Rechercher
SupportConsoleDéveloppeursCommencer un essaiContact

Ce contenu n'est pas disponible dans la langue sélectionnée.

Chapter 1. Select your installation platform

download PDF

To install Red Hat Trusted Profile Analyzer (RHTPA), you can select two different installation paths based on your choice of service providers. You can use Amazon Web Services (AWS), or use a variety of service providers that meet certain criteria for installing Trusted Profile Analyzer running on Red Hat’s OpenShift Container Platform.

Select your installation path:

1.1. Installing Trusted Profile Analyzer by using Helm with Amazon Web Services

You can install Red Hat’s Trusted Profile Analyzer (RHTPA) service on OpenShift by using a Helm chart from Red Hat. This procedure guides you on integrating Amazon Web Services (AWS) with RHTPA by using a customized values file for Helm.

Important

If the secret values change after the installation, OpenShift redeploys RHTPA.

Prerequisites

  • A Red Hat OpenShift Container Platform cluster running version 4.14 or later.

    • Support for the Ingress resource to serve publicly trusted certificates that use HTTPS.

  • An AWS account with access to the following services:

    • Simple Storage Service (S3)
    • Simple Queue Service (SQS)
    • Relational Database Service (RDS) using a PostgreSQL database instance.
    • Cognito with an existing Cognito domain.

  • Have the following S3 bucket names created:

    • bombastic-default
    • vexination-default
    • v11y-default

  • Have the following standard SQS queue names created:

    • bombastic-failed-default
    • bombastic-indexed-default
    • bombastic-stored-default
    • vexination-failed-default
    • vexination-indexed-default
    • vexination-stored-default
    • v11y-failed-default
    • v11y-indexed-default
    • v11y-stored-default
  • Access to the OpenShift web console with the cluster-admin role.
  • A workstation with the oc, and the helm binaries installed.

Procedure

  1. On your workstation, open a terminal, and log in to OpenShift by using the command-line interface:

    Syntax

    oc login --token=TOKEN --server=SERVER_URL_AND_PORT

    Example

    $ oc login --token=sha256~ZvFDBvoIYAbVECixS4-WmkN4RfnNd8Neh3y1WuiFPXC --server=https://example.com:6443

    Note

    You can find your login token and URL from the OpenShift web console to use on the command line. Log in to the OpenShift web console. Click your user name, and click Copy login command. Offer your user name and password again, and click Display Token to view the command.

  2. Create a new project for the RHTPA deployment:

    Syntax

    oc new-project PROJECT_NAME

    Example

    $ oc new-project trusted-profile-analyzer

  3. Open a new file for editing:

    Example

    $ vi values-rhtpa-aws.yaml

  4. Copy and paste the RHTPA values file template into the new values-rhtpa-aws.yaml file.

  5. Update the values-rhtpa-aws.yaml file with your relevant AWS information.

    1. Replace REGIONAL_ENDPOINT with your Amazon S3 storage, and Amazon SQS endpoint URLs.
    2. Replace COGNITO_DOMAIN_URL with your Amazon Cognito URL. You can find this information in the AWS Cognito Console, under the App Integration tab.
    3. Replace REGION, USER_POOL_ID, and FRONTEND_CLIENT_ID and WALKER_CLIENT_ID with your relevant Amazon Cognito information. You can find this information in the AWS Cognito Console, in the User pool overview section, and in the App clients and analytics section under the App Integration tab.
    4. Save the file, and quit the editor.

  6. Create the S3 storage secret object by using your AWS credentials:

    Syntax

    apiVersion: v1
kind: Secret
metadata:
  name: storage-credentials
  namespace: PROJECT_NAME
type: Opaque
data:
  aws_access_key_id: AWS_ACCESS_KEY
  aws_secret_access_key: AWS_SECRET_KEY

    Example

    $ cat <<EOF | oc apply -f -
apiVersion: v1
kind: Secret
metadata:
  name: storage-credentials
  namespace: trusted-profile-analyzer
type: Opaque
data:
  aws_access_key_id: RHTPASTORAGE1EXAMPLE
  aws_secret_access_key: xBalrKUtnFEMI/K7RDENG/aPxRfzCYEXAMPLEKEY

  7. Create the SQS event bus secret object by using your AWS credentials:

    Syntax

    apiVersion: v1
kind: Secret
metadata:
  name: event-bus-credentials
  namespace: PROJECT_NAME
type: Opaque
data:
  aws_access_key_id: AWS_ACCESS_KEY
  aws_secret_access_key: AWS_SECRET_KEY

    Example

    $ cat <<EOF | oc apply -f -
apiVersion: v1
kind: Secret
metadata:
  name: event-bus-credentials
  namespace: trusted-profile-analyzer
type: Opaque
data:
  aws_access_key_id: RHTPAEVENTBS1EXAMPLE
  aws_secret_access_key: mBaliKUtnFEMI/K6RDENG/aPxRfzCYEXAMPLEKEY

  8. Create two PostgreSQL database secret objects by using your Amazon RDS credentials.

    1. A PostgreSQL standard user secret object:

      Syntax

      apiVersion: v1
kind: Secret
metadata:
  name: postgresql-credentials
  namespace: PROJECT_NAME
type: Opaque
data:
  db.host: DB_HOST
  db.name: DB_NAME
  db.user: USERNAME
  db.password: PASSWORD
  db.port: PORT

      Example

      $ cat <<EOF | oc apply -f -
apiVersion: v1
kind: Secret
metadata:
  name: postgresql-credentials
  namespace: trusted-profile-analyzer
type: Opaque
data:
  data:
  db.host: rds.us-east-1.amazonaws.com
  db.name: rhtpadb
  db.user: jdoe
  db.password: example1234
  db.port: 5432

    2. A PostgreSQL administrator secret object:

      Syntax

      apiVersion: v1
kind: Secret
metadata:
  name: postgresql-admin-credentials
  namespace: PROJECT_NAME
type: Opaque
data:
  db.host: DB_HOST
  db.name: DB_NAME
  db.user: USERNAME
  db.password: PASSWORD
  db.port: PORT

      Example

      $ cat <<EOF | oc apply -f -
apiVersion: v1
kind: Secret
metadata:
  name: postgresql-admin-credentials
  namespace: trusted-profile-analyzer
type: Opaque
data:
  data:
  db.host: rds.us-east-1.amazonaws.com
  db.name: rhtpadb
  db.user: admin
  db.password: example1234
  db.port: 5432

  9. Set up your shell environment:

    Syntax

    export NAMESPACE=PROJECT_NAME
export APP_DOMAIN_URL=-$NAMESPACE.$(oc -n openshift-ingress-operator get ingresscontrollers.operator.openshift.io default -o jsonpath='{.status.domain}')

    Example

    $ export NAMESPACE=trusted-profile-analyzer
$ export APP_DOMAIN_URL=-$NAMESPACE.$(oc -n openshift-ingress-operator get ingresscontrollers.operator.openshift.io default -o jsonpath='{.status.domain}')

  10. Add the OpenShift Helm chart repository:

    Example

    $ helm repo add openshift-helm-charts https://charts.openshift.io/

  11. Get the latest chart information from the Helm chart repositories:

    Example

    $ helm repo update

  12. Run the Helm chart:

    Syntax

    helm install redhat-trusted-profile-analyzer openshift-helm-charts/redhat-trusted-profile-analyzer -n $NAMESPACE --values PATH_TO_VALUES_FILE --set-string appDomain=$APP_DOMAIN_URL

    Example

    $ helm install redhat-trusted-profile-analyzer openshift-helm-charts/redhat-trusted-profile-analyzer -n $NAMESPACE --values values-rhtpa-aws.yaml --set-string appDomain=$APP_DOMAIN_URL

    Note

    You can run this Helm chart many times to apply the currently configured state from the values file.

  13. Once the installation finishes, you can log in to the RHTPA console by using a user’s credentials from the Cognito user pool. You can find the RHTPA console URL by running the following command:

    Example

    $ oc -n $NAMESPACE get route --selector app.kubernetes.io/name=spog-ui -o jsonpath='https://{.items[0].status.ingress[0].host}{"\n"}'

  14. A scheduled Cron job runs each day to gather the latest Common Vulnerabilities and Exposures (CVE) data for RHTPA. Instead of waiting, you can manually start this Cron job by running the following command:

    Example

    $ oc -n $NAMESPACE create job --from=cronjob/v11y-walker v11y-walker-now

    Once the Cron job finishes, delete this Cron job:

    Example

    $ oc -n $NAMESPACE delete job v11y-walker-now

Additional resources

1.2. Installing Trusted Profile Analyzer by using Helm with other services

You can install Red Hat’s Trusted Profile Analyzer (RHTPA) service on OpenShift by using a Helm chart from Red Hat. You need to have a Simple Storage Service (S3) compatible storage infrastructure, an OpenID Connect (OIDC) provider, a PostgreSQL database, and use Red Hat AMQ Streams for OpenShift. This procedure guides you on integrating these various services with RHTPA by using a customized values file for Helm.

Important

If the secret values change after the installation, OpenShift redeploys RHTPA.

Prerequisites

  • A Red Hat OpenShift Container Platform cluster running version 4.14 or later.

    • Support for the Ingress resource to serve publicly trusted certificates that use HTTPS.

  • Have the following S3 bucket names created:

    • bombastic-default
    • vexination-default
    • v11y-default

  • The AMQ Streams on OpenShift service with the following topic names created:

    • bombastic-failed-default
    • bombastic-indexed-default
    • bombastic-stored-default
    • vexination-failed-default
    • vexination-indexed-default
    • vexination-stored-default
    • v11y-failed-default
    • v11y-indexed-default
    • v11y-stored-default
  • An OIDC provider for authentication.
  • A new PostgreSQL database.
  • Access to the OpenShift web console with the cluster-admin role.
  • A workstation with the oc, and the helm binaries installed.

Procedure

  1. On your workstation, open a terminal, and log in to OpenShift by using the command-line interface:

    Syntax

    oc login --token=TOKEN --server=SERVER_URL_AND_PORT

    Example

    $ oc login --token=sha256~ZvFDBvoIYAbVECixS4-WmkN4RfnNd8Neh3y1WuiFPXC --server=https://example.com:6443

    Note

    You can find your login token and URL from the OpenShift web console to use on the command line. Log in to the OpenShift web console. Click your user name, and click Copy login command. Offer your user name and password again, and click Display Token to view the command.

  2. Create a new project for the RHTPA deployment:

    Syntax

    oc new-project PROJECT_NAME

    Example

    $ oc new-project trusted-profile-analyzer

  3. Open a new file for editing:

    Example

    $ vi values-rhtpa.yaml

  4. Copy and paste the RHTPA values file template into the new values-rhtpa.yaml file.

  5. Update the values-rhtpa.yaml file with your information.

    1. Replace S3_ENDPOINT_URL with your relevant S3 storage information.
    2. Replace AMQ_ENDPOINT_URL, and USER_NAME with your relevant AMQ Streams information.
    3. Replace OIDC_ISSUER_URL, FRONTEND_CLIENT_ID and WALKER_CLIENT_ID with your relevant OIDC information.
    4. Save the file, and quit the editor.

  6. Create the S3 storage secret object with your credentials:

    Syntax

    apiVersion: v1
kind: Secret
metadata:
  name: s3-credentials
  namespace: PROJECT_NAME
type: Opaque
data:
  user: USER_NAME
  password: PASSWORD

    Example

    $ cat <<EOF | oc apply -f -
apiVersion: v1
kind: Secret
metadata:
  name: s3-credentials
  namespace: trusted-profile-analyzer
type: Opaque
data:
  user: root
  password: example123

  7. Create the AMQ Streams secret object with your credentials:

    Syntax

    apiVersion: v1
kind: Secret
metadata:
  name: kafka-credentials
  namespace: PROJECT_NAME
type: Opaque
data:
  client_password: PASSWORD

    Example

    $ cat <<EOF | oc apply -f -
apiVersion: v1
kind: Secret
metadata:
  name: kafka-credentials
  namespace: trusted-profile-analyzer
type: Opaque
data:
  client_password: example123

  8. Create the two PostgreSQL database secret objects with your database credentials.

    1. A PostgreSQL standard user secret object:

      Syntax

      apiVersion: v1
kind: Secret
metadata:
  name: postgresql-credentials
  namespace: PROJECT_NAME
type: Opaque
data:
  db.host: DB_HOST
  db.name: DB_NAME
  db.user: USERNAME
  db.password: PASSWORD
  db.port: PORT

      Example

      $ cat <<EOF | oc apply -f -
apiVersion: v1
kind: Secret
metadata:
  name: postgresql-credentials
  namespace: trusted-profile-analyzer
type: Opaque
data:
  data:
  db.host: rds.us-east-1.amazonaws.com
  db.name: rhtpadb
  db.user: jdoe
  db.password: example1234
  db.port: 5432

    2. A PostgreSQL administrator secret object:

      Syntax

      apiVersion: v1
kind: Secret
metadata:
  name: postgresql-admin-credentials
  namespace: PROJECT_NAME
type: Opaque
data:
  db.host: DB_HOST
  db.name: DB_NAME
  db.user: USERNAME
  db.password: PASSWORD
  db.port: PORT

      Example

      $ cat <<EOF | oc apply -f -
apiVersion: v1
kind: Secret
metadata:
  name: postgresql-admin-credentials
  namespace: trusted-profile-analyzer
type: Opaque
data:
  data:
  db.host: rds.us-east-1.amazonaws.com
  db.name: rhtpadb
  db.user: admin
  db.password: example1234
  db.port: 5432

  9. Set up your shell environment:

    Syntax

    export NAMESPACE=PROJECT_NAME
export APP_DOMAIN_URL=-$NAMESPACE.$(oc -n openshift-ingress-operator get ingresscontrollers.operator.openshift.io default -o jsonpath='{.status.domain}')

    Example

    $ export NAMESPACE=trusted-profile-analyzer
$ export APP_DOMAIN_URL=-$NAMESPACE.$(oc -n openshift-ingress-operator get ingresscontrollers.operator.openshift.io default -o jsonpath='{.status.domain}')

  10. Add the OpenShift Helm chart repository:

    Example

    $ helm repo add openshift-helm-charts https://charts.openshift.io/

  11. Get the latest chart information from the Helm chart repositories:

    Example

    $ helm repo update

  12. Run the Helm chart:

    Syntax

    helm install redhat-trusted-profile-analyzer openshift-helm-charts/redhat-trusted-profile-analyzer -n $NAMESPACE --values PATH_TO_VALUES_FILE --set-string appDomain=$APP_DOMAIN_URL

    Example

    $ helm install redhat-trusted-profile-analyzer openshift-helm-charts/redhat-trusted-profile-analyzer -n $NAMESPACE --values values-rhtpa.yaml --set-string appDomain=$APP_DOMAIN_URL

    Note

    You can run this Helm chart many times to apply the currently configured state from the values file.

  13. Once the installation finishes, you can log in to the RHTPA console by using a user’s credentials from your OIDC provider. You can find the RHTPA console URL by running the following command:

    Example

    $ oc -n $NAMESPACE get route --selector app.kubernetes.io/name=spog-ui -o jsonpath='https://{.items[0].status.ingress[0].host}{"\n"}'

  14. A scheduled Cron job runs each day to gather the latest Common Vulnerabilities and Exposures (CVE) data for RHTPA. Instead of waiting, you can manually start this Cron job by running the following command:

    Example

    $ oc -n $NAMESPACE create job --from=cronjob/v11y-walker v11y-walker-now

    Once the Cron job finishes, delete this Cron job:

    Example

    $ oc -n $NAMESPACE delete job v11y-walker-now

Red Hat logoGithubRedditYoutubeTwitter

Apprendre

Essayez, achetez et vendez

Communautés

À propos de la documentation Red Hat

Nous aidons les utilisateurs de Red Hat à innover et à atteindre leurs objectifs grâce à nos produits et services avec un contenu auquel ils peuvent faire confiance.

Rendre l’open source plus inclusif

Red Hat s'engage à remplacer le langage problématique dans notre code, notre documentation et nos propriétés Web. Pour plus de détails, consultez leBlog Red Hat.

À propos de Red Hat

Nous proposons des solutions renforcées qui facilitent le travail des entreprises sur plusieurs plates-formes et environnements, du centre de données central à la périphérie du réseau.

© 2024 Red Hat, Inc.