event-projection-tls --key server.key --cert server.crt -n event-collation
    

    The event-projection-tls secret can then be referenced by the service's ingress; make sure the domain name is set in the command below.
    Make sure to also set the application ID URI of the app registration and the tenant ID in the command below.

    api_domain=""
    tenant_id=""
    app_id_uri=""
    helm upgrade --install constellations-event-projection -n event-collation constellations-event-projection \
      --set image.repository=glasswallhub.azurecr.io/constellations-event-projection \
      --set image.tag=104179 \
      --set ingress.tls.enabled=true \
      --set ingress.tls.domain=${api_domain} \
      --set ingress.tls.secretName=event-projection-tls \
      --set configuration.Authentication__EnableAuth="true" \
      --set configuration.Authentication__Schemes__Bearer__Authority=https://login.microsoftonline.com/common \
      --set configuration.Authentication__Schemes__Bearer__ValidIssuer=https://sts.windows.net/${tenant_id}/ \
      --set configuration.Authentication__Schemes__Bearer__ValidAudiences=api://${app_id_uri} \
      --atomic
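    The AAD-enabled installs in 9.4C and 9.7C point the Bearer scheme at the "common" Authority, so it is the tenant-specific ValidIssuer and the api:// ValidAudiences values that restrict which tokens the API accepts. The following added example (not part of this guide or the Constellations charts) mirrors those two constraints over a decoded token's claims; TENANT_ID and APP_ID_URI are constructed placeholders, and the sample token carries a placeholder signature because signature validation belongs to the service's middleware, not to this check.

```python
import base64
import json

# Chart values from the AAD-enabled installs above. TENANT_ID and APP_ID_URI
# are constructed placeholders, not identifiers from a real deployment.
TENANT_ID = "11111111-2222-3333-4444-555555555555"
APP_ID_URI = "constellations-api.example.com"
VALID_ISSUER = f"https://sts.windows.net/{TENANT_ID}/"
VALID_AUDIENCES = {f"api://{APP_ID_URI}"}

def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def make_sample_token(claims: dict) -> str:
    """Constructed compact-JWS string with a placeholder signature segment,
    used only to give decode_claims realistic input (not issued by AAD)."""
    header = _b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}.placeholder-signature"

def decode_claims(token: str) -> dict:
    """Return the payload claims of a bearer token. No signature check here:
    the service's bearer middleware does that against the Authority's keys."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS token")
    return json.loads(_b64url_decode(parts[1]))

def rejection_reasons(claims: dict, valid_issuer: str = VALID_ISSUER,
                      valid_audiences: set = VALID_AUDIENCES) -> list:
    """List why a token would fail the ValidIssuer/ValidAudiences constraints
    (empty list means the claims satisfy both)."""
    reasons = []
    if claims.get("iss") != valid_issuer:
        reasons.append(f"issuer {claims.get('iss')!r} != ValidIssuer {valid_issuer!r}")
    aud = claims.get("aud")
    audiences = set(aud) if isinstance(aud, list) else {aud}
    if not audiences & valid_audiences:
        reasons.append(f"audience {aud!r} not in ValidAudiences {sorted(valid_audiences)!r}")
    return reasons

if __name__ == "__main__":
    # Token from another tenant: the 'common' Authority trusts its signing keys,
    # but the tenant-specific ValidIssuer rejects it.
    foreign = {"iss": "https://sts.windows.net/99999999-0000-0000-0000-000000000000/",
               "aud": f"api://{APP_ID_URI}"}
    print(rejection_reasons(decode_claims(make_sample_token(foreign))))
```

    A token carrying a v2.0 issuer (https://login.microsoftonline.com/{tenant}/v2.0) fails the same issuer check, so the app registration must issue v1 access tokens for the sts.windows.net ValidIssuer value used above.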

    9.8 - Install Autoscaling

    helm upgrade --install constellations-autoscaling -n common-services constellations-autoscaling \
      --set secrets.QueueCreds.QUEUE__Password=${rmq_password} \
      --atomic
    

    9.9 - Retrieve scan & scan results endpoints

    Use the command below to determine the External-IP associated with your cluster:

    Note: the External-IP is the same as the public IP address attached to the Azure load balancer.

    kubectl get services --namespace common-services nginx-ingress-ingress-nginx-controller --output jsonpath='{.status.loadBalancer.ingress[0].ip}'
    

    You can now use the IP returned above to navigate to the scan and scan results API documentation (use https if TLS is enabled):

    Scan API Documentation: http://<ip>/scans/swagger/index.html
    Scan results API Documentation: http://<ip>/scan-results/swagger/index.html
    



    Congratulations, you have successfully deployed Glasswall Constellations! We would love to get your thoughts on the setup process and how we can improve it, using the feedback option below.

