Red Hat Summit이 콘텐츠는 선택한 언어로 제공되지 않습니다.
Chapter 2. Select your installation platform
As as systems administrator, you can select two different installation platforms to run Red Hat Trusted Profile Analyzer (RHTPA). You can deploy RHTPA to Red Hat OpenShift Container Platform using Amazon Web Services (AWS) or other service providers with a Helm chart from Red Hat. You can also deploy RHTPA to Red Hat Enterprise Linux by using Ansible.
Deploying RHTPA to Red Hat Enterprise Linux is currently a Technical Preview feature.
Select your target installation platform:
2.1. Installing Trusted Profile Analyzer by using Ansible
You can install the Red Hat Trusted Profile Analyzer (RHTPA) on Red Hat Enterprise Linux by using a Red Hat provided Ansible Playbook. This Ansible deployment of RHTPA allows you to specify your own PostgreSQL database, OpenID Connect (OIDC) provider, Simple Storage Service (S3), and Simple Queue Service (SQS) infrastructure.
Deploying RHTPA on Red Hat Enterprise Linux by using Ansible is a Technology Preview feature only. Technology Preview features are not supported with Red Hat production service level agreements (SLAs), might not be functionally complete, and Red Hat does not recommend to use them for production. These features provide early access to upcoming product features, enabling customers to test functionality and provide feedback during the development process. See the support scope for Red Hat Technology Preview features for more details.
Prerequisites
- Red Hat Enterprise Linux version 9.3 or later.
- A Red Hat user account to access the Red Hat Hybrid Cloud Console.
Procedure
- Log in to the Red Hat Hybrid Cloud Console with your Red Hat credentials.
- From the home page, click the Services drop-down menu, and click Red Hat Ansible Automation Platform.
- From the navigational menu, expand Automation Hub, and click Collections.
- In the search field type rhtpa and press enter.
- Click the trusted_profile_analyzer link on the Red Hat Trusted Profile Analyzer tile.
Click the Documentation tab, and follow the steps there to complete the installation of RHTPA on Red Hat Enterprise Linux.
NoteFor a detailed overview of all the configuration parameters, click the tpa_single_node link under the Roles section.
2.2. Installing Trusted Profile Analyzer by using Helm with Amazon Web Services
You can install Red Hat’s Trusted Profile Analyzer (RHTPA) service on OpenShift by using a Helm chart from Red Hat. This procedure guides you on integrating Amazon Web Services (AWS) with RHTPA by using a customized values file for Helm.
If the secret values change after the installation, OpenShift redeploys RHTPA.
Prerequisites
A Red Hat OpenShift Container Platform cluster running version 4.14 or later.
- Support for the Ingress resource to serve publicly trusted certificates that use HTTPS.
- The ability to provision Transport Layer Security (TLS) certificates for Helm.
An AWS account with access to the following services:
- Simple Storage Service (S3)
- Simple Queue Service (SQS)
- Relational Database Service (RDS) using a PostgreSQL database instance.
- Cognito with an existing Cognito domain.
Have the following unversioned S3 bucket names created:
-
bombastic-UNIQUE_ID -
vexination-UNIQUE_ID v11y-UNIQUE_IDImportantThese bucket names must be unique across all AWS accounts in all AWS regions within the same partition. See Amazon’s S3 documentation for more information on bucket naming rules.
-
Have the following standard SQS queue names created:
-
bombastic-failed-default -
bombastic-indexed-default -
bombastic-stored-default -
vexination-failed-default -
vexination-indexed-default -
vexination-stored-default -
v11y-failed-default -
v11y-indexed-default -
v11y-stored-default
-
-
Access to the OpenShift web console with the
cluster-adminrole. -
A workstation with the
oc, and thehelmbinaries installed.
Procedure
On your workstation, open a terminal, and log in to OpenShift by using the command-line interface:
Syntax
oc login --token=TOKEN --server=SERVER_URL_AND_PORTExample
$ oc login --token=sha256~ZvFDBvoIYAbVECixS4-WmkN4RfnNd8Neh3y1WuiFPXC --server=https://example.com:6443NoteYou can find your login token and URL from the OpenShift web console to use on the command line. Log in to the OpenShift web console. Click your user name, and click Copy login command. Offer your user name and password again, and click Display Token to view the command.
Create a new project for the RHTPA deployment:
Syntax
oc new-project PROJECT_NAMEExample
$ oc new-project trusted-profile-analyzerOpen a new file for editing:
Example
$ vi values-rhtpa-aws.yaml-
Copy and paste the RHTPA values file template into the new
values-rhtpa-aws.yamlfile. Update the
values-rhtpa-aws.yamlfile with your relevant AWS information.- Replace REGIONAL_ENDPOINT with your Amazon S3 storage, and Amazon SQS endpoint URLs.
- Replace COGNITO_DOMAIN_URL with your Amazon Cognito URL. You can find this information in the AWS Cognito Console, under the App Integration tab.
- Replace REGION, USER_POOL_ID, and FRONTEND_CLIENT_ID and WALKER_CLIENT_ID with your relevant Amazon Cognito information. You can find this information in the AWS Cognito Console, in the User pool overview section, and in the App clients and analytics section under the App Integration tab.
-
Replace UNIQUE_ID with your unique bucket names for
bombastic-,vexination-, andv11y-. - Save the file, and quit the editor.
Create the S3 storage secret resource by using your AWS credentials:
Syntax
apiVersion: v1 kind: Secret metadata: name: storage-credentials namespace: PROJECT_NAME type: Opaque data: aws_access_key_id: AWS_ACCESS_KEY aws_secret_access_key: AWS_SECRET_KEYExample
$ cat <<EOF | oc apply -f - apiVersion: v1 kind: Secret metadata: name: storage-credentials namespace: trusted-profile-analyzer type: Opaque data: aws_access_key_id: RHTPASTORAGE1EXAMPLE aws_secret_access_key: xBalrKUtnFEMI/K7RDENG/aPxRfzCYEXAMPLEKEY EOFCreate the SQS event bus secret resource by using your AWS credentials:
Syntax
apiVersion: v1 kind: Secret metadata: name: event-bus-credentials namespace: PROJECT_NAME type: Opaque data: aws_access_key_id: AWS_ACCESS_KEY aws_secret_access_key: AWS_SECRET_KEYExample
$ cat <<EOF | oc apply -f - apiVersion: v1 kind: Secret metadata: name: event-bus-credentials namespace: trusted-profile-analyzer type: Opaque data: aws_access_key_id: RHTPAEVENTBS1EXAMPLE aws_secret_access_key: mBaliKUtnFEMI/K6RDENG/aPxRfzCYEXAMPLEKEY EOFCreate a OpenID Connect (OIDC) walker client secret resource:
Syntax
apiVersion: v1 kind: Secret metadata: name: oidc-walker namespace: PROJECT_NAME type: Opaque data: client-secret: SECRETExample
$ cat <<EOF | oc apply -f - apiVersion: v1 kind: Secret metadata: name: oidc-walker namespace: trusted-profile-analyzer type: Opaque data: client-secret: 5460cc91-4e20-4edd-881c-b15b169f8a79 EOFCreate two PostgreSQL database secret resources by using your Amazon RDS credentials.
A PostgreSQL standard user secret resource:
Syntax
apiVersion: v1 kind: Secret metadata: name: postgresql-credentials namespace: PROJECT_NAME type: Opaque data: db.host: DB_HOST db.name: DB_NAME db.user: USERNAME db.password: PASSWORD db.port: PORTExample
$ cat <<EOF | oc apply -f - apiVersion: v1 kind: Secret metadata: name: postgresql-credentials namespace: trusted-profile-analyzer type: Opaque data: data: db.host: rds.us-east-1.amazonaws.com db.name: rhtpadb db.user: jdoe db.password: example1234 db.port: 5432 EOFA PostgreSQL administrator secret resource:
Syntax
apiVersion: v1 kind: Secret metadata: name: postgresql-admin-credentials namespace: PROJECT_NAME type: Opaque data: db.host: DB_HOST db.name: DB_NAME db.user: USERNAME db.password: PASSWORD db.port: PORTExample
$ cat <<EOF | oc apply -f - apiVersion: v1 kind: Secret metadata: name: postgresql-admin-credentials namespace: trusted-profile-analyzer type: Opaque data: data: db.host: rds.us-east-1.amazonaws.com db.name: rhtpadb db.user: admin db.password: example1234 db.port: 5432 EOF- From the AWS Management Console, configure the Amazon Virtual Private Cloud (VPC) security group to allow port 5432.
Set up your shell environment:
Syntax
export NAMESPACE=PROJECT_NAME export APP_DOMAIN_URL=-$NAMESPACE.$(oc -n openshift-ingress-operator get ingresscontrollers.operator.openshift.io default -o jsonpath='{.status.domain}')Example
$ export NAMESPACE=trusted-profile-analyzer $ export APP_DOMAIN_URL=-$NAMESPACE.$(oc -n openshift-ingress-operator get ingresscontrollers.operator.openshift.io default -o jsonpath='{.status.domain}')Add the OpenShift Helm chart repository:
Example
$ helm repo add openshift-helm-charts https://charts.openshift.io/Get the latest chart information from the Helm chart repositories:
Example
$ helm repo updateRun the Helm chart:
Syntax
helm install redhat-trusted-profile-analyzer openshift-helm-charts/redhat-trusted-profile-analyzer -n $NAMESPACE --values PATH_TO_VALUES_FILE --set-string appDomain=$APP_DOMAIN_URLExample
$ helm install redhat-trusted-profile-analyzer openshift-helm-charts/redhat-trusted-profile-analyzer -n $NAMESPACE --values values-rhtpa-aws.yaml --set-string appDomain=$APP_DOMAIN_URLNoteYou can run this Helm chart many times to apply the currently configured state from the values file.
Once the installation finishes, you can log in to the RHTPA console by using a user’s credentials from the Cognito user pool. You can find the RHTPA console URL by running the following command:
Example
$ oc -n $NAMESPACE get route --selector app.kubernetes.io/name=spog-ui -o jsonpath='https://{.items[0].status.ingress[0].host}{"\n"}'A scheduled Cron job runs each day to gather the latest Common Vulnerabilities and Exposures (CVE) data for RHTPA. Instead of waiting, you can manually start this Cron job by running the following command:
Example
$ oc -n $NAMESPACE create job --from=cronjob/v11y-walker v11y-walker-nowOnce the Cron job finishes, delete this Cron job:
Example
$ oc -n $NAMESPACE delete job v11y-walker-now
2.3. Installing Trusted Profile Analyzer by using Helm with other services
You can install Red Hat’s Trusted Profile Analyzer (RHTPA) service on OpenShift by using a Helm chart from Red Hat. You need to have a Simple Storage Service (S3) compatible storage infrastructure, an OpenID Connect (OIDC) provider, a PostgreSQL database, and use Red Hat AMQ Streams for OpenShift. This procedure guides you on integrating these various services with RHTPA by using a customized values file for Helm.
If the secret values change after the installation, OpenShift redeploys RHTPA.
Prerequisites
A Red Hat OpenShift Container Platform cluster running version 4.14 or later.
- Support for the Ingress resource to serve publicly trusted certificates that use HTTPS.
Have the following unversioned S3 bucket names created:
-
bombastic-default -
vexination-default -
v11y-default
-
The AMQ Streams on OpenShift service with the following topic names created:
-
bombastic-failed-default -
bombastic-indexed-default -
bombastic-stored-default -
vexination-failed-default -
vexination-indexed-default -
vexination-stored-default -
v11y-failed-default -
v11y-indexed-default -
v11y-stored-default
-
- An OIDC provider for authentication.
- A new PostgreSQL database.
-
Access to the OpenShift web console with the
cluster-adminrole. -
A workstation with the
oc, and thehelmbinaries installed.
Procedure
On your workstation, open a terminal, and log in to OpenShift by using the command-line interface:
Syntax
oc login --token=TOKEN --server=SERVER_URL_AND_PORTExample
$ oc login --token=sha256~ZvFDBvoIYAbVECixS4-WmkN4RfnNd8Neh3y1WuiFPXC --server=https://example.com:6443NoteYou can find your login token and URL from the OpenShift web console to use on the command line. Log in to the OpenShift web console. Click your user name, and click Copy login command. Offer your user name and password again, and click Display Token to view the command.
Create a new project for the RHTPA deployment:
Syntax
oc new-project PROJECT_NAMEExample
$ oc new-project trusted-profile-analyzerOpen a new file for editing:
Example
$ vi values-rhtpa.yaml-
Copy and paste the RHTPA values file template into the new
values-rhtpa.yamlfile. Update the
values-rhtpa.yamlfile with your information.- Replace S3_ENDPOINT_URL with your relevant S3 storage information.
- Replace AMQ_ENDPOINT_URL, and USER_NAME with your relevant AMQ Streams information.
- Replace OIDC_ISSUER_URL, FRONTEND_CLIENT_ID and WALKER_CLIENT_ID with your relevant OIDC information.
- Save the file, and quit the editor.
Create the S3 storage secret resource with your credentials:
Syntax
apiVersion: v1 kind: Secret metadata: name: s3-credentials namespace: PROJECT_NAME type: Opaque data: user: USER_NAME password: PASSWORDExample
$ cat <<EOF | oc apply -f - apiVersion: v1 kind: Secret metadata: name: s3-credentials namespace: trusted-profile-analyzer type: Opaque data: user: root password: example123 EOFCreate the AMQ Streams secret resource with your credentials:
Syntax
apiVersion: v1 kind: Secret metadata: name: kafka-credentials namespace: PROJECT_NAME type: Opaque data: client_password: PASSWORDExample
$ cat <<EOF | oc apply -f - apiVersion: v1 kind: Secret metadata: name: kafka-credentials namespace: trusted-profile-analyzer type: Opaque data: client_password: example123 EOFCreate a OIDC walker client secret resource:
Syntax
apiVersion: v1 kind: Secret metadata: name: oidc-walker namespace: PROJECT_NAME type: Opaque data: client-secret: SECRETExample
$ cat <<EOF | oc apply -f - apiVersion: v1 kind: Secret metadata: name: oidc-walker namespace: trusted-profile-analyzer type: Opaque data: client-secret: 5460cc91-4e20-4edd-881c-b15b169f8a79 EOFCreate the two PostgreSQL database secret resources with your database credentials.
A PostgreSQL standard user secret resource:
Syntax
apiVersion: v1 kind: Secret metadata: name: postgresql-credentials namespace: PROJECT_NAME type: Opaque data: db.host: DB_HOST db.name: DB_NAME db.user: USERNAME db.password: PASSWORD db.port: PORTExample
$ cat <<EOF | oc apply -f - apiVersion: v1 kind: Secret metadata: name: postgresql-credentials namespace: trusted-profile-analyzer type: Opaque data: data: db.host: postgresql.example.com db.name: rhtpadb db.user: jdoe db.password: example1234 db.port: 5432 EOFA PostgreSQL administrator secret resource:
Syntax
apiVersion: v1 kind: Secret metadata: name: postgresql-admin-credentials namespace: PROJECT_NAME type: Opaque data: db.host: DB_HOST db.name: DB_NAME db.user: USERNAME db.password: PASSWORD db.port: PORTExample
$ cat <<EOF | oc apply -f - apiVersion: v1 kind: Secret metadata: name: postgresql-admin-credentials namespace: trusted-profile-analyzer type: Opaque data: data: db.host: postgresql.example.com db.name: rhtpadb db.user: admin db.password: example1234 db.port: 5432 EOF
Set up your shell environment:
Syntax
export NAMESPACE=PROJECT_NAME export APP_DOMAIN_URL=-$NAMESPACE.$(oc -n openshift-ingress-operator get ingresscontrollers.operator.openshift.io default -o jsonpath='{.status.domain}')Example
$ export NAMESPACE=trusted-profile-analyzer $ export APP_DOMAIN_URL=-$NAMESPACE.$(oc -n openshift-ingress-operator get ingresscontrollers.operator.openshift.io default -o jsonpath='{.status.domain}')Add the OpenShift Helm chart repository:
Example
$ helm repo add openshift-helm-charts https://charts.openshift.io/Get the latest chart information from the Helm chart repositories:
Example
$ helm repo updateRun the Helm chart:
Syntax
helm install redhat-trusted-profile-analyzer openshift-helm-charts/redhat-trusted-profile-analyzer -n $NAMESPACE --values PATH_TO_VALUES_FILE --set-string appDomain=$APP_DOMAIN_URLExample
$ helm install redhat-trusted-profile-analyzer openshift-helm-charts/redhat-trusted-profile-analyzer -n $NAMESPACE --values values-rhtpa.yaml --set-string appDomain=$APP_DOMAIN_URLNoteYou can run this Helm chart many times to apply the currently configured state from the values file.
Once the installation finishes, you can log in to the RHTPA console by using a user’s credentials from your OIDC provider. You can find the RHTPA console URL by running the following command:
Example
$ oc -n $NAMESPACE get route --selector app.kubernetes.io/name=spog-ui -o jsonpath='https://{.items[0].status.ingress[0].host}{"\n"}'A scheduled Cron job runs each day to gather the latest Common Vulnerabilities and Exposures (CVE) data for RHTPA. Instead of waiting, you can manually start this Cron job by running the following command:
Example
$ oc -n $NAMESPACE create job --from=cronjob/v11y-walker v11y-walker-nowOnce the Cron job finishes, delete this Cron job:
Example
$ oc -n $NAMESPACE delete job v11y-walker-now
'%20d='M201.5%20305.5c-13.8%200-24.9-11.1-24.9-24.6%200-13.8%2011.1-24.9%2024.9-24.9%2013.6%200%2024.6%2011.1%2024.6%2024.9%200%2013.6-11.1%2024.6-24.6%2024.6zM504%20256c0%20137-111%20248-248%20248S8%20393%208%20256%20119%208%20256%208s248%20111%20248%20248zm-132.3-41.2c-9.4%200-17.7%203.9-23.8%2010-22.4-15.5-52.6-25.5-86.1-26.6l17.4-78.3%2055.4%2012.5c0%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.3%2024.9-24.9s-11.1-24.9-24.9-24.9c-9.7%200-18%205.8-22.1%2013.8l-61.2-13.6c-3-.8-6.1%201.4-6.9%204.4l-19.1%2086.4c-33.2%201.4-63.1%2011.3-85.5%2026.8-6.1-6.4-14.7-10.2-24.1-10.2-34.9%200-46.3%2046.9-14.4%2062.8-1.1%205-1.7%2010.2-1.7%2015.5%200%2052.6%2059.2%2095.2%20132%2095.2%2073.1%200%20132.3-42.6%20132.3-95.2%200-5.3-.6-10.8-1.9-15.8%2031.3-16%2019.8-62.5-14.9-62.5zM302.8%20331c-18.2%2018.2-76.1%2017.9-93.6%200-2.2-2.2-6.1-2.2-8.3%200-2.5%202.5-2.5%206.4%200%208.6%2022.8%2022.8%2087.3%2022.8%20110.2%200%202.5-2.2%202.5-6.1%200-8.6-2.2-2.2-6.1-2.2-8.3%200zm7.7-75c-13.6%200-24.6%2011.1-24.6%2024.9%200%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.1%2024.9-24.6%200-13.8-11-24.9-24.9-24.9z'/%3e%3c/svg%3e){kind=small}