Installing Delivery Shield

This page describes how to install Delivery Shield. Follow the steps below to complete the installation.

Pre-requisites

Before starting the installation, make sure the following requirements are met and the setup is done as needed:

Kubernetes Cluster

  • Kubernetes cluster 1.20 or later with 3 nodes, each with 4 cores and 16 GB memory. Execute the command below to check the Kubernetes version.

    kubectl version --short

  • Helm 3 (version 3.10.3 or later) is set up on the client system. If Helm is not set up, follow the instructions provided in Installing Helm. Execute the command below to check the Helm version.

    helm version

  • The Kubernetes cluster should support automatic persistent volume provisioning. If it does not, configure it manually. The tool chain requires a minimum of 10 Gi; 50 Gi is recommended. Other services (redis, dgraph, minio, ssd-db) require 8 Gi.

Network Requirements

  • Complete internet access is not required, but the following external endpoints must be reachable from the cluster:

https://api.first.org/data/v1/epss
https://services.nvd.nist.gov/rest/json/cves/2.0
https://raw.githubusercontent.com/projectdiscovery/nuclei-templates/main/cves.json
https://api.vulncheck.com/v3/index/nist-nvd2
https://api.vulncheck.com/v3/index/vulncheck-kev
http://34.27.35.35:8070
http://212.2.244.234:8900
https://github.com/OpsMx/ssd-policies.git
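
The endpoint list above, turned into host:port entries for an egress firewall or proxy allowlist, with the plain-HTTP entries called out. This is an added example, not part of the Delivery Shield documentation; the function names (`parse_endpoint`, `allowlist`, `cleartext`, `probe`) are illustrative, and `probe` assumes curl is available on a pod or node inside the cluster.

```shell
# Added example: derive egress allowlist entries from the endpoints listed above.
ENDPOINTS='https://api.first.org/data/v1/epss
https://services.nvd.nist.gov/rest/json/cves/2.0
https://raw.githubusercontent.com/projectdiscovery/nuclei-templates/main/cves.json
https://api.vulncheck.com/v3/index/nist-nvd2
https://api.vulncheck.com/v3/index/vulncheck-kev
http://34.27.35.35:8070
http://212.2.244.234:8900
https://github.com/OpsMx/ssd-policies.git'

# Print "scheme host port" for one URL, filling in the scheme's default port.
parse_endpoint() {
  scheme=${1%%://*}
  rest=${1#*://}
  hostport=${rest%%/*}
  host=${hostport%%:*}
  case $hostport in
    *:*) port=${hostport##*:} ;;
    *)   if [ "$scheme" = https ]; then port=443; else port=80; fi ;;
  esac
  echo "$scheme $host $port"
}

# Unique host:port pairs for an egress firewall or proxy allowlist.
allowlist() {
  echo "$ENDPOINTS" | while read -r url; do
    set -- $(parse_endpoint "$url")
    echo "$2:$3"
  done | sort -u
}

# Endpoints listed with plain http://: traffic to them has no TLS, so the
# server is not authenticated and responses are not integrity-protected.
cleartext() {
  echo "$ENDPOINTS" | while read -r url; do
    set -- $(parse_endpoint "$url")
    if [ "$1" = http ]; then echo "$2:$3"; fi
  done
}

# Optional reachability test, run from inside the cluster (000 = no connection).
probe() {
  echo "$ENDPOINTS" | while read -r url; do
    code=$(curl -s -o /dev/null --connect-timeout 5 -w '%{http_code}' "$url") || true
    echo "$code $url"
  done
}

echo "Allowlist entries:"; allowlist; echo "Cleartext endpoints:"; cleartext
```

Run `probe` from a pod or node in the cluster rather than from the client system, since the requirement is reachability from the cluster.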

Ingress Controller

  • SSD supports:

    • NGINX Ingress Controller

    • AWS Ingress Controller

  • Make sure to deploy one of these.

DNS

  • Ensure you have:

    • A valid DNS name (FQDN) pointing to your cluster’s LoadBalancer IP, or

    • An updated hosts file.

    • Update the entry below with a valid host name (FQDN) or IP address:

      IP-address SSD.REPLACE.THIS.WITH.YOURCOMPANY.COM

      E.g.: ssd.opsmx.com

TLS Certificates

  • TLS Certificates are generated using cert-manager.

  • Cert-manager must be installable on your cluster. If not, see Cert-Manager for instructions on how to install it.

Authentication

  • Delivery Shield supports:

    • Built-in admin user (username: admin with auto-generated password)

    • SAML (Okta)

    • Google SSO

  • If you plan to use SAML (Okta) or Google SSO, make sure your Okta configuration is ready.

Security Restrictions

  • Some proxies (like Cloudflare) can block internal websites. If you use such proxies, please notify SSD Support.

Installation instructions:

Follow the steps below to install Delivery Shield in your environment, in the same cluster as the applications:

  • Clone the enterprise-ssd repo by executing the following command. (Please note that the organization name should be changed.)

    git clone https://github.com/OpsMx/enterprise-ssd.git
  • Add the opsmx helm repo to your local machine by executing the following command:

    helm repo add opsmxssd https://opsmx.github.io/enterprise-ssd/

    If the opsmx helm repo is already added, do a repo update before installing the chart by executing the following command:

    helm repo update

  • Change into the enterprise-ssd chart directory:

    cd enterprise-ssd/charts/ssd

  • Customize the hosts for various installations using the options under ssdUI in ssd-minimal-values.yaml. If any other ingress controller is installed, set the createIngress flag to false and configure your ingress. See Ingress-Nginx Controller for instructions on how to install nginx ingress.

  • Helm v3 expects the namespace to be present before the helm install command is run. If it does not exist, execute the commands below:

    kubectl create namespace opsmx-ssd
    kubectl apply -f https://raw.githubusercontent.com/OpsMx/argocd-ssd/main/job/job.yaml -n <namespace>
  • The following values YAML files are used to install different variations of SSD:

    • ssd-minimal-values.yaml: This file is used for installing SSD with default authentication.

    • ssd-saml-values.yaml: This file is used for installing SSD with SAML authentication.

    • ssd-local-values.yaml: This file is used for installing SSD locally in minikube/K3s.

  • Update only the host value in ssd-minimal-values.yaml and the namespace value under the kubedetector section (if the namespace value is updated, the data will be displayed in SSD).

    NOTE: Please read the inline comments of ssd-minimal-values.yaml.

  • Install SSD by executing this command:

    helm install ssd opsmxssd/ssd -f ssd-minimal-values.yaml -n opsmx-ssd --timeout=600s

Monitoring the installation process

  • Wait for all pods to stabilize (about 2-3 min, depending on your cluster load). The "setup-job" in completed status indicates completion of the installation process.

  • Check the status by executing the following command:

    kubectl -n opsmx-ssd get pods

Checking the installation

  • Get the SSD URL using the command below and open it in a browser such as Chrome.

    kubectl -n opsmx-ssd get ingress

  • Fetch the SSD password from the secret using the command below and log in to SSD.

    kubectl -n opsmx-ssd get secret ssd-initial-password -o jsonpath='{.data.ADMIN_PASSWORD}' | base64 -d

  • After logging in to SSD, wait 5 minutes for the data to be populated.

Troubleshooting

If you face any issues during installation, check the installation logs in debug mode and fix them. If you are not able to fix the issues, feel free to contact the OpsMx support team.
