Install Glasswall Halo in minikube

Prerequisites

• Access to Glasswall's Artifact Registry
  • In the steps below, the Token and Token ID will be referred to as: token and token_ID.
• Install & setup Docker
• Install & setup minikube
  • Ensure it is running via minikube start
• Minimum system requirements:
  • 8 CPU cores
  • 16 GB memory
• Install Helm & kubectl

Step 1 - Get access to Glasswall's Artifact Registry

Glasswall's Artifact Registry stores container images and Helm charts which you need to complete your Glasswall Halo installation.

• Run the command below to set minikube as the context.

kubectl config set-context minikube

All services associated with Glasswall Halo are deployed to a namespace within the target cluster.

• Create two namespace and then set the default context for the subsequent commands to be this newly created namespace (cdrplatform).

kubectl create namespace "cdrplatform"
kubectl create namespace "license-management"
kubectl config set-context --current --namespace="cdrplatform"

• To pull container images and Helm charts from Glasswall Artifact Registry, you need to use your token and token_ID in the following two commands.

kubectl create secret docker-registry acr-secret \
 --docker-server="glasswallhub.azurecr.io" --docker-username="${token_ID}" --docker-password="${token}"
kubectl create secret docker-registry acr-secret \
 --docker-server="glasswallhub.azurecr.io" --docker-username="${token_ID}" --docker-password="${token}" -n license-management

• Create a secret for MongoDB and generate your own password to be used.

kubectl create secret generic cdrplatform-secrets --from-literal=mongodb-cdrp-password="${new_password}" --from-literal=mongodb-admin-password="${new_password}"

• Login to the Helm registry using your token_ID and token as shown below.

helm registry login "glasswallhub.azurecr.io" -u "${token_ID}" -p "${token}"

See Glasswall Artifact Registry for a complete list of hosted container images and Helm charts.

Step 2 - Pull Helm charts

Glasswall Halo consists of Glasswall Helm charts hosted in our authenticated Glasswall Artifact Registry, along side a few industry recognized third-party charts.

• Before the charts can be installed, the right versions need to be pulled by Helm.
• An example pull command is shown below; this needs to be executed for each Helm chart listed.

helm pull oci://glasswallhub.azurecr.io/<repository> --version <version> --untar --untardir .

• The following example is pre-populated with the versions for v2.6.1.

helm pull oci://glasswallhub.azurecr.io/helm/cdrplatform-rabbitmq --version 0.6.2 --untar --untardir .
helm pull oci://glasswallhub.azurecr.io/helm/cdrplatform-external-secrets --version 0.4.0 --untar --untardir .
helm pull oci://glasswallhub.azurecr.io/helm/cdrplatform-storage --version 0.5.5 --untar --untardir .
helm pull oci://glasswallhub.azurecr.io/helm/cdrplatform-engine --version 0.2.2 --untar --untardir .
helm pull oci://glasswallhub.azurecr.io/helm/cdrplatform-sync-api --version 0.2.8 --untar --untardir .
helm pull oci://glasswallhub.azurecr.io/helm/cdrplatform-portal --version 0.2.2 --untar --untardir .
helm pull oci://glasswallhub.azurecr.io/helm/cdrplatform-policy-api --version 0.1.1 --untar --untardir .
helm pull oci://glasswallhub.azurecr.io/helm/cdrplatform-api-access --version 0.1.4 --untar --untardir .
helm pull oci://glasswallhub.azurecr.io/helm/cdrplatform-portal-access --version 0.0.4 --untar --untardir .
helm pull oci://glasswallhub.azurecr.io/helm/cdrplatform-license-management --version 0.1.1 --untar --untardir .
helm pull oci://glasswallhub.azurecr.io/helm/cdrplatform-cleanup --version 0.0.4 --untar --untardir .
helm pull oci://glasswallhub.azurecr.io/helm/cdrplatform-async-api --version  --untar --untardir .
helm pull oci://glasswallhub.azurecr.io/helm/cdrplatform-metrics-collation --version 0.0.4 --untar --untardir .
helm pull oci://glasswallhub.azurecr.io/helm/cdrplatform-metrics-projection --version 0.0.4 --untar --untardir .
helm pull oci://glasswallhub.azurecr.io/helm/cdrplatform-report-extractor --version 0.0.4 --untar --untardir .
helm pull oci://glasswallhub.azurecr.io/helm/cdrplatform-mongodb --version 0.0.3 --untar --untardir .
helm pull oci://glasswallhub.azurecr.io/helm/cdrplatform-tally-accumulator --version  --untar --untardir .

• In order to gain access to the repositories from which our prerequisite components are installed, they must be added:

helm repo add bitnami https://charts.bitnami.com/bitnami
helm repo add kedacore https://kedacore.github.io/charts
helm repo add mongodb https://mongodb.github.io/helm-charts
helm repo update

Step 3 - Install and configure the Helm charts

Now that you have access to the Helm charts, they can be deployed.

• Install the components. The examples below are pre-populated with the tags for v2.6.1.

Prerequisites

helm upgrade --install cdrplatform-storage cdrplatform-storage --set cloud_provider=local

helm upgrade --install rabbitmq-cluster-operator bitnami/rabbitmq-cluster-operator \
  --atomic \
  --version 4.3.16 \
  --set msgTopologyOperator.fullnameOverride=rabbitmq-messaging-topology-operator \
  --set clusterOperator.image.tag=2.8.0-debian-12-r2 \
  --set msgTopologyOperator.image.tag=1.13.0-debian-12-r8 \
  --set credentialUpdaterImage.tag=1.0.4-debian-12-r16 \
  --set rabbitmqImage.tag=3.13-debian-12-r1 \
  --set clusterOperator.watchAllNamespaces=false \
  --set clusterOperator.watchNamespaces={cdrplatform} \
  --set msgTopologyOperator.watchAllNamespaces=false \
  --set msgTopologyOperator.watchNamespaces={cdrplatform} \
  --set clusterOperator.resources.requests.cpu=100m \
  --set clusterOperator.resources.requests.memory=256Mi \
  --set clusterOperator.resources.limits.cpu=100m \
  --set clusterOperator.resources.limits.memory=256Mi \
  --set msgTopologyOperator.resources.requests.cpu=100m \
  --set msgTopologyOperator.resources.requests.memory=256Mi \
  --set msgTopologyOperator.resources.limits.cpu=100m \
  --set msgTopologyOperator.resources.limits.memory=256Mi

helm upgrade --install keda kedacore/keda --wait \
  --version 2.14.2

helm upgrade --install cdrplatform-rabbitmq -n cdrplatform cdrplatform-rabbitmq --wait \
  --set image.repository=glasswallhub.azurecr.io/cdrplatform-rabbitmq \
  --set image.tag=117498 \
  --set cloud_provider=local \
  --set replicas=1 \
  -f cdrplatform-rabbitmq/values.yaml

Step 4 - Install Engine

helm upgrade --install cdrplatform-engine cdrplatform-engine \
  --set cloud_provider=local \
  --set image.tag=120255 \
  --set image.repository=glasswallhub.azurecr.io/cdrplatform-engine

Step 5 - Sync API

helm upgrade --install cdrplatform-sync-api cdrplatform-sync-api \
  --set cloud_provider=local \
  --set image.tag=120549 \
  --set image.repository=glasswallhub.azurecr.io/cdrplatform-sync-api

Step 6 - API Access Service

The API Access service acts as a gateway service to access Glasswall Halo's Synchronous API and Policy API.

helm upgrade --install cdrplatform-api-access -n cdrplatform cdrplatform-api-access \
 --set image.repository=glasswallhub.azurecr.io/cdrplatform-api-access \
 --atomic --set image.tag=120579

For deployments with TLS/SSL

To configure the CDR API with SSL certificates, create a private key and certificate for the domain to be used.

Create a Kubernetes secret using the key and crt files using the command below. With this command we create a secret with the name "tls-secret" from the files server.key (private key) and server.crt (certificate). The key should not be passphrase protected in this example.

You can reference the following links for instructions on how to generate a local self-signed certificate as well as configure the desired domain name in your local host file. The domain name should point to 127.0.0.1 in the case of linux and macOS, in the case of windows if 127.0.0.1 (IPv4) doesn't work try ::1 (IPv6).

Generated certificates must contain a Subject Alternative Name (SAN) for your domain name.

Linux

• Create an OpenSSL configuration file (openssl.cnf) for the SAN and paste the following:

[req]
default_bits       = 2048
distinguished_name = req_distinguished_name
req_extensions     = req_ext
x509_extensions    = v3_ca   # The extensions to add to the self-signed cert

[req_distinguished_name]
countryName                 = Country Name (2 letter code)
countryName_default         = UK
stateOrProvinceName         = State or Province Name (full name)
stateOrProvinceName_default = London
localityName                = Locality Name (eg, city)
localityName_default        = London
organizationName            = Organization Name (eg, company)
organizationName_default    = Glasswall
Email_address               = Company Email
commonName                  = Common Name (e.g. Your domain name)

[req_ext]
subjectAltName = @alt_names

[v3_ca]
subjectAltName = @alt_names

[alt_names]
DNS.1   = Your domain name

• Generate Certificate and Key:

  openssl req -newkey rsa:2048 \
    -x509 \
    -nodes \
    -days 365 \
    -keyout server.key \
    -out server.crt \
    -config openssl.cnf \
    -extensions 'v3_ca'

• Add domain name to local host file. For this deployment, map Minikube IP address to your configured domain name like this:

<minikube-ip> <your domain name>

Windows

• Generate Certificate and Key
• Add domain name to local host file

macOS

• OpenSSL comes installed with Mac OS, so the same guide for Linux can be used
• Add domain name to local host file

Add and trust your generated certificate in your local certificates store.

kubectl create secret tls tls-secret --key server.key --cert server.crt

This secret can then be used to enable TLS on the ingress as shown in the example below. Make sure to set the $domain_name variable prior to running the command:

helm upgrade --install cdrplatform-api-access -n cdrplatform cdrplatform-api-access \
  --set image.repository=glasswallhub.azurecr.io/cdrplatform-api-access \
  --set cloud_provider=local \
  --set image.tag=120579 \
  --set ingress.tls.enabled=true \
  --set ingress.tls.domain=$domain_name \
  --set ingress.tls.secretName=tls-secret

Enable API Authentication [Optional]

The Authentication in the Glasswall Halo API is disabled by default. If authentication needs to be enabled:

• Create 2 secret in kubernetes manually, one for the organisation ID and another for Orgnization token.

• The secrets should follow below naming convention

  • The secret for organisation ID should start with organisation and end with -id with a number in between. For example organisation1-id.
  • The secret for organisation tokens should start with organisation and end with -tokens with a number in between. For example organisation1-tokens.

The below example command can be used to create the secrets manually in Kubernetes, make sure to set the organisation_id and organisation_tokens variables prior to running the command.

Note: $organisation_tokens can take a comma-delimited list of password values.

kubectl create secret generic cdrplatform-secrets \
  --from-literal=organisation1-id="$organisation_id" \
  --from-literal=organisation1-tokens="$organisation_tokens"

If enabling API Auth, update configuration.configuration.AuthenticationScheme=Basic

For Example:

helm upgrade --install cdrplatform-api-access -n cdrplatform cdrplatform-api-access \
  --set image.repository=glasswallhub.azurecr.io/cdrplatform-api-access \
  --set image.tag=120579 \
  --set configuration.AuthenticationScheme=Basic \
  --atomic

• To enable API key based authentication in Menlo, set configuration.MenloAuthenticationScheme=ApiKey. Make sure menlo-api-key secret has been added to the cdrplatform-secrets secret.

helm upgrade --install cdrplatform-api-access  cdrplatform-api-access \
  --set image.repository=glasswallhub.azurecr.io/cdrplatform-api-access \
  --set image.tag=120579 \
  --set configuration.MenloAuthenticationScheme=ApiKey \
  --atomic

Step 7 - Install Portal

To deploy Portal service, run the below command. If enabling API Auth, update configuration.EnableAuth=true.

For deployments without TLS/SSL

helm upgrade --install cdrplatform-portal cdrplatform-portal \
  --set image.tag=120703 \
  --set image.repository=glasswallhub.azurecr.io/cdrplatform-portal \
  --set configuration.BackendUrl=http://localhost:8080 \
  --set configuration.OIDC=null \
  --set configuration.HaloVersion=2.6.1 \
  --atomic

For deployments with TLS/SSL

If TLS needs to be enabled, add the --set ingress.tls.enable_tls=true and set portal_domain=<domain name> parameters - in the below example, it will use the same Kubernetes secret that was created for the API Access to retrieve the certificates.

portal_domain=""
helm upgrade --install cdrplatform-portal cdrplatform-portal \
  --set image.tag=120703 \
  --set image.repository=glasswallhub.azurecr.io/cdrplatform-portal \
  --set ingress.tls.enabled=true \
  --set ingress.tls.domain=${portal_domain} \
  --set ingress.tls.secretName=tls-secret \
  --set configuration.OIDC=null \
  --set configuration.BackendUrl="https://${portal_domain}" \
  --set configuration.HaloVersion=2.6.1 \
  --atomic

Step 8 - Portal Access

Portal Access acts a backend for Portal. It enables Portal to access Policy API and Sync API

For deployments without TLS/SSL

helm upgrade --install cdrplatform-portal-access cdrplatform-portal-access \
  --set image.repository=glasswallhub.azurecr.io/cdrplatform-portal-access \
  --set configuration.AuthenticationScheme=None \
  --set image.tag=120712 \
  --atomic

For deployments with TLS/SSL

If TLS needs to be enabled, add the --set ingress.tls.enable_tls=true and --set ingress.tls.domain=<domain name> parameters - in the below example, it will use the same Kubernetes secret that was created for the API Access to retrieve the certificates.

portal_domain=""
helm upgrade --install cdrplatform-portal-access cdrplatform-portal-access \
  --set image.repository=glasswallhub.azurecr.io/cdrplatform-portal-access \
  --set image.tag=120712 \
  --set ingress.tls.enabled=true \
  --set ingress.tls.domain=${portal_domain} \
  --set ingress.tls.secretName=tls-secret \
  --set configuration.AuthenticationScheme=None \
  --atomic

Without authentication

helm upgrade --install cdrplatform-portal-access cdrplatform-portal-access \
 --set image.repository=glasswallhub.azurecr.io/cdrplatform-portal-access \
 --set image.tag=120712 \
 --set configuration.AuthenticationScheme=None \
 --atomic

Step 9 - Clean up Service

Clean up service deletes the original and rebuilt files from the persistent storage after the files are processed

helm upgrade --install cdrplatform-cleanup cdrplatform-cleanup \
  --set image.repository=glasswallhub.azurecr.io/cdrplatform-cleanup \
  --set cloud_provider=local \
  --set image.tag=115299 \
  --atomic

Step 10 - MongoDB

MongoDB Operator

helm install community-operator mongodb/community-operator --namespace cdrplatform \
  --set operator.version=0.9.0 \
  --set agent.version=107.0.0.8465-1 \
  --atomic

MongoDB

helm upgrade -i cdrplatform-mongodb cdrplatform-mongodb -n cdrplatform --atomic \
  --set cloud_provider=local

Step 11 - License Management

License management service is used to manage the license in the CDR Platform

helm upgrade --install cdrplatform-license-management cdrplatform-license-management -n license-management \
  --set image.repository=glasswallhub.azurecr.io/cdrplatform-license-management \
  --set image.tag=119970 \
  --set cloud_provider=local \
  --set "secretsFromRef[3].DATABASE__ConnectionString.secretName=mongodb-cdrplatform-cdrp-user" \
  --set "secretsFromRef[3].DATABASE__ConnectionString.key=connectionString.standard" \
  -n license-management \
  --atomic

Step 12 - Policy API

Policy API

The Policy API is used to manage policies for Glasswall Halo content management flags.

Note: this is an optional service, so only install this if you would like to create and use custom polices.

helm upgrade --install cdrplatform-policy-api  cdrplatform-policy-api \
  --set image.tag=119877 \
  --set image.repository=glasswallhub.azurecr.io/cdrplatform-policy-api \
  --set "secretsFromRef[0].DATABASE__ConnectionString.secretName=mongodb-cdrplatform-cdrp-user" \
  --set "secretsFromRef[0].DATABASE__ConnectionString.key=connectionString.standard" \
  -f cdrplatform-policy-api/values.yaml \
  --atomic

Step 13 - Async API

The Asynchronous API can be deployed using the command below. A MongoDB database is a pre-requisite for the Async API.

helm upgrade --install cdrplatform-async-api cdrplatform-async-api \
  --set image.tag=119984 \
  --set image.repository=glasswallhub.azurecr.io/cdrplatform-async-api \
  --set "secretsFromRef[3].DATABASE__ConnectionString.secretName=mongodb-cdrplatform-cdrp-user" \
  --set "secretsFromRef[3].DATABASE__ConnectionString.key=connectionString.standard" \
  --set cloud_provider=local \
  -f cdrplatform-async-api/values.yaml \
  --atomic

Step 14 - Metrics Collation

The Metrics Collation service captures events from Glasswall Halo and stores them in MongoDB.

helm upgrade --install cdrplatform-metrics-collation cdrplatform-metrics-collation \
  --set image.tag=120018 \
  --set image.repository=glasswallhub.azurecr.io/cdrplatform-metrics-collation \
  --set cloud_provider=local \
  --set "secretsFromRef[0].DATABASE__ConnectionString.secretName=mongodb-cdrplatform-cdrp-user" \
  --set "secretsFromRef[0].DATABASE__ConnectionString.key=connectionString.standard" \
  -f cdrplatform-metrics-collation/values.yaml \
  --atomic

Step 15 - Metrics Projection

The Metrics Projection service is used to pull reporting data from MongoDB to display in the Portal UI.

helm upgrade --install cdrplatform-metrics-projection cdrplatform-metrics-projection \
  --set image.tag=120020 \
  --set image.repository=glasswallhub.azurecr.io/cdrplatform-metrics-projection \
  --set cloud_provider=local \
  --set "secretsFromRef[0].DATABASE__ConnectionString.secretName=mongodb-cdrplatform-cdrp-user" \
  --set "secretsFromRef[0].DATABASE__ConnectionString.key=connectionString.standard" \
  -f cdrplatform-metrics-projection/values.yaml \
  --atomic

Step 16 - Report Extractor

The Report Extractor service extracts analysis reports and publishes them for reporting.

helm upgrade --install cdrplatform-report-extractor cdrplatform-report-extractor \
  --set image.tag=120000 \
  --set image.repository=glasswallhub.azurecr.io/cdrplatform-report-extractor \
  --set cloud_provider=local \
  --atomic

Step 17 - Tally Accumulator

The Tally accumulator service tracks and maintains a tally of usage statistics.

helm upgrade --install cdrplatform-tally-accumulator cdrplatform-tally-accumulator -n cdrplatform \
  --set image.tag=120344 \
  --set image.repository=glasswallhub.azurecr.io/cdrplatform-tally-accumulator \
  --set cloud_provider=local \
  --set "secretsFromRef[0].DATABASE__ConnectionString.secretName=mongodb-cdrplatform-cdrp-user" \
  --set "secretsFromRef[0].DATABASE__ConnectionString.key=connectionString.standard" \
  -f cdrplatform-tally-accumulator/values.yaml \
  --atomic

Enable minikube Ingress

Enable the minikube ingress addon.

minikube addons enable ingress

Step 18 - Expose API and Portal service to the host system via localhost.

Run the minikube tunnel command in a separate terminal window:

minikube tunnel

Step 19 - API and Portal Access

To access the API or Portal, navigate to the urls below in a browser:

#API
http://localhost/swagger/index.html

#Portal
http://localhost/

If TLS/SSL was configured, use the urls below while replacing <domain_name> with the domain name you configure earlier.

#API
https://<domain_name>/swagger/index.html

#Portal
https://<domain_name>/

If you encounter a connection refused error with TLS/SSL enabled, restart Minikube and wait for the deployment to complete.

minikube stop

minikube start