Privacera Setup for AWS
Note
Please ensure you have completed the prerequisites before proceeding with the setup.
This section provides the steps to set up Privacera on AWS. The setup includes the following steps:
- Update the configuration file aws_pm_config_env.sh with the required details.
- Install Privacera Manager
- Deploy Privacera in Kubernetes
- Configure AWS ALB for Privacera (Optional)
- Post-Install Configuration
Download Scripts
The base installation is done using the Privacera Manager bootstrapping scripts. Go to the server where you want to install Privacera Manager and download the following files.
For your reference, the files are in the public GitHub repository.
Update the Privacera bootstrapping configuration file
The configuration file aws_pm_config_env.sh contains the variables required for bootstrapping Privacera Manager and deploying Privacera in Kubernetes. Update them with the values specific to your deployment.
Tip
This is a one-time activity. After the initial bootstrapping, this configuration should be securely stored and deleted from the instance.
Configuration Variables Table
Variable Name | Description | Sample Value |
---|---|---|
DEPLOYMENT_ENV_NAME | Deployment environment name, typically the name of the deployment or project. | "privacera-prod" or "privacera-dev" |
PRIV_MGR_IMAGE | Docker image for Privacera Manager, including the repository URL and image tag. | "hub2.privacera.com/privacera-manager:rel_9.0.0.3" |
PRIV_MGR_PACKAGE | URL for the Privacera Manager package, usually hosted on an S3 bucket or similar repository. | "https://privacera-host/path/privacera-manager.tar.gz" |
PRIVACERA_HUB_USER | Username for accessing Privacera Hub, the central repository for Privacera images. | "hub_user" |
PRIVACERA_HUB_PASSWORD | Password for accessing Privacera Hub. This should be securely stored. | "hub_password" |
ANSIBLE_VAULT_PASSWORD | Password for Ansible Vault, used to encrypt and decrypt sensitive Ansible variables in the EC2 instance. | "YourStrongPassword" |
GLOBAL_DEFAULT_SECRETS_KEYSTORE_PASSWORD | Password for the global secrets keystore. Used to encrypt sensitive information in the Pod. | "YourStrongPassword" |
AWS_REGION | AWS region where the deployment will occur. | "us-east-1" |
EFS_FSID | Elastic File System (EFS) File System ID for shared storage in AWS. | "fs-1234567890abcdef" |
SSL_DEFAULT_PASSWORD | Default password for SSL certificate management. Should be a strong password to secure SSL certificates generated by Privacera Manager. | "YourStrongSSLPassword" |
DB | Database type used. Uncomment the appropriate line for your database: MySQL or PostgreSQL. | MYSQL or POSTGRESQL or NATIVE |
EXTERNAL_DB_HOST | Hostname or IP address of the external database. | "database.example.com" or "192.168.1.100" |
EXTERNAL_DB_PORT (Optional) | Port of the external database, if different from the default port. | "3306" |
EXTERNAL_DB_NAME | Name of the external database. | "privacera_db" |
EXTERNAL_DB_USER | Username for accessing the external database. | "db_admin" |
EXTERNAL_DB_PASSWORD | Password for the external database user. This should be stored securely. | "YourSecureDBPassword" |
AWS_ROUTE_53_DOMAIN_NAME | Domain name for AWS Route 53. If Privacera will create Route 53 entries, the service name will be prefixed with this domain. | "privacera.yourdomain.com" |
CERTIFICATE_ARN | ARN of the AWS Certificate Manager (ACM) certificate to use with the ALB | "arn:aws:acm:us-east-1:1223444:certificate/622eb4db-ea45b48" |
SUBNETS | Subnets in which the ALB will be deployed. Comma-separated list of subnet IDs. | "subnet-1234abcd,subnet-5678efgh" |
AWS_ALB_GROUP | Group name for the ALB. Used for grouping ALBs within a cluster. | "privacera-group" |
PRIVACERA_AWS_ZONE_ID | AWS Zone ID for the Route 53 hosted zone. | "Z3M3LMPEXAMPLE" |
AWS_NLB_RANGER_INTERNAL | Set to true if the Network Load Balancer (NLB) for the Ranger plugin should be internal. | "true" or "false" |
SECURITY_GROUPS (Optional) | Security groups to associate with the ALB. Comma-separated list of security group IDs. | "sg-0123456789abcdef,sg-9876543210fedcba" |
Notes
- Optional Fields: SECURITY_GROUPS is optional and should be included only if needed.
- Database Configuration: Uncomment the appropriate database type (MYSQL or POSTGRESQL) that applies to your setup. For PoCs, you can set it to NATIVE to deploy MariaDB in the same Kubernetes cluster.
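A pre-flight check for the filled-in aws_pm_config_env.sh, as an added example that is not part of the Privacera scripts: it flags loose file permissions, secret variables left empty or at the sample values from the table, and an unrecognised DB value. The `VAR="value"` line format, the function names, and treating EXTERNAL_DB_PASSWORD as required for MYSQL or POSTGRESQL are assumptions.

```shell
#!/usr/bin/env bash
# Added example (not a Privacera script): pre-flight check of aws_pm_config_env.sh.
# Assumption: values are set as VAR="value" or export VAR="value", one per line.

# Sample values from the variables table; none of them may reach a real deployment.
PLACEHOLDERS="hub_password YourStrongPassword YourStrongSSLPassword YourSecureDBPassword"
SECRET_VARS="PRIVACERA_HUB_PASSWORD ANSIBLE_VAULT_PASSWORD GLOBAL_DEFAULT_SECRETS_KEYSTORE_PASSWORD SSL_DEFAULT_PASSWORD"

# Print the value of the last uncommented assignment of VAR, without sourcing FILE
# (sourcing would execute whatever the file contains). Values stop at whitespace.
cfg_get() {  # usage: cfg_get FILE VAR
  sed -n -E "s/^[[:space:]]*(export[[:space:]]+)?$2=\"?([^\"[:space:]]*).*/\2/p" "$1" | tail -n 1
}

# Print one finding per line; return 0 only when there are no findings.
check_pm_config() {  # usage: check_pm_config FILE
  local file="$1" findings=0 var val db mode secrets="$SECRET_VARS"
  # The file holds every deployment secret: no group or other permission bits.
  mode=$(stat -c '%a' "$file" 2>/dev/null || stat -f '%Lp' "$file")
  case "$mode" in
    *00) ;;
    *) echo "PERMS: mode $mode, run chmod 600"; findings=$((findings + 1)) ;;
  esac
  db=$(cfg_get "$file" DB)
  case "$db" in
    NATIVE) ;;  # in-cluster MariaDB, described on the page as a PoC option
    MYSQL|POSTGRESQL) secrets="$secrets EXTERNAL_DB_PASSWORD" ;;  # assumed required here
    *) echo "DB: expected MYSQL, POSTGRESQL or NATIVE, got '$db'"; findings=$((findings + 1)) ;;
  esac
  for var in $secrets; do
    val=$(cfg_get "$file" "$var")
    case " $PLACEHOLDERS " in
      *" $val "*) echo "PLACEHOLDER: $var still has a sample value"; findings=$((findings + 1)); continue ;;
    esac
    [ -n "$val" ] || { echo "EMPTY: $var is not set"; findings=$((findings + 1)); }
  done
  [ "$findings" -eq 0 ]
}

# Run against a file given on the command line, e.g. ./check.sh aws_pm_config_env.sh
if [ "$#" -gt 0 ]; then check_pm_config "$1"; fi
```

A non-zero exit status means at least one finding was printed; fix those before running the install script.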
Install Privacera Manager
On the EC2 instance, after updating the configuration file, run the aws_pm_install.sh script to install Privacera Manager.
~/privacera/privacera-manager/ directory.
Configure Privacera for base installation
Run the aws_bootstrap_privacera.sh script to configure Privacera for the base installation.
The script will create the necessary configuration files and directories for Privacera Manager. You can verify the configuration files and directories created in the ~/privacera/privacera-manager/config/custom-vars/ directory.
Just make sure the .yml files are created in the directory.
Tip
This script sets all the common configurations required for Privacera. If you need to customize the configurations, you can update the .yml files in the ~/privacera/privacera-manager/config/custom-vars/ directory. Note that once you have updated the configuration files, you shouldn't run the aws_bootstrap_privacera.sh script again; otherwise it will overwrite the changes.
Generate Kubernetes Deployment Files and Helm Charts
Run the following command to generate the Kubernetes deployment files and Helm charts for Privacera.
Note
The setup command will ask you to enter the vault password. This is the same password that you entered in the configuration file for the ANSIBLE_VAULT_PASSWORD variable.
Apply the Privacera Helm Charts
Run the following command to apply the Privacera Helm charts.
The above command will deploy Privacera in the Kubernetes cluster. You can verify the deployment by checking the pods.
If any of the pods are showing up, then you can go to the next step to configure the AWS ALB for Privacera.
Configure AWS ALB for Privacera (Optional)
Run the following command to get the AWS ALB external URL.
Tip
You can open another terminal to run the step below, or save the AWS ALB external URL in a text file and then update the file below.
Update the AWS_ALB_EXTERNAL_URL variable with the AWS ALB external URL you got from the previous command.
Post-Install Configuration
Some of the post-install tasks are:
- Route 53 Entries
- Generate the plugin tarball
Verify the Privacera Installation
Check the Pod Status
You can run the following command to use k9s to check the pod status
You can also use k9s to check the pod status.
Tip
To exit k9s, you can press ctrl+c and then q or ':q' to exit.
URLs for Privacera Components
If the installation is successful, you can get the URLs for the Privacera components using the following command.
Common URLs for Privacera components are:
Privacera Portal: https://portal-<$DEPLOYMENT_ENV_NAME>.<AWS_ALB_EXTERNAL_URL>
Privacera Diagnostic Tool
You can run the Privacera Diagnostic Tool to check the health of the Privacera components. The URL path for the diagnostic tool can be found in the service-urls.txt file. It will be in the format:
https://diagnostics-server-<$DEPLOYMENT_ENV_NAME>.<AWS_ALB_EXTERNAL_URL>
Privacera Health Monitoring
You can run the Privacera Health Monitoring tool to check the health of the Privacera components. The URL path for the health monitoring tool can be found in the service-urls.txt file. It will be in the format:
https://grafana-<$DEPLOYMENT_ENV_NAME>.<AWS_ALB_EXTERNAL_URL>
Delete the Configuration Files
Once the base installation is complete, you could store the configuration files securely. For security reasons, you should delete the configuration files from the EC2 instance.