VSP CMS DEPLOYMENT
This section describes the process of setting up the VSP Infrastructure Pods:
NOTE: Ensure that the Master and Worker Nodes are in sync with the NTP server
- Log in to the Artifactory site using Virsec-provided credentials from the local machine
- Navigate to the directory vsp > releases > public > 2 > 2.8 > <Patch_Version> > Helm
- Right-click on the file cms-<version>.tgz listed on the page and download it to the local system
- Execute the commands below to ensure that the critical CMS pods are always deployed on the same worker nodes. This is a one-time activity, required for a first-time installation only. Skip these commands if the labels are already assigned to the worker nodes
  NOTE: Execute the commands below in an on-premise setup only
  - kubectl label nodes <WORKERNODE_NAME> vsp-client-deployments=true
  - kubectl label nodes <WORKERNODE_NAME> vsp-kafka-deployments=true
  - kubectl label nodes <WORKERNODE_NAME> vsp-mongo-deployments=true
  - kubectl label nodes <WORKERNODE_NAME> vsp-redis-deployments=true
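To decide whether the labeling commands can be skipped, the following added example (not part of the Virsec documentation) reports which of the four labels no node carries yet. It parses the output of kubectl get nodes --show-labels --no-headers; the helper name missing_vsp_labels and the sample node lines are constructed for illustration.

```shell
#!/bin/sh
# Added example, not Virsec's script. The four labels come from the commands above.
VSP_LABELS="vsp-client-deployments vsp-kafka-deployments vsp-mongo-deployments vsp-redis-deployments"

# missing_vsp_labels (hypothetical helper): reads the text printed by
#   kubectl get nodes --show-labels --no-headers
# on stdin and prints every required label that no node has set to "true".
missing_vsp_labels() {
  awk -v want="$VSP_LABELS" '
    NF {
      # LABELS is the last column: comma-separated key=value pairs.
      n = split($NF, kv, ",")
      for (i = 1; i <= n; i++) seen[kv[i]] = 1
    }
    END {
      m = split(want, w, " ")
      for (i = 1; i <= m; i++)
        if (!((w[i] "=true") in seen)) print w[i]
    }'
}

# Constructed sample: two workers, the redis label not assigned yet.
SAMPLE_NODES='worker-1  Ready  <none>  12d  v1.21.5  kubernetes.io/hostname=worker-1,vsp-client-deployments=true,vsp-kafka-deployments=true
worker-2  Ready  <none>  12d  v1.21.5  kubernetes.io/hostname=worker-2,vsp-mongo-deployments=true'

printf '%s\n' "$SAMPLE_NODES" | missing_vsp_labels   # prints vsp-redis-deployments

# Against a live cluster:
#   kubectl get nodes --show-labels --no-headers | missing_vsp_labels
```

An empty result means every label is already present on some node and the labeling commands can be skipped.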
- In the Artifactory site, navigate to the directory vsp > releases > public > 2 > 2.8 > <Patch_Version> > Helm
- Right-click on the file vsp_create_cert_configmap.sh listed on the page and download it to the local system
- Log in to the Management Node and copy the downloaded file: vsp_create_cert_configmap.sh
- Modify the permissions using the command:
  chmod +x vsp_create_cert_configmap.sh
- Execute the command below:
  ./vsp_create_cert_configmap.sh
- Create the CMS certs config map using the command below:
  - kubectl create configmap cms-certs -n virsec
  NOTE: Refer to Deploy Custom Certificates to CMS Client Service for more information on custom certificate configuration
- Install VSP CMS by executing the steps below:
  - Log in to the Management Node
  - Copy the downloaded file cms-<version>.tgz
  - Execute the command below to display the configurable parameters:
    helm inspect values ./cms-<version>.tgz
  - Optional CMS Services Deployment: To deploy optional CMS services, configure the parameters as described below:
    - Indicate true or false for the installation of each optional service: Ticketing (Zendesk), Syslog, Splunk, Centralized logging, MSSP Portal, VSP APIs, Reporting
  - Secure Kafka Options: The options available for Kafka are:
    1: For One-way SSL where the Client verifies the server
    2: For Two-way SSL where both the Client and Server verify each other. By default, the value is set to 2 if not specified
    - Sample Usage: The example below depicts One-way SSL configuration:
      helm install vsp-cms ./cms-<RELEASE_VERSION>.tgz --set cloudProvider=eks --set kafka.secureKafkaMode="1" --namespace virsec
      NOTE: Refer to Kafka Mode Switch after Installation for more information about switching Kafka Mode after installation
- Method 1: Using helm install command
  NOTE: Provide the parameter "-f <CustomFileName>.yaml" in the commands below if only selected optional CMS services need to be installed
  - For On-Premise environments:
    - Helm 3:
      helm install vsp-cms ./cms-<RELEASE_VERSION>.tgz --namespace virsec
    - Helm 2:
      helm install --name vsp-cms ./cms-<RELEASE_VERSION>.tgz --namespace virsec
  - For AWS EKS/ GOOGLE GKE environments:
    - Helm 3:
      helm install vsp-cms ./cms-<RELEASE_VERSION>.tgz --set cloudProvider=eks --namespace virsec
    - Helm 2:
      helm install --name vsp-cms ./cms-<RELEASE_VERSION>.tgz --set cloudProvider=eks --namespace virsec
  - Execute the commands provided in the output of the helm install command to complete the CMS deployment
  - Execute the provided commands to retrieve the CMS URL:
    (kubectl -n virsec get pods -l app=vsp-cms-client -o wide | grep vsp-cms | awk '{print $7}' | xargs -I {} kubectl -n virsec get node -o wide {} | tail -n 1 | awk '{print $6}' )| xargs -I {} kubectl patch service vsp-cms -n virsec -p '{"spec":{"externalIPs": [ "{}" ]}}'
    export LB_URL_IP=$(kubectl get svc -n virsec | grep vsp-cms | awk '{print $4}' | awk -F ',' '{print $1}')
    echo -e " -Setting Server IP environment variable. $LB_URL_IP"
    kubectl -n virsec set env deployment/vsp-cms-zuul-api-gateway SERVER_IP=$LB_URL_IP
    kubectl -n virsec set env deployment/vsp-cms-utility HOST_IP_LOCAL=$LB_URL_IP
    export SERVICE_IP=$(kubectl get svc --namespace virsec vsp-cms -o jsonpath='{.spec.externalIPs[0]}')
    echo https://$SERVICE_IP:443
- Method 2: Using kubectl command
  NOTE: Provide the parameter "-f <CustomFileName>.yaml" in the commands below if only selected optional CMS services need to be installed
  - For On-Premise environments:
    - Helm 3:
      helm template vsp-cms ./cms-<RELEASE_VERSION>.tgz --namespace virsec > vsp-cms.yaml
    - Helm 2:
      helm template --name vsp-cms ./cms-<RELEASE_VERSION>.tgz --namespace virsec > vsp-cms.yaml
  - For AWS EKS/ GOOGLE GKE environments:
    - Helm 3:
      helm template vsp-cms ./cms-<RELEASE_VERSION>.tgz --set cloudProvider=eks --namespace virsec > vsp-cms.yaml
    - Helm 2:
      helm template --name vsp-cms ./cms-<RELEASE_VERSION>.tgz --set cloudProvider=eks --namespace virsec > vsp-cms.yaml
  - Execute the command below to deploy VSP CMS:
    kubectl apply -f vsp-cms.yaml
  - Execute the commands below to retrieve the CMS URL:
    (kubectl -n virsec get pods -l app=vsp-cms-client -o wide | grep vsp-cms | awk '{print $7}' | xargs -I {} kubectl -n virsec get node -o wide {} | tail -n 1 | awk '{print $6}' )| xargs -I {} kubectl patch service vsp-cms -n virsec -p '{"spec":{"externalIPs": [ "{}" ]}}'
    export LB_URL_IP=$(kubectl get svc -n virsec | grep vsp-cms | awk '{print $4}' | awk -F ',' '{print $1}')
    echo -e " -Setting Server IP environment variable. $LB_URL_IP"
    kubectl -n virsec set env deployment/vsp-cms-zuul-api-gateway SERVER_IP=$LB_URL_IP
    kubectl -n virsec set env deployment/vsp-cms-utility HOST_IP_LOCAL=$LB_URL_IP
    export SERVICE_IP=$(kubectl get svc --namespace virsec vsp-cms -o jsonpath='{.spec.externalIPs[0]}')
    echo https://$SERVICE_IP:443
  NOTE: If a proxy server is configured for internet access, ensure that the root certificate information is added to the property file, as described in the Deploy Custom SSL Certificates topic of the Maintenance Section
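The commands for retrieving the CMS URL in Method 1 and Method 2 select values by column position and use them unchecked, so a placeholder such as <none> or <pending> in the EXTERNAL-IP column would be written into SERVER_IP and HOST_IP_LOCAL. The following added example (not Virsec's script) reads the node address with jsonpath and validates it before anything is patched. The function names are hypothetical, and it assumes an on-premise cluster where the worker node's InternalIP is the address to expose.

```shell
#!/bin/sh
# Added example, not Virsec's script. Assumes an on-premise cluster where the
# vsp-cms service is reached on the worker node's InternalIP.

# is_ipv4 ADDR: succeed only for a dotted-quad IPv4 address (octets 0-255).
is_ipv4() {
  case $1 in
    ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
  esac
  old_ifs=$IFS; IFS=.
  set -- $1                      # split the address into its octets
  IFS=$old_ifs
  [ $# -eq 4 ] || return 1
  for octet in "$@"; do
    [ ${#octet} -le 3 ] && [ "$octet" -le 255 ] || return 1
  done
}

# external_ip_patch ADDR: print the externalIPs patch body, or fail.
external_ip_patch() {
  is_ipv4 "$1" || { echo "refusing to patch: '$1' is not an IPv4 address" >&2; return 1; }
  printf '{"spec":{"externalIPs":["%s"]}}' "$1"
}

# set_cms_external_ip: the live steps; needs kubectl access, so it is only defined here.
set_cms_external_ip() {
  node=$(kubectl -n virsec get pods -l app=vsp-cms-client \
    -o jsonpath='{.items[0].spec.nodeName}') || return 1
  [ -n "$node" ] || { echo "vsp-cms-client pod is not scheduled yet" >&2; return 1; }
  ip=$(kubectl get node "$node" \
    -o jsonpath='{.status.addresses[?(@.type=="InternalIP")].address}') || return 1
  patch=$(external_ip_patch "$ip") || return 1
  kubectl -n virsec patch service vsp-cms -p "$patch" || return 1
  kubectl -n virsec set env deployment/vsp-cms-zuul-api-gateway "SERVER_IP=$ip" || return 1
  kubectl -n virsec set env deployment/vsp-cms-utility "HOST_IP_LOCAL=$ip" || return 1
  echo "https://$ip:443"
}

# Constructed values of the kind the EXTERNAL-IP column can contain.
for value in 10.20.30.40 '<none>' '<pending>' ''; do
  if is_ipv4 "$value"; then echo "accepted: $value"; else echo "rejected: '$value'"; fi
done
```

Call set_cms_external_ip from the Management Node after the pods are running; it stops at the first value that fails validation instead of writing it to the service or the deployments.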
- In the Artifactory site, navigate to the directory vsp > releases > public > 2 > 2.8 > <Patch_Version> > Helm
- Right-click on the file vsp_patch_cpm_service.sh listed on the page and download it to the local system
- Log in to the Management Node and copy the downloaded file: vsp_patch_cpm_service.sh
- Modify the permissions using the command:
  chmod +x vsp_patch_cpm_service.sh
- Execute the command below:
  ./vsp_patch_cpm_service.sh
EXPOSE VIRSEC KAFKA SERVICE EXTERNALLY (OPTIONAL)
The Kafka Service must be exposed externally only when the Applications are deployed on a different Kubernetes cluster than VSP CMS.
- Log in to the Artifactory site using Virsec-provided credentials from the local machine
- Navigate to the directory vsp > releases > public > 2 > 2.8 > <Patch_Version> > Helm
- Right-click on the file expose_kafka.sh listed on the page and download it to the local system
- To expose the VSP Kafka service externally, execute the command below:
  - ./expose_kafka.sh