Step 7 - Install CDR components
Finally, install the Glasswall Halo application services. For each Helm chart, ensure that the image tag is set to the corresponding version listed in the release notes.
The examples below are pre-populated with the image tags for v2.16.0.
7.1 - Engine
To integrate Halo with ReversingLabs, set the enable_reversing_labs variable to true. Ensure that the ReversingLabs secrets have been created in AWS Secrets Manager, as described in Step 3.
enable_reversing_labs=""
helm upgrade --install cdrplatform-engine cdrplatform-engine \
--set image.tag=165275 \
--set image.registry=glasswallhub.azurecr.io \
--set configuration.ENABLE_REVERSING_LABS="${enable_reversing_labs}" \
--set cloud_provider=aws \
--timeout 10m \
--atomic
7.2 - Synchronous API
helm upgrade --install cdrplatform-sync-api cdrplatform-sync-api \
--set image.tag=166415 \
--set image.registry=glasswallhub.azurecr.io \
--set cloud_provider=aws
7.3 - API Access service
The API Access service acts as a gateway to the Glasswall Halo Synchronous API and the Policy Management API.
It exposes CDR functionality over HTTP. If your environment requires HTTPS with TLS or SSL, follow the instructions to install the service with TLS or SSL enabled. Otherwise, follow the instructions for installation without TLS or SSL.
7.3A - Deployments without TLS or SSL
helm upgrade --install cdrplatform-api-access -n cdrplatform cdrplatform-api-access \
--set image.registry=glasswallhub.azurecr.io \
--set image.tag=165925 \
--atomic
7.3B - Deployments with TLS or SSL
To use SSL certificates with the CDR API, create a private key and certificate for the required domain.
Create a Kubernetes secret from the private key and certificate files using the command below. This command creates a secret named tls-secret using server.key as the private key and server.crt as the certificate.
In this example, the private key must not be passphrase protected.
kubectl create secret tls tls-secret --key server.key --cert server.crt
This secret can then be used to enable TLS on the ingress ensuring that the domain name is set on the command below:
helm upgrade --install cdrplatform-api-access -n cdrplatform cdrplatform-api-access \
--set image.registry=glasswallhub.azurecr.io \
--set image.tag=165925 \
--set cloud_provider=aws \
--set ingress.tls.enabled=true \
--set ingress.tls.domain=${domain_name} \
--set ingress.tls.secretName=tls-secret \
--atomic
7.3C - Enable API authentication
Authentication for the Glasswall Halo API is disabled by default. To enable authentication, complete the steps below.
- Create two secrets in AWS Secrets Manager:
  - One secret for the organisation ID
  - One secret for the organisation tokens
  When specifying multiple tokens, separate them with commas. Ensure that individual tokens do not contain commas.
- Secrets in AWS Secrets Manager must follow the naming conventions below.
  Organisation ID secret
  - Must start with organisation
  - Must end with -id
  - Include a numeric index between the prefix and suffix
  - Examples: organisation0-id, organisation1-id, organisation2-id
  Organisation tokens secret
  - Must start with organisation
  - Must end with -tokens
  - Include a numeric index between the prefix and suffix
  - Examples: organisation0-tokens, organisation1-tokens, organisation2-tokens
- Set configuration.AuthenticationScheme=Basic while deploying the Helm chart. For example:
helm upgrade --install cdrplatform-api-access -n cdrplatform cdrplatform-api-access \
--set image.registry=glasswallhub.azurecr.io \
--set image.tag=165925 \
--set configuration.AuthenticationScheme=Basic \
--atomic
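As an added pre-flight check (not part of the Glasswall Halo documentation), the shell functions below validate that a pair of Secrets Manager secret names follows the convention above (organisation<N>-id and organisation<N>-tokens with the same index) and that a comma-separated token list is well formed, before the names are handed to Helm in step 7.5D. The function names and the token list format checks are assumptions made for this example.

```shell
# Added example: pre-flight validation of the 7.3C secret naming convention.
# Pure POSIX shell, runs offline; nothing here talks to AWS or the cluster.

# 0 if NAME matches organisation<N>-id.
is_org_id_secret_name() {
  printf '%s\n' "$1" | grep -Eq '^organisation[0-9]+-id$'
}

# 0 if NAME matches organisation<N>-tokens.
is_org_tokens_secret_name() {
  printf '%s\n' "$1" | grep -Eq '^organisation[0-9]+-tokens$'
}

# 0 if both names are valid and share the same numeric index, so the Portal
# reads the token set that belongs to the organisation ID it was given.
validate_org_secret_pair() {
  is_org_id_secret_name "$1" || return 1
  is_org_tokens_secret_name "$2" || return 1
  idx_id=${1#organisation};  idx_id=${idx_id%-id}
  idx_tok=${2#organisation}; idx_tok=${idx_tok%-tokens}
  [ "$idx_id" = "$idx_tok" ]
}

# 0 if a comma-separated token list has no empty token and no whitespace.
# A token containing a comma cannot be represented in this format, which is
# why the documentation requires that individual tokens contain none.
tokens_value_is_valid() {
  [ -n "$1" ] || return 1
  case "$1" in
    ,*|*,|*,,*|*[[:space:]]*) return 1 ;;
  esac
  return 0
}

# Prints the number of tokens in a valid list; prints 0 and fails otherwise.
token_count() {
  tokens_value_is_valid "$1" || { printf '0\n'; return 1; }
  printf '%s\n' "$1" | awk -F, '{ print NF }'
}

# Prints the two --set arguments used by the 7.5D Helm command, or prints
# nothing and fails when the secret name pair does not validate.
portal_auth_set_args() {
  validate_org_secret_pair "$1" "$2" || return 1
  printf '%s %s\n' "--set AuthSecrets.orgIdKey=$1" "--set AuthSecrets.orgTokenKey=$2"
}
```

Typical use: `helm upgrade --install cdrplatform-portal cdrplatform-portal $(portal_auth_set_args organisation1-id organisation1-tokens) ...` aborts the deployment when the pair is malformed because the substitution is empty.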
7.4 - MongoDB
Note: if you have previously configured and set up MongoDB within AWS and do not wish to install and manage MongoDB within your cluster, you can skip this step and proceed to installing the Portal services below.
MongoDB operator
helm install community-operator mongodb/community-operator --namespace cdrplatform \
--set operator.version=0.9.0 \
--set agent.version=107.0.0.8465-1 \
--atomic
Install MongoDB
helm upgrade -i cdrplatform-mongodb cdrplatform-mongodb -n cdrplatform --atomic \
--set cloud_provider=aws
After MongoDB is deployed, retrieve the MongoDB connection string and store it in AWS Secrets Manager.
- Retrieve the connection string from the Kubernetes secret
mongodb_conn_str=$(kubectl get secret mongodb-cdrplatform-cdrp-user -o jsonpath='{.data.connectionString\.standard}' | base64 -d)
- Create a new secret in the AWS Secrets Manager with the MongoDB connection string.
aws secretsmanager create-secret --name "mongodb-connectionstring" --secret-string "${mongodb_conn_str}" --region "${region}"
7.5 - Portal
To deploy the Portal service, run the commands below.
7.5A - Deployments without TLS or SSL
Note: The <ip-address> referenced in these commands is the public IP address of the load balancer. This can be retrieved by following the Portal and API Access steps below.
helm upgrade --install cdrplatform-portal cdrplatform-portal \
--set image.registry=glasswallhub.azurecr.io \
--set configuration.OIDC=null \
--set image.tag=166435 \
--set configuration.BackendUrl=http://<ip-address> \
--set configuration.HaloVersion=2.16.0 \
--atomic
7.5B - Deployments with TLS or SSL
If TLS is required, add the --set ingress.tls.enabled=true and --set ingress.tls.domain=<domain_name> parameters, as used in the example below.
In the example below, the same Kubernetes secret created for the API Access service is used to retrieve the TLS certificates.
helm upgrade --install cdrplatform-portal cdrplatform-portal \
--set image.tag=166435 \
--set image.registry=glasswallhub.azurecr.io \
--set ingress.tls.enabled=true \
--set ingress.tls.domain=${domain_name} \
--set ingress.tls.secretName=tls-secret \
--set configuration.BackendUrl=https://${domain_name} \
--set configuration.OIDC=null \
--set configuration.HaloVersion=2.16.0 \
--atomic
7.5C - Enable admin access without authentication
When Single Sign On login is not enabled for the Portal, administrative features such as license management and policy configuration are not accessible.
To enable access to these administrative features without configuring SSO, deploy the Helm chart with the following configuration.
helm upgrade --install cdrplatform-portal cdrplatform-portal \
--set image.tag=166435 \
--set image.registry=glasswallhub.azurecr.io \
--set ingress.tls.enabled=true \
--set ingress.tls.domain=${portal_domain} \
--set ingress.tls.secretName=tls-secret \
--set configuration.AutoAdmin="true" \
--atomic
7.5D - Configure Halo Portal to authenticate APIs
If API authentication is enabled, replace ${organisation1_id} and ${organisation1_tokens} with the names of the corresponding secrets created in AWS Secrets Manager (for example organisation1-id and organisation1-tokens).
helm upgrade --install cdrplatform-portal cdrplatform-portal \
--set image.tag=166435 \
--set image.registry=glasswallhub.azurecr.io \
--set configuration.EnableAuth=true \
--set AuthSecrets.orgIdKey=${organisation1_id} \
--set AuthSecrets.orgTokenKey=${organisation1_tokens} \
--atomic
7.6 - Policy Management API
The Policy Management API is used to manage policies for Glasswall Halo content management flags. This is an optional service; install it if you would like to create and use custom policies.
helm upgrade --install cdrplatform-policy-api cdrplatform-policy-api \
--set image.registry=glasswallhub.azurecr.io \
--set image.tag=165921 \
--set cloud_provider=aws \
--atomic
The Policy API Swagger page can be accessed at:
http://<ip>/swagger/index.html
7.7 - Portal access
The Portal Access service acts as a backend for Portal. It enables the Portal to access the Policy Management API and Synchronous API.
7.7A - Deployments with TLS or SSL
If TLS is required, add the --set ingress.tls.enabled=true and --set ingress.tls.domain=<domain_name> parameters, as used in the example below.
In the example below, the same Kubernetes secret created for the API Access service is used to retrieve the TLS certificates.
helm upgrade --install cdrplatform-portal-access cdrplatform-portal-access \
--set image.registry=glasswallhub.azurecr.io \
--set image.tag=166410 \
--set ingress.tls.enabled=true \
--set ingress.tls.domain=${domain_name} \
--set ingress.tls.secretName=tls-secret \
--set configuration.AuthenticationScheme=None \
--atomic
7.7B - Deployments without TLS or SSL
helm upgrade --install cdrplatform-portal-access cdrplatform-portal-access \
--set image.registry=glasswallhub.azurecr.io \
--set configuration.AuthenticationScheme=None \
--set image.tag=166410 \
--atomic
7.8 - License management
The License management service is used to manage licenses in Glasswall Halo.
helm upgrade --install cdrplatform-license-management cdrplatform-license-management -n license-management \
--set image.registry=glasswallhub.azurecr.io \
--set image.tag=157724 \
--set cloud_provider=aws \
--atomic
7.9 - Clean up service
The Clean up service deletes the original and rebuilt files from the persistent storage after the files are processed.
helm upgrade --install cdrplatform-cleanup cdrplatform-cleanup \
--set image.registry=glasswallhub.azurecr.io \
--set image.tag=165228 \
--set cloud_provider=aws \
--atomic
7.10 - Asynchronous API
The Asynchronous API can be deployed using the command below. A MongoDB database is a prerequisite for the Async API.
helm upgrade --install cdrplatform-async-api cdrplatform-async-api \
--set image.tag=166413 \
--set image.registry=glasswallhub.azurecr.io \
--set cloud_provider=aws \
--atomic
7.11 - Metrics collation (removed from v2.6.2 onwards)
Create collection and enable change streams
MongoDB, including AWS DocumentDB, does not enable change streams for collections by default. For more information, refer to the AWS documentation on enabling change streams.
To enable change streams, connect with mongosh using the connection string retrieved in step 7.4 (held in the mongodb_conn_str variable) and run the following commands.
mongosh "${mongodb_conn_str}"
use cdrplatform
db.createCollection('CDRMetricsCollection')
db.adminCommand({
  modifyChangeStreams: 1,
  database: "cdrplatform",
  collection: "CDRMetricsCollection",
  enable: true
});
The Metrics collation service captures events from CDRPlatform and stores them in MongoDB.
helm upgrade --install cdrplatform-metrics-collation cdrplatform-metrics-collation \
--set image.tag=120018 \
--set image.registry=glasswallhub.azurecr.io \
--set cloud_provider=aws \
--atomic
7.12 - Metrics projection
The Metrics projection service is used to pull reporting data from MongoDB to display it in the Portal UI.
helm upgrade --install cdrplatform-metrics-projection cdrplatform-metrics-projection \
--set image.tag=166407 \
--set image.registry=glasswallhub.azurecr.io \
--set cloud_provider=aws \
--atomic
7.13 - Report extractor
The Report extractor service extracts analysis reports and publishes them for reporting.
helm upgrade --install cdrplatform-report-extractor cdrplatform-report-extractor \
--set image.tag=166411 \
--set image.registry=glasswallhub.azurecr.io \
--set cloud_provider=aws \
--atomic
7.14 - Tally accumulator
The Tally accumulator service tracks and maintains a tally of usage statistics.
helm upgrade --install cdrplatform-tally-accumulator cdrplatform-tally-accumulator \
--set image.tag=165227 \
--set image.registry=glasswallhub.azurecr.io \
--set cloud_provider=aws \
--atomic
7.15 - Storage monitoring service
The Storage Monitoring service provides an API to subscribe to and track changes made to documents in configured storage services such as SharePoint.
TLS must be enabled for the webhook.
Add the --set ingress.tls.enabled=true and --set ingress.tls.domain=<domain_name> parameters, as used in the example below.
In the example below, the same Kubernetes secret created for the API Access service is used to retrieve the TLS certificates.
helm upgrade --install cdrplatform-storage-monitor cdrplatform-storage-monitor --wait --atomic \
--set image.tag="165098" \
--set image.repository="glasswallhub.azurecr.io/cdrplatform-storage-monitor" \
--set configuration.DATABASE__Provider="${database_provider}" \
--set configuration.WEBHOOKS__CallbackBaseAddress="https://${domain_name}" \
--set ingress.tls.enabled=true \
--set ingress.tls.domain=${domain_name} \
--set ingress.tls.secretName=tls-secret
7.16 - Portal & API access
Use the command below to determine the external address of the ingress controller's load balancer:
Note: on AWS the value returned is the load balancer's public hostname, which resolves to the public IP address attached to the AWS load balancer.
kubectl get services --namespace cdrplatform nginx-ingress-ingress-nginx-controller --output jsonpath='{.status.loadBalancer.ingress[0].hostname}'
You can now use the address returned above to navigate to the Portal and API documentation (use https if TLS is enabled):
Portal: http://<ip>
API documentation: http://<ip>/swagger