Deploying Resilient Package Proxy (RPP)
The following steps describe how to deploy RPP.
Note: Ensure that you have deployed the Log Forwarder before deploying the RPP. For more information about deploying the Log Forwarder, refer to the section Deploying the Log Forwarder.
1. Run the following command on the Jump box to generate the common certificate from the ESA certificates.
CertificatesSetup_Linux_x64_<Version>.sh -u <User> -p <Password> -h <Hostname or IP address of ESA> --port <Port number of ESA> -d <Directory>
For example:
CertificatesSetup_Linux_x64_<Version>.sh -u admin -p admin12345 -h 10.10.10.10 --port 8443 -d rpproxy
Note: The ESA password passed with -p is recorded in the shell history and is visible in the process list of the Jump box while the script runs; clear the history entry after use and keep the output directory readable only by you.
For more information about generating the ESA certificates, refer to the section Creating Certificates.
The following files are created:
- CA.pem
- cert.key
- cert.pem
- secret.txt
2. Run the following command to create a Kubernetes secret using the common certificate generated in step 1.
kubectl -n <Namespace> create secret generic common-certs --from-file=CA.pem=./CA.pem --from-file=cert.key=./cert.key --from-file=cert.pem=./cert.pem --from-file=secret.txt=./secret.txt
Specify this secret as the value of the commonCertSecrets parameter in the values.yaml file. In this case, this secret is used in the following ways:
- RPP uses the certificate for the upstream TLS connection over which it downloads the policy packages from the ESA.
- The protector uses the certificate as a client certificate for the TLS connection over which it downloads the policy packages from the RPP.
If you do not specify any value for the commonCertSecrets parameter, then you need to specify separate values for the rpp/upstream/certificateSecret and service/certificateSecret parameters.
3. Run the following command on the Jump box to generate the upstream certificate between the ESA and the RPP.
CertificatesSetup_Linux_x64_<Version>.sh -u <User> -p <Password> -h <Hostname or IP address of ESA> --port <Port number of ESA> -d <Directory>
For example:
CertificatesSetup_Linux_x64_<Version>.sh -u admin -p admin12345 -h 10.10.10.10 --port 8443 -d <Full_Path>/rpproxy
For more information about generating the ESA certificates, refer to the section Creating Certificates.
The following files are created:
- CA.pem
- cert.key
- cert.pem
- secret.txt
Note: This certificate is created only if you are not using the common certificate.
4. Run the following command to create a Kubernetes secret using the upstream certificate generated in step 3.
kubectl -n <Namespace> create secret generic upstream-certs --from-file=CA.pem=./CA.pem --from-file=cert.key=./cert.key --from-file=cert.pem=./cert.pem --from-file=secret.txt=./secret.txt
Note: This secret is created only if you are not using the common certificate.
Specify this secret as the value of the rpp/upstream/certificateSecret parameter in the values.yaml file.
5. Run the following command to generate the service TLS certificate.
CreateCertificate_Linux_x64_<Version>.sh server --name <Directory> --dns <Release_Name>.<Namespace>.svc
For example:
CreateCertificate_Linux_x64_<Version>.sh server --name rpproxy --dns rpp.iap-java.svc
For more information about generating the server certificates, refer to the section Creating Certificates.
The following server certificate files are created in the rpproxy folder:
- cert.pem
- cert.key
- CA.pem
- secret.txt
The RPP presents this certificate as its server certificate, and the protector uses it to authenticate the RPP before downloading policy packages. The DNS name in the certificate must therefore match the in-cluster service name that the protector connects to.
Ensure that the namespace and release name that you specify in this command are the same names that you use later when you run helm install to deploy the RPP Helm chart.
Note: This certificate is created only if you are not using the common certificate.
6. Run the following command to generate the secret for the service TLS certificate.
kubectl -n <Namespace> create secret generic service-certs --from-file=CA.pem=<path-to-CA.pem> --from-file=cert.key=<path-to-cert.key> --from-file=cert.pem=<path-to-cert.pem> --from-file=secret.txt=<path-to-secret.txt>
For more information about generating the server certificates, refer to the section Creating Certificates.
Note: This secret is created only if you are not using the common certificate.
Specify this secret as the value of the service/certificateSecret parameter in the values.yaml file.
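Before the files from steps 1, 3 and 5 are turned into secrets in steps 2, 4 and 6, it is worth checking that they actually belong together and that the service certificate carries the <Release_Name>.<Namespace>.svc name the protector will connect to; a mismatch only surfaces later as a TLS failure at the protector, not at helm install. The following POSIX shell script is an added example written for this page, not one of the product's own scripts. It assumes the four file names shown above, the openssl CLI on the Jump box, and the secret name service-certs from step 6; the function and helper names are the example's own.

```shell
#!/bin/sh
# Added example (not part of the product tooling): preflight checks on the
# certificate directory produced by CertificatesSetup_*.sh / CreateCertificate_*.sh
# before it is turned into a Kubernetes secret. Requires the openssl CLI.
#
#   check_rpp_cert_dir <dir> <Release_Name> <Namespace>   -> 0 if ready, 1 otherwise
#   secret_create_cmd  <dir> <Namespace> <secret-name>     -> prints the kubectl command

# Return 0 if the SAN list of the certificate in $1 contains exactly "DNS:$2".
san_contains() {
  openssl x509 -noout -text -in "$1" |
    grep -A1 'Subject Alternative Name' | tail -n 1 |
    tr ',' '\n' | sed 's/^[[:space:]]*//' | grep -qxF "DNS:$2"
}

check_rpp_cert_dir() {
  dir=$1; release=$2; ns=$3
  expected="${release}.${ns}.svc"   # the --dns value given to CreateCertificate_*.sh
  rc=0
  # 1. all four files the scripts produce must be present and non-empty
  for f in CA.pem cert.key cert.pem secret.txt; do
    if [ ! -s "$dir/$f" ]; then echo "missing or empty: $dir/$f"; rc=1; fi
  done
  [ "$rc" -eq 0 ] || return 1
  # 2. the private key must belong to the certificate (compare the public keys)
  if [ "$(openssl x509 -noout -pubkey -in "$dir/cert.pem")" != \
       "$(openssl pkey -pubout -in "$dir/cert.key")" ]; then
    echo "cert.key does not match cert.pem"; rc=1
  fi
  # 3. cert.pem must chain to CA.pem, which is what the protector trusts
  if ! openssl verify -CAfile "$dir/CA.pem" "$dir/cert.pem" >/dev/null 2>&1; then
    echo "cert.pem does not verify against CA.pem"; rc=1
  fi
  # 4. the SAN must carry the in-cluster name the protector will connect to
  if ! san_contains "$dir/cert.pem" "$expected"; then
    echo "cert.pem has no SAN entry DNS:$expected"; rc=1
  fi
  # 5. key material must not be readable by other users on the Jump box
  for f in cert.key secret.txt; do
    if ls -ld "$dir/$f" | cut -c5-10 | grep -q '[rwx]'; then
      echo "$dir/$f is group- or world-readable; chmod 600 it"; rc=1
    fi
  done
  return "$rc"
}

# Print the kubectl command for the secret. Note --from-file: --from-literal
# would store the literal path string as the secret value, not the file contents.
secret_create_cmd() {
  dir=$1; ns=$2; name=$3
  printf 'kubectl -n %s create secret generic %s' "$ns" "$name"
  for f in CA.pem cert.key cert.pem secret.txt; do
    printf ' --from-file=%s=%s/%s' "$f" "$dir" "$f"
  done
  printf '\n'
}

# When run directly: rpp-cert-preflight.sh <dir> <Release_Name> <Namespace>
if [ "$#" -eq 3 ]; then
  check_rpp_cert_dir "$1" "$2" "$3" && secret_create_cmd "$1" "$3" service-certs
fi
```

Run it as `sh rpp-cert-preflight.sh <Full_Path>/rpproxy rpp iap-java` for the example values on this page; it prints the secret-creation command only when every check passes, so the command can be piped to a shell once reviewed. The same directory check applies unchanged to the common and upstream certificate directories from steps 1 and 3, except that the SAN check is only meaningful for the service certificate.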
7. On the Linux instance, navigate to the location where you have extracted the Helm charts to deploy the RPP.
For more information about the extracted Helm charts, refer to the section Initializing the Linux instance.
The rp-proxy > values.yaml file contains the default configuration values for deploying the RPP container on the Kubernetes cluster.
```yaml
...
podSecurityContext:
  fsGroup: 1000
...
#-- k8s secret for storing common certificates
# eg. kubectl command:
# kubectl -n $RPP_NAMESPACE create secret generic common-certs \
#   --from-file=CA.pem=<path-to-CA.pem> --from-file=cert.key=<path-to-cert.key> \
#   --from-file=cert.pem=<path-to-cert.pem> --from-file=secret.txt=<path-to-secret.txt>
commonCertSecrets:
rpp:
  #-- upstream configuration
  # host: Upstream host to connect
  # port: Upstream port to connect
  upstream:
    host:
    port: 25400
    #-- certificateSecret : k8s secret for storing upstream tls certificates
    # NOTE : Only to be set when not using common certificate secret
    # eg. kubectl command:
    # kubectl -n $RPP_NAMESPACE create secret generic upstream-certs \
    #   --from-file=CA.pem=<path-to-CA.pem> --from-file=cert.key=<path-to-cert.key> \
    #   --from-file=cert.pem=<path-to-cert.pem> --from-file=secret.txt=<path-to-secret.txt>
    certificateSecret:
#-- logging configuration
# logLevel: Specifies the logging level for rpproxy
#   INFO (default)
#   ERROR
#   WARN
#   DEBUG
#   TRACE
# logHost: Host to forward the logs (Default : 127.0.0.1)
# logPort: Port to forward the logs (Default : 15780)
logging:
  logLevel: "INFO"
  logHost: "127.0.0.1"
  logPort: 15780
#-- service configuration
# certificateSecret : k8s secret for storing service tls certificates
# NOTE : Only to be set when not using common certificate secret
# eg. kubectl command:
# kubectl -n $RPP_NAMESPACE create secret generic service-certs \
#   --from-file=CA.pem=<path-to-CA.pem> --from-file=cert.key=<path-to-cert.key> \
#   --from-file=cert.pem=<path-to-cert.pem> --from-file=secret.txt=<path-to-secret.txt>
# cacheTTL:
#   TTL sets the duration (in seconds) for which a cached item is considered fresh.
#   When a cached item's TTL expires, the item is revalidated.
service:
  certificateSecret:
  cacheTTL: 60
...
```
8. Modify the default values in the values.yaml file as required.
| Field | Description |
|---|---|
| podSecurityContext | Specify the privilege and access control settings for the pod. The default sets fsGroup to 1000. |
| commonCertSecrets | Specify the Kubernetes secret, which you have created in step 2, for storing the common certificates. If you specify the value of this parameter, then do not specify the values for the rpp/upstream/certificateSecret and service/certificateSecret parameters. The same common certificate will be used by RPP to download the policy packages from the ESA and by the protector to download the policy packages from the RPP. |
| rpp/upstream/host | Specify the host name or IP address of the upstream server that is providing the policy packages. The upstream server can be another RPP or the ESA. |
| rpp/upstream/port | Specify the port number of the upstream server that is providing the policy packages. The default value is 25400. |
| rpp/upstream/certificateSecret | Specify the Kubernetes secret that you created in step 4, which contains the certificate RPP uses for the TLS connection to the ESA or upstream RPP. Note: Set this parameter only if you are not using the commonCertSecrets parameter. |
| logging/logLevel | Specify the application log level at runtime. You can set one of the following values: INFO, ERROR, WARN, DEBUG, or TRACE. The default value is INFO. |
| logging/logHost | Specify the service hostname of the Log Forwarder to which the logs are forwarded, in the form <Helm_Installation_Name>-<Helm_Chart_Name>.<Namespace>.svc, for example iaplog-logforwarder.iap-java.svc. The value shipped in values.yaml is 127.0.0.1; replace it with the Log Forwarder service name. |
| logging/logPort | Specify the service port of the Log Forwarder, where the logs are forwarded. The default value is 15780. |
| service/certificateSecret | Specify the Kubernetes secret that you created in step 6, which contains the server certificate the protector uses to authenticate the RPP. Note: Set this parameter only if you are not using the commonCertSecrets parameter. |
| service/cacheTTL | Specify, in seconds, how long a cached policy package is considered fresh. When the TTL expires, the cached item is revalidated against the upstream server, so this interval controls how quickly a policy change reaches the protectors. The default value is 60 seconds. |
9. Run the following command to deploy the RPP on the Kubernetes cluster.
helm install <Release_Name> --namespace <Namespace where you want to deploy the RPP container> <Location of the directory that contains the Helm charts>
For example:
helm install rpp --namespace iap-java <Custom_path>/spring-apjava-dynamic/rpproxy/
<Custom_path> is the directory where you have extracted the installation package.
Ensure that you specify the same release name and namespace that you used while creating the service TLS certificate in step 5; otherwise the DNS name in the certificate does not match the service name and the protector cannot authenticate the RPP.
10. Run the following command to check the status of the pods.
kubectl get pods -n <Namespace>
For example:
kubectl get pods -n iap-java
NAME READY STATUS RESTARTS AGE
rpp-rpproxy-5fd7d859b6-p9544 1/1 Running 0 11h
The RPP pod must show READY 1/1 and STATUS Running before protectors are configured to download policy packages from it.