Privacera Setup¶
Note
Please ensure you have completed the prerequisites before proceeding with the setup.
This section provides the steps to set up Privacera on AWS, Azure and GCP. The setup includes the following steps:
- Update the configuration file (aws_pm_config_env.sh, azure_pm_config_env.sh or gcp_pm_config_env.sh) with the required details.
- Install Privacera Manager
- Deploy Privacera in Kubernetes
- Configure AWS ALB for Privacera in AWS (Optional)
- Install Monitoring Components
- Post-Install Configuration
Download Scripts¶
The base installation is done using the Privacera Manager bootstrapping scripts. Go to the server where you want to install Privacera Manager and download the following files.
For your reference, the files are in the public GitHub repository.
Update the Privacera bootstrapping configuration file¶
The configuration file contains the variables required for bootstrapping Privacera Manager and deploying Privacera in Kubernetes. Update them with the values specific to your deployment.
Tip
This is a one-time activity. After the initial bootstrapping, this configuration should be securely stored and deleted from the instance.
Configuration Variables Table¶
Update the aws_pm_config_env.sh file with the following variables.
Variable Name | Description | Sample Value |
---|---|---|
DEPLOYMENT_ENV_TYPE | Deployment environment type, typically the cloud environment in which you are deploying. | "AWS" |
DEPLOYMENT_ENV_NAME | Deployment environment name, typically the name of the deployment or project. Only letters, digits, and hyphens are allowed, and it should not exceed 63 characters, as it is used as the name of a Kubernetes namespace. | "privacera-prod" or "privacera-dev" |
PRIV_MGR_IMAGE | Docker image for Privacera Manager, including the repository URL and image tag. | "hub2.privacera.com/privacera-manager:9.0.15.1" |
PRIV_MGR_PACKAGE | URL for the Privacera Manager package, usually hosted on an S3 bucket or similar repository. | "https://privacera-host/path/privacera-manager.tar.gz" |
PRIVACERA_HUB_USER | Username for accessing Privacera Hub, the central repository for Privacera images. | "hub_user" |
PRIVACERA_HUB_PASSWORD | Password for accessing Privacera Hub. This should be securely stored. | "hub_password" |
ANSIBLE_VAULT_PASSWORD | Password for Ansible Vault, used to encrypt and decrypt sensitive Ansible variables in the EC2 instance. | "YourStrongPassword" |
GLOBAL_DEFAULT_SECRETS_KEYSTORE_PASSWORD | Password for the global secrets keystore. Used to encrypt sensitive information in the Pod. | "YourStrongPassword" |
AWS_REGION | AWS region where the deployment will occur. | "us-east-1" |
EFS_FSID | Elastic File System (EFS) File System ID for shared storage in AWS. | "fs-1234567890abcdef" |
SSL_DEFAULT_PASSWORD | Default password for SSL certificate management. Should be a strong password to secure SSL certificates generated by Privacera Manager. | "YourStrongSSLPassword" |
DB | Database type used. Uncomment the appropriate line for your database: MySQL or PostgreSQL. | MYSQL or POSTGRESQL or NATIVE |
EXTERNAL_DB_HOST | Hostname or IP address of the external database. | "database.example.com" or "192.168.1.100" |
EXTERNAL_DB_PORT (Optional) | Port of the external database, if different from the default port. | "3306" |
EXTERNAL_DB_NAME | Name of the external database. | "privacera_db" |
EXTERNAL_DB_USER | Username for accessing the external database. | "db_admin" |
EXTERNAL_DB_PASSWORD | Password for the external database user. This should be stored securely. | "YourSecureDBPassword" |
AWS_ROUTE_53_DOMAIN_NAME | Domain name for AWS Route 53. If Privacera will create Route 53 entries, the service name will be prefixed with this domain. | "privacera.yourdomain.com" |
CERTIFICATE_ARN | ARN of the AWS Certificate Manager (ACM) certificate to use with the ALB | "arn:aws:acm:us-east-1:1223444:certificate/622eb4db-ea45b48" |
SUBNETS | Subnets in which the ALB will be deployed. Comma-separated list of subnet IDs. | "subnet-1234abcd,subnet-5678efgh" |
AWS_ALB_GROUP | Group name for the ALB. Used for grouping ALBs within a cluster. | "privacera-group" |
PRIVACERA_AWS_ZONE_ID | AWS Zone ID for the Route 53 hosted zone. | "Z3M3LMPEXAMPLE" |
AWS_NLB_RANGER_INTERNAL | Set to true if the Network Load Balancer (NLB) for the Ranger plugin should be internal. | "true" or "false" |
SECURITY_GROUPS (Optional) | Security groups to associate with the ALB. Comma-separated list of security group IDs. | "sg-0123456789abcdef,sg-9876543210fedcba" |
Update the azure_pm_config_env.sh file with the following variables.
Variable Name | Description | Sample Value |
---|---|---|
DEPLOYMENT_ENV_TYPE | Deployment environment type, typically the cloud environment in which you are deploying. | "AZURE" |
DEPLOYMENT_ENV_NAME | Deployment environment name, typically the name of the deployment or project. Only letters, digits, and hyphens are allowed, and it should not exceed 63 characters, as it is used as the name of a Kubernetes namespace. | "privacera-prod" or "privacera-dev" |
PRIV_MGR_IMAGE | Docker image for Privacera Manager, including the repository URL and image tag. | "hub2.privacera.com/privacera-manager:9.0.15.1" |
PRIV_MGR_PACKAGE | URL for the Privacera Manager package, usually hosted on an S3 bucket or similar repository. | "https://privacera-host/path/privacera-manager.tar.gz" |
PRIVACERA_HUB_USER | Username for accessing Privacera Hub, the central repository for Privacera images. | "hub_user" |
PRIVACERA_HUB_PASSWORD | Password for accessing Privacera Hub. This should be securely stored. | "hub_password" |
ANSIBLE_VAULT_PASSWORD | Password for Ansible Vault, used to encrypt and decrypt sensitive Ansible variables in the virtual machine. | "YourStrongPassword" |
GLOBAL_DEFAULT_SECRETS_KEYSTORE_PASSWORD | Password for the global secrets keystore. Used to encrypt sensitive information in the Pod. | "YourStrongPassword" |
SSL_DEFAULT_PASSWORD | Default password for SSL certificate management. Should be a strong password to secure SSL certificates generated by Privacera Manager. | "YourStrongSSLPassword" |
DB | Database type used. Uncomment the appropriate line for your database: MySQL or PostgreSQL. | MYSQL or POSTGRESQL or NATIVE |
EXTERNAL_DB_HOST | Hostname or IP address of the external database. | "database.example.com" or "192.168.1.100" |
EXTERNAL_DB_PORT (Optional) | Port of the external database, if different from the default port. | "3306" |
EXTERNAL_DB_NAME | Name of the external database. | "privacera_db" |
EXTERNAL_DB_USER | Username for accessing the external database. | "db_admin" |
EXTERNAL_DB_PASSWORD | Password for the external database user. This should be stored securely. | "YourSecureDBPassword" |
Update the gcp_pm_config_env.sh file with the following variables.
Variable Name | Description | Sample Value |
---|---|---|
DEPLOYMENT_ENV_TYPE | Deployment environment type, typically the cloud environment in which you are deploying. | "GCP" |
PROJECT_ID | Project ID, typically the ID of the project in which you are working. | "forward-design-112097654" |
DEPLOYMENT_ENV_NAME | Deployment environment name, typically the name of the deployment or project. Only letters, digits, and hyphens are allowed, and it should not exceed 63 characters, as it is used as the name of a Kubernetes namespace. | "privacera-prod" or "privacera-dev" |
PRIV_MGR_IMAGE | Docker image for Privacera Manager, including the repository URL and image tag. | "hub2.privacera.com/privacera-manager:9.0.15.1" |
PRIV_MGR_PACKAGE | URL for the Privacera Manager package, usually hosted on an S3 bucket or similar repository. | "https://privacera-host/path/privacera-manager.tar.gz" |
PRIVACERA_HUB_USER | Username for accessing Privacera Hub, the central repository for Privacera images. | "hub_user" |
PRIVACERA_HUB_PASSWORD | Password for accessing Privacera Hub. This should be securely stored. | "hub_password" |
ANSIBLE_VAULT_PASSWORD | Password for Ansible Vault, used to encrypt and decrypt sensitive Ansible variables in the virtual machine. | "YourStrongPassword" |
GLOBAL_DEFAULT_SECRETS_KEYSTORE_PASSWORD | Password for the global secrets keystore. Used to encrypt sensitive information in the Pod. | "YourStrongPassword" |
SSL_DEFAULT_PASSWORD | Default password for SSL certificate management. Should be a strong password to secure SSL certificates generated by Privacera Manager. | "YourStrongSSLPassword" |
DB | Database type used. Uncomment the appropriate line for your database: MySQL or PostgreSQL. | MYSQL or POSTGRESQL or NATIVE |
EXTERNAL_DB_HOST | Hostname or IP address of the external database. | "database.example.com" or "192.168.1.100" |
EXTERNAL_DB_PORT (Optional) | Port of the external database, if different from the default port. | "3306" |
EXTERNAL_DB_NAME | Name of the external database. | "privacera_db" |
EXTERNAL_DB_USER | Username for accessing the external database. | "db_admin" |
EXTERNAL_DB_PASSWORD | Password for the external database user. This should be stored securely. | "YourSecureDBPassword" |
Notes
- Optional Fields: In the AWS setup, SECURITY_GROUPS is optional and should be included only if needed.
- Database Configuration: Uncomment the appropriate database type (MYSQL or POSTGRESQL) that applies to your setup. For PoCs, you can set it to NATIVE to deploy MariaDB in the same Kubernetes cluster.
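As an added example (not part of Privacera's own tooling), the following shell functions pre-check an aws_pm_config_env.sh file against the rules stated in the tables above before pm_install.sh is run: every required variable is set, DEPLOYMENT_ENV_NAME is a legal Kubernetes namespace name, DB is one of the allowed values, the external database settings are present unless NATIVE is used, and none of the placeholder passwords from the Sample Value column is still in place. The sample_config function writes a constructed config file purely for demonstration; only the variable names and allowed values come from the page.

```shell
# Added example, not Privacera's own tooling: a pre-flight check of the
# aws_pm_config_env.sh variables from the table above, run before pm_install.sh.
# Names and allowed values are the page's; sample_config writes a constructed file.
# Kubernetes namespace rule from the page: letters, digits, hyphens, at most 63 chars.
valid_env_name() {
  case "$1" in ''|*[!a-zA-Z0-9-]*) return 1 ;; esac
  [ "${#1}" -le 63 ]
}
# DB must be MYSQL, POSTGRESQL or NATIVE (NATIVE is for PoCs only, per the page).
valid_db_type() {
  case "$1" in MYSQL|POSTGRESQL|NATIVE) return 0 ;; *) return 1 ;; esac
}
# Source the config in a subshell and report findings on stderr; returns 0 on pass.
check_pm_config() {
  ( . "$1"; rc=0
    for v in DEPLOYMENT_ENV_TYPE DEPLOYMENT_ENV_NAME PRIV_MGR_IMAGE PRIVACERA_HUB_USER \
             PRIVACERA_HUB_PASSWORD ANSIBLE_VAULT_PASSWORD \
             GLOBAL_DEFAULT_SECRETS_KEYSTORE_PASSWORD SSL_DEFAULT_PASSWORD DB; do
      eval "val=\${$v:-}"
      [ -n "$val" ] || { echo "missing: $v" >&2; rc=1; }
      # Sample-column placeholders must never reach a real deployment.
      case "$val" in Your*Password) echo "placeholder in $v" >&2; rc=1 ;; esac
    done
    valid_env_name "${DEPLOYMENT_ENV_NAME:-}" || { echo "bad DEPLOYMENT_ENV_NAME" >&2; rc=1; }
    valid_db_type "${DB:-}" || { echo "bad DB: ${DB:-}" >&2; rc=1; }
    # External DB settings are required unless the in-cluster NATIVE database is used.
    if [ "${DB:-}" != NATIVE ]; then
      for v in EXTERNAL_DB_HOST EXTERNAL_DB_NAME EXTERNAL_DB_USER EXTERNAL_DB_PASSWORD; do
        eval "val=\${$v:-}"
        [ -n "$val" ] || { echo "missing: $v (DB=${DB:-})" >&2; rc=1; }
      done
    fi
    exit "$rc" )
}

# Write a constructed sample config to $1; $2 is "good" or "bad" (bad: underscore in the
# namespace name, placeholder vault password, MYSQL without any EXTERNAL_DB_* values).
sample_config() {
  cat > "$1" <<EOF
DEPLOYMENT_ENV_TYPE="AWS"
DEPLOYMENT_ENV_NAME="$( [ "$2" = good ] && echo privacera-dev || echo privacera_dev )"
PRIV_MGR_IMAGE="hub2.privacera.com/privacera-manager:9.0.15.1"
PRIVACERA_HUB_USER="hub_user"
PRIVACERA_HUB_PASSWORD="hub_password"
ANSIBLE_VAULT_PASSWORD="$( [ "$2" = good ] && echo v4ult-s3cret || echo YourStrongPassword )"
GLOBAL_DEFAULT_SECRETS_KEYSTORE_PASSWORD="k3ystore-s3cret"
SSL_DEFAULT_PASSWORD="ssl-s3cret"
DB="$( [ "$2" = good ] && echo NATIVE || echo MYSQL )"
EOF
}
```

Run `check_pm_config ~/aws_pm_config_env.sh` on the instance before pm_install.sh; findings are printed to stderr and a non-zero exit status means the file needs attention.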
Install Privacera Manager¶
On the instance, after updating the configuration file, run the pm_install.sh script, which will download and extract the Privacera Manager packages for you.
After the installation is complete, you will see files and directories created in the ~/privacera/privacera-manager/ directory.
Configure Privacera for base installation¶
Run the bootstrap_privacera.sh script to configure Privacera for the base installation.
The script will create the necessary configuration files and directories for Privacera Manager. You can verify the configuration files and directories created in the ~/privacera/privacera-manager/config/custom-vars/ directory.
Just make sure the .yml files are created in the directory.
Tip
This script sets all the common configurations required for Privacera. If you need to customize the configurations, you can update the .yml files in the ~/privacera/privacera-manager/config/custom-vars/ directory. Please note that once you update the configuration files, you shouldn't run the bootstrap_privacera.sh script again, otherwise it will overwrite the changes.
Generate Kubernetes Deployment Files and Helm Charts¶
Run the following command to generate the Kubernetes deployment files and Helm charts for Privacera.
Note
The setup command will ask you to enter the vault password. This is the same password that you entered in the configuration file for the ANSIBLE_VAULT_PASSWORD variable.
Apply the Privacera Helm Charts¶
Run the following command to apply the Privacera Helm charts.
The above command will deploy Privacera in the Kubernetes cluster. You can verify the deployment by checking the pods.
Once the pods are up and running, you can go to the next step to configure the AWS ALB for Privacera.
Configure AWS ALB for Privacera (Optional)¶
Note
This section is applicable only if you have an AWS-based setup.
Run the following command to get the AWS ALB external URL. It uses your DEPLOYMENT_ENV_NAME; you can get your deployment by running the command
Tip
You could open another terminal to run the step below, or you can save the AWS ALB external URL in a text file and then update the file below.
If nothing is printed, then it means the ALB is not created. You might do the following:
1. If it is a new installation, wait for some time and run the command again.
2. Describe the ingress object to see if there were errors creating it.
Update the AWS_ALB_EXTERNAL_URL variable with the AWS ALB external URL you got from the previous command.
Once the above configuration is done, you have to re-run the Privacera setup and install steps.
After the post-install configuration is complete, you can see the service URLs in the service-urls.txt file.
Verify the Privacera Installation¶
Check the Pod Status¶
You can run the following command to check the pod status.
You can also use k9s to check the pod status.
Tip
To exit k9s, press ctrl+c and then q or :q.
Install Monitoring Components¶
Run the following command to install monitoring components.
This command deploys Privacera monitoring components in the Kubernetes cluster. To verify the deployment, check the running pods by using the following command:
Tip
Replace <MONITORING-NAMESPACE> with your monitoring namespace name. The default namespace name is privacera-monitoring.
Once the pods are up and running, you can go to the next step, Post-Install Configuration.
Post-Install Configuration¶
Note
If you are creating the DNS entries manually, make sure to do so before running post-install (only applicable for AWS).
Some of the post-install tasks are:
- Route 53 Entries (only for AWS)
- Generate the plugin tarball
Note
If you encounter any issues during the post-install step, please refer to the Troubleshooting section.
Verify the Privacera Installation¶
URLs for Privacera Components¶
If the installation is successful, you can get the URLs for the Privacera components using the following command.
Common URLs for Privacera components are:
Privacera Portal: https://portal-<$DEPLOYMENT_ENV_NAME>.<AWS_ALB_EXTERNAL_URL>
Privacera Diagnostic Tool¶
You can run the Privacera Diagnostic Tool to check the health of the Privacera components. The URL path for the diagnostic tool can be found in the service-urls.txt file. It will be in the format:
https://diagnostics-server-<$DEPLOYMENT_ENV_NAME>.<AWS_ALB_EXTERNAL_URL>
Privacera Health Monitoring¶
You can run the Privacera Health Monitoring tool to check the health of the Privacera components. The URL path for the health monitoring tool can be found in the service-urls.txt file. It will be in the format:
https://grafana-<$DEPLOYMENT_ENV_NAME>.<AWS_ALB_EXTERNAL_URL>
Delete the Configuration Files¶
Once the base installation is complete, you should securely delete the configuration files from the instance, as they contain the credentials entered during bootstrapping. Further configuration changes can be made following the instructions for each service. The configuration files are stored in the folder ~/privacera/privacera-manager/config/custom-vars