Deploying InsightCloudSec to GCP GKE Using Helm

Overview

This document provides steps for deploying a scalable instance of InsightCloudSec on GCP using GKE and Cloud SQL. If you have questions or issues, reach out to [email protected].

📘 Value Names (DivvyCloud vs. InsightCloudSec)

Some components use our former product name (DivvyCloud vs. InsightCloudSec). Updates to the naming of these components will be communicated when changes are made, but note that the name difference does not affect functionality within the product.

Prerequisites

Before you get started with this setup, ensure that you have the following:

  • A GCP account with the appropriate admin permissions
  • Permission to create/modify resources in CloudSQL, MemoryStore, and Kubernetes

Note: The content on this page applies to self-hosted customers. For hosted customers we recommend that you contact your CSM or [email protected] with any questions or concerns.

Steps for Completing the GKE Scalable Deployment

CloudSQL

1. To ensure that the CloudSQL API is enabled, go to “APIs” in the GCP console. Then:

  • Click on “Library” on the left
  • Search for and select “Cloud SQL Admin API” and ensure it is enabled

Screenshot: Cloud SQL Admin API (API Enabled)

2. Create a Cloud SQL database and complete the description for this db instance using the recommended specs:

  • Engine: MySQL 5.7
  • Instance type: db-n1-standard-4
  • 100 GB volume (Enable automatic storage increases)
  • Private IP
  • Availability: High availability (regional)

Screenshot: Create an SQL Database

Complete the settings as outlined in the example below.

Screenshot: SQL Settings

3. Once the instance comes up, click on your database to view the details.

Screenshot: Instance Details

🚧 Save your instance details

Copy the instance connection name; you’ll need it later to complete the configuration.

4. Click on the "Users" tab and create a new user:

  • Username = divvy
  • Password = [your choice]

Screenshot: Creating a New User

5. Go to Overview and click on "Connect using cloud shell".

Screenshot: Connect Using Cloud Shell

6. Once the shell comes up, in the mysql> prompt, paste in the following, line by line:

CREATE DATABASE divvy;
CREATE DATABASE divvykeys;
GRANT ALL PRIVILEGES ON divvy.* TO 'divvy'@'%';
GRANT ALL PRIVILEGES ON divvykeys.* TO 'divvy'@'%';
GRANT RELOAD ON *.* TO 'divvy'@'%';
FLUSH PRIVILEGES;

Screenshot: SQL Commands
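After running the six statements above, a practitioner would confirm that the `divvy` account ended up with exactly those privileges and nothing broader (for example an `ALL PRIVILEGES ON *.*` grant left over from an earlier attempt). The following Python script is an added example, not Rapid7 code: it parses the text of `SHOW GRANTS FOR 'divvy'@'%'` and diffs it against the grant set the page asks for. The sample outputs are constructed to look like MySQL 5.7 output.

```python
# check_grants.py: compare `SHOW GRANTS FOR 'divvy'@'%'` output against the grants
# the page asks for, so an over-broad grant (ALL on *.*, GRANT OPTION) stands out.
# Added example, not Rapid7 code; the sample output below is constructed.
import re

GRANT_RE = re.compile(r"^GRANT\s+(?P<privs>.+?)\s+ON\s+(?P<scope>\S+)\s+TO\s+", re.I)

# Exactly what the page's statements produce for 'divvy'@'%'
EXPECTED = {
    ("ALL PRIVILEGES", "divvy.*"),
    ("ALL PRIVILEGES", "divvykeys.*"),
    ("RELOAD", "*.*"),
}


def parse_show_grants(output):
    """Return a set of (privilege, scope) pairs. Backticks are stripped, a
    comma-separated privilege list yields one pair per privilege, and WITH GRANT
    OPTION is recorded as its own pseudo-privilege on that scope."""
    grants = set()
    for line in output.splitlines():
        line = line.strip().rstrip(";")
        m = GRANT_RE.match(line)
        if not m:
            continue
        scope = m.group("scope").replace("`", "")
        for priv in m.group("privs").split(","):
            grants.add((priv.strip().upper(), scope))
        if re.search(r"\bWITH\s+GRANT\s+OPTION\b", line, re.I):
            grants.add(("GRANT OPTION", scope))
    return grants


def audit_grants(output, expected=EXPECTED):
    """Return what is missing from and what exceeds the expected grant set.
    USAGE is MySQL's way of saying 'no privileges', so it is ignored."""
    actual = {g for g in parse_show_grants(output) if g[0] != "USAGE"}
    return {"missing": sorted(expected - actual), "unexpected": sorted(actual - expected)}


# Constructed sample: the result of following the page's steps exactly
GOOD_OUTPUT = """\
GRANT RELOAD ON *.* TO 'divvy'@'%'
GRANT ALL PRIVILEGES ON `divvy`.* TO 'divvy'@'%'
GRANT ALL PRIVILEGES ON `divvykeys`.* TO 'divvy'@'%'
"""

# Constructed sample: a user that was given ALL ON *.* WITH GRANT OPTION instead
OVERBROAD_OUTPUT = """\
GRANT ALL PRIVILEGES ON *.* TO 'divvy'@'%' WITH GRANT OPTION
GRANT ALL PRIVILEGES ON `divvy`.* TO 'divvy'@'%'
GRANT ALL PRIVILEGES ON `divvykeys`.* TO 'divvy'@'%'
"""

if __name__ == "__main__":
    print("good:", audit_grants(GOOD_OUTPUT))
    print("overbroad:", audit_grants(OVERBROAD_OUTPUT))
```

Paste the real `SHOW GRANTS` output into `audit_grants` from the Cloud Shell session; an empty `unexpected` list together with an empty `missing` list means the account is scoped the way the page intends.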

Create a Memorystore Instance

Next you will need to create a Memorystore (Redis) instance in the GCP Console.

1. Open the GCP Console and locate the "Memorystore" option under "Storage".

2. Click "Create Instance" and complete the form as follows:

  • Instance ID - your instance ID
  • Display Name - your display name
  • Version - 4.0
  • Instance tier - Standard (recommended for inclusion of failover)
  • Location - ensure that Region and Zone match the Cloud SQL database you specified
  • Instance capacity - 3GB (recommended)

Screenshot: Memorystore (Redis) instance in GCP

3. Click "Create" and wait for the instance to build. Note the associated IP address.

Screenshot: Memorystore (Redis) instance IP Address

Create Static IP

1. To create a static IP, go to VPC network:

  • From the left menu bar, choose External IP addresses
  • Click Reserve Static Address
    • Name: divvy
  • Ensure static address is in the same region as GKE cluster, CloudSQL, and MemoryStore instances
  • Click Reserve

🚧 Region Settings

Ensure GKE cluster, CloudSQL, and MemoryStore instances are in the same region and VPC network.

Screenshot: Create a Static IP

2. Copy the Static IP and save this information.

Screenshot: External Static IP

Create a Cluster

1. To create a cluster, close the cloud shell window, and go to IAM & Admin.

  • From the left menu bar, choose Service Accounts
  • Create a GCP service account from the top menu bar, using the following:
    • Name: GKEtoCloudSQL
    • Role: Cloud SQL Client (Cloud SQL / Cloud SQL Client)
    • Leave the “Grant users access to this service account” blank

2. Create a key (JSON) and download/save the JSON.

3. Go to Kubernetes Engine, and select "create cluster", using the following:

  • Name: divvycloud-gke
  • In the box for the default-pool, update the machine type to n1-standard-2 (2 vCPUs)

4. Click on More options and select "Enable AutoScaling":

  • Minimum number of nodes: 2
  • Max number of nodes: 6

Screenshot: Create Cluster

5. In the Networking section, ensure the "Enable VPC-native traffic routing (uses alias IP)" box is checked.

6. Once the cluster is created, click on "Connect" and then "Run in Cloud Shell" to connect to the cluster.

Screenshot: Connect to Cluster

Screenshot: Run in Cloud Shell to Connect to Cluster

7. Paste these commands, one by one, into the terminal:

curl -O https://s3.amazonaws.com/get.divvycloud.com/prodserv/gcp/gke/divvycloud-gke-nginx-lb.zip
unzip divvycloud-gke-nginx-lb.zip
cd divvycloud-gke-nginx-lb/

8. Update the InsightCloudSec version on line 4 of the values.yaml file to the latest version. You can see the latest version here.

9. Paste this command into the terminal:

kubectl create namespace divvycloud

Screenshot: Commands

Create a Cloud SQLProxy Secret

1. To create a CloudSQLProxy secret:

  • In the terminal, create a file called service_account.json
  • Paste in the JSON from the service account and save the file

2. Run the following command:

kubectl create secret generic -n divvycloud cloudsql-instance-credentials --from-file=credentials.json=service_account.json

Screenshot: Command

Create TLS Certificate Secret

1. To create a TLS Certificate Secret:

  • Create a certificate and key file
  • Upload those into the cluster:

kubectl create secret tls divvycloud --key hostname.key --cert hostname.crt

Screenshot: TLS Certificate Sheet

Edit the YAML File and Complete the Setup

1. Open the file called "values.yaml" and enter your required parameters.
The standard parameters are:

  • useExternalDb: True
  • cloudSQLInstanceName: [Cloud SQL instance connection name (saved from database creation)]
  • databaseUser: [divvy user created (default is divvy)]
  • databasePassword: [divvy password created]
  • useExternalRedis: true
  • redisHost: [IP address of the Memorystore instance created above]
  • loadBalancerIP: [IP address of the static IP created above]
  • secretName: divvycloud
  • hosts: [hostname record pointed at your static IP; it must match the TLS certificate]
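Most failed first installs come from one of these values being inconsistent with the resources created earlier: a placeholder left in, the Memorystore private IP swapped for a public one, or the static IP written into `hosts` even though the site ignores connections made directly to an IP. The script below is an added pre-flight check, not part of the Rapid7 chart; it assumes `values.yaml` is a flat `key: value` file with the key names listed above, where `hosts` is either a single name or a bracketed list such as `hosts: [divvy.example.com]`. Both sample files are constructed.

```python
# values_preflight.py: sanity-check the values.yaml parameters listed above before
# running `make app/install-notiller`. Added example, not Rapid7 code. Key names
# follow the page; the flat "key: value" parsing is an assumption.
import ipaddress
import re

# Cloud SQL instance connection name: <project>:<region>:<instance>
CONNECTION_NAME_RE = re.compile(r"^[a-z][a-z0-9-]*:[a-z0-9-]+:[a-z][a-z0-9-]*$")
# DNS name with at least one dot, label rules per RFC 1123
HOSTNAME_RE = re.compile(r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,}$", re.I)
# Memorystore hands out an RFC 1918 address; the reserved external IP must not be one
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def _unquote(value):
    return value.strip().strip('"').strip("'")


def parse_flat_values(text):
    """Parse a flat 'key: value' file into a dict (assumption: no nested YAML).
    Bracketed lists become Python lists; full-line comments are skipped."""
    values = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        key, value = line.split(":", 1)
        value = _unquote(value)
        if value.startswith("[") and value.endswith("]"):
            value = [_unquote(v) for v in value[1:-1].split(",") if v.strip()]
        values[key.strip()] = value
    return values


def _is_true(value):
    return isinstance(value, str) and value.lower() == "true"


def _is_rfc1918(addr):
    return any(addr in net for net in RFC1918)


def preflight(values):
    """Return a list of findings; an empty list means the parameters are consistent
    with the external Cloud SQL + Memorystore + static IP layout the page describes."""
    findings = []
    if not _is_true(values.get("useExternalDb")):
        findings.append("useExternalDb must be true so the chart uses the Cloud SQL instance")
    if not _is_true(values.get("useExternalRedis")):
        findings.append("useExternalRedis must be true so the chart uses the Memorystore instance")
    conn = values.get("cloudSQLInstanceName", "")
    if not isinstance(conn, str) or not CONNECTION_NAME_RE.match(conn):
        findings.append("cloudSQLInstanceName must be the connection name, project:region:instance")
    if not values.get("databaseUser"):
        findings.append("databaseUser is empty (the page creates the user 'divvy')")
    password = values.get("databasePassword", "")
    if not isinstance(password, str) or not password:
        findings.append("databasePassword is empty or still a placeholder")
    for key, want_private in (("redisHost", True), ("loadBalancerIP", False)):
        raw = values.get(key, "")
        try:
            addr = ipaddress.ip_address(raw)
        except ValueError:
            findings.append(f"{key} '{raw}' is not a valid IP address")
            continue
        if want_private and not _is_rfc1918(addr):
            findings.append(f"{key} {addr} is not a private address; use the Memorystore instance IP")
        if not want_private and _is_rfc1918(addr):
            findings.append(f"{key} {addr} is a private address; use the reserved external static IP")
    hosts = values.get("hosts", [])
    if isinstance(hosts, str):
        hosts = [hosts] if hosts else []
    if not hosts:
        findings.append("hosts is empty; connections made directly to the IP are ignored")
    for host in hosts:
        try:
            ipaddress.ip_address(host)
        except ValueError:
            if not HOSTNAME_RE.match(host):
                findings.append(f"hosts entry '{host}' is not a valid DNS name")
            continue
        findings.append(f"hosts entry '{host}' is an IP address; it must be the DNS name on the TLS certificate")
    if not values.get("secretName"):
        findings.append("secretName is empty; it must name the TLS secret created with kubectl")
    return findings


# Constructed sample values.yaml that passes every check
GOOD_VALUES = """\
useExternalDb: True
cloudSQLInstanceName: my-project:us-central1:divvy-sql
databaseUser: divvy
databasePassword: correct-horse-battery-staple
useExternalRedis: true
redisHost: 10.128.0.5
loadBalancerIP: 203.0.113.10
secretName: divvycloud
hosts: [divvy.example.com]
"""

# Constructed sample with three common mistakes: placeholder password, public
# address where the Memorystore IP belongs, and the static IP used as the host
BAD_VALUES = GOOD_VALUES.replace("correct-horse-battery-staple", "[ divvy password created]") \
    .replace("10.128.0.5", "203.0.113.20").replace("[divvy.example.com]", "203.0.113.10")

if __name__ == "__main__":
    for name, text in (("good", GOOD_VALUES), ("bad", BAD_VALUES)):
        print(name, preflight(parse_flat_values(text)) or "ok")
```

Run it against your real `values.yaml` (`preflight(parse_flat_values(open("values.yaml").read()))`) before step 2; it only checks the file's internal consistency, so region alignment between the Cloud SQL, Memorystore and static IP resources still has to be confirmed in the console as the Region Settings note says.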

2. In the terminal window, run this command:

make app/install-notiller

2a. To upgrade, update the InsightCloudSec version in values.yaml and re-run the install command:

make app/install-notiller

3. Connect to your InsightCloudSec/DivvyCloud instance by doing the following:

  • Close the cloud shell window
  • In the Kubernetes engine, go to the Services & Ingress tab
  • Once the interface server is up, the endpoint displayed there will be the hostname you connect to for your InsightCloudSec instance. You will need to create a DNS record to point to the static IP you created earlier. A connection directly to the IP address without a hostname will be ignored.

📘 Reaching the Site

If the site can’t be reached, please wait a few minutes and try again. During a clean installation, there are a large number of MySQL schema updates that must be executed.

Screenshot: Site Can't Be Reached

4. When all is ready, you will see the following:

Screenshot: Getting Started With InsightCloudSec
