Skip to content

Privacera Setup

Note

Please ensure you have completed the prerequisites before proceeding with the setup.

This section provides the steps to setup Privacera on AWS, Azure and GCP. The setup includes the following steps:

  1. Update the configuration file aws_pm_config_env.sh or azure_pm_config_env.sh or gcp_pm_config_env.sh with the required details.
  2. Install Privacera Manager
  3. Deploy Privacera in Kubernetes
  4. Configure AWS ALB for Privacera in AWS (Optional)
  5. Install Monitoring Components
  6. Post-Install Configuration

Download Scripts

The base installation is done using the Privacera Manager bootstrapping scripts. Go to the server where you want to install Privacera Manager and download the following files.

Bash
1
2
3
cd ~/
curl -s https://raw.githubusercontent.com/privacera/privacera-installation-scripts/refs/heads/main/base-install/install_pm.sh -o install_pm.sh
curl -s https://raw.githubusercontent.com/privacera/privacera-installation-scripts/refs/heads/main/base-install/bootstrap_privacera.sh  -o bootstrap_privacera.sh
Download the Cloud specific environment file by running the following commands. Select the tab corresponding to your cloud provider.

Bash
1
2
curl -s https://raw.githubusercontent.com/privacera/privacera-installation-scripts/refs/heads/main/base-install/self-managed/aws/aws_pm_config_env.sh -o aws_pm_config_env.sh
chmod a+x *.sh
Bash
1
2
curl -s https://raw.githubusercontent.com/privacera/privacera-installation-scripts/refs/heads/main/base-install/self-managed/azure/azure_pm_config_env.sh -o azure_pm_config_env.sh
chmod a+x *.sh
Bash
1
2
curl -s https://raw.githubusercontent.com/privacera/privacera-installation-scripts/refs/heads/main/base-install/self-managed/gcp/gcp_pm_config_env.sh -o gcp_pm_config_env.sh
chmod a+x *.sh

For your reference, the files are in the public GitHub repository.

Update the Privacera bootstrapping configuration file

The configuration file contains the variables required for bootstrapping Privacera Manager and deploying Privacera in Kubernetes. Update them with the values specific to your deployment.

Tip

This is a one-time activity. After the initial bootstrapping, this configuration should be securely stored and deleted from the instance.

Configuration Variables Table

Update the aws_pm_config_env.sh file with the following variables.

Bash
1
 vi aws_pm_config_env.sh

Variable Name Description Sample Value
DEPLOYMENT_ENV_TYPE Deployment environment type, typically the cloud environment in which you are deploying. "AWS"
DEPLOYMENT_ENV_NAME Deployment environment name, typically the name of the deployment or project.Only letters, digits, and hyphens are allowed, and it should not exceed 63 characters, as it is used as the name of a Kubernetes namespace. "privacera-prod" or "privacera-dev"
PRIV_MGR_IMAGE Docker image for Privacera Manager, including the repository URL and image tag. "hub2.privacera.com/privacera-manager:9.0.15.1"
PRIV_MGR_PACKAGE URL for the Privacera Manager package, usually hosted on an S3 bucket or similar repository. "https://privacera-host/path/privacera-manager.tar.gz"
PRIVACERA_HUB_USER Username for accessing Privacera Hub, the central repository for Privacera images. "hub_user"
PRIVACERA_HUB_PASSWORD Password for accessing Privacera Hub. This should be securely stored. "hub_password"
ANSIBLE_VAULT_PASSWORD Password for Ansible Vault, used to encrypt and decrypt sensitive Ansible variables in the EC2 instance. "YourStrongPassword"
GLOBAL_DEFAULT_SECRETS_KEYSTORE_PASSWORD Password for the global secrets keystore. Used to encrypt sensitive information in the Pod. "YourStrongPassword"
AWS_REGION AWS region where the deployment will occur. "us-east-1"
EFS_FSID Elastic File System (EFS) File System ID for shared storage in AWS. "fs-1234567890abcdef"
SSL_DEFAULT_PASSWORD Default password for SSL certificate management. Should be a strong password to secure SSL certificates generated by Privacera Manager. "YourStrongSSLPassword"
DB Database type used. Uncomment the appropriate line for your database: MySQL or PostgreSQL. MYSQL or POSTGRESQL or NATIVE
EXTERNAL_DB_HOST Hostname or IP address of the external database. "database.example.com" or "192.168.1.100"
EXTERNAL_DB_PORT (Optional) Port of the external database if different then default port. "3306"
EXTERNAL_DB_NAME Name of the external database. "privacera_db"
EXTERNAL_DB_USER Username for accessing the external database. "db_admin"
EXTERNAL_DB_PASSWORD Password for the external database user. This should be stored securely. "YourSecureDBPassword"
AWS_ROUTE_53_DOMAIN_NAME Domain name for AWS Route 53. If Privacera will create Route 53 entries, the service name will be prefixed with this domain. "privacera.yourdomain.com"
CERTIFICATE_ARN ARN of the AWS Certificate Manager (ACM) certificate to use with the ALB "arn:aws:acm:us-east-1:1223444:certificate/622eb4db-ea45b48"
SUBNETS Subnets in which the ALB will be deployed. Comma-separated list of subnet IDs. "subnet-1234abcd,subnet-5678efgh"
AWS_ALB_GROUP Group name for the ALB. Used for grouping ALBs within a cluster. "privacera-group"
PRIVACERA_AWS_ZONE_ID AWS Zone ID for the Route 53 hosted zone. "Z3M3LMPEXAMPLE"
AWS_NLB_RANGER_INTERNAL Set to true if the Network Load Balancer (NLB) for the Ranger plugin should be internal. "true" or "false"
SECURITY_GROUPS (Optional) Security groups to associate with the ALB. Comma-separated list of security group IDs. "sg-0123456789abcdef,sg-9876543210fedcba"

Update the azure_pm_config_env.sh file with the following variables.

Bash
1
 vi azure_pm_config_env.sh

Variable Name Description Sample Value
DEPLOYMENT_ENV_TYPE Deployment environment type, typically the cloud environment in which you are deploying. "AZURE"
DEPLOYMENT_ENV_NAME Deployment environment name, typically the name of the deployment or project.Only letters, digits, and hyphens are allowed, and it should not exceed 63 characters, as it is used as the name of a Kubernetes namespace. "privacera-prod" or "privacera-dev"
PRIV_MGR_IMAGE Docker image for Privacera Manager, including the repository URL and image tag. "hub2.privacera.com/privacera-manager:9.0.15.1"
PRIV_MGR_PACKAGE URL for the Privacera Manager package, usually hosted on an S3 bucket or similar repository. "https://privacera-host/path/privacera-manager.tar.gz"
PRIVACERA_HUB_USER Username for accessing Privacera Hub, the central repository for Privacera images. "hub_user"
PRIVACERA_HUB_PASSWORD Password for accessing Privacera Hub. This should be securely stored. "hub_password"
ANSIBLE_VAULT_PASSWORD Password for Ansible Vault, used to encrypt and decrypt sensitive Ansible variables in the virtual machine. "YourStrongPassword"
GLOBAL_DEFAULT_SECRETS_KEYSTORE_PASSWORD Password for the global secrets keystore. Used to encrypt sensitive information in the Pod. "YourStrongPassword"
SSL_DEFAULT_PASSWORD Default password for SSL certificate management. Should be a strong password to secure SSL certificates generated by Privacera Manager. "YourStrongSSLPassword"
DB Database type used. Uncomment the appropriate line for your database: MySQL or PostgreSQL. MYSQL or POSTGRESQL or NATIVE
EXTERNAL_DB_HOST Hostname or IP address of the external database. "database.example.com" or "192.168.1.100"
EXTERNAL_DB_PORT (Optional) Port of the external database if different then default port. "3306"
EXTERNAL_DB_NAME Name of the external database. "privacera_db"
EXTERNAL_DB_USER Username for accessing the external database. "db_admin"
EXTERNAL_DB_PASSWORD Password for the external database user. This should be stored securely. "YourSecureDBPassword"

Update the gcp_pm_config_env.sh file with the following variables.

Bash
1
 vi gcp_pm_config_env.sh

Variable Name Description Sample Value
DEPLOYMENT_ENV_TYPE Deployment environment type, typically the cloud environment in which you are deploying. "GCP"
PROJECT_ID Project ID, typically the ID of the project in which you are working. "forward-design-112097654"
DEPLOYMENT_ENV_NAME Deployment environment name, typically the name of the deployment or project.Only letters, digits, and hyphens are allowed, and it should not exceed 63 characters, as it is used as the name of a Kubernetes namespace. "privacera-prod" or "privacera-dev"
PRIV_MGR_IMAGE Docker image for Privacera Manager, including the repository URL and image tag. "hub2.privacera.com/privacera-manager:9.0.15.1"
PRIV_MGR_PACKAGE URL for the Privacera Manager package, usually hosted on an S3 bucket or similar repository. "https://privacera-host/path/privacera-manager.tar.gz"
PRIVACERA_HUB_USER Username for accessing Privacera Hub, the central repository for Privacera images. "hub_user"
PRIVACERA_HUB_PASSWORD Password for accessing Privacera Hub. This should be securely stored. "hub_password"
ANSIBLE_VAULT_PASSWORD Password for Ansible Vault, used to encrypt and decrypt sensitive Ansible variables in the virtual machine. "YourStrongPassword"
GLOBAL_DEFAULT_SECRETS_KEYSTORE_PASSWORD Password for the global secrets keystore. Used to encrypt sensitive information in the Pod. "YourStrongPassword"
SSL_DEFAULT_PASSWORD Default password for SSL certificate management. Should be a strong password to secure SSL certificates generated by Privacera Manager. "YourStrongSSLPassword"
DB Database type used. Uncomment the appropriate line for your database: MySQL or PostgreSQL. MYSQL or POSTGRESQL or NATIVE
EXTERNAL_DB_HOST Hostname or IP address of the external database. "database.example.com" or "192.168.1.100"
EXTERNAL_DB_PORT (Optional) Port of the external database if different then default port. "3306"
EXTERNAL_DB_NAME Name of the external database. "privacera_db"
EXTERNAL_DB_USER Username for accessing the external database. "db_admin"
EXTERNAL_DB_PASSWORD Password for the external database user. This should be stored securely. "YourSecureDBPassword"

Notes

  • Optional Fields: In AWS setup, SECURITY_GROUPS is optional and should be included only if needed.
  • Database Configuration: Uncomment the appropriate database type (MYSQL or POSTGRESQL) that applies to your setup. For PoCs, you can set to NATIVE to deploy MariaDB in the same Kubernetes cluster.

Install Privacera Manager

On the instance, after updating the configuration file, run the pm_install.sh script which will doenload and extract the Privacera Manager packages for you.

Bash
1
bash install_pm.sh aws_pm_config_env.sh
Bash
1
bash install_pm.sh azure_pm_config_env.sh
Bash
1
bash install_pm.sh gcp_pm_config_env.sh

After the installation is complete, you will see files and directories created in the ~/privacera/privacera-manager/ directory.

Bash
1
ls ~/privacera/privacera-manager/

Configure Privacera for base installation

Run the bootstrap_privacera.sh script to configure Privacera for the base installation.

Bash
1
bash bootstrap_privacera.sh aws_pm_config_env.sh
Bash
1
bash bootstrap_privacera.sh azure_pm_config_env.sh
Bash
1
bash bootstrap_privacera.sh gcp_pm_config_env.sh

The script will create the necessary configuration files and directories for Privacera Manager. You can verify the configuration files and directories created in the ~/privacera/privacera-manager/config/custom-vars/ directory.

Just make sure the .yml files are created in the directory.

Bash
1
ls ~/privacera/privacera-manager/config/custom-vars/

Tip

This script sets all the common configurations required for Privacera. If you need to customize the configurations, you can update the .yml files in the ~/privacera/privacera-manager/config/custom-vars/ directory. Please note once you update the configuration files, you shouldn't run the bootstrap_privacera.sh script again, otherwise it will overwrite the changes.

Generate Kubernetes Deployment Files and Helm Charts

Run the following command to generate the Kubernetes deployment files and Helm charts for Privacera.

Note

The setup command will ask you to enter vault password. This is the same that you entered in the configuration file for ANSIBLE_VAULT_PASSWORD variable.

Bash
1
2
cd ~/privacera/privacera-manager
./privacera-manager.sh setup

Apply the Privacera Helm Charts

Run the following command to apply the Privacera Helm charts.

Bash
1
2
cd ~/privacera/privacera-manager
./pm_with_helm.sh upgrade

The above command will deploy Privacera in the Kubernetes cluster. You can verify the deployment by checking the pods.

Bash
1
source ~/aws_pm_config_env.sh; kubectl get pods -n $DEPLOYMENT_ENV_NAME
Bash
1
source ~/azure_pm_config_env.sh; kubectl get pods -n $DEPLOYMENT_ENV_NAME
Bash
1
source ~/gcp_pm_config_env.sh; kubectl get pods -n $DEPLOYMENT_ENV_NAME

If any of the pods are showing up, then you can go to the next step to configure the AWS ALB for Privacera.

Configure AWS ALB for Privacera (Optional)

Note

This section is only applicablr only if you have AWS based setup.

Run the following command to get the AWS ALB external URL.

DEPLOYMENT_ENV_NAME

You can get your deployment by running the command

Bash
1
    grep DEPLOYMENT_ENV_NAME ~/privacera/privacera-manager/config/vars.privacera.yml

Tip

You could create another terminal to run the below step or you can save the AWS ALB external URL in a text file and then update the below file

Bash
1
2
3
source ~/aws_pm_config_env.sh; kubectl -n $DEPLOYMENT_ENV_NAME get ingress \
privacera-ingress-resource \
-o jsonpath='{.status.loadBalancer.ingress[0].hostname}'; echo ""; echo "Above is your AWS_ALB_EXTERNAL_URL"
The above command will display the AWS ALB external URL. You can need to update the below file with the AWS ALB external URL.

If nothing is printed, then it means the ALB is not created.

You might do the following: 1. If it is new installation, then wait for some time and run the command again. 2. Describe on the ingress object to see if there were errors creating the ingress object.

Bash
1
kubectl -n $DEPLOYMENT_ENV_NAME describe ingress privacera-ingress-resource -n $DEPLOYMENT_ENV_NAME

Bash
1
2
cd ~/privacera/privacera-manager
vi config/custom-vars/vars.aws.alb.ingress.yml

Update the AWS_ALB_EXTERNAL_URL variable with the AWS ALB external URL you got from the previous command.

YAML
1
AWS_ALB_EXTERNAL_URL: "<PLEASE_CHANGE>"

Once the above configuration is done, you have to re-run Privacera setup and install step.

Bash
1
2
cd ~/privacera/privacera-manager
./privacera-manager.sh setup && ./pm_with_helm.sh install

After the post-install configuration is complete, you can see the service URLs in the service-urls.txt file.

Bash
1
cat ~/privacera/privacera-manager/output/service-urls.txt

Verify the Privacera Installation

Check the Pod Status

You can run the following command to use k9s to check the pod status

Bash
1
source ~/aws_pm_config_env.sh; kubectl get pods -n $DEPLOYMENT_ENV_NAME
Bash
1
source ~/azure_pm_config_env.sh; kubectl get pods -n $DEPLOYMENT_ENV_NAME
Bash
1
source ~/gcp_pm_config_env.sh; kubectl get pods -n $DEPLOYMENT_ENV_NAME

You can also use k9s to check the pod status.

Bash
1
2
cd ~/privacera/privacera-manager
source ~/aws_pm_config_env.sh; ./privacera-manager.sh k9s -n $DEPLOYMENT_ENV_NAME
Bash
1
2
cd ~/privacera/privacera-manager
source ~/azure_pm_config_env.sh; ./privacera-manager.sh k9s -n $DEPLOYMENT_ENV_NAME
Bash
1
2
cd ~/privacera/privacera-manager
source ~/gcp_pm_config_env.sh; ./privacera-manager.sh k9s -n $DEPLOYMENT_ENV_NAME

Tip

To exit k9s, you can press ctrl+c and then q or ':q' to exit.

Install Monitoring Components

Run the following command to install monitoring components.

Bash
1
2
cd ~/privacera/privacera-manager
./pm_with_helm.sh install-monitoring

This command deploys Privacera monitoring components in the Kubernetes cluster. To verify the deployment, check the running pods by using the following command:

Tip

Replace <MONITORING-NAMESPCE> with your monitoring namespace name. Default namespace name is privacera-monitoring.

Bash
1
kubectl get pods -n <MONITORING-NAMESPACE>

If any of the pods are showing up, then you can go to the next step of Post-install.

Post-Install Configuration

Note

If you are doing the DNS entries manually then make sure to do it before running post-install (Only applicable for AWS).

Some of the Post Install tasks are: - Route 53 Entries (only for AWS) - Generate the plugin tarball

Bash
1
2
cd ~/privacera/privacera-manager
./privacera-manager.sh post-install

Note

If you encounter any issues during the post-install step, please refer to the Troubleshooting section.

Verify the Privacera Installation

URLs for Privacera Components

If the installation is successful, you can get the URLs for the Privacera components using the following command.

Bash
1
cat ~/privacera/privacera-manager/output/service-urls.txt

Common URLs for Privacera components are:

Privacera Portal: https://portal-<$DEPLOYMENT_ENV_NAME>.<AWS_ALB_EXTERNAL_URL>

Privacera Diagnostic Tool

You can run the Privacera Diagnostic Tool to check the health of the Privacera components. The URL path for the diagnostic tool can be found from the service-urls.txt file. It will be in the format:

https://diagnostics-server-<$DEPLOYMENT_ENV_NAME>.<AWS_ALB_EXTERNAL_URL>

Privacera Health Monitoring

You can run the Privacera Health Monitoring tool to check the health of the Privacera components. The URL path for the health monitoring tool can be found from the service-urls.txt file. It will be in the format:

https://grafana-<$DEPLOYMENT_ENV_NAME>.<AWS_ALB_EXTERNAL_URL>

Delete the Configuration Files

Once the base installation is complete, you could delete the configuration files securely. For security reasons, you should delete the configuration files from the instance. Further configuration changes can be done following the instructions in each service. The configuration files are stored in the folder ~/privacera/privacera-manager/config/custom-vars

Bash
1
rm ~/aws_pm_config_env.sh
Bash
1
rm ~/azure_pm_config_env.sh
Bash
1
rm ~/gcp_pm_config_env.sh

Comments