Version: 2.16.0

Step 8 - Install CDR components

Finally, install the CDR application services. For these charts, ensure you set the image tag to the corresponding tag found in the release notes.

The examples below are pre-populated with the tags for v2.16.0:

8.1 - Engine

enable_reversing_labs=""
helm upgrade --install cdrplatform-engine cdrplatform-engine \
--set image.tag=165275 \
--set image.registry=glasswallhub.azurecr.io \
--set configuration.ENABLE_REVERSING_LABS="${enable_reversing_labs}" \
--set cloud_provider=gcp \
--atomic

8.2 - Synchronous API

helm upgrade --install cdrplatform-sync-api cdrplatform-sync-api \
--set image.tag=166415 \
--set image.registry=glasswallhub.azurecr.io \
--set cloud_provider=gcp

8.3 - API access service

The API Access service acts as a gateway to the Glasswall Halo Synchronous API and the Policy Management API.

It exposes CDR functionality over HTTP. If your environment requires HTTPS with TLS or SSL, follow the installation instructions for enabling TLS or SSL. Otherwise, follow the instructions for installation without TLS or SSL.

8.3A - For deployments without TLS/SSL

helm upgrade --install cdrplatform-api-access cdrplatform-api-access \
--set image.registry=glasswallhub.azurecr.io \
--set image.tag=165925 \
--atomic

8.3B - For deployments with TLS/SSL

To use SSL certificates on the CDR API, create a private key and certificate for the domain to be used.

Create a Kubernetes secret from the key and certificate files using the command below. The command creates a secret named "tls-secret" from the files server.key (private key) and server.crt (certificate). The key should not be passphrase protected in this example.

kubectl create secret tls tls-secret --key server.key --cert server.crt

This secret can then be used to enable TLS on the ingress. Ensure that the domain name is set in the command below:

domain_name=""
helm upgrade --install cdrplatform-api-access cdrplatform-api-access \
--set image.tag=165925 \
--set image.registry=glasswallhub.azurecr.io \
--set ingress.tls.enabled=true \
--set ingress.tls.domain=${domain_name} \
--set ingress.tls.secretName=tls-secret \
--atomic
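
A pre-flight check for server.key and server.crt before they are loaded into tls-secret, as an added example that is not part of the Glasswall documentation. It assumes the openssl CLI is installed, uses hypothetical function names, and goes slightly beyond the text by also checking that the certificate matches the key, covers the domain and is not about to expire.

```shell
#!/usr/bin/env bash
# Added example: pre-flight checks for the files loaded into "tls-secret".
# Function names are hypothetical; the openssl CLI is assumed to be installed.

# Succeeds only if the PEM private key is NOT passphrase protected.
key_is_unencrypted() {
  # Encrypted PKCS#8 keys and legacy encrypted PEM keys both carry a marker.
  if grep -Eq 'BEGIN ENCRYPTED PRIVATE KEY|Proc-Type: 4,ENCRYPTED' "$1"; then
    return 1
  fi
  # The key must parse with an empty passphrase.
  openssl pkey -in "$1" -passin pass: -noout 2>/dev/null
}

# Succeeds only if the certificate's public key belongs to the private key.
cert_matches_key() {
  cert_pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
  key_pub=$(openssl pkey -in "$1" -passin pass: -pubout 2>/dev/null) || return 1
  [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Succeeds only if the certificate is valid for the given host name.
cert_covers_domain() {
  openssl x509 -in "$1" -noout -checkhost "$2" 2>/dev/null | grep -q 'does match'
}

# usage: tls_preflight server.key server.crt domain
# Returns 0 when all checks pass; 1-4 identify the first failing check.
tls_preflight() {
  key_is_unencrypted "$1" ||
    { echo "key is passphrase protected or unreadable" >&2; return 1; }
  cert_matches_key "$1" "$2" ||
    { echo "certificate does not match the private key" >&2; return 2; }
  cert_covers_domain "$2" "$3" ||
    { echo "certificate is not valid for $3" >&2; return 3; }
  # Reject a certificate that expires within the next 24 hours.
  openssl x509 -in "$2" -noout -checkend 86400 >/dev/null 2>&1 ||
    { echo "certificate expires within 24 hours" >&2; return 4; }
}

# Run the checks when called as: script server.key server.crt <domain>
if [ "$#" -eq 3 ]; then
  tls_preflight "$@" && echo "ok: files are ready for kubectl create secret tls"
fi
```

Run it with the same domain that is passed as ingress.tls.domain, so the certificate is checked against the name clients will actually use.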

8.3C - Enable admin access without authentication

When Single Sign-On (SSO) login is not enabled in the portal, administrative features such as license management and policy configuration are not accessible. To enable access to these admin features without setting up SSO, deploy the Helm chart with the following configuration:

portal_domain=""
helm upgrade --install cdrplatform-portal cdrplatform-portal \
--set image.tag=166435 \
--set image.registry=glasswallhub.azurecr.io \
--set ingress.tls.enabled=true \
--set ingress.tls.domain=${portal_domain} \
--set ingress.tls.secretName=tls-secret \
--set configuration.AutoAdmin="true" \
--atomic

8.3D - To enable basic API authentication

Authentication in Glasswall Halo is disabled by default. When enabled, it applies to both the Glasswall Halo Synchronous API and the Policy Management API. To enable authentication:

  • Create two secrets in Google Secrets Manager: one for the organisation ID and one for the organisation tokens.

    • When specifying multiple tokens, separate them with commas.
    • Ensure that individual tokens do not contain commas.
  • Secrets in Google Secrets Manager must follow the naming conventions below.

    • Organisation ID secret

      • Must start with organisation
      • Must end with -id
      • Include a numeric index between the prefix and suffix
      • Examples: organisation0-id, organisation1-id, organisation2-id
    • Organisation tokens secret

      • Must start with organisation
      • Must end with -tokens
      • Include a numeric index between the prefix and suffix
      • Examples: organisation0-tokens, organisation1-tokens, organisation2-tokens
  • Set configuration.AuthenticationScheme=Basic while deploying the Helm chart. For example:

helm upgrade --install cdrplatform-api-access cdrplatform-api-access \
--set image.registry=glasswallhub.azurecr.io \
--set image.tag=165925 \
--set configuration.AuthenticationScheme=Basic \
--atomic
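
A check of secret names and token values against the conventions listed above, as an added example that is not part of the Glasswall documentation. The function names are hypothetical, the sample names are constructed, and the pairing of ID and tokens secrets by index is an assumption drawn from the page's examples.

```shell
#!/usr/bin/env bash
# Added example: check Secret Manager names and token values against the
# conventions listed above. Function names are hypothetical.

# organisation<index>-id or organisation<index>-tokens, index numeric.
valid_secret_name() {
  printf '%s\n' "$1" | grep -Eq '^organisation[0-9]+-(id|tokens)$'
}

# Tokens are comma separated, so an empty field (leading, trailing or doubled
# comma) is a blank token. A comma inside a token cannot be detected here:
# the stored value simply reads as two tokens.
valid_token_list() {
  case "$1" in
    ''|,*|*,|*,,*) return 1 ;;
  esac
  # Assumption: whitespace is rejected, since the page does not say whether
  # values are trimmed before comparison.
  case "$1" in
    *[[:space:]]*) return 1 ;;
  esac
  return 0
}

# Reads secret names (one per line) on stdin and prints each problem found.
# Assumption: the numeric index pairs an ID secret with its tokens secret.
check_secret_set() {
  names=$(cat)
  rc=0
  for name in $names; do
    if ! valid_secret_name "$name"; then
      echo "bad name: $name"; rc=1; continue
    fi
    base=${name%-*}   # e.g. organisation0
    for suffix in id tokens; do
      printf '%s\n' $names | grep -Fqx "${base}-${suffix}" ||
        { echo "missing pair: ${base}-${suffix}"; rc=1; }
    done
  done
  return "$rc"
}

# Constructed sample: organisation1 has an ID secret but no tokens secret.
if [ "$#" -eq 0 ]; then
  printf '%s\n' organisation0-id organisation0-tokens organisation1-id |
    check_secret_set || true
fi
```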

8.4 - Portal

To deploy the Halo Portal service, run the commands below.

8.4A - For deployments without TLS/SSL

Note: the ip_address mentioned in this command refers to the load balancer's public IP address. This can be retrieved through the "Portal & API Access" steps below.

ip_address=""
helm upgrade --install cdrplatform-portal cdrplatform-portal \
--set image.registry=glasswallhub.azurecr.io \
--set configuration.BackendUrl="${ip_address}" \
--set image.tag=166435 \
--set configuration.HaloVersion=2.16.0 \
--set configuration.OIDC=null

8.4B - For deployments with TLS/SSL

If TLS is required, add the --set ingress.tls.enable_tls=true parameter and set portal_domain=<domain name>.

In the example below, the same Kubernetes secret created for the API Access service is used to retrieve the TLS certificates.

portal_domain=""
helm upgrade --install cdrplatform-portal cdrplatform-portal \
--set image.tag=166435 \
--set image.registry=glasswallhub.azurecr.io \
--set ingress.tls.enabled=true \
--set ingress.tls.domain=${portal_domain} \
--set ingress.tls.secretName=tls-secret \
--set configuration.BackendUrl="https://${portal_domain}" \
--atomic

8.5 - Portal access

The Portal access service acts as a backend for Halo Portal. It enables the Halo Portal to access the Policy Management API and Synchronous API.

8.5A - For deployments with TLS/SSL

If TLS is required, add the --set ingress.tls.enable_tls=true and --set ingress.tls.domain=<domain name> parameters.

In the example below, the same Kubernetes secret created for the API access service is used to retrieve the TLS certificates.

domain_name=""
helm upgrade --install cdrplatform-portal-access cdrplatform-portal-access \
--set image.registry=glasswallhub.azurecr.io \
--set image.tag=166410 \
--set ingress.tls.enabled=true \
--set ingress.tls.domain=${domain_name} \
--set ingress.tls.secretName=tls-secret \
--set configuration.AuthenticationScheme=None \
--atomic

8.5B - For deployments without TLS/SSL and authentication

helm upgrade --install cdrplatform-portal-access cdrplatform-portal-access \
--set image.registry=glasswallhub.azurecr.io \
--set configuration.AuthenticationScheme=None \
--set image.tag=166410 \
--atomic

8.6 - MongoDB

MongoDB operator

helm install community-operator mongodb/community-operator --namespace cdrplatform \
--set operator.version=0.9.0 \
--set agent.version=107.0.0.8465-1

MongoDB installation

helm upgrade -i cdrplatform-mongodb cdrplatform-mongodb -n cdrplatform --atomic \
--set cloud_provider=gcp

  • Retrieve the connection string from the Kubernetes secret:

kubectl get secret mongodb-cdrplatform-cdrp-user -o jsonpath='{.data.connectionString\.standard}' | base64 -d

  • Update the Kubernetes secret with the MongoDB connection string (remove and recreate):

kubectl create secret generic cdrplatform-secrets -n cdrplatform \
--from-literal=mongodb-cdrp-password=<Add-Value> \
--from-literal=mongodb-admin-password=<Add-Value> \
--from-literal=mongodb-connectionstring=<Add-Value>

8.7 - Policy Management API

The Policy Management API is used to manage policies for Glasswall Halo content management flags. This is an optional service; install it if you would like to create and use custom policies.

helm upgrade --install cdrplatform-policy-api cdrplatform-policy-api \
--set image.registry=glasswallhub.azurecr.io \
--set image.tag=165921 \
--set cloud_provider=gcp

The Policy API Swagger page can be accessed at:

http://<ip>/swagger/index.html

8.8 - License management API

The License management service is used to manage licenses in Glasswall Halo.

helm upgrade --install cdrplatform-license-management cdrplatform-license-management \
--set image.registry=glasswallhub.azurecr.io \
--set image.tag=157724 \
-n license-management

8.9 - Clean up service

The Clean up service deletes the original and rebuilt files from the persistent storage after the files are processed.

helm upgrade --install cdrplatform-cleanup cdrplatform-cleanup \
--set image.registry=glasswallhub.azurecr.io \
--set cloud_provider=gcp \
--set image.tag=165228

8.10 - Asynchronous API

The Asynchronous API can be deployed using the command below. A MongoDB database is a pre-requisite for the Asynchronous API.

helm upgrade --install cdrplatform-async-api cdrplatform-async-api \
--set image.tag=166413 \
--set image.registry=glasswallhub.azurecr.io \
--set cloud_provider=gcp

8.11 - Metrics collation (removed since version 2.6.2)

The Metrics Collation service captures events from the CDR Platform and stores them in MongoDB. Deploy this service only when using Halo version 2.6.1 or earlier.

helm upgrade --install cdrplatform-metrics-collation cdrplatform-metrics-collation \
--set image.tag=120018 \
--set image.registry=glasswallhub.azurecr.io \
--set cloud_provider=gcp

8.12 - Metrics projection

The Metrics projection service is used to pull reporting data from MongoDB to display in the Portal UI.

helm upgrade --install cdrplatform-metrics-projection cdrplatform-metrics-projection \
--set image.tag=166407 \
--set image.registry=glasswallhub.azurecr.io \
--set cloud_provider=gcp

8.13 - Report extractor

The Report extractor service extracts analysis reports and publishes them for reporting.

helm upgrade --install cdrplatform-report-extractor cdrplatform-report-extractor \
--set image.tag=166411 \
--set image.registry=glasswallhub.azurecr.io \
--set cloud_provider=gcp

8.14 - Tally accumulator

The Tally accumulator service tracks and maintains a tally of usage statistics.

helm upgrade --install cdrplatform-tally-accumulator cdrplatform-tally-accumulator \
--set image.tag=165227 \
--set image.registry=glasswallhub.azurecr.io \
--set cloud_provider=gcp

8.15 - Storage monitoring service

The Storage monitoring service provides an API to subscribe to and track changes made to documents in configured storage services such as SharePoint and OneDrive.

TLS must be enabled for the Webhook.

  • Add the --set ingress.tls.enable_tls=true and --set ingress.tls.domain=<domain name> parameters.

In the example below, the same Kubernetes secret created for the API Access service is used to retrieve the TLS certificates.

domain_name=""
database_provider=""
helm upgrade --install cdrplatform-storage-monitor cdrplatform-storage-monitor --wait --atomic \
--set image.tag="165098" \
--set image.repository="glasswallhub.azurecr.io/cdrplatform-storage-monitor" \
--set configuration.DATABASE__Provider="${database_provider}" \
--set configuration.WEBHOOKS__CallbackBaseAddress="https://${domain_name}" \
--set ingress.tls.enabled=true \
--set ingress.tls.domain=${domain_name} \
--set ingress.tls.secretName=tls-secret

8.16 - Portal & API access

Use the command below to determine the external-IP associated with your cluster:

Note: external-IP will be the same as the public IP address attached to the AWS load balancer.

kubectl get services --namespace cdrplatform nginx-ingress-ingress-nginx-controller --output jsonpath='{.status.loadBalancer.ingress[0].ip}'

You can now use the returned IP above to navigate to the Portal and API documentation.

Note: use HTTPS if TLS is enabled.

Portal: http://<ip>
API documentation: http://<ip>/swagger/index.html


Congratulations, you have successfully deployed Glasswall Halo!