Deploying the REST Container

Describes how to deploy the REST Container with RPP.

The following steps describe how to deploy the REST Container.

  1. Run the following command to generate the client certificate for connecting to the RPP.

CreateCertificate_Linux_x64_<Version>.sh client --name <Directory> --dns <Release_Name>.<namespace>.svc

For example:

CreateCertificate_Linux_x64_<Version>.sh client --name rpproxy-client --dns rpp.iap-rest.svc

For more information about generating the client certificates, refer to the section Creating Certificates.

The following client certificate files are created in the rpproxy-client folder:

  • cert.pem
  • cert.key
  • CA.pem
  • secret.txt

This certificate is used by the protector as a client certificate to authenticate the RPP to download policy packages.

Ensure that the namespace and release name that you specify in this command are the same names that you specify in step 7 while deploying the RPP Helm chart.

  2. Run the following command to generate the secret for the RPP client certificate created in step 1.

kubectl -n <RPP_Namespace> create secret generic rpp-client-certs --from-file=CA.pem=<path-to-CA.pem> --from-file=cert.key=<path-to-cert.key> --from-file=cert.pem=<path-to-cert.pem> --from-file=secret.txt=<path-to-secret.txt>

For more information about generating the client certificates, refer to the section Creating Certificates.

Specify this secret as the value of the protector/policy/certificates parameter in the values.yaml file.

  3. Run the following command to generate the TLS certificate for the server that hosts the REST Container endpoint.

CreateCertificate_Linux_x64_<Version>.sh server --name <Directory> --dns <DNS_Name> --noenc

For example:

CreateCertificate_Linux_x64_<Version>.sh server --name rest-server --dns test-sampleapp-10-v1.example.com --noenc

The following server certificate files are created in the rest-server folder:

  • cert.pem
  • cert.key
  • CA.pem

For more information about generating the certificates, refer to step 6 in the section Creating Certificates.

  4. Run the following command to generate a secret using the server certificate for the REST Container endpoint.

kubectl -n <Namespace> create secret generic pty-rest-server-secret --from-file=CA.pem=<path-to-CA.pem> --from-file=cert.key=<path-to-cert.key> --from-file=cert.pem=<path-to-cert.pem>

For more information about generating the server certificates, refer to the section Creating Certificates.

Specify this secret as the value of the service/certificates parameter in the values.yaml file.

  5. Run the following command to generate the client certificate for accessing the REST Container endpoint.

CreateCertificate_Linux_x64_<Version>.sh client --name <Directory> --dns <Namespace_name> --noenc

For example:

CreateCertificate_Linux_x64_<Version>.sh client --name rest-client --dns test-sampleapp-10-v1.example.com --noenc

The following client certificate files are created in the rest-client folder:

  • cert.pem
  • cert.key
  • CA.pem

These certificates are used in the curl command for invoking the REST APIs.

For more information about generating the certificates, refer to step 6 in the section Creating Certificates.
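Steps 1 to 5 each produce a directory of certificate files that is then packaged as a Kubernetes secret whose keys (CA.pem, cert.key, cert.pem and, for the RPP client, secret.txt) must match what the Helm chart expects. The script below is an added example, not part of the product documentation or the certificate tool: it checks that each directory is complete before the secret is created, shows the DNS names embedded in cert.pem so they can be compared with the --dns value used above, and prints (rather than runs) the kubectl commands from steps 2 and 4. The directory names rpproxy-client and rest-server are taken from the examples above; the namespace (RPP_NAMESPACE, default iap-rest) and the function names are assumptions.

```shell
#!/bin/sh
# Added example (not from the product documentation): validate the certificate
# directories from steps 1-5 and build the 'kubectl create secret' commands.
# Assumed: directories ./rpproxy-client and ./rest-server, namespace from
# $RPP_NAMESPACE (default iap-rest). Commands are printed, not executed.

# Files the chart expects for each kind of secret.
#   rpp-client : client certificate for the RPP (steps 1-2), includes secret.txt
#   tls-server : server certificate for the REST endpoint (steps 3-4)
expected_files() {
  case "$1" in
    rpp-client) echo "CA.pem cert.key cert.pem secret.txt" ;;
    tls-server) echo "CA.pem cert.key cert.pem" ;;
    *) echo "unknown secret kind: $1" >&2; return 1 ;;
  esac
}

# Return 0 when every expected file exists and is non-empty, 1 otherwise.
# Also warns when the private key is readable by other users on the host.
check_cert_dir() {
  kind=$1; dir=$2; status=0
  files=$(expected_files "$kind") || return 1
  for f in $files; do
    if [ ! -s "$dir/$f" ]; then
      echo "missing or empty: $dir/$f" >&2
      status=1
    fi
  done
  if [ -f "$dir/cert.key" ] && [ -n "$(find "$dir/cert.key" -perm -004 2>/dev/null)" ]; then
    echo "warning: $dir/cert.key is world-readable; consider chmod 600" >&2
  fi
  return $status
}

# Print the kubectl command that packages the directory as a generic secret,
# one --from-file entry per expected file (the key names match the chart).
secret_command() {
  kind=$1; ns=$2; name=$3; dir=$4
  files=$(expected_files "$kind") || return 1
  cmd="kubectl -n $ns create secret generic $name"
  for f in $files; do
    cmd="$cmd --from-file=$f=$dir/$f"
  done
  echo "$cmd"
}

# Show the DNS names in cert.pem so they can be compared with the --dns value
# (for the RPP client: <Release_Name>.<Namespace>.svc). Needs OpenSSL 1.1.1+.
show_cert_dns() {
  if command -v openssl >/dev/null 2>&1; then
    openssl x509 -in "$1/cert.pem" -noout -ext subjectAltName
  else
    echo "openssl not found; skipping SAN check for $1" >&2
  fi
}

# Validate one directory and, if it is complete, print its secret command.
prepare_secret() {
  kind=$1; dir=$2; name=$3; ns=$4
  if [ -d "$dir" ] && check_cert_dir "$kind" "$dir"; then
    show_cert_dns "$dir"
    secret_command "$kind" "$ns" "$name" "$dir"
  fi
}

ns=${RPP_NAMESPACE:-iap-rest}
prepare_secret rpp-client rpproxy-client rpp-client-certs "$ns"
prepare_secret tls-server rest-server pty-rest-server-secret "$ns"
```

The printed command can be reviewed, or run with `--dry-run=client -o yaml` appended, before the secret is actually created in the cluster; a directory that fails the check produces no command at all, which avoids creating a secret with a missing key that the pod would only report at start-up.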

  6. On the Linux instance, navigate to the location where you have extracted the Helm charts to deploy the REST Container.

    The dynamic/values.yaml file contains the default configuration values for deploying the RPP container on the Kubernetes cluster.

# -- create image pull secrets and specify the name here.
# remove the [] after 'imagePullSecrets:' once you specify the secrets
imagePullSecrets: []
# - name: regcred

nameOverride: ""
fullnameOverride: ""

# REST protector image configuration
iaprestImage:
  # -- rest protector image registry address
  repository:
  # -- rest protector image tag name
  tag:
  # -- The pullPolicy for a container and the tag of the image affect 
  # when the kubelet attempts to pull (download) the specified image.
  pullPolicy: IfNotPresent

# Docker Hub Image (Root User): docker.io/nginx:stable 
# To use nginx image that runs with non-root permissions
# Ref. https://hub.docker.com/r/nginxinc/nginx-unprivileged
nginxImage:
  # -- nginx image registry address
  repository:
  # -- nginx image tag name
  tag: 
  # -- The pullPolicy for a container and the tag of the image affect 
  # when the kubelet attempts to pull (download) the specified image.
  pullPolicy: IfNotPresent

# specify CPU and memory requirement of REST protector container
iaprestResources:
  limits:
    cpu: 1000m 
    memory: 3000Mi
  requests:
    cpu: 500m
    memory: 800Mi

# specify CPU and memory requirement of nginx proxy container
nginxResources:
  limits:
    cpu: 500m
    memory: 512Mi
  requests:
    cpu: 200m
    memory: 200Mi

...
   
## -- pod service account to be used
## leave the field empty if not applicable
serviceAccount:
  # The name of the service account to use.
  name:

# Specify any additional annotation to be associated with pod
podAnnotations:
  checksum/nginx-config: '{{ include (print $.Template.BasePath "/nginx-configmap.yaml") . | sha256sum }}'
  checksum/rest-config: '{{ include (print $.Template.BasePath "/rest-configmap.yaml") . | sha256sum }}'

## set the Pod's security context object
## leave the field empty if not applicable
podSecurityContext:
  fsGroup: 1000

## set the iapRest Container's security context object
## leave the field empty if not applicable
iaprestContainerSecurityContext:
  capabilities:
    drop:
    - ALL
  allowPrivilegeEscalation: false
  privileged: false
  runAsNonRoot: true
  readOnlyRootFilesystem: true
  seccompProfile:
    type: RuntimeDefault

## set the nginx Container's security context object
## leave the field empty if not applicable
nginxContainerSecurityContext:
  capabilities:
    drop:
    - ALL
  allowPrivilegeEscalation: false
  privileged: false
  runAsNonRoot: true
  readOnlyRootFilesystem: true
  seccompProfile:
    type: RuntimeDefault

# protector configuration
protector:
  # Policy information for the protector initialization
  policy:
    # Cadence determines how often the protector connects with ESA / proxy to 
    # fetch the policy updates in background. Default is 60 seconds. 
    # So by default, every 60 seconds protector tries to fetch the policy updates.
    # If the cadence is set to "0", then the protector will get the policy only 
    # once, which is not recommended.
    #
    # Default 60.
    cadence: 60

    # -- Host/IP to the service providing Resilient Packages either rpproxy 
    # service or ESA.
    host:

    # -- certificates used to communicate with service providing Resilient packages.
    # specify certificate secret name.
    # -- TLS certificate rp-proxy service.
    # kubectl -n $NAMESPACE create secret generic pty-rpp-tls \
    #   --from-file=cert.pem=./certs/cert.pem \
    #   --from-file=cert.key=./certs/cert.key \
    #   --from-file=CA.pem=./ca/CA.pem \
    #   --from-file=secret.txt=./certs/secret.txt
    certificates: 
  
  # Logforwarder configuration
  logs:
    # -- In case that connection to fluent-bit is lost, set how audits/logs are handled
    # 
    # drop  : Protector throws logs away if connection to the fluentbit is lost.
    # error : (default) Protector returns error without protecting/unprotecting 
    #         data if connection to the fluentbit is lost.
    mode: error

    # -- Host/IP to fluent-bit where audits/logs will be forwarded from the protector
    #
    # Default localhost
    host:

# nginx configuration
nginx:
  # configure audit records generated by the nginx service.
  # The generated records are sent to stdout.
  # Error logs are enabled by default.
  logs:
    # -- configure http client request access logs, by default the records
    # are sent to stdout
    request_logs: false
    # -- configure kubelet health check probe access logs, by default the records
    # are sent to stdout.
    probe_logs: false

# -- specify the initial no. of rest Pod replicas
replicaCount: 1

# HPA configuration
autoScaling:
  # -- lower limit on the number of replicas to which the autoscaler
  # can scale down to.
  minReplicas: 1
  # -- upper limit on the number of replicas to which
  # the autoscaler can scale up. It cannot be less than minReplicas.
  maxReplicas: 10
  # -- CPU utilization threshold which triggers the autoscaler
  targetCPU: 70

# Kubernetes service configuration, represents a HTTP service to host
# REST protector endpoint.
service:
  # -- Configure service type: LoadBalancer or ClusterIP for rest protector
  # endpoint
  type: ClusterIP
  port: 443

  # -- secret name containing server TLS certificates to host 
  # rest protector endpoint.
  # kubectl -n $NAMESPACE create secret generic pty-rest-tls \
  #   --from-file=cert.pem=./certs/cert.pem \
  #   --from-file=cert.key=./certs/cert.key \
  #   --from-file=CA.pem=./ca/CA.pem
  certificates:

  # -- Specify k8s service related annotations
  # annotation can configure internal load balancer
  # AWS internal load balancer
  #service.beta.kubernetes.io/aws-load-balancer-internal: "true"
  # AZURE internal load balancer
  #service.beta.kubernetes.io/azure-load-balancer-internal: "true"
  # GCP internal load balancer
  #networking.gke.io/load-balancer-type: "Internal" 
  annotations:
    #service.beta.kubernetes.io/aws-load-balancer-internal: "true"
    #service.beta.kubernetes.io/azure-load-balancer-internal: "true"
    #networking.gke.io/load-balancer-type: "Internal"

  7. Modify the default values in the values.yaml file as required.

Field: Description

iaprestImage
    Specify the repository and tag details for the REST Container image.

nginxImage
    Specify the repository and tag details for the NGINX image.
    For example:
      • nginxImage.repository="nginxinc/nginx-unprivileged"
      • nginxImage.tag="1.25.2"

iaprestResources
    Specify the CPU and memory requirements for the REST Container.

nginxResources
    Specify the CPU and memory requirements for the NGINX container.

serviceAccount/name
    Specify the name of the pod service account. Leave the field empty if it is not applicable.

podSecurityContext
    Specify the privilege and access control settings for the pod.
    The default values are set as follows:
      • fsGroup - 1000

iaprestContainerSecurityContext, nginxContainerSecurityContext
    Specify the privilege and access control settings for the REST Container and the NGINX container respectively.

protector/policy/cadence
    Specify the time interval in seconds after which the protector connects with the RPProxy to retrieve the policy package.
    By default, the value is set to 60.
    Ensure that the value is not set to 0. Otherwise, the protector retrieves the policy only once.

protector/policy/host
    Specify the host name or IP address of the RPProxy.

protector/policy/certificates
    Specify the name of the secret for the certificate that you created in step 2, which is used to authenticate the RPProxy for downloading the policy package.

protector/logs/mode
    Specify one of the following options in case the connection to the Log Forwarder is lost:
      • drop - The protector deletes the logs.
      • error - The protector returns an error without protecting or unprotecting the data.
    By default, the value is set to error.

protector/logs/host
    Specify the service hostname of the Log Forwarder, where the logs are forwarded.
    The default value is <Helm_Installation_Name>-<Helm_Chart_Name>.<Namespace>.svc.
    For example, iaplog-logforwarder.iaprest.svc.

nginx/logs/request_logs
    Specify whether to enable or disable the HTTP client request access logs.
    By default, the value is set to false.

nginx/logs/probe_logs
    Specify whether to enable or disable the Kubelet health check probe access logs.
    By default, the value is set to false.

replicaCount
    Specify the initial number of REST pod replicas.

autoScaling
    Specify the configuration required for Horizontal Pod Autoscaling.

service/type
    Specify the service type for the REST Container.
    By default, this value is set to ClusterIP.
    Change this value to LoadBalancer to send HTTPS requests to the REST Container pod from outside the cluster.

service/port
    Specify the service port number for the REST Container.
    By default, the value is set to 443.

service/certificates
    Specify the name of the secret that you created in step 4, which contains the server TLS certificates used to host the REST protector endpoint.

service/annotations
    Specify the annotations for the respective cloud platform if you want to use an internal load balancer instead of the NGINX ingress. By default, this value is left blank.

  8. Run the following command to deploy the REST Container on the Kubernetes cluster.

helm install <Release_Name> --namespace <Namespace where you want to deploy the REST container> <Location of the directory that contains the Helm charts>

For example:

helm install iap-rest-dynamic --namespace iap-rest dynamic/
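Several of the fields in the table above (the image repositories and tags, protector/policy/host, and both certificate secret names) ship empty in values.yaml, and a cadence of 0 silently reduces policy refresh to a single fetch, so it is worth checking the edited file before running helm install. The following script is an added example, not part of the product documentation or the Helm chart: it reads scalar values from the block-style YAML subset this values.yaml uses (nested maps, scalars, comments; it is not a general YAML parser), reports the required keys that are still blank, warns on a zero cadence, and prints the install command from step 8 with the release and namespace names used in the example. The VALUES variable, the function names and the sample fixture in the usage are assumptions.

```shell
#!/bin/sh
# Added example (not from the product documentation): pre-flight check of
# dynamic/values.yaml before 'helm install'. Assumed: path in $VALUES
# (default dynamic/values.yaml), release iap-rest-dynamic, namespace iap-rest.

# yaml_value FILE DOTTED.PATH : print the scalar at the path, empty if unset.
# Handles the block-style subset used by this chart (maps, scalars, comments).
yaml_value() {
  awk -v want="$2" '
    /^[ \t]*#/ || /^[ \t]*$/ { next }                   # comments and blank lines
    {
      line = $0
      sub(/[ \t]+#.*$/, "", line)                       # trailing comment
      match(line, /^ */); ind = RLENGTH                 # indentation = nesting level
      rest = substr(line, ind + 1)
      if (rest ~ /^- /) next                            # list items carry no key
      if (!match(rest, /^[^:]+:/)) next                 # "key:" with optional value
      key = substr(rest, 1, RLENGTH - 1); sub(/ +$/, "", key)
      val = substr(rest, RLENGTH + 1); sub(/^ +/, "", val); sub(/ +$/, "", val)
      while (depth > 0 && indent[depth] >= ind) depth--  # leave deeper/sibling keys
      depth++; indent[depth] = ind; name[depth] = key
      path = name[1]
      for (i = 2; i <= depth; i++) path = path "." name[i]
      if (path == want) { print val; exit }
    }' "$1"
}

# Report required keys that are still empty and a cadence of 0.
# Returns 0 when the file is ready for helm install, 1 otherwise.
check_required_values() {
  file=$1; problems=0
  for key in iaprestImage.repository iaprestImage.tag nginxImage.repository nginxImage.tag \
             protector.policy.host protector.policy.certificates service.certificates; do
    if [ -z "$(yaml_value "$file" "$key")" ]; then
      echo "$file: $key is empty" >&2
      problems=$((problems + 1))
    fi
  done
  if [ "$(yaml_value "$file" protector.policy.cadence)" = "0" ]; then
    echo "$file: protector.policy.cadence is 0, the policy would be fetched only once" >&2
    problems=$((problems + 1))
  fi
  [ "$problems" -eq 0 ]
}

# Print the helm command from step 8 (printed, not executed here).
helm_install_command() {
  echo "helm install $1 --namespace $2 $3"
}

# Usage with the names from the example above (assumed paths).
VALUES=${VALUES:-dynamic/values.yaml}
if [ -f "$VALUES" ] && check_required_values "$VALUES"; then
  helm_install_command iap-rest-dynamic iap-rest dynamic/
fi
```

This check complements rather than replaces `helm lint`, which validates the chart's templates but does not know which values this particular deployment must fill in.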
  9. Run the following command to check the status of the pods.

kubectl get pods -n <Namespace>

For example:

kubectl get pods -n iap-rest
NAME                                         READY   STATUS    RESTARTS        AGE
iap-rest-iap-rest-dynamic-7b97d5dff7-grqph   2/2     Running   0               11h
log1-logforwarder-f6gvj                      1/1     Running   0               11h
log1-logforwarder-ls4hn                      1/1     Running   0               11h
log1-logforwarder-phk4t                      1/1     Running   0               11h
log1-logforwarder-z2mz7                      1/1     Running   0               11h
rpp-rpproxy-5fd7d859b6-p9544                 1/1     Running   0               11h

Last modified : January 17, 2026