The Cequence Unified API Protection (UAP) platform protects your web applications and APIs from cyber threats. This guide walks you through deploying the Cequence UAP platform on a Kubernetes (k8s) cluster using automated installation scripts.
When to use this method
Choose this deployment when you have an existing Kubernetes cluster and want to deploy Cequence UAP as containerized applications. This method is ideal for organizations that already use Kubernetes for container orchestration and want to integrate security into their existing infrastructure.
This deployment strategy integrates with your existing Kubernetes infrastructure, leverages container orchestration for scalability, is available with various Kubernetes platforms from multiple providers, and supports high availability and automated scaling.
Important: While installing to a shared cluster can work, Cequence recommends provisioning a dedicated Kubernetes cluster specifically for the Cequence UAP platform.
Dedicated Cluster (Recommended)
- Pros: Complete resource isolation, no interference from other applications, easier troubleshooting, dedicated security policies, simplified compliance
- Cons: Higher infrastructure costs, additional cluster management overhead
Shared Cluster
- Pros: Lower infrastructure costs, simplified management, resource sharing efficiency
- Cons: Potential resource conflicts, security isolation challenges, more complex troubleshooting, possible performance impact from other workloads
Before You Start: What You Need
Below are the prerequisites for deployment of Cequence UAP Platform on Kubernetes distributions.
Kubernetes Cluster Requirements
You need administrator access to an existing Kubernetes cluster in order to install software.
Supported Kubernetes Platforms
- Standard Kubernetes, such as Rancher RKE
- Red Hat OpenShift
- Google Anthos
- Amazon EKS, Azure AKS, or similar managed services
Cluster Configuration
The following components handle data storage, web traffic routing, and security.
- Default storage class: Configured for persistent data storage
- Ingress controller: Preferably NGINX, for handling incoming web traffic. Your ingress controller requires valid certificates. Note that OpenShift deployments have a default ingress controller.
- Valid SSL certificates: For secure web access
Access and Credentials
Cequence software is distributed as container images that you download. You need credentials to the Cequence image registry in order to download these container images. Your Cequence support team can provide you with these credentials.
Make sure you have Internet connectivity during the install process to enable the installer to download any needed software packages.
Network Setup
Domain Names (DNS)
- A domain you control, such as yourcompany.com.
- Ability to create subdomains or wildcard DNS entries
DNS Configuration Options
Option A: Create individual entries:
- auth.uap.yourcompany.com
- ui.uap.yourcompany.com
- edge.uap.yourcompany.com
- policy-engine.uap.yourcompany.com
Option B: Use a wildcard entry: *.uap.yourcompany.com
Installation process
Installing the Cequence UAP platform on Kubernetes is composed of several steps, each of which involves a number of substeps.
Step 1: Prepare your installation files
- Download and extract the installer package compressed archive file to the utils/uap-installer directory. Set file permissions to make the scripts executable by running the following commands.
chmod +x ./uap-installer.sh
chmod -R +x ./scripts/
Step 2: Configure the installation
Navigate to the utils/uap-installer/env folder and open the variables.properties file in a text editor. The default values in this file work for most cases. Only change the values that are specific to your environment.
Logging
| Variable Name | Description | Default Values |
|---|---|---|
| | Set to true to enable debug mode in the shell script, which shows every statement as it runs | false |
Application variables
| Name | Description | Default value |
|---|---|---|
| NAMESPACE | Defines the namespace in which the UAP Platform is installed | cequence |
| INGRESS_CLASS_NAME | Defines the ingress class name to use when creating ingress resources | nginx |
| IS_REDIS_REQUIRED | When set as true, the installer script installs Redis on the given cluster | true |
| IS_AIRFLOW_REQUIRED | When set as true, the installer script installs Airflow on the given cluster | false |
| IS_SPYDERUI_REQUIRED | When set as true, the installer script installs SpyderUI on the given cluster | false |
| IS_GIT_SYNC_REQUIRED | When set as true, the installer script sets git sync as true in the Airflow override file | false |
| LOAD_VERSION_REQUIRED | Required when you need to install a custom version of the charts other than the latest version | false |
| AIRFLOW_DATADOG_APIKEY | Defines the Datadog API key, which is used by Airflow pods for reading data. The installer script uses the value to create a secret named airflow-datadog-api-key | N/A |
| CQPRIME_DATADOG_APIKEY | Defines the CQ Prime Datadog API key, which is used by Airflow pods for reading data. The installer script uses the value to create a secret named cqprime-datadog-api-key | N/A |
| SUBDOMAIN | Defines the subdomain to use when creating hostnames for ingress resources | N/A |
| REGISTRY | Defines the custom registry that is used for pulling images | registry.gitlab.com |
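A pre-flight check for the file edited in Step 2, as an added example that is not part of the Cequence installer: it flags values other than true or false for the boolean variables, a SUBDOMAIN that is not a bare DNS name, and a group- or world-readable file when it holds Datadog API keys. It assumes variables.properties contains plain KEY=VALUE lines and that hostnames are built as <service>.<SUBDOMAIN>; the function names and finding labels are hypothetical.

```shell
#!/bin/sh
# Added example: lint variables.properties before running ./uap-installer.sh.
# Assumption: the file holds plain KEY=VALUE lines.

# prop FILE KEY: print the value of KEY (last assignment wins; empty if unset).
prop() {
  sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1 | tr -d '\r"'
}

# lint_props FILE: print one finding per line; exit status 0 only if clean.
lint_props() {
  file=$1; findings=0
  for key in IS_REDIS_REQUIRED IS_AIRFLOW_REQUIRED IS_SPYDERUI_REQUIRED \
             IS_GIT_SYNC_REQUIRED LOAD_VERSION_REQUIRED; do
    val=$(prop "$file" "$key")
    case "$val" in
      true|false|"") ;;  # empty: the installer default applies
      *) echo "BAD_BOOLEAN $key=$val"; findings=$((findings + 1)) ;;
    esac
  done
  sub=$(prop "$file" SUBDOMAIN)
  if [ -n "$sub" ] && ! printf '%s\n' "$sub" |
      grep -Eq '^([a-z0-9]([a-z0-9-]*[a-z0-9])?\.)+[a-z]{2,}$'; then
    echo "BAD_SUBDOMAIN $sub"; findings=$((findings + 1))
  fi
  # Datadog keys live in this file, so only its owner should be able to read it.
  if [ -n "$(prop "$file" AIRFLOW_DATADOG_APIKEY)$(prop "$file" CQPRIME_DATADOG_APIKEY)" ]; then
    mode=$(stat -c '%a' "$file" 2>/dev/null || stat -f '%Lp' "$file")
    case "$mode" in *00) ;; *) echo "SECRET_FILE_MODE $mode"; findings=$((findings + 1)) ;; esac
  fi
  [ "$findings" -eq 0 ]
}

# expected_hosts FILE: the four DNS names of "Option A" under this SUBDOMAIN
# (assumption: the installer builds hostnames as <service>.<SUBDOMAIN>).
expected_hosts() {
  sub=$(prop "$1" SUBDOMAIN)
  for h in auth ui edge policy-engine; do echo "$h.$sub"; done
}

# Constructed sample file, not from a real deployment; the key is a placeholder.
sample=$(mktemp)
printf '%s\n' 'SUBDOMAIN=uap.example.com' 'IS_AIRFLOW_REQUIRED=yes' \
  'AIRFLOW_DATADOG_APIKEY=PLACEHOLDER_KEY' > "$sample"
chmod 644 "$sample"
lint_props "$sample" || echo "fix the findings above before installing"
expected_hosts "$sample"
rm -f "$sample"
```

The names printed by expected_hosts are the records to create, or to cover with the wildcard entry, before the installer creates ingress resources.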
Step 3: Running the installer script
After configuring the variables above, run uap-installer.sh using the following command:
./uap-installer.sh
The script prompts you for several inputs during installation.
Cluster type
You will be asked to select the type of cluster in which you are installing the Cequence UAP platform. Select one of the following:
Default (Rancher Kubernetes Engine)
OpenShift
Google Anthos
Subdomain
If you did not specify the subdomain in the variables.properties file, the script prompts you for a subdomain now.
Example: rke2.subdomain.com
Ingress Creation
When you choose y at this prompt, the script creates the ingress resources for handling incoming requests to the cluster. By default, the script assumes that the cluster already has an ingress controller installed, preferably the NGINX ingress controller.
Route Creation
The script provides an option to either create the default route resources or to let you create your own route resources manually.
Custom Storage Class Name
You can provide a custom storage class to be used instead of the default storage class by typing the name of the custom storage class at the prompt and pressing enter to continue.
Cequence Repository Access
The script prompts you to provide the credentials to download Docker images from the Cequence repository. These credentials are available from your Cequence team.
Verify your inputs
Before beginning the installation process, the script shows the selected values for the various configuration elements. Check that these values are correct, then type y to begin the installation, or type n to restart and enter the values again.
Checking your work
A successful deployment results in a confirmation screen similar to the example below.