Deploying External S-TAP with Helm

Use Kubernetes with Helm to deploy your External S-TAPs.

Before you begin

Before you can use Helm, take the following steps:
  • Make sure that Git and Kubernetes are installed in your environment.
  • Download and unpack Helm. For more information, see the Installing Helm topic from the Helm Docs website.
  • Provide the following information:
    • DB host endpoint IP/address - The database hostname or IP address.
    • DB host endpoint port - The database host port number.
    • DB host endpoint type - The database type. For more information about supported data sources, see System Requirements for Guardium® 11.3.
    • Guardium appliance IP/address - The Guardium collector hostname or IP address.

About this task

Helm helps automate your External S-TAP® deployment.


  1. After you download and unpack Helm, install Helm. For Linux®, run the following commands:
    $  curl -fsSL -o
    $ chmod 700
    $ ./
  2. From Git, clone the External S-TAP Helm charts:
    $ git clone
    $ cd Guardium_External_S-TAP/charts
  3. From the /charts directory, open the overrides_example.yaml file.
  4. Search for required parameters in overrides_example.yaml and enter the appropriate values for your site. Parameters are described in the overrides_example.yaml file.
    Based on your environment, determine how to install the certificate for your site. Uncomment the lines for the method that you select, as follows:
    • To install External S-TAP with a default certificate, uncomment the following lines:
      #secret: "estap-secret"
      #secretWriterServiceAccountName: "estap-secret-writer"
    • To install External S-TAP with a certificate that is stored in the collector, uncomment the following line:
      #secret: estap-token
    • To install External S-TAP with a certificate stored in a Kubernetes secret, uncomment the following line:
      #secret: "estap-secret"
    • To use a certificate stored in a Kubernetes secret, create the Kubernetes secret by using one of the following methods:
       kubectl create secret generic <secret-name> --from-literal=estap-token=<TOKEN>


       kubectl create secret tls <secret-name> --key="your-certificate.key" --cert="your-certificate.crt"
    • If needed, use the following command to import the ca.pem file from the secret to the production environment, as follows:
      oc get secret/estap-secret'{{- print (index .data "ca.pem")}}' | base6 -d
    • Be sure to look at all of the parameters to make sure that they are correct for your environment. For example, make sure that the Container image tag references your current Guardium version.

      When you are done, save the overrides_example.yaml file.

  5. Run one of the following commands to either install or upgrade the Helm chart:
    • To install the Helm chart:
      $ helm install -f overrides_example.yaml my-estap-deployment estap
    • To upgrade an existing Helm chart:
      $ helm upgrade -f overrides_example.yaml my-estap-deployment estap
    • Where,
      • my-estap-deployment - The name for this deployment. Specify the name in the Estap Settings section of the yaml file.
      • estap - The name of the External S-TAP Helm chart.

What to do next

The External S-TAP is now available for use. View and manage the External S-TAP from the Guardium UI. For more information, see Edit External S-TAP group tab.

Deleting the Helm installation files

About this task

To delete the Helm installation files, use the helm delete command to ensure that all of the necessary files are properly removed. For example,
$ helm delete <name>

Where <name> is the name of the deployment to delete. For example, my-estap-deployment.