Step 4 - Manage Secrets

    GKE IAM user

    • A GKE IAM user is included in the Prerequisites section with all the permissions required:
      • To enable Halo access to the Cloud Storage bucket which contains the CDR reports, an IAM user (compute@developer.gserviceaccount.com) is assigned the Compute Storage User/Admin role.

    Cloud Storage Bucket

    To enable Halo's access to the reporting Cloud Storage Bucket ('saname'):

    • Set your current project as the default project for interoperable access in the interoperability settings of Cloud Storage.
      • Navigate to Cloud Storage Settings and select the INTEROPERABILITY tab, then click Default project for interoperable access and select your project from the drop-down menu.
    • Create an Access key and Secret for storage, from the same tab as above.
      • Navigate to Cloud Storage Settings and select the INTEROPERABILITY tab, then in the Default project for interoperable access section, click Create key.

    Note: Principals can access Cloud Storage data according to their project roles. To modify other permissions, use these group IDs to identify these roles.

    • Add your Access key and Secret for Storage to Kubernetes Secrets:
    kubectl create secret generic storage-access -n cdrplatform --from-literal=storage-access-key=<Add-Value> --from-literal=storage-secret-key=<Add-Value>

    MongoDB connection string

    To enable Glasswall Halo's Policy API to create and manage the policies in MongoDB, and the Async API to create and manage the requests, MongoDB needs to be deployed using the Helm charts listed in Step 8.

    Add the MongoDB passwords to Kubernetes Secrets

    Two users will be created by the MongoDB Helm chart, and each user's password needs to be set in Kubernetes Secrets.

    kubectl create secret generic cdrplatform-secrets -n cdrplatform --from-literal=mongodb-cdrp-password=<Add-Value> --from-literal=mongodb-admin-password=<Add-Value>
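
    Both kubectl create secret commands above pass the values with --from-literal, which places them on the command line where shell history and process listings can record them. The bash functions below are an added example, not part of the original page: they read each value from a no-echo prompt and pipe a Secret manifest to kubectl. prompt_value and render_secret are hypothetical helper names; the secret names, keys and namespace are the ones this page uses.

```shell
#!/usr/bin/env bash
# Added example (not from the original page): build the Secret manifest from
# stdin so values never appear in argv, `ps` output or shell history.

# prompt_value KEY: read one value from the terminal with echo disabled and
# print it as KEY=value for render_secret (hypothetical helper).
prompt_value() {
  local value
  read -rsp "$1: " value </dev/tty
  echo >&2
  printf '%s=%s\n' "$1" "$value"
}

# render_secret NAMESPACE NAME: read KEY=value lines on stdin and print an
# Opaque Secret manifest. Nothing is printed if any entry is invalid.
render_secret() {
  local ns="$1" name="$2" line key value enc out
  out="apiVersion: v1
kind: Secret
metadata:
  name: $name
  namespace: $ns
type: Opaque
data:"
  while IFS= read -r line || [ -n "$line" ]; do
    [ -n "$line" ] || continue
    key="${line%%=*}"      # text before the first '='
    value="${line#*=}"     # text after it; may itself contain '='
    case "$key" in
      "$line"|""|*[!A-Za-z0-9._-]*)
        echo "render_secret: invalid entry or key name" >&2; return 1 ;;
    esac
    case "$value" in
      ""|"<"*">")
        echo "render_secret: empty or placeholder value for $key" >&2; return 1 ;;
    esac
    enc="$(printf '%s' "$value" | base64 | tr -d '\n')"
    out="$out
  $key: $enc"
  done
  printf '%s\n' "$out"
}

# Usage, with the names this page uses:
#   { prompt_value storage-access-key; prompt_value storage-secret-key; } |
#     render_secret cdrplatform storage-access | kubectl apply -f -
```

    The same pipeline with the keys mongodb-cdrp-password and mongodb-admin-password and the name cdrplatform-secrets covers the MongoDB secret; a leftover <Add-Value> placeholder is rejected before anything reaches the cluster.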

    Menlo API key

    To enable API key based authentication in Menlo API, add a secret menlo-api-key with an API key you would like to use.

    echo -n "<strong_api_key>" | gcloud secrets create "menlo-api-key" --data-file=- --replication-policy="automatic"
    


     

