Version: 2.15.0

Step 7 - Install CDR components

Finally, install the Glasswall Halo services. For each Helm chart, ensure that the image tag is set to the corresponding version listed in the release notes.

The examples below are pre-populated with values for v2.15.0.

7.1 - Engine

To integrate Halo with ReversingLabs, set the enable_reversing_labs variable to true. Ensure that the ReversingLabs secrets have been created in Vault, as described in Step 3.

enable_reversing_labs=""
helm upgrade --install cdrplatform-engine cdrplatform-engine -n cdrplatform \
--set image.tag=159562 \
--set image.registry=glasswallhub.azurecr.io \
--set cloud_provider=oracle \
--set configuration.ENABLE_REVERSING_LABS="${enable_reversing_labs}" \
--atomic

7.2 - Synchronous API

helm upgrade --install cdrplatform-sync-api cdrplatform-sync-api -n cdrplatform \
--set image.tag=159538 \
--set image.registry=glasswallhub.azurecr.io \
--set cloud_provider=oracle

7.3 - API Access service

The API Access service acts as a gateway to the Glasswall Halo Synchronous API and the Policy Management API.

It exposes CDR functionality over HTTP. If your environment requires HTTPS with TLS or SSL, follow the instructions to install the service with TLS or SSL enabled. Otherwise, follow the instructions for installation without TLS or SSL.

7.3A - For deployments without TLS/SSL

helm upgrade --install cdrplatform-api-access -n cdrplatform cdrplatform-api-access \
--set image.registry=glasswallhub.azurecr.io \
--atomic --set image.tag=158548

7.3B - For deployments with TLS/SSL

To use SSL certificates on the CDR API, create a private key and certificate for the domain to be used.

Create a Kubernetes TLS secret from the key and certificate files using the command below. The command creates a secret named "tls-secret" from the files server.key (private key) and server.crt (certificate). In this example the key should not be passphrase protected.

kubectl create secret tls tls-secret --key server.key --cert server.crt

This secret can then be used to enable TLS on the ingress. Ensure that the domain name is set in the command below:

helm upgrade --install cdrplatform-api-access -n cdrplatform cdrplatform-api-access \
--set image.registry=glasswallhub.azurecr.io \
--set image.tag=158548 \
--set cloud_provider=oracle \
--set ingress.tls.enabled=true \
--set ingress.tls.domain=<domain name> \
--set ingress.tls.secretName=tls-secret \
--atomic

7.3C - Enable API authentication

Authentication for the Glasswall Halo API is disabled by default. To enable authentication, complete the steps below.

  • Add two new entries to the Vault secret vault_secret_name.

    • One entry for the organisation ID
    • One entry for the organisation tokens

    When specifying multiple tokens, separate them with commas. Ensure that individual tokens do not contain commas.

  • Vault secret entries must follow the naming conventions below.

    • Organisation ID

      • Must start with organisation
      • Must end with -id
      • Include a numeric index between the prefix and suffix
      • Examples: organisation1-id, organisation2-id, organisation3-id
    • Organisation tokens

      • Must start with organisation
      • Must end with -tokens
      • Include a numeric index between the prefix and suffix
      • Examples: organisation1-tokens, organisation2-tokens, organisation3-tokens

{
"organisation1-id": "org-1",
"organisation1-tokens": "org-1-token-1,org-1-token-2"
}

  • Set configuration.AuthenticationScheme=Basic when deploying the Helm chart. For example:

helm upgrade --install cdrplatform-api-access -n cdrplatform cdrplatform-api-access \
--set image.registry=glasswallhub.azurecr.io \
--set image.tag=158548 \
--set configuration.AuthenticationScheme=Basic \
--set cloud_provider=oracle \
--atomic
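
The naming rules in 7.3C can be checked before the entries are written to Vault. The validator below is an added example, not part of the Glasswall documentation or product; the function name, the sample secrets and the whitespace check are assumptions made for illustration.

```python
import re

# Naming rule from 7.3C: organisation<index>-id / organisation<index>-tokens
KEY_RE = re.compile(r"organisation(\d+)-(id|tokens)")

def validate_org_entries(secret):
    """Return a list of problems in the organisation entries of a Vault secret dict."""
    problems = []
    orgs = {}  # numeric index -> {"id": value, "tokens": value}
    for key, value in secret.items():
        if not key.startswith("organisation"):
            continue  # unrelated entry such as mongodb-connectionstring
        m = KEY_RE.fullmatch(key)
        if m is None:
            problems.append(f"{key}: name must be organisation<index>-id or organisation<index>-tokens")
            continue
        orgs.setdefault(int(m.group(1)), {})[m.group(2)] = value
    for index in sorted(orgs):
        entry = orgs[index]
        prefix = f"organisation{index}"
        if "id" not in entry:
            problems.append(f"{prefix}-id: missing (tokens without an organisation ID)")
        elif not entry["id"].strip():
            problems.append(f"{prefix}-id: empty value")
        if "tokens" not in entry:
            problems.append(f"{prefix}-tokens: missing (organisation ID without tokens)")
            continue
        # Commas are the separator, so an empty piece means a stray or doubled comma
        for position, token in enumerate(entry["tokens"].split(","), start=1):
            if token == "":
                problems.append(f"{prefix}-tokens: token {position} is empty (stray comma)")
            elif token != token.strip():
                # Assumption: whitespace would otherwise end up inside the token
                problems.append(f"{prefix}-tokens: token {position} has surrounding whitespace")
    return problems

# Constructed sample secrets (not real credentials)
GOOD = {"organisation1-id": "org-1",
        "organisation1-tokens": "org-1-token-1,org-1-token-2"}
BAD = {"organisation2-id": "org-2",
       "organisation3-tokens": "tok-a,,tok-b",
       "organisation-x-id": "org-x",
       "mongodb-connectionstring": "<placeholder>"}

if __name__ == "__main__":
    for name, secret in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, validate_org_entries(secret) or "ok")
```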

7.4 - Portal

7.4A - Deployments without TLS or SSL

To deploy the Portal service, run the commands below.

Note: the <IP-address> referenced in these commands is the public IP address of the load balancer. This can be retrieved by following the Portal and API Access steps below.

helm upgrade --install cdrplatform-portal cdrplatform-portal -n cdrplatform \
--set image.registry=glasswallhub.azurecr.io \
--set configuration.OIDC=null \
--set image.tag=160393 \
--set configuration.BackendUrl=http://<IP-address> \
--set configuration.HaloVersion=2.15.0 \
--atomic

7.4B - Deployments with TLS or SSL

To enable TLS, add the --set ingress.tls.enable_tls=true and --set ingress.tls.domain=<domain name> parameters.

In the example below, the same Kubernetes secret created for the API Access service is used to retrieve the TLS certificates.

helm upgrade --install cdrplatform-portal cdrplatform-portal -n cdrplatform \
--set image.tag=160393 \
--set image.registry=glasswallhub.azurecr.io \
--set ingress.tls.enabled=true \
--set ingress.tls.domain=<domain name> \
--set ingress.tls.secretName=tls-secret \
--set configuration.BackendUrl=https://<domain name> \
--set configuration.OIDC=null \
--set configuration.HaloVersion=2.15.0 \
--atomic

7.4C - Enable admin access without authentication

When Single Sign On login is not enabled for the Portal, administrative features such as license management and policy configuration are not accessible.

To enable access to these administrative features without configuring SSO, deploy the Helm chart with the following configuration.

helm upgrade --install cdrplatform-portal cdrplatform-portal \
--set image.tag=160393 \
--set image.registry=glasswallhub.azurecr.io \
--set ingress.tls.enabled=true \
--set ingress.tls.domain=${portal_domain} \
--set ingress.tls.secretName=tls-secret \
--set configuration.AutoAdmin="true" \
--atomic
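
The settings in 7.3 and 7.4 decide whether a release is authenticated and served over TLS, so it helps to review a command before running it. The script below is an added example, not part of the Glasswall documentation or tooling; the function names and sample commands are constructed, and it only inspects `--set` flags that appear on this page.

```python
import shlex

# Releases for which this page shows ingress TLS options
TLS_RELEASES = {"cdrplatform-api-access", "cdrplatform-portal",
                "cdrplatform-portal-access", "cdrplatform-storage-monitor"}

def parse_helm_command(command):
    """Return (release name, {key: value} taken from --set flags)."""
    argv = shlex.split(command.replace("\\\n", " "))  # join continuation lines
    values, positional, skip = {}, [], False
    for i, arg in enumerate(argv):
        if skip:
            skip = False
        elif arg in ("--set", "-n", "--namespace"):
            if arg == "--set" and i + 1 < len(argv):
                key, _, value = argv[i + 1].partition("=")
                values[key] = value
            skip = True  # the next argument belongs to this flag
        elif not arg.startswith("-"):
            positional.append(arg)
    # Positional arguments are: helm upgrade <release> <chart>
    return (positional[2] if len(positional) > 2 else ""), values

def review(command):
    """List settings that leave the release unauthenticated or unencrypted."""
    release, values = parse_helm_command(command)
    findings = []
    if values.get("configuration.AutoAdmin", "").lower() == "true":
        findings.append("AutoAdmin=true: admin features are available without SSO")
    if (release == "cdrplatform-api-access"
            and values.get("configuration.AuthenticationScheme") != "Basic"):
        findings.append("AuthenticationScheme is not Basic: API authentication stays disabled")
    if values.get("configuration.BackendUrl", "").startswith("http://"):
        findings.append("BackendUrl uses http://: traffic to the backend is not encrypted")
    if release in TLS_RELEASES and values.get("ingress.tls.enabled") != "true":
        findings.append("ingress.tls.enabled is not true: the ingress serves plain HTTP")
    return findings

# Constructed inputs modelled on the 7.4A and 7.4C commands; the IP is a documentation address
PORTAL_HTTP = r"""helm upgrade --install cdrplatform-portal cdrplatform-portal -n cdrplatform \
--set configuration.OIDC=null \
--set configuration.BackendUrl=http://203.0.113.10 \
--atomic"""
PORTAL_AUTOADMIN = r"""helm upgrade --install cdrplatform-portal cdrplatform-portal \
--set ingress.tls.enabled=true \
--set ingress.tls.secretName=tls-secret \
--set configuration.AutoAdmin="true" \
--atomic"""

if __name__ == "__main__":
    for cmd in (PORTAL_HTTP, PORTAL_AUTOADMIN):
        print(review(cmd))
```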

7.5 - MongoDB

MongoDB is a prerequisite for Policy Management API and Asynchronous API.

helm upgrade -i cdrplatform-mongodb cdrplatform-mongodb -n cdrplatform --atomic \
--set cloud_provider=oracle

After MongoDB is deployed, retrieve its connection string and add it to the key-value secret.

  • Retrieve the connection string from the Kubernetes secret:
kubectl get secret mongodb-cdrplatform-cdrp-user -o jsonpath='{.data.connectionString\.standard}' | base64 -d
  • Update the Oracle Vault secret by adding the key-value pair:
{
"mongodb-connectionstring": "<output-from-previous-step>"
}
  • After updating Oracle Vault, run the following command to sync the secrets to Kubernetes.
kubectl annotate externalsecret external-secret updated_at=$(date +%s) --overwrite -n cdrplatform
  • Describe the cdrplatform-secrets Kubernetes secret and verify that mongodb-connectionstring is present and synced. Then proceed with deploying the next Helm charts.
kubectl describe secret cdrplatform-secrets

7.6 - Policy Management API

The Policy Management API is used to manage Glasswall Halo content management flags. This service is optional and should be installed only if you plan to create and use custom policies.

helm upgrade --install cdrplatform-policy-api -n cdrplatform cdrplatform-policy-api \
--set image.registry=glasswallhub.azurecr.io \
--set image.tag=159224 \
--set cloud_provider=oracle

7.7 - Portal Access

The Portal Access service acts as the backend for the Portal. It enables the Portal to access the Policy Management API and the Synchronous API.

7.7A - Deployments with TLS or SSL

If TLS is required, add the --set ingress.tls.enable_tls=true and --set ingress.tls.domain=<domain name> parameters.

In the example below, the same Kubernetes secret created for the API Access service is used to retrieve the TLS certificates.

helm upgrade --install cdrplatform-portal-access -n cdrplatform cdrplatform-portal-access \
--set image.registry=glasswallhub.azurecr.io \
--set image.tag=159930 \
--set ingress.tls.enabled=true \
--set ingress.tls.domain=<domain-name> \
--set ingress.tls.secretName=tls-secret \
--set configuration.AuthenticationScheme=None \
--atomic

7.7B - For deployments without TLS/SSL

helm upgrade --install cdrplatform-portal-access -n cdrplatform cdrplatform-portal-access \
--set image.registry=glasswallhub.azurecr.io \
--set configuration.AuthenticationScheme=None \
--set image.tag=159930 \
--atomic

7.8 - License management

The License management service is used to manage licenses in Glasswall Halo.

helm upgrade --install cdrplatform-license-management cdrplatform-license-management \
--set image.registry=glasswallhub.azurecr.io \
--set image.tag=157724 \
-n license-management \
--atomic

7.9 - Clean up service

The Clean up service deletes the original and rebuilt files from the persistent storage after the files are processed.

helm upgrade --install cdrplatform-cleanup cdrplatform-cleanup \
--set image.registry=glasswallhub.azurecr.io \
--set cloud_provider=oracle \
--set image.tag=157621 \
--atomic

7.10 - Asynchronous API

The Asynchronous API can be deployed using the command below. A MongoDB database is required for the Asynchronous API.

helm upgrade --install cdrplatform-async-api cdrplatform-async-api \
--set image.tag=159541 \
--set image.registry=glasswallhub.azurecr.io \
--atomic

7.11 - Metrics collation (removed from version 2.6.2)

The Metrics collation service captures events from CDRPlatform and stores them in MongoDB. Only deploy it when using Halo version 2.6.1 and below.

helm upgrade --install cdrplatform-metrics-collation cdrplatform-metrics-collation \
--set image.tag=120018 \
--set image.registry=glasswallhub.azurecr.io \
--set cloud_provider=oracle \
--atomic

7.12 - Metrics projection

The Metrics projection service is used to pull reporting data from MongoDB to display in the Portal UI.

helm upgrade --install cdrplatform-metrics-projection cdrplatform-metrics-projection \
--set image.tag=157704 \
--set image.registry=glasswallhub.azurecr.io \
--set cloud_provider=oracle \
--atomic

7.13 - Report extractor

The Report extractor service extracts analysis reports and publishes them for reporting.

helm upgrade --install cdrplatform-report-extractor cdrplatform-report-extractor \
--set image.tag=157606 \
--set image.registry=glasswallhub.azurecr.io \
--wait --atomic

7.14 - Tally accumulator

The Tally accumulator service tracks and maintains a tally of usage statistics.

helm upgrade --install cdrplatform-tally-accumulator cdrplatform-tally-accumulator \
--set image.tag=157659 \
--set image.registry=glasswallhub.azurecr.io \
--set cloud_provider=oracle \
--wait --atomic

7.15 - Storage monitoring service

The Storage Monitoring service provides an API to subscribe to and track changes made to documents in configured storage services such as SharePoint.

TLS must be enabled for the webhook.

Add the --set ingress.tls.enable_tls=true and --set ingress.tls.domain=<domain name> parameters.

In the example below, the same Kubernetes secret created for the API Access service is used to retrieve the TLS certificates.

helm upgrade --install cdrplatform-storage-monitor cdrplatform-storage-monitor --wait --atomic \
--set image.tag="160331" \
--set image.repository="glasswallhub.azurecr.io/cdrplatform-storage-monitor" \
--set configuration.DATABASE__Provider="${database_provider}" \
--set configuration.WEBHOOKS__CallbackBaseAddress="https://<domain-name>" \
--set ingress.tls.enabled=true \
--set ingress.tls.domain=<domain-name> \
--set ingress.tls.secretName=tls-secret

7.16 - Portal and API access

Use the command below to determine the external IP address associated with your cluster.

Note: the external IP is the same as the public IP address assigned to the Oracle Cloud load balancer.

kubectl get services --namespace cdrplatform nginx-ingress-ingress-nginx-controller --output jsonpath='{.status.loadBalancer.ingress[0].ip}'

You can now use the IP address returned above to navigate to the Portal and API documentation (use https if TLS is enabled):

Portal: http://<ip>
API Documentation: http://<ip>/swagger