Deploying a Cyberwatch satellite node on an existing Kubernetes cluster
This page describes the steps involved in deploying a Cyberwatch satellite node on an existing Kubernetes cluster. This procedure assumes that the user has a basic knowledge of the Kubernetes orchestrator and Helm.
Deployment steps
Have a Cyberwatch master node configured to allow connection of a satellite node and have SSH access to this master node.
Have a cluster that meets the software’s technical prerequisites.
Log in to the Helm registry:
helm registry login harbor.cyberwatch.fr
Enter the username prefixed with cbw$, then the password. These credentials are the ones in your Cyberwatch license; if you do not have it, contact support@cyberwatch.com.
Create and edit the configuration file values.yml
The values.yml file must be stored securely: it contains the registry credentials, the database passwords and the application secret keys in clear text, and it is needed again for every update of the Docker images or of the Helm chart. The following steps describe how to set up a minimal configuration file for deploying the Cyberwatch satellite.
Here is an example of values.yml in its minimal configuration:
global:
  pki:
    root_ca: cbw-root-ca-cert
  image:
    registryCredentials:
      - name: cyberwatch-credentials
        registry: harbor.cyberwatch.fr/cbw-on-premise
        username: "changeme"
        password: "changeme"
node:
  name: cyberwatch-node-name
  type: satellite
nginx:
  resolver: "changeme"
ingress:
  enabled: true
  hosts:
    - hostname: cyberwatch.example.com
      ingressClassName: nginx
  tls:
    enabled: true
thirdParties:
  enabled: false
database:
  external: true
  host: "changeme"
  password: "changeme"
  root_password: "changeme"
redis:
  external: true
  host: "changeme"
  password: "changeme"
key:
  base: "changeme"
  credential: "changeme"
Set the credentials used to pull the Docker images. The username and password are the same as those used to log in to the Helm registry:
global:
  image:
    registryCredentials:
      - name: cyberwatch-credentials
        registry: harbor.cyberwatch.fr/cbw-on-premise
        username: "changeme"
        password: "changeme"
Configure the name under which the node appears in the Cyberwatch application with the node.name parameter (node.type stays satellite for this procedure):
node:
  name: cyberwatch-node-name
  type: satellite
Set the nginx.resolver field to the IP address of the DNS service of the Kubernetes cluster. Get the cluster IP of the kube-dns service:
kubectl -n kube-system get svc kube-dns
Assign that cluster IP to the nginx.resolver field. Example:
nginx:
  resolver: 10.3.0.10
Configure the ingress
One or more ingresses can be configured in the ingress.hosts field. Each entry must have a unique hostname and an ingressClassName. The IngressClass resources available on the cluster can be listed with:
kubectl get ingressclasses
Assign the selected class to the ingressClassName field and the domain name which will accept requests to the hostname field. Example:
ingress:
  enabled: true
  hosts:
    - hostname: cyberwatch.example.com
      ingressClassName: nginx
  tls:
    enabled: true
The DNS record for that domain name must resolve to the IP address of the cluster load balancer through which the ingress controller is reached.
If necessary, further information is available in the comments of the default Helm chart configuration file (see the optional section at the end of this page).
Configure access to the databases and to the Cyberwatch application
Set the addresses of the database servers in the database.host and redis.host fields:
database:
  external: true
  host: "changeme"
redis:
  external: true
  host: "changeme"
Connect to the master node via SSH and display the secrets:
sudo cyberwatch show-secrets
MYSQL_ROOT_PASSWORD=...
MYSQL_PASSWORD=...
REDIS_PASSWORD=...
SECRET_KEY_BASE=...
SECRET_KEY_CREDENTIAL=...
Enter the database passwords obtained in the corresponding fields:
database:
  external: true
  host: "changeme"
  password: "MYSQL_PASSWORD"
  root_password: "MYSQL_ROOT_PASSWORD"
redis:
  external: true
  host: "changeme"
  password: "REDIS_PASSWORD"
Enter the application secret keys in the key section. These must be the master node's values shown by show-secrets, not freshly generated ones:
key:
  base: "SECRET_KEY_BASE"
  credential: "SECRET_KEY_CREDENTIAL"
Disable the cron and thirdParties containers on the satellite by setting:
cron:
  enabled: false
thirdParties:
  enabled: false
Create the cyberwatch namespace on the cluster:
kubectl create namespace cyberwatch
Configure the root certificate that allows the satellite to connect to the Cyberwatch master node. Connect to the master node via SSH and display the root certificate:
sudo cyberwatch show-root-cert
Store the root certificate in a file named ./cbw-root-ca-cert.pem:
cat <<EOF > ./cbw-root-ca-cert.pem
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
EOF
Import the root certificate as a secret on the Kubernetes cluster. The secret name must match the value of global.pki.root_ca in values.yml:
kubectl -n cyberwatch create secret generic cbw-root-ca-cert --from-file=./cbw-root-ca-cert.pem
Generate an SSH key pair and store it as two secrets. The private key is created without a passphrase (-N '') because it is consumed from a Kubernetes secret, so protect the local files and delete them once the secrets exist:
ssh-keygen -q -N '' -f ./id_ed25519 -t ed25519
kubectl -n cyberwatch create secret generic web-scanner-ssh-authorized-keys --from-file=authorized_keys="./id_ed25519.pub"
kubectl -n cyberwatch create secret generic ssh-private-key --from-file="./id_ed25519"
Deploy the Helm chart to your cluster:
helm -n cyberwatch install cyberwatch oci://harbor.cyberwatch.fr/cbw-on-premise/cyberwatch-chart -f values.yml
The deployment of the Helm chart uses the values.yml file to configure the application. Verify the status of all the pods:
kubectl -n cyberwatch get pods
When all the pods are running, connect to the master node's web interface to check the link with the satellite node. You can also check that sidekiq is communicating with the master node by reading its logs (the label selector form works whether there is one sidekiq pod or several):
kubectl -n cyberwatch logs -l app=sidekiq
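The following script is an added example written for this page; it is not part of the Cyberwatch documentation or of the Helm chart. It is a pre-flight check to run on values.yml before helm install: it fails if any "changeme" placeholder is left in the file and if nginx.resolver is not an IPv4 address such as the kube-dns cluster IP, which are the two mistakes that most often leave a first satellite deploy broken without an obvious error. The key names it inspects are those of the minimal configuration above; the script, its function names and the cluster_dns_ip helper (a kubectl jsonpath query, only needed if you want the script to fetch the resolver address for you) are assumptions of this example.

```shell
#!/bin/sh
# Added example, not part of the Cyberwatch documentation or chart: a pre-flight
# check for values.yml before `helm -n cyberwatch install ...`.
# POSIX sh plus grep/awk; the checks themselves need no cluster access.

# cluster_dns_ip: print the cluster IP of the kube-dns service, i.e. the value
# expected in nginx.resolver. The only function here that requires kubectl;
# it is not used by the checks below.
cluster_dns_ip() {
    kubectl -n kube-system get svc kube-dns -o jsonpath='{.spec.clusterIP}'
}

# check_no_placeholders FILE: 0 if no "changeme" placeholder is left,
# 1 otherwise (offending lines are listed on stderr).
check_no_placeholders() {
    if grep -n 'changeme' "$1" >/dev/null 2>&1; then
        echo "placeholders still present in $1:" >&2
        grep -n 'changeme' "$1" >&2
        return 1
    fi
    return 0
}

# get_resolver FILE: print the value of nginx.resolver with quotes stripped.
# Only the top-level "nginx:" block is inspected, so a "resolver:" key that
# belongs to another section is ignored.
get_resolver() {
    awk '
        /^nginx:/                       { in_nginx = 1; next }
        /^[^[:space:]#]/                { in_nginx = 0 }
        in_nginx && $1 == "resolver:"   { gsub(/"/, "", $2); print $2; exit }
    ' "$1"
}

# is_ipv4 STRING: 0 if STRING is a dotted-quad IPv4 address, 1 otherwise.
is_ipv4() {
    printf '%s\n' "$1" | awk -F. '
        NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++)
              if ($i !~ /^[0-9]+$/ || length($i) > 3 || $i > 255) exit 1 }
        { exit 0 }'
}

# check_resolver FILE: 0 if nginx.resolver is an IPv4 address, 1 if it is
# unset, still a placeholder, or a hostname.
check_resolver() {
    resolver=$(get_resolver "$1")
    if ! is_ipv4 "$resolver"; then
        echo "nginx.resolver must be the kube-dns cluster IP, got '${resolver:-<unset>}'" >&2
        return 1
    fi
    return 0
}

# preflight FILE: run every check; 0 only if all of them pass.
preflight() {
    rc=0
    check_no_placeholders "$1" || rc=1
    check_resolver "$1"        || rc=1
    return $rc
}

# Stand-alone usage:
#   sh preflight.sh values.yml && helm -n cyberwatch install cyberwatch \
#       oci://harbor.cyberwatch.fr/cbw-on-premise/cyberwatch-chart -f values.yml
if [ -n "${1:-}" ]; then
    preflight "$1"
fi
```

The placeholder check is deliberately a flat grep rather than a YAML parse: any "changeme" anywhere in the file is wrong, whichever key it belongs to, and a grep cannot be fooled by unusual indentation. The resolver check is scoped to the top-level nginx block so that it reads the field the chart actually uses.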
(Optional) Retrieve the default configuration file of the Helm chart
The above documentation shows the steps to follow to set up a minimal configuration of Cyberwatch.
It is possible to download the default configuration file of the Cyberwatch Helm chart, in order to start from a complete file that indicates which default values can be changed.
Using this file is recommended if you wish to deviate from the minimal configuration described in this documentation, for example to set up a TLS certificate.
To retrieve the default configuration file of the Helm chart:
helm show values oci://harbor.cyberwatch.fr/cbw-on-premise/cyberwatch-chart > values.yml
This file can then be modified according to your needs and the Helm chart deployed from it. Note that the command overwrites any existing values.yml in the current directory, so run it before filling in your secrets or redirect it to another file name.