Prerequisites
Before you begin deploying Glasswall Halo, ensure that the following tools and resources are installed and set up.
System requirements
This guide assumes the commands are run in a Linux shell. If you are using a different shell, some of the commands may need to be modified before they will run.
If you are running on Windows, please use Windows Subsystem for Linux (WSL).
Required tools
Required AWS resources
1. EKS cluster
- Recommended total of at least 8 vCPU and 32 GB RAM.
- Minimum node size is 4 vCPU and 16 GB RAM.
- For production workloads a minimum of 2 nodes is recommended.
- Make sure the EKS cluster has an IAM OIDC provider.
- Please refer to AWS documentation to determine if the cluster has an IAM OIDC provider or if you need to create one.
- In the steps below, the EKS cluster is referred to as: eksname
Note: Glasswall Halo does not support ARM64 node VMs.
For guidance on creating an EKS cluster please refer to:
- Create EKS Cluster - Console
- Create EKS Cluster - CLI
- AWS Elastic Kubernetes Service - Best Practices
2. EFS
An AWS Elastic File System (EFS) is used to create persistent volumes in EKS.
- Create the EFS in the same VPC where the EKS is created.
For guidance on creating EFS please refer to:
3. IAM roles for service accounts
Two IAM roles need to be created for the two Kubernetes service accounts deployed through the Helm charts. The Amazon Resource Names (ARNs) of these roles are required when deploying the Helm charts.
- Role 1: role-cdrp-efs-csi-<suffix>
- Role 2: role-cdrp-ext-secrets-<suffix>
- This shell script can be used to create the IAM roles.
- Pass the AWS region, EKS cluster name, EFS filesystem ID and suffix as the 4 arguments to the script, for example:
bash create-aws-roles.sh eu-west-1 eks-cdrp-dev fs-582a03f3 dev
For guidance on creating IAM roles for service accounts, please refer to AWS documentation.
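The script described above is not reproduced on this page; the following is an added example (not Glasswall's create-aws-roles.sh) showing how such a script can build an IAM-roles-for-service-accounts (IRSA) trust policy bound to the cluster's OIDC provider and create the two roles named above with the same four arguments. The namespaces, service account names and the permissions policy for the external-secrets role are assumed placeholders; the trust policy pins each role to exactly one namespace/service account and to the sts.amazonaws.com audience rather than using a wildcard.

```shell
#!/usr/bin/env bash
# Added example, not the project's own script. Usage:
#   bash create-aws-roles.sh <region> <eks-cluster-name> <efs-filesystem-id> <suffix>
set -euo pipefail

# Emit the IRSA trust policy. The sub condition limits who may assume the role
# to one service account in one namespace; aud rejects tokens minted for others.
irsa_trust_policy() {
  account_id="$1"; oidc_host="$2"; namespace="$3"; sa="$4"
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"Federated": "arn:aws:iam::${account_id}:oidc-provider/${oidc_host}"},
    "Action": "sts:AssumeRoleWithWebIdentity",
    "Condition": {"StringEquals": {
      "${oidc_host}:sub": "system:serviceaccount:${namespace}:${sa}",
      "${oidc_host}:aud": "sts.amazonaws.com"
    }}
  }]
}
EOF
}

# Create one role with that trust policy and attach one permissions policy.
# The filesystem ID is recorded as a tag so the role's purpose is auditable.
create_irsa_role() {
  role="$1"; account_id="$2"; oidc_host="$3"; namespace="$4"; sa="$5"; policy_arn="$6"
  aws iam create-role --role-name "$role" \
    --assume-role-policy-document "$(irsa_trust_policy "$account_id" "$oidc_host" "$namespace" "$sa")" \
    --tags Key=efs-filesystem,Value="$FS_ID" >/dev/null
  aws iam attach-role-policy --role-name "$role" --policy-arn "$policy_arn"
}

if [ "$#" -eq 4 ]; then
  region="$1"; cluster="$2"; FS_ID="$3"; suffix="$4"
  account_id="$(aws sts get-caller-identity --query Account --output text)"
  # OIDC issuer URL of the cluster, with the https:// scheme stripped for the ARN.
  oidc_host="$(aws eks describe-cluster --region "$region" --name "$cluster" \
    --query 'cluster.identity.oidc.issuer' --output text | sed 's#^https://##')"
  # Assumed placeholders: namespaces, service account names, secrets policy ARN.
  create_irsa_role "role-cdrp-efs-csi-${suffix}" "$account_id" "$oidc_host" \
    kube-system efs-csi-controller-sa arn:aws:iam::aws:policy/service-role/AmazonEFSCSIDriverPolicy
  create_irsa_role "role-cdrp-ext-secrets-${suffix}" "$account_id" "$oidc_host" \
    external-secrets external-secrets "arn:aws:iam::${account_id}:policy/PLACEHOLDER-secrets-read"
fi
```

Running with no arguments only defines the functions, so irsa_trust_policy can be called on its own to inspect the generated document before any role is created.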
4. MongoDB database
MongoDB stores Glasswall Halo content management policies and is used by the cdrplatform-policy-api service.
- Deploy a DocumentDB instance that is compatible with the MongoDB API.
- You can skip this step if you do not require the Policy Management API or the Asynchronous API.
- If DocumentDB is not available in AWS GovCloud, use the MongoDB Kubernetes Operator to deploy MongoDB in the EKS cluster.
Note: alternatively, MongoDB can be deployed directly within your cluster using the MongoDB Helm charts, as described in Step 7.
Access to Glasswall Artifact Registry
- You are provided with a token and token ID to access Glasswall's Artifact Registry.
- This allows you to pull container images and Helm charts directly from your EKS cluster.
- In the steps below, the token and token ID will be referred to as: token and token_id.