Deploying External S-TAP with Helm

Use Kubernetes with Helm to automate your External S-TAP deployment.

Before you begin

Before you use Helm, take the following steps:
  • Make sure that Git and Kubernetes are installed in your environment.
  • Download and unpack Helm. For more information, see Installing Helm from the Helm Docs website.
  • Gather the following information to use during installation:
    • DB host endpoint IP/address - The database hostname or IP address.
    • DB host endpoint port - The database host port number.
    • DB host endpoint type - The database type. For more information about supported data sources, see System requirements.
    • Guardium appliance IP/address - The Guardium® collector hostname or IP address.

Procedure

  1. Install Helm. On Linux®, run the following commands:
     curl -fsSL -o get_helm.sh https://raw.githubusercontent.com/helm/helm/master/scripts/get-helm-3
     chmod 700 get_helm.sh
     ./get_helm.sh
  2. In Git, clone the External S-TAP Helm charts:
     git clone https://github.com/IBM/Guardium_External_S-TAP
     cd Guardium_External_S-TAP/charts
  3. From the /charts directory, open the overrides_example.yaml file.
  4. Search for required parameters in overrides_example.yaml and enter the appropriate values for your site. Parameters are described in the overrides_example.yaml file.
  5. Based on your environment, determine how to install the certificate for your site. Uncomment the lines for the method that you select, as follows:
    • To install External S-TAP with a default certificate, uncomment the following lines:
      #secret: "estap-secret"
      #secretWriterServiceAccountName: "estap-secret-writer"
    • To install External S-TAP with a certificate that is stored in the collector, uncomment the following line:
      #secret: estap-token
    • To install External S-TAP with a certificate stored in a Kubernetes secret, uncomment the following line:
      #secret: "estap-secret"
    Tip: To use a certificate stored in a Kubernetes secret, create the Kubernetes secret by using one of the following methods:
    •  kubectl create secret generic <secret-name> --from-literal=estap-token=<TOKEN>
    Or
    •  kubectl create secret tls <secret-name> --key="your-certificate.key" --cert="your-certificate.crt"
    If needed, use the following command to import the ca.pem file from the secret to the production environment:
     kubectl get secret/estap-secret --template='{{ print (index .data "ca.pem") }}' | base64 -d

    Make sure that all the parameters are correct for your environment. For example, make sure that the Container image tag references your current Guardium version.

    When you are done, save the overrides_example.yaml file.

  6. Run one of the following commands to either install or upgrade the Helm chart:
    • To install the Helm chart:
       helm install -f overrides_example.yaml my-estap-deployment estap
    • To upgrade an existing Helm chart:
       helm upgrade -f overrides_example.yaml my-estap-deployment estap
    where:
    • my-estap-deployment is the name for this deployment. Specify the name in the Estap Settings section of the YAML file.
    • estap is the name of the External S-TAP Helm chart.
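
A pre-flight check for step 5 that can be run before the helm command in step 6, added here as an example (it is not part of the IBM chart or documentation): it reports which of the three certificate methods an overrides file selects and fails when no secret line, or more than one, is uncommented. It assumes each key sits on its own line as in the snippets above; the function names, the method labels and the sample fragment are constructed for illustration.

```shell
#!/bin/sh
# Added example, not IBM code: classify the certificate method in an overrides file.
# Assumption: keys appear one per line, as in the snippets shown in step 5.

# Print the value of every uncommented "<key>:" line, without quotes or comments.
active_values() {  # $1 = key, $2 = file
    sed -n "s/^[[:space:]]*$1:[[:space:]]*//p" "$2" |
        sed -e 's/[[:space:]]\{1,\}#.*$//' -e 's/[[:space:]]*$//' | tr -d "\"'"
}

# Print default, collector or kubernetes-secret; return 1 on anything else.
estap_cert_method() {  # $1 = overrides file
    secrets=$(active_values secret "$1")
    writer=$(active_values secretWriterServiceAccountName "$1")
    count=$(printf '%s\n' "$secrets" | grep -c . || true)
    if [ "$count" -eq 0 ]; then
        echo "none: no secret line is uncommented"; return 1
    elif [ "$count" -gt 1 ]; then
        echo "conflict: $count secret lines are uncommented"; return 1
    fi
    case "$secrets" in
        estap-token)
            if [ -n "$writer" ]; then
                echo "conflict: estap-token with secretWriterServiceAccountName"; return 1
            fi
            echo "collector" ;;
        *)
            # A writer service account marks the default-certificate method.
            if [ -n "$writer" ]; then echo "default"; else echo "kubernetes-secret"; fi ;;
    esac
}

# Constructed sample fragment: only the collector-certificate line is active.
sample=$(mktemp)
cat > "$sample" <<'EOF'
  #secret: "estap-secret"
  #secretWriterServiceAccountName: "estap-secret-writer"
  secret: estap-token
EOF
estap_cert_method "$sample"
rm -f "$sample"
```
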

What to do next

The External S-TAP is now available for use. View and manage the External S-TAP from Guardium. For more information, see Edit External S-TAP group tab.
You can now delete the Helm installation files by using the helm delete command, which makes sure that all the necessary files are properly removed. For example:
 helm delete my-estap-deployment

where my-estap-deployment is the name of the deployment to delete.