Before deploying the Cequence Bridge, prepare your Kubernetes cluster environment by following the procedures in this section.
Creating a Cequence Bridge namespace
As a best practice, deploy the Cequence Bridge in its own Kubernetes namespace so that its secrets, ConfigMaps and RBAC can be scoped separately from other workloads.
- Run the following command to create the new namespace.
kubectl create namespace cequencebridge
- Run the following command to make the new namespace the default for your current kubectl context. This only changes your local kubectl configuration (so the commands that follow work without an explicit -n flag); it does not configure the Bridge itself.
kubectl config set-context --current --namespace=cequencebridge
Creating platform secrets
Using the Cequence repositories requires GitLab credentials with authorized access to the repositories. Your Cequence sales team or customer success team can assist you with establishing these credentials, or can arrange to provide the images directly.
To create the image-pull secret directly from the credentials, run the following command. Note that a password passed on the command line is recorded in your shell history and is visible in the process list while the command runs.
kubectl create secret docker-registry regcred --docker-server=registry.gitlab.com \
--docker-username=<your-username> --docker-password=<your-password> -n cequencebridge
To create the secret from an existing Docker configuration file instead (for example the config.json written by docker login registry.gitlab.com, or a copy that contains only the Cequence registry entry), confirm that the file is valid and run the following command. The key name .dockerconfigjson and the type kubernetes.io/dockerconfigjson are both required for kubelet to use the secret for image pulls.
kubectl create secret generic regcred --from-file=.dockerconfigjson=./docker-config.json \
--type=kubernetes.io/dockerconfigjson -n cequencebridge
Either way the secret is named regcred, which is the name referenced by imagePullSecrets in the Helm values later in this article.
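As an added example (not Cequence's own tooling), the following POSIX shell functions build the Docker configuration file from environment variables so the token never appears on a command line or in shell history, write it with owner-only permissions, and create the regcred secret from it using the same kubectl form as above. GITLAB_USER and GITLAB_TOKEN are assumed variable names; the Secret is rendered with --dry-run=client and piped to kubectl apply so that re-running after a token rotation updates it instead of failing.

```sh
#!/bin/sh
# Added example: create the regcred image-pull secret without exposing the token on argv.
# Assumes GITLAB_USER / GITLAB_TOKEN hold a GitLab user or deploy-token pair (assumed names).

# write_dockerconfig REGISTRY OUTFILE
# Writes a minimal Docker config.json ({"auths":{REGISTRY:{"auth":base64(user:token)}}})
# readable only by the owner. Assumes user and token contain no '"' or '\' characters
# (true for GitLab deploy tokens), since the JSON is assembled with printf.
write_dockerconfig() {
  reg="$1"; out="$2"
  if [ -z "${GITLAB_USER:-}" ] || [ -z "${GITLAB_TOKEN:-}" ]; then
    echo "write_dockerconfig: set GITLAB_USER and GITLAB_TOKEN in the environment" >&2
    return 1
  fi
  # Docker's "auth" field is base64 of "username:password"; strip the newline that
  # some base64 implementations append.
  auth=$(printf '%s:%s' "$GITLAB_USER" "$GITLAB_TOKEN" | base64 | tr -d '\n')
  # umask 077 in a subshell so the file is created 0600 without touching the caller's umask.
  ( umask 077 && printf '{"auths":{"%s":{"auth":"%s"}}}\n' "$reg" "$auth" > "$out" )
}

# create_regcred CONFIGFILE NAMESPACE
# Same shape as the kubectl command above, but rendered client-side and applied, so a
# re-run after a token rotation updates the secret instead of failing with AlreadyExists.
create_regcred() {
  kubectl create secret generic regcred \
    --from-file=.dockerconfigjson="$1" \
    --type=kubernetes.io/dockerconfigjson -n "$2" \
    --dry-run=client -o yaml | kubectl apply -f -
}

# Usage (only when invoked as: sh regcred.sh run [namespace]): build the file in a
# private temp dir, create the secret, then remove the file so the token does not
# linger on disk.
if [ "${1:-}" = "run" ]; then
  tmp=$(mktemp -d) || exit 1
  write_dockerconfig registry.gitlab.com "$tmp/config.json" || exit 1
  create_regcred "$tmp/config.json" "${2:-cequencebridge}"
  rm -rf "$tmp"
fi
```

The generated file has the same structure as the one docker login writes, so it can also be passed to the kubectl --from-file command above unchanged.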
Generating a traffic client and secret
To send traffic from the Cequence Bridge to the Cequence UAP platform, you first need to create auth credentials in UAP so that the Bridge can authenticate to UAP. Create the credentials in your UAP management portal as follows.
- Log in to the UAP management portal UI (for example, https://ui.<your-tenant-name>.<domain>).
- Select General Settings > User Management. The User Management pane appears.
- Click the Clients tab.
- Click Add New Client. The new client dialog box appears.
- Type the client name in the Client Name field.
- Enable the Traffic Ingestion toggle.
- To change the token lifespan from the default of 1800 seconds, type a whole number of seconds in Token Lifespan.
- Click Save. A dialog box with the client secret appears.
- Click the blue Copy icon to copy the secret to the clipboard, then click Close. The client list appears.
- Record the client name and the client secret for later use; they become the clientId and clientSecret values in the Helm values file. For security reasons the secret is not shown again in the UI.
Installing the Cequence Bridge using Helm
- Create a file named cequence-bridge-values.yaml. This article provides sample configurations for the HSL and HTTP use cases. The file contains the UAP client secret in clear text, so keep it out of version control and restrict its permissions (chmod 600). Note also that Helm stores the supplied values in the release's Secret in the cequencebridge namespace, where anyone who can read that Secret (or run helm get values) can recover them.
- Run the following commands to install the Cequence Bridge.
helm repo add cequence https://cequence.gitlab.io/helm-charts
helm repo update
helm upgrade --install cequence-bridge cequence/cequence-bridge \
--version 5.2.1 -n cequencebridge --values cequence-bridge-values.yaml
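Before running the install, it is worth a quick pre-flight check of the values file: the most common failed deployment is one where a placeholder from the samples was left in place, so the Bridge starts but never authenticates to UAP. The following POSIX shell script is an added example, not Cequence tooling. It assumes the placeholder spellings used in this article's samples (<UAP_SUB_DOMAIN>, <clientID>, <clientSecret> and the sample secret "xxxx"), the secret name regcred, and the chart name and version from the commands above; the cluster-side checks run only when kubectl and helm are present.

```sh
#!/bin/sh
# Added example: pre-flight checks before `helm upgrade --install` of the Cequence Bridge.
# Assumes the placeholder spellings used in this article's samples; not Cequence tooling.

# check_values FILE: fail if any <PLACEHOLDER> copied from the samples, or the sample
# secret value "xxxx", is still present in the values file.
check_values() {
  f="$1"
  [ -r "$f" ] || { echo "values file not readable: $f" >&2; return 1; }
  if grep -nE '<[A-Za-z_]+>' "$f" >&2; then
    echo "unfilled placeholders remain in $f" >&2
    return 1
  fi
  if grep -nE 'clientSecret:[[:space:]]*"?xxxx"?' "$f" >&2; then
    echo "clientSecret in $f still holds the sample value" >&2
    return 1
  fi
  return 0
}

# check_private FILE: the values file holds the UAP client secret in clear text, so
# require owner-only permissions (0600 or 0400). Uses ls so it works on Linux and BSD.
check_private() {
  mode=$(ls -ld "$1" | cut -c1-10)
  case "$mode" in
    -r[w-]-------) return 0 ;;
    *) echo "$1 is readable by group/others ($mode); chmod 600 it" >&2; return 1 ;;
  esac
}

# preflight NAMESPACE FILE: run the offline checks, then (when kubectl/helm are present)
# confirm the pull secret exists and render the release with --dry-run before installing.
preflight() {
  ns="$1"; f="$2"
  check_values "$f" && check_private "$f" || return 1
  if command -v kubectl >/dev/null 2>&1; then
    kubectl get secret regcred -n "$ns" >/dev/null || {
      echo "image pull secret regcred missing in namespace $ns" >&2; return 1; }
  fi
  if command -v helm >/dev/null 2>&1; then
    helm upgrade --install cequence-bridge cequence/cequence-bridge \
      --version 5.2.1 -n "$ns" --values "$f" --dry-run >/dev/null || return 1
  fi
  return 0
}

# Usage: sh preflight.sh run [namespace] [values-file]
if [ "${1:-}" = "run" ]; then
  ns="${2:-cequencebridge}"; f="${3:-cequence-bridge-values.yaml}"
  preflight "$ns" "$f" || exit 1
  helm upgrade --install cequence-bridge cequence/cequence-bridge \
    --version 5.2.1 -n "$ns" --values "$f"
fi
```

The placeholder pattern is deliberately broad (any <word> token); a values file for this chart has no legitimate reason to contain one.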
Connecting Traffic Sources to Cequence Bridge
The Cequence Bridge can connect to multiple traffic sources. It currently supports two reader types: HTTP and F5 High-Speed Logging (HSL).
For an HTTP traffic source, including the Cequence Sensor or any API gateway integration, use the HTTP configuration below (reader type "http"). In that sample TLS terminates at the NGINX ingress using the bridge-tls-secret certificate, and the ingress forwards plain HTTP to the service on port 9443. If your images are pulled from the Cequence registry, add the same imagePullSecrets entry for regcred that the HSL sample shows.
For an F5 HSL traffic source, use the F5 HSL configuration below (reader type "hsl"), in which the Bridge itself terminates TLS on the TCP listener.
HTTP traffic configuration for the Cequence Bridge
cequenceBridge:
  config:
    reader:
      type: "http"
      server:
        port: "9443"
    logging:
      output: "file"
      level: "info"
    apiEndpoint:
      uapSubdomain: <UAP_SUB_DOMAIN>
    auth:
      clientId: <clientID>
      clientSecret: <clientSecret>
service:
  port: "9443"
  targetPort: "9443"
  scheme: http
ingress:
  enabled: true
  className: "nginx"
  hosts:
    - host: bridge.<UAP_SUB_DOMAIN>
      paths:
        - path: /
          pathType: Prefix
  tls:
    - hosts:
        - bridge.<UAP_SUB_DOMAIN>
      secretName: bridge-tls-secret
F5 HSL configuration for Cequence Bridge
The F5 BIG-IP sends HSL records to the Bridge over TLS, so the Bridge needs a server certificate and private key. Place the certificate (server.crt) and key (server.key) in a folder and run the following command to load that folder into a ConfigMap named cequence-bridge-certs-cm. The command does not generate the certificate; the file names in the folder become the ConfigMap keys and must match the certFile and keyFile values in the configuration below. Be aware that the private key is then held in a ConfigMap, which Kubernetes does not encrypt at rest unless the cluster is configured to do so, and which is readable by any principal allowed to get ConfigMaps in the namespace; restrict RBAC on the cequencebridge namespace accordingly.
kubectl create configmap cequence-bridge-certs-cm --from-file \
/path/to/certsfolder -n cequencebridge
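As an added example (not Cequence tooling), the following POSIX shell functions create a self-signed server certificate and key with the file names the configuration expects, verify that the key matches the certificate, and render the ConfigMap from the command above for review before it is applied. The host name, the 365-day validity and the 2048-bit RSA key size are assumptions for illustration; a certificate issued by a CA the F5 BIG-IP trusts is the production choice. It requires OpenSSL 1.1.1 or newer for the -addext option.

```sh
#!/bin/sh
# Added example: create the server certificate and key for the HSL TLS listener and
# package the folder as the ConfigMap the chart expects. Not Cequence tooling; the
# host name, 365-day validity and 2048-bit RSA key are assumptions for illustration.
# Requires OpenSSL 1.1.1 or newer (for -addext).

# gen_hsl_cert DIR HOSTNAME: writes DIR/server.crt and DIR/server.key. The file names
# must match certFile/keyFile in the values file, and HOSTNAME must be the name the
# F5 BIG-IP uses to reach the Bridge so that it can validate the certificate.
gen_hsl_cert() {
  dir="$1"; host="$2"
  mkdir -p "$dir" || return 1
  # umask 077 in a subshell so the key is created 0600 regardless of the caller's umask.
  ( umask 077 && openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
      -subj "/CN=$host" -addext "subjectAltName=DNS:$host" \
      -keyout "$dir/server.key" -out "$dir/server.crt" 2>/dev/null ) || return 1
  # Sanity check: the key really belongs to the certificate, and it is not expired.
  k=$(openssl pkey -in "$dir/server.key" -pubout 2>/dev/null | openssl sha256)
  c=$(openssl x509 -in "$dir/server.crt" -pubkey -noout | openssl sha256)
  [ -n "$k" ] && [ "$k" = "$c" ] || return 1
  openssl x509 -in "$dir/server.crt" -noout -checkend 0 >/dev/null
}

# cert_subject DIR: print the certificate subject, for a quick look before deploying.
cert_subject() {
  openssl x509 -in "$1/server.crt" -noout -subject
}

# certs_configmap DIR NAMESPACE: the ConfigMap from the kubectl command above, rendered
# client-side so it can be reviewed (for example, that only server.crt and server.key
# are in it) before piping to `kubectl apply -f -`. The key is stored in it unencrypted.
certs_configmap() {
  kubectl create configmap cequence-bridge-certs-cm --from-file="$1" -n "$2" \
    --dry-run=client -o yaml
}

# Usage: sh hsl-certs.sh run [certs-dir] [hostname] [namespace]
if [ "${1:-}" = "run" ]; then
  dir="${2:-./certs}"
  gen_hsl_cert "$dir" "${3:-bridge.example.com}" || exit 1
  cert_subject "$dir"
  certs_configmap "$dir" "${4:-cequencebridge}" | kubectl apply -f -
fi
```

Because the ConfigMap is built from the whole folder, keep only the two files in it; any stray file (an old key, a CSR) would also be published into the ConfigMap.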
Configuration
service:
  type: LoadBalancer
  port: 8888
  targetPort: 8888
imagePullSecrets:
  - name: regcred
replicaCount: 1
cequenceBridge:
  config:
    reader:
      type: "hsl"
      tcpReader:
        port: "8888"
        tls:
          enabled: true
          certFile: "server.crt" # Must match the file name in the certs folder used to create the ConfigMap
          keyFile: "server.key" # Must match the file name in the certs folder used to create the ConfigMap
    apiEndpoint:
      uapSubdomain: "<UAP_SUB_DOMAIN>" # Replace with the subdomain of your UAP installation
    auth:
      clientId: "bridge-client-1" # Client name of the traffic client you created in the previous step
      clientSecret: "xxxx" # Client secret you copied in the previous step
    configService:
      host: "policy-engine.cqai.yourdomain.com" # Replace with the policy engine host name of your UAP installation
      port: 443
      scheme: "https"
Verification
A successful installation of Cequence Bridge exposes an ingestion endpoint. The sample output below comes from a Terraform-managed Azure Container Apps deployment; the NAME segment of the host name is assigned by Terraform and is not set by any configuration listed on this page.
url = "https://cequence-bridge-app-<NAME>.azurecontainerapps.io/api-transactions"
For the Helm installation described on this page, the endpoint is instead the ingress host you configured in the values file (bridge.<UAP_SUB_DOMAIN> in the HTTP sample), or, for the HSL reader, the LoadBalancer address of the service on port 8888.
Traffic sent to that endpoint (for the HTTP reader, a request with the appropriate JSON body) is visible in the Cequence UAP. Browse to the Sitemap Discovery page under "Threat Detection" to confirm that the requests you are sending via Cequence Bridge are reaching the UAP platform.