Contents x
Step 4 - Manage Secrets
    • PDF
    Contents

    Step 4 - Manage Secrets

      • PDF
      Article summary

      GKE IAM user

      • A GKE IAM user is included in the Prerequisites section with all the permissions  required:
        • To enable Halo access to the Cloud Storage bucket which contains the CDR reports, an IAM user (compute@developer.gserviceaccount.com) is assigned the Compute Storage User/Admin role.

      Cloud Storage Bucket

      To enable Halo's access to the reporting Cloud Storage Bucket ('saname'):

      • Enable your current project as the default project for interoperable access within the interoperability settings within your Cloud Storage settings.
        • Navigate to Cloud Storage Settings and select the INTEROPERABILITY tab, then click Default project for interoperable access and select your project from the drop down menu.
      • Create Access key and Secret for storage, like above.
        • Navigate to Cloud Storage Settings and select the INTEROPERABILITY tab, then in the Default project for interoperable access section, click Create key.

      Note: Principals can access Cloud Storage data according to their project roles. To modify other permissions, use these group IDs to identify these roles.

      • Add your Access key and Secret for Storage to Kubernetes Secrets:
      kubectl create secret generic storage-access -n cdrplatform --from-literal=storage-access-key=<Add-Value> --from-literal=storage-secret-key=<Add-Value>

      MongoDB connection string

      To enable Glasswall Halo's Policy API to create and manage the policies in MongoDB, and Async API to create and manage the requests, MongoDB needs to be deployed using Helm charts listed in Step 8. 

      Add the MongoDB passwords to Kubernetes Secrets

      Two users will be created by the MongoDB Helm chart and the corresponding user's password needs to be set in Kubernetes Secrets.

      kubectl create secret generic cdrplatform-secrets -n cdrplatform --from-literal=mongodb-cdrp-password=<Add-Value> --from-literal=mongodb-admin-password=<Add-Value>

      Menlo API key

      To enable API key based authentication in Menlo API, add a secret menlo-api-key with an API key you would like to use.

      echo -n "<strong_api_key>" | gcloud secrets create "menlo-api-key" --data-file --replication-policy="automatic"


       

      Was this article helpful?
      What's Next