Deploying a Cyberwatch satellite node on an existing Kubernetes cluster
This page describes the steps involved in deploying a Cyberwatch satellite node on an existing Kubernetes cluster. This procedure assumes that the user has a basic knowledge of the Kubernetes orchestrator and Helm.
Requirements
Have a Cyberwatch master node configured to allow connection of a satellite node and have SSH access to this master node.
If the master node uses external databases. These databases must be accessible to the Kubernetes cluster.
Have an environment with Helm (version > 3.8.0) and Kubectl installed, configured to access the Kubernetes cluster.
The Kubernetes cluster must have installed:
- a DNS resolver such as
core-dns; - a working
ingress-controller, the OVH documentation provides an example to set up one; - a storage class able to dynamically handle
PersistentVolumesthrough aStorageClass.
To make sure the cluster has a DNS resolver:
kubectl cluster-info- a DNS resolver such as
Deployment steps
Log in to the Helm repository:
helm registry login harbor.cyberwatch.frFill in the username prefixed with
cbw$, then fill in the password.These credentials are the ones in your Cyberwatch license, if you happen to not have it, please contact us at support@cyberwatch.fr.
Create and edit the configuration file
values.yml.It’s necessary to store the file
values.ymlin a secure way. The file is required for the update of Docker images or for the update of the Helm chart.The following steps describe how to set up a minimal configuration file for deploying the Cyberwatch satellite.
Here is an example of the
values.ymlin its minimal configuration:global: pki: root_ca: cbw-root-ca-cert image: registryCredentials: - name: cyberwatch-credentials registry: harbor.cyberwatch.fr/cbw-on-premise username: "changeme" password: "changeme" node: name: cyberwatch-node-name type: satellite nginx: resolver: "changeme" ingress: enabled: true ingressClassName: "changeme" host: "changeme" tls: selfSigned: true cron: enabled: false thirdParties: enabled: false database: external: true host: "changeme" password: "changeme" root_password: "changeme" redis: external: true host: "changeme" password: "changeme" key: base: "changeme" credential: "changeme"Set the credentials used to pull the docker images. The username and password are the same as those used to login to the Helm chart repository.
global: image: registryCredentials: - name: cyberwatch-credentials registry: harbor.cyberwatch.fr/cbw-on-premise username: "changeme" password: "changeme"Configure the name of the node in the Cyberwatch application with the
node.nameparameter:node: name: cyberwatch-node-name type: satelliteConfigure the
nginx.resolverfield to the IP address of the DNS service of the Kubernetes cluster.Get the IP address of the
kube-dnsDNS resolver:kubectl -n kube-system get svc kube-dnsAssign the IP address of the DNS resolver of the Kubernetes cluster to the field
nginx.resolver.Example:
nginx: resolver: 10.3.0.10
Configure the ingress.
The field
ingress.ingressClassNameis used to define whichIngressClasswill be used to implement theIngress. This value must be pointing to a validIngressClassname. AvailableIngressClasson the cluster can be listed with the command below:kubectl get ingressclassesAssign the selected value to the
ingress.ingressClassNamefield and the domain name that will accept requests to theingress.hostfield.Example:
ingress: enabled: true ingressClassName: nginx host: cyberwatch.example.com tls: selfSigned: trueThe IP address that corresponds to the domain name must be the IP address of the cluster load balancer.
Configure access to databases and to the Cyberwatch application
Assign IP addresses for the connections to the databases in the fields
database.hostetredis.host.database: external: true host: "changeme" redis: external: true host: "changeme"Connect to the master node via SSH and display the passwords:
sudo cyberwatch show-secrets MYSQL_ROOT_PASSWORD=... MYSQL_PASSWORD=... REDIS_PASSWORD=... SECRET_KEY_BASE=... SECRET_KEY_CREDENTIAL=...Enter the database passwords obtained in the corresponding fields:
database: external: true host: "changeme" password: "MYSQL_PASSWORD" root_password: "MYSQL_ROOT_PASSWORD" redis: external: true host: "changeme" password: "REDIS_PASSWORD"Enter your cyberwatch application login details:
key: base: "SECRET_KEY_BASE" credential: "SECRET_KEY_CREDENTIAL"
Disable usage of containers
cronandthirdPartiesby setting the following parameter:cron: enabled: false thirdParties: enabled: falseCreate the cyberwatch namespace on the cluster.
kubectl create namespace cyberwatchConfigure the root certificate allowing connection to the Cyberwatch master node.
Connect to the master node via SSH and display the root certificate:
sudo cyberwatch show-root-certStore the root certificate in a file named
./cbw-root-ca-cert.pem:cat <<EOF > ./cbw-root-ca-cert.pem -----BEGIN CERTIFICATE----- ... -----END CERTIFICATE----- EOFImport root certificate as a secret on the Kubernetes cluster:
kubectl -n cyberwatch create secret generic cbw-root-ca-cert --from-file=./cbw-root-ca-cert.pem
Generate a couple of SSH keys and save them as a secret.
ssh-keygen -q -N '' -f ./id_ed25519 -t ed25519 kubectl -n cyberwatch create secret generic web-scanner-ssh-authorized-keys --from-file=authorized_keys="./id_ed25519.pub" kubectl -n cyberwatch create secret generic ssh-private-key --from-file="./id_ed25519"Deploy the Helm chart to your cluster:
helm -n cyberwatch install cyberwatch oci://harbor.cyberwatch.fr/cbw-on-premise/cyberwatch-chart -f values.ymlThe deployment of the Helm chart will use the configurations of the
values.ymlfile to configure the application.Verify the status of all the pods:
kubectl -n cyberwatch get pods
When all the pods are running, connect to the master node’s web interface to check the link with the satellite node. You can also check if sidekiq is communicating with the master node:
kubectl -n cyberwatch logs $(kubectl -n cyberwatch get pods -l app=sidekiq -o jsonpath='{.items[*].metadata.name}')