Step 7 - Install CDR components
    • PDF

    Step 7 - Install CDR components

    • PDF

    Article summary

    Finally, you can install the Glasswall Halo services. For these charts, ensure that you set the image tag to the corresponding tag found in the Release Notes.

    The examples below are pre-populated with the values for v2.6.1.

    7.1 - Engine

    To integrate Halo with Reversing Labs, set the `enable_reversing_labs` variable to `true` below. Make sure to create Reversing Labs secrets in the Vault as mentioned in Step 3.

    enable_reversing_labs=""
    helm upgrade --install cdrplatform-engine cdrplatform-engine -n cdrplatform \
      --set image.tag=120255 \
      --set image.repository=glasswallhub.azurecr.io/cdrplatform-engine \
      --set cloud_provider=oracle \
      --set configuration.ENABLE_REVERSING_LABS="${enable_reversing_labs}" \
      --atomic

    7.2 - Sync API

    helm upgrade --install cdrplatform-sync-api cdrplatform-sync-api -n cdrplatform \
      --set image.tag=118332 \
      --set image.repository=glasswallhub.azurecr.io/cdrplatform-sync-api \
      --set cloud_provider=oracle

    7.3 - API Access service

    The API Access service acts as a gateway service to access CDR Platform Sync API and Policy API.
    It exposes the CDR functionality via HTTP - in your environment you may require this to be done with TLS/SSL via HTTPS, if this is the case follow the instructions to install with TLS/SSL. Otherwise follow the instructions to install without.

    7.3A - For deployments without TLS/SSL

    helm upgrade --install cdrplatform-api-access -n cdrplatform cdrplatform-api-access \
     --set image.repository=glasswallhub.azurecr.io/cdrplatform-api-access \
     --atomic --set image.tag=117921

    7.3B - To use SSL certificates on CDR API, create a private key and certificate for the domain to be used.

    Create a Kubernetes secret using the key and crt files using the command below. With this command we create a secret with the name "tls-secret" from the files server.key (private key) and server.crt (certificate). The key should not be passphrase protected in this example.

    kubectl create secret tls tls-secret --key server.key --cert server.crt
    

    This secret can then be used to enable TLS on the ingress ensuring that the domain name is set on the command below:

    helm upgrade --install cdrplatform-api-access -n cdrplatform cdrplatform-api-access \
     --set image.repository=glasswallhub.azurecr.io/cdrplatform-api-access \
     --set image.tag=117921 \
     --set cloud_provider=oracle \
     --set ingress.tls.enabled=true \
     --set ingress.tls.domain=<domain name> \
     --set ingress.tls.secretName=tls-secret \
     --atomic

    7.3C - To enable API authentication

    The Authentication in the Glasswall Halo API is disabled by default. If authentication needs to be enabled:

    • Add two new entries to the Vault Secret vault_secret_name; one for the Organisation ID and another for Organisation Tokens. When passing multiple tokens separate them with a comma (","). As a result, the token itself cannot have a comma.
    • The secrets in Vault should follow the naming convention below:
      • The secret for Organisation ID should start with organisation and end with -id with a number in between. For example organisation1-id, organisation2-id, organisation3-id etc.
      • The secret for the Organisation Tokens should start with organisation and end with -tokens with a number in between. For example organisation1-tokens, organisation2-tokens, organisation3-tokens etc.
    {
      "organisation1-id": "org-1",
      "organisation1-tokens": "org-1-token-1,org-1-token-2"
    }
    
    • Set configuration.AuthenticationScheme=Basic while deploying the helm chart. For example,
      helm upgrade --install cdrplatform-api-access -n cdrplatform cdrplatform-api-access \
      --set image.repository=glasswallhub.azurecr.io/cdrplatform-api-access \
      --set image.tag=117921 \
      --set configuration.AuthenticationScheme=Basic \
      --set cloud_provider=oracle \
      --atomic

    To enable API key based authentication in Menlo, set configuration.MenloAuthenticationScheme=ApiKey. Make sure menlo-api-key secret has been added to the Vault in Step 3.

    helm upgrade --install cdrplatform-api-access -n cdrplatform cdrplatform-api-access \
      --set image.repository=glasswallhub.azurecr.io/cdrplatform-api-access \
      --set image.tag=117921 \
      --set configuration.AuthenticationScheme=Basic \
      --set configuration.MenloAuthenticationScheme=ApiKey \
      --atomic

    7.4 - Portal

    7.4A - For deployments without TLS/SSL

    To deploy the Portal service, run the below commands.

    Note: the <IP-address> mentioned in this command refers to the Load Balancer's public IP address. This can be retrieved through the "Portal & API Access" steps below.

    helm upgrade --install cdrplatform-portal cdrplatform-portal -n cdrplatform \
      --set image.repository=glasswallhub.azurecr.io/cdrplatform-portal \
      --set configuration.OIDC=null \
      --set image.tag=118408 \
      --set configuration.BackendUrl=http://<IP-address> \
      --set configuration.HaloVersion=2.6.0 \
      --atomic

    7.4B - For deployments with TLS/SSL.

    To enable TLS, add the --set ingress.tls.enable_tls=true and --set ingress.tls.domain=<domain name> parameters - in the below example, it will use the same Kubernetes secret that was created for the API Access to retrieve the certificates.

    helm upgrade --install cdrplatform-portal cdrplatform-portal -n cdrplatform \
      --set image.tag=118408 \
      --set image.repository=glasswallhub.azurecr.io/cdrplatform-portal \
      --set ingress.tls.enabled=true \
      --set ingress.tls.domain=<domain name> \
      --set ingress.tls.secretName=tls-secret \
      --set configuration.BackendUrl=https://<domain name> \
      --set configuration.OIDC=null \
      --set configuration.HaloVersion=2.6.0 \
      --atomic

    7.5 - MongoDB

    MongoDB is a prerequisite for Policy Management API and Asynchronous API.

    helm upgrade -i cdrplatform-mongodb cdrplatform-mongodb -n cdrplatform --atomic \
      --set cloud_provider=oracle

    After MongoDB is deployed, get the connection string of the MongoDB and add it to the key value secret.

    • Retrieve the connection string from the Kubernetes secret:
    kubectl get secret mongodb-cdrplatform-cdrp-user -o jsonpath='{.data.connectionString\.standard}' | base64 -d
    • Update the Oracle vault secret by adding the key-value pair:
    {
        "mongodb-connectionstring": "<output-from-previous-step>"
    }
    • After updating the Oracle Vault, to sync the secrets to the Kubernetes secrets, run below command.
    kubectl annotate externalsecret external-secret updated_at=$(date +%s) --overwrite -n cdrplatform
    • Describe the `cdrplatform-secrets` kubernetes secret and make sure `mongodb-connectionstring` is synced and present in the secret. Then proceed to deploying next helm charts.
    kubectl describe secret cdrplatform-secrets

    7.6 - Policy API

    The Policy API manages policies for Glasswall Halo content management flags. This is an optional service, install this if you would like to create and use custom polices.

    helm upgrade --install cdrplatform-policy-api -n cdrplatform cdrplatform-policy-api \
      --set image.repository=glasswallhub.azurecr.io/cdrplatform-policy-api \
      --set image.tag=116799 \
      --set cloud_provider=oracle

    7.7 - Portal Access

    Portal Access acts a backend for Portal. It enables Portal to access Policy API and Sync API

    7.7A - For deployments with TLS/SSL

    If TLS needs to be enabled, add the --set ingress.tls.enable_tls=true and --set ingress.tls.domain=<domain name> parameters - in the below example, it will use the same Kubernetes secret that was created for the API Access to retrieve the certificates.

    helm upgrade --install cdrplatform-portal-access -n cdrplatform cdrplatform-portal-access \
      --set image.repository=glasswallhub.azurecr.io/cdrplatform-portal-access \
      --set image.tag=117613 \
      --set ingress.tls.enabled=true \
      --set ingress.tls.domain=<domain-name> \
      --set ingress.tls.secretName=tls-secret \
      --set configuration.AuthenticationScheme=None \
      --atomic

    7.7B - For deployments without TLS/SSL 

    helm upgrade --install cdrplatform-portal-access -n cdrplatform cdrplatform-portal-access \
      --set image.repository=glasswallhub.azurecr.io/cdrplatform-portal-access \
      --set configuration.AuthenticationScheme=None \
      --set image.tag=120712 \
      --atomic

    7.8 - License Management

    The License Management service is used to manage licenses in Glasswall Halo.

    helm upgrade --install cdrplatform-license-management cdrplatform-license-management \
      --set image.repository=glasswallhub.azurecr.io/cdrplatform-license-management \
      --set image.tag=119970 \
      -n license-management \
      --atomic

    7.9 - Clean up Service

    Clean up service deletes the original and rebuilt files from the persistent storage after the files are processed.

    helm upgrade --install cdrplatform-cleanup cdrplatform-cleanup \
      --set image.repository=glasswallhub.azurecr.io/cdrplatform-cleanup \
      --set cloud_provider=oracle \
      --set image.tag=115299 \
      --atomic

    7.10 - Async API

    The Asynchronous API can be deployed using the command below. A MongoDB database is a pre-requisite for  the Async API.

    helm upgrade --install cdrplatform-async-api cdrplatform-async-api \
      --set image.tag=119984 \
      --set image.repository=glasswallhub.azurecr.io/cdrplatform-async-api \
      --atomic

    7.11 - Metrics Collation

    The Metrics Collation service captures events from Glasswall Halo and stores them in MongoDB.

    helm upgrade --install cdrplatform-metrics-collation cdrplatform-metrics-collation \
      --set image.tag=120018 \
      --set image.repository=glasswallhub.azurecr.io/cdrplatform-metrics-collation \
      --set cloud_provider=oracle \
      --atomic

    7.12 - Metrics Projection

    The Metrics Projection service is used to pull reporting data from MongoDB to display in the Portal UI.

    helm upgrade --install cdrplatform-metrics-projection cdrplatform-metrics-projection \
      --set image.tag=120020 \
      --set image.repository=glasswallhub.azurecr.io/cdrplatform-metrics-projection \
      --set cloud_provider=oracle \
      --atomic

    7.13 - Report Extractor

    The Report Extractor service extracts analysis reports and publishes them for reporting.

    helm upgrade --install cdrplatform-report-extractor cdrplatform-report-extractor \
      --set image.tag=120000 \
      --set image.repository=glasswallhub.azurecr.io/cdrplatform-report-extractor \
      --wait --atomic

    7.11 - Tally Accumulator

    The Tally accumulator service tracks and maintains a tally of usage statistics.

    helm upgrade --install cdrplatform-tally-accumulator cdrplatform-tally-accumulator \
      --set image.tag=120344 \
      --set image.repository=glasswallhub.azurecr.io/cdrplatform-tally-accumulator \
      --set cloud_provider=oracle \
      --wait --atomic

    7.12 - Portal & API Access

    Use the command below to determine the External-IP associated with your cluster:

    Note: External-IP will be the same as the Public IP address attached to the Oracle Cloud load balancer.

    kubectl get services --namespace cdrplatform nginx-ingress-ingress-nginx-controller --output jsonpath='{.status.loadBalancer.ingress[0].ip}'
    

    You can now use the IP returned above to navigate to the Portal and API Documentation (use https if TLS enabled):

    Portal: http://<ip>
    API Documentation: http://<ip>/swagger
    



    Congratulations, you have successfully deployed Glasswall Glasswall Halo! We would love to get your thoughts on the setup process and how we can improve it, using the feedback option below.


    Was this article helpful?

    What's Next