Install Glasswall Halo in minikube

    Prerequisites

    • Access to Glasswall's Artifact Registry
      • In the steps below, the Token and Token ID will be referred to as: token and token_ID.
    • Install & setup Docker
    • Install & setup minikube
      • Ensure it is running via minikube start
    • Minimum system requirements:
      • 4 CPU cores
      • 16 GB memory
    • Install Helm & kubectl

    Step 1 - Get access to Glasswall's Artifact Registry

    Glasswall's Artifact Registry stores container images and Helm charts which you need to complete your Glasswall Halo installation.

    • Run the command below to set minikube as the current context
    kubectl config use-context minikube
    

    All services associated with Glasswall Halo are deployed to a namespace within the target cluster.

    • Create the namespace and then set the default context for the subsequent commands to be this newly created namespace.
    kubectl create namespace "cdrplatform"
    kubectl config set-context --current --namespace="cdrplatform"
    
    • To pull container images and Helm charts from Glasswall Artifact Registry, you need to use your token and token_ID in the following two commands.
    kubectl create secret docker-registry acr-secret \
     --docker-server="glasswallhub.azurecr.io" --docker-username="${token_ID}" --docker-password="${token}"
    
    • Login to the Helm registry using your token_ID and token as shown below.
    helm registry login "glasswallhub.azurecr.io" -u "${token_ID}" -p "${token}"
    

    See Glasswall Artifact Registry for a complete list of hosted container images and Helm charts.

    Step 2 - Pull Helm charts

    Glasswall Halo consists of Glasswall Helm charts hosted in our authenticated Glasswall Artifact Registry, alongside a few industry-recognized third-party charts.

    • Before the charts can be installed, the right versions need to be pulled by Helm.
    • An example pull command is shown below; this needs to be executed for each Helm chart listed.
    helm pull oci://glasswallhub.azurecr.io/<repository> --version <version> --untar --untardir .
    
    • The following example is pre-populated with the versions for v2.4.12.
    helm pull oci://glasswallhub.azurecr.io/helm/cdrplatform-rabbitmq --version 0.6.2 --untar --untardir .
    helm pull oci://glasswallhub.azurecr.io/helm/cdrplatform-external-secrets --version 0.3.3 --untar --untardir .
    helm pull oci://glasswallhub.azurecr.io/helm/cdrplatform-storage --version 0.5.2 --untar --untardir .
    helm pull oci://glasswallhub.azurecr.io/helm/cdrplatform-engine --version 0.1.19 --untar --untardir .
    helm pull oci://glasswallhub.azurecr.io/helm/cdrplatform-sync-api --version 0.2.6 --untar --untardir .
    helm pull oci://glasswallhub.azurecr.io/helm/cdrplatform-portal --version 0.2.1 --untar --untardir .
    helm pull oci://glasswallhub.azurecr.io/helm/cdrplatform-policy-api --version 0.1.0 --untar --untardir .
    helm pull oci://glasswallhub.azurecr.io/helm/cdrplatform-api-access --version 0.1.4 --untar --untardir .
    helm pull oci://glasswallhub.azurecr.io/helm/cdrplatform-portal-access --version 0.0.3 --untar --untardir .
    helm pull oci://glasswallhub.azurecr.io/helm/cdrplatform-license-management --version 0.1.0 --untar --untardir .
    helm pull oci://glasswallhub.azurecr.io/helm/cdrplatform-cleanup --version 0.0.2 --untar --untardir .
    helm pull oci://glasswallhub.azurecr.io/helm/cdrplatform-async-api --version 0.1.1 --untar --untardir .
    helm pull oci://glasswallhub.azurecr.io/helm/cdrplatform-metrics-collation --version 0.0.1 --untar --untardir .
    helm pull oci://glasswallhub.azurecr.io/helm/cdrplatform-metrics-projection --version 0.0.2 --untar --untardir .
    helm pull oci://glasswallhub.azurecr.io/helm/cdrplatform-report-extractor --version 0.0.2 --untar --untardir .
    
    • In order to gain access to the repositories from which our prerequisite components are installed, they must be added:
    helm repo add bitnami https://charts.bitnami.com/bitnami
    helm repo add kedacore https://kedacore.github.io/charts
    helm repo add mongodb https://mongodb.github.io/helm-charts
    helm repo update
    

    Step 3 - Install and configure the Helm charts

    Now that you have access to the Helm charts, they can be deployed.

    • Install the components. The examples below are pre-populated with the tags for v2.4.12.

    Prerequisites

    helm upgrade --install cdrplatform-storage cdrplatform-storage --set cloud_provider=local
    
    helm upgrade --install rabbitmq-cluster-operator bitnami/rabbitmq-cluster-operator --wait \
      --version 3.15.2 \
      --set clusterOperator.image.tag=2.7.0 \
      --set msgTopologyOperator.image.tag=1.13.0 \
      --set credentialUpdaterImage.tag=1.0.4 \
      --set rabbitmqImage.tag=3.12.12-debian-11-r6
    
    helm upgrade --install keda kedacore/keda --wait \
      --version 2.13.0
    
    helm upgrade --install cdrplatform-rabbitmq -n cdrplatform cdrplatform-rabbitmq --wait \
      --set image.repository=glasswallhub.azurecr.io/cdrplatform-rabbitmq \
      --set image.tag=77417 \
      --set cloud_provider=local \
      --set replicas=1
    

    Step 4 - Install Engine

    helm upgrade --install cdrplatform-engine cdrplatform-engine \
      --set cloud_provider=local \
      --set image.tag=104651 \
      --set image.repository=glasswallhub.azurecr.io/cdrplatform-engine
    

    Step 5 - Sync API

    helm upgrade --install cdrplatform-sync-api cdrplatform-sync-api \
      --set cloud_provider=local \
      --set image.tag=104651 \
      --set image.repository=glasswallhub.azurecr.io/cdrplatform-sync-api
    

    Step 6 - API Access Service

    The API Access service acts as a gateway service to access Glasswall Halo's Synchronous API and Policy API.

    helm upgrade --install cdrplatform-api-access -n cdrplatform cdrplatform-api-access \
     --set image.repository=glasswallhub.azurecr.io/cdrplatform-api-access \
     --atomic --set image.tag=104645
    

    For deployments with TLS/SSL

    To configure the CDR API with SSL certificates, create a private key and certificate for the domain to be used.

    Create a Kubernetes secret from the key and crt files using the command below. This command creates a secret named "tls-secret" from the files server.key (private key) and server.crt (certificate). The key should not be passphrase protected in this example.

    You can reference the following links for instructions on how to generate a local self-signed certificate and how to configure the desired domain name in your local hosts file. On Linux and macOS the domain name should point to 127.0.0.1; on Windows, if 127.0.0.1 (IPv4) doesn't work, try ::1 (IPv6).

    kubectl create secret tls tls-secret --key server.key --cert server.crt
    

    This secret can then be used to enable TLS on the ingress as shown in the example below. Make sure to set the $domain_name variable prior to running the command:

    helm upgrade --install cdrplatform-api-access -n cdrplatform cdrplatform-api-access \
      --set image.repository=glasswallhub.azurecr.io/cdrplatform-api-access \
      --set cloud_provider=local \
      --set image.tag=104645 \
      --set ingress.tls.enabled=true \
      --set ingress.tls.domain=$domain_name \
      --set ingress.tls.secretName=tls-secret
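
One way to produce and check the server.key and server.crt files used above, as an added example that is not part of the Glasswall documentation. It assumes OpenSSL 1.1.1 or newer; the function names are hypothetical helpers.

```shell
# Added example (not Glasswall code). Assumes OpenSSL 1.1.1 or newer
# (-addext and -ext are not available in older releases).

# Write an unencrypted key and a self-signed certificate for <domain> into <dir>.
# The domain goes into subjectAltName, which is what browsers match against.
make_selfsigned() (   # usage: make_selfsigned <domain> <dir>
  umask 077           # both files are created readable by their owner only
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
    -keyout "$2/server.key" -out "$2/server.crt" \
    -subj "/CN=$1" -addext "subjectAltName=DNS:$1" 2>/dev/null
)

# Succeed only if the certificate carries the public key of the given private key.
cert_matches_key() (  # usage: cert_matches_key <crt> <key>
  a=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || exit 1
  b=$(openssl pkey -in "$2" -pubout 2>/dev/null) || exit 1
  [ -n "$a" ] && [ "$a" = "$b" ]
)

# Succeed only if <domain> appears as an exact DNS entry in subjectAltName.
cert_covers_domain() {  # usage: cert_covers_domain <crt> <domain>
  openssl x509 -in "$1" -noout -ext subjectAltName 2>/dev/null |
    tr ', ' '\n\n' | grep -Fxq "DNS:$2"
}

# Typical use before `kubectl create secret tls`:
#   make_selfsigned "$domain_name" . &&
#     cert_matches_key server.crt server.key &&
#     cert_covers_domain server.crt "$domain_name"
```

Running both checks before creating tls-secret catches a mismatched key pair or a certificate issued for a different name before the ingress starts serving it.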
    

    Enable API Authentication [Optional]

    Authentication in the Glasswall Halo API is disabled by default. If authentication needs to be enabled:

    • Create two secrets in Kubernetes manually, one for the organisation ID and another for the organisation token.

    • The secrets should follow the naming convention below:

      • The secret for organisation ID should start with organisation and end with -id with a number in between. For example, organisation1-id.
      • The secret for organisation tokens should start with organisation and end with -tokens with a number in between. For example, organisation1-tokens.

    The example command below can be used to create the secrets manually in Kubernetes. Make sure to set the organisation_id and organisation_tokens variables prior to running the command.

    Note: $organisation_tokens can take a comma-delimited list of password values.

    kubectl create secret generic cdrplatform-secrets \
      --from-literal=organisation1-id="$organisation_id" \
      --from-literal=organisation1-tokens="$organisation_tokens"
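
A check of key names against the naming convention above, as an added example that is not part of the Glasswall documentation. The function names are hypothetical, and the pairing rule (each numbered id needs tokens with the same number) and the rejection of empty token entries are assumptions.

```shell
# Added example (not Glasswall code). Validates key names such as those in
# cdrplatform-secrets against the organisation<N>-id / organisation<N>-tokens
# convention. Assumption: every id needs a tokens entry with the same number.
# Key names can be listed with:
#   kubectl get secret cdrplatform-secrets -n cdrplatform \
#     -o go-template='{{range $k, $v := .data}}{{$k}}{{"\n"}}{{end}}'

check_org_keys() (   # usage: check_org_keys <key>...; status 1 on any problem
  ids="" toks="" rc=0
  for k in "$@"; do
    case "$k" in
      organisation*-id)     n=${k#organisation}; n=${n%-id};     kind=id ;;
      organisation*-tokens) n=${k#organisation}; n=${n%-tokens}; kind=tokens ;;
      *) continue ;;   # other keys (for example menlo-api-key) are not checked
    esac
    case "$n" in
      ''|*[!0-9]*) echo "bad key name: $k"; rc=1; continue ;;
    esac
    if [ "$kind" = id ]; then ids="$ids $n"; else toks="$toks $n"; fi
  done
  for n in $ids; do
    case " $toks " in
      *" $n "*) ;;
      *) echo "organisation${n}-id has no organisation${n}-tokens"; rc=1 ;;
    esac
  done
  for n in $toks; do
    case " $ids " in
      *" $n "*) ;;
      *) echo "organisation${n}-tokens has no organisation${n}-id"; rc=1 ;;
    esac
  done
  exit "$rc"
)

# Assumption: an empty entry in the comma-delimited token list (",," or a
# leading/trailing comma, or an empty value) is a mistake and is rejected.
tokens_ok() {   # usage: tokens_ok "$organisation_tokens"
  case ",$1," in
    *,,*) return 1 ;;
  esac
  return 0
}
```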
    

    If enabling API Auth, set configuration.AuthenticationScheme=Basic

    For example:

    helm upgrade --install cdrplatform-api-access -n cdrplatform cdrplatform-api-access \
      --set image.repository=glasswallhub.azurecr.io/cdrplatform-api-access \
      --set image.tag=104645 \
      --set configuration.AuthenticationScheme=Basic \
      --atomic
    
    • To enable API key-based authentication in Menlo, set configuration.MenloAuthenticationScheme=ApiKey. Make sure the menlo-api-key secret has been added to the cdrplatform-secrets secret.
    helm upgrade --install cdrplatform-api-access  cdrplatform-api-access \
      --set image.repository=glasswallhub.azurecr.io/cdrplatform-api-access \
      --set image.tag=104645 \
      --set configuration.MenloAuthenticationScheme=ApiKey \
      --atomic
    

    Step 7 - Install Portal

    To deploy the Portal service, run the command below. If enabling API Auth, set configuration.EnableAuth=true.

    helm upgrade --install cdrplatform-portal cdrplatform-portal \
      --set image.tag=104561 \
      --set image.repository=glasswallhub.azurecr.io/cdrplatform-portal \
      --set configuration.BackendUrl=http://localhost:8080 \
      --set configuration.OIDC=null \
      --atomic
    

    Step 8 - Portal Access

    Portal Access acts as a backend for Portal. It enables Portal to access the Policy API and Sync API.

    Without authentication

    helm upgrade --install cdrplatform-portal-access cdrplatform-portal-access \
     --set image.repository=glasswallhub.azurecr.io/cdrplatform-portal-access \
     --set image.tag=104650 \
     --set configuration.AuthenticationScheme=None \
     --atomic
    

    Step 9 - License Management

    The License Management service is used to manage licenses in Glasswall Halo.

    helm upgrade --install cdrplatform-license-management cdrplatform-license-management -n license-management \
      --set image.repository=glasswallhub.azurecr.io/cdrplatform-license-management \
      --set image.tag=99809 \
      --atomic
    

    Step 10 - Clean up Service

    The Clean up service deletes the original and rebuilt files from the persistent storage after the files are processed.

    helm upgrade --install cdrplatform-cleanup cdrplatform-cleanup \
      --set image.repository=glasswallhub.azurecr.io/cdrplatform-cleanup \
      --set cloud_provider=local \
      --set image.tag=104082 \
      --atomic
    

    Step 11 - MongoDB

    MongoDB Operator

    helm install community-operator mongodb/community-operator --namespace cdrplatform \
      --set operator.version=0.9.0 \
      --set agent.version=107.0.0.8465-1 \
      --atomic
    

    MongoDB

    helm upgrade -i cdrplatform-mongodb cdrplatform-mongodb -n cdrplatform --atomic \
      --set cloud_provider=local
    

    Step 12 - Policy API

    Policy API

    The Policy API is used to manage policies for Glasswall Halo content management flags.

    Note: this is an optional service, so only install this if you would like to create and use custom policies.

    helm upgrade --install cdrplatform-policy-api  cdrplatform-policy-api \
      --set image.tag=102917 \
      --set image.repository=glasswallhub.azurecr.io/cdrplatform-policy-api \
      --set secretsFromRef[0].STORAGE__ConnectionString.secretName="mongodb-cdrplatform-cdrp-user" \
      --set secretsFromRef[0].STORAGE__ConnectionString.key="connectionString.standard" \
      --atomic
    

    Step 13 - Async API

    The Asynchronous API can be deployed using the command below. A MongoDB database is a pre-requisite for the Async API.

    helm upgrade --install cdrplatform-async-api cdrplatform-async-api \
      --set image.tag=104647 \
      --set image.repository=glasswallhub.azurecr.io/cdrplatform-async-api \
      --set secretsFromRef[0].STORAGE__ConnectionString.secretName="mongodb-cdrplatform-cdrp-user" \
      --set secretsFromRef[0].STORAGE__ConnectionString.key="connectionString.standard" \
      --atomic
    

    Step 14 - Metrics Collation

    The Metrics Collation service captures events from Glasswall Halo and stores them in MongoDB.

    helm upgrade --install cdrplatform-metrics-collation cdrplatform-metrics-collation \
      --set image.tag=104050 \
      --set image.repository=glasswallhub.azurecr.io/cdrplatform-metrics-collation \
      --set cloud_provider=local \
      --set secretsFromRef[0].STORAGE__ConnectionString.secretName="mongodb-cdrplatform-cdrp-user" \
      --set secretsFromRef[0].STORAGE__ConnectionString.key="connectionString.standard" \
      -f cdrplatform-metrics-collation/values.yaml \
      --atomic
    

    Step 15 - Metrics Projection

    The Metrics Projection service is used to pull reporting data from MongoDB to display in the Portal UI.

    helm upgrade --install cdrplatform-metrics-projection cdrplatform-metrics-projection \
      --set image.tag=104784 \
      --set image.repository=glasswallhub.azurecr.io/cdrplatform-metrics-projection \
      --set cloud_provider=local \
      --set secretsFromRef[0].STORAGE__ConnectionString.secretName="mongodb-cdrplatform-cdrp-user" \
      --set secretsFromRef[0].STORAGE__ConnectionString.key="connectionString.standard" \
      -f cdrplatform-metrics-projection/values.yaml \
      --atomic
    

    Step 16 - Report Extractor

    The Report Extractor service extracts analysis reports and publishes them for reporting.

    helm upgrade --install cdrplatform-report-extractor cdrplatform-report-extractor \
      --set image.tag=104665 \
      --set image.repository=glasswallhub.azurecr.io/cdrplatform-report-extractor \
      --atomic
    

    Step 17 - Tally Accumulator

    The Tally accumulator service tracks and maintains a tally of usage statistics.

    helm upgrade --install cdrplatform-tally-accumulator cdrplatform-tally-accumulator --wait --atomic \
      --set image.tag=104053 \
      --set image.repository=glasswallhub.azurecr.io/cdrplatform-tally-accumulator \
      --set cloud_provider=local \
      --set secretsFromRef[0].STORAGE__ConnectionString.secretName="mongodb-cdrplatform-cdrp-user" \
      --set secretsFromRef[0].STORAGE__ConnectionString.key="connectionString.standard" \
      -f cdrplatform-tally-accumulator/values.yaml \
      -n cdrplatform
    

    Step 18 - Expose API and Portal service to the host system via localhost.

    Run the minikube tunnel command in a separate terminal window:

    minikube tunnel
    

    Step 19 - API and Portal Access

    To access the API or Portal, navigate to the URLs below in a browser:

    #API
    http://localhost/swagger/index.html
    
    #Portal
    http://localhost/
    

    If TLS/SSL was configured, use the URLs below, replacing <domain_name> with the domain name you configured earlier.

    #API
    https://<domain_name>/swagger/index.html
    
    #Portal
    https://<domain_name>/
    
