Prerequisites

Before you begin the process of deploying Glasswall Halo, ensure that you have the following tools and resources installed and setup.

System Requirements

The following guide has been written assuming it is being run on a Linux shell. If running on a different shell, some of the commands may need to be modified to run.

If running on Windows, please ensure you are using Windows Subsystem for Linux.

Required Tools

• Helm
• Kubectl
• AWS CLI

Required AWS Resources

1. EKS Cluster

• Recommended total of at least 8 vCPU and 32 GB RAM.
• Minimum node size is 4 vCPU and 16 GB RAM.
• For production workloads a minimum of 2 nodes is recommended.
• Make sure the EKS cluster has an IAM OIDC provider. 
  • Please refer to AWS Documentation to determine if the cluster has an IAM OIDC provider or if you need to create one.
• In the steps below, the EKS cluster is referred to as: eksname

Note: Glasswall Halo does not support ARM64 node VMs.

For guidance on creating an EKS cluster please refer to:

• Create EKS Cluster - Console 
• Create EKS Cluster - CLI 
• AWS Elastic Kubernetes Service - Best Practices

2. EFS

An AWS Elastic File System (EFS) is used to create Persistent volumes in EKS.

• Create the EFS in the same VPC where the EKS is created.

For guidance on creating EFS please refer to:

• Create EFS - Console 
• Create EFS - CLI 

3. S3 Bucket

An S3 bucket is used to store reports for each file processed by the platform.

4. IAM Roles for service accounts

• Two IAM roles need to be created for 2 Kubernetes service accounts deployed through the Helm charts. The Amazon Resource Names (ARN) of these roles are required during deployment of the Helm charts.
  • Role 1: role-cdrp-efs-csi-<suffix>
  • Role 2: role-cdrp-ext-secrets-<suffix>
• A shell script can be used to create the IAM roles. This script can be downloaded from the bottom of this page. 
• Pass AWS region, EKS cluster name and a  suffix as 3 arguments to the script. For e.g.

bash create-aws-roles.sh eu-west-1 eks-cdrp-dev dev

For guidance on creating IAM roles for service accounts, please refer to AWS Documentation.

5. MongoDB Database

MongoDB is used to store Glasswall Halo's content management policies. The MongoDB is used by the cdrplatform-policy-api service

• Deploy a DocumentDB which is MongoDB API compatible.
• If you do not require a Policy Management API and Async API, this step can be skipped.
• If DocumentDB is not available in AWS Gov Cloud, MongoDB kubernetes operator can be used to deploy the MongoDB in the EKS cluster.

Note: alternatively, MongoDB can deployed directly inside of your cluster,  using the MongoDB Helm Charts, as seen in Step 7.

Access to Glasswall Artifact Registry

• You are provided with a Token & Token ID to access Glasswall's Artifact Registry.
• This allows you to directly pull container images and Helm charts from your AKS cluster.
• In the steps below, the Token and Token ID will be referred to as: token and token_ID.

Continue  Need help?