Before deploying the Cequence Bridge, prepare your Kubernetes cluster environment by following the procedures in this section.
Compute resource requirements
Between 100 and 500 RPs
- CPU Limits: 500m
- CPU Requested: 200m
- Memory Limits: 800Mi
- Memory Requested: 300Mi
Up to 1000 RPs
- CPU Limits: 1
- CPU Requested: 500m
- Memory Limits: 2Gi
- Memory Requested: 1Gi
Prerequisite
Cequence Bridge requires TLS version 1.2 or 1.3.
Creating a Cequence Bridge namespace
As a best practice, deploy the Cequence Bridge in a separate Kubernetes namespace.
- Run the following command to create the new namespace.
kubectl create namespace cequencebridge
- Run the following command to make the new namespace the default for your current kubectl context, so that the remaining commands in this guide run against it.
kubectl config set-context --current --namespace=cequencebridge
Creating platform secrets
Using the Cequence repositories requires Gitlab credentials with authorized access to the repositories. Your Cequence sales team or customer success team can assist you with establishing these credentials, or arrange to provide images directly.
To create a secret in the cluster, run the following command.
kubectl create secret docker-registry regcred --docker-server=registry.gitlab.com \
--docker-username=<your-username> --docker-password=<your-password> -n cequencebridge
To create the secret from an existing Docker config file instead, confirm that you have a properly configured docker-config.json file (the same format as ~/.docker/config.json), then run the following command.
kubectl create secret generic regcred --from-file=.dockerconfigjson=./docker-config.json \
--type=kubernetes.io/dockerconfigjson -n cequencebridge
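Both commands above produce the same kind of object: a Secret of type kubernetes.io/dockerconfigjson whose only payload is a base64-encoded Docker config. The following added example (not code from Cequence or from kubectl; the registry user and token are constructed placeholders) builds that object the way kubectl does and decodes it again, which makes clear that the GitLab credentials are merely encoded inside the cluster, so read access to Secrets in the cequencebridge namespace is read access to those credentials.

```python
"""Inspect what a kubernetes.io/dockerconfigjson pull secret actually contains.

Added example for this page, not code from Cequence or from kubectl. The
registry server, username and password used below are constructed placeholders.
"""
import base64
import json
from typing import Dict, Tuple


def docker_config_json(server: str, username: str, password: str) -> str:
    """Return the JSON that ~/.docker/config.json holds for one registry.

    The "auth" field is base64("username:password"): encoded, not encrypted.
    """
    auth = base64.b64encode(f"{username}:{password}".encode()).decode()
    entry = {"username": username, "password": password, "auth": auth}
    return json.dumps({"auths": {server: entry}})


def registry_secret_manifest(name: str, namespace: str, server: str,
                             username: str, password: str) -> dict:
    """Build the Secret that `kubectl create secret docker-registry` sends.

    The same object can be reviewed before it is applied with
    `kubectl create secret docker-registry ... --dry-run=client -o yaml`.
    """
    payload = docker_config_json(server, username, password).encode()
    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "metadata": {"name": name, "namespace": namespace},
        "type": "kubernetes.io/dockerconfigjson",
        # Secret data is base64 of the raw bytes; the API server stores it as-is
        # unless encryption at rest is configured for the cluster.
        "data": {".dockerconfigjson": base64.b64encode(payload).decode()},
    }


def credentials_from_secret(manifest: dict) -> Dict[str, Tuple[str, str]]:
    """Recover {registry: (username, password)} from a pull secret.

    Anyone granted `get` on Secrets in the cequencebridge namespace can do this,
    which is why the registry credentials should be read-only and the
    namespace's RBAC kept tight.
    """
    raw = base64.b64decode(manifest["data"][".dockerconfigjson"])
    result: Dict[str, Tuple[str, str]] = {}
    for server, entry in json.loads(raw)["auths"].items():
        user, _, password = base64.b64decode(entry["auth"]).decode().partition(":")
        result[server] = (user, password)
    return result


if __name__ == "__main__":
    # Constructed values; in practice use a read-only registry token, not a user password.
    secret = registry_secret_manifest("regcred", "cequencebridge",
                                      "registry.gitlab.com", "example-user", "example-token")
    print(json.dumps(secret, indent=2))
    print(credentials_from_secret(secret))
```

Run it as a script to see the manifest, or import it to check an existing secret fetched with `kubectl get secret regcred -n cequencebridge -o json`.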
Generating a traffic client and secret
Before the Cequence Bridge can send traffic to the Cequence UAP platform, you need to create auth credentials in UAP that the Bridge uses to authenticate to UAP. To create the auth credentials, follow these steps in your UAP management portal.
- Log in to the UAP management portal UI (for example, https://ui.<your-tenant-name>.<domain>).
- Select General Settings > User Management. The User Management pane appears.
- Click the Clients tab.
- Click Add New Client. The new client dialog box appears.
- Type the client name in the Client Name field.
- Enable the Traffic Ingestion toggle.
- To change the token lifespan from the default of 1800 seconds, type a whole number of seconds in Token Lifespan.
- Click Save. A dialog box with the client secret appears.
- Click the blue Copy icon to copy the secret to the clipboard, then click Close. The client list appears.
- Note the client name and the value of the client secret for later use. The client is now set up, and for security reasons the secret is not shown again in the UI.
Installing the Cequence Bridge using Helm
- Create a file named cequence-bridge-values.yaml. This article provides sample configurations for the HTTP, F5 HSL, and ICAP use cases.
- Run the following commands to install the Cequence Bridge.
helm repo add cequence https://cequence.gitlab.io/helm-charts
helm repo update
helm upgrade --install cequence-bridge cequence/cequence-bridge \
  --version 5.3.1 -n cequencebridge --values cequence-bridge-values.yaml
Connecting Traffic Sources to Cequence Bridge
The Cequence Bridge can connect to multiple traffic sources. The Cequence Bridge currently supports the HTTP, F5 High-Speed Logging (HSL), and ICAP (Internet Content Adaptation Protocol) protocols for traffic ingestion.
HTTP traffic configuration for the Cequence Bridge
To configure the Cequence Bridge for ingesting traffic from HTTP traffic sources to the Bridge, including Cequence Sensor and/or any API gateway integration, use the configuration as shown below.
cequenceBridge:
  config:
    reader:
      type: "http"
      server:
        port: "9443"
    logging:
      output: "file"
      level: "info"
    apiEndpoint:
      uapSubdomain: <UAP_SUB_DOMAIN>
      auth:
        clientId: <clientID>
        clientSecret: <clientSecret>
service:
  port: "9443"
  targetPort: "9443"
  scheme: http
ingress:
  enabled: true
  className: "nginx"
  hosts:
    - host: bridge.<UAP_SUB_DOMAIN>
      paths:
        - path: /
          pathType: Prefix
  tls:
    - hosts:
        - bridge.<UAP_SUB_DOMAIN>
      secretName: bridge-tls-secret
F5 HSL configuration for Cequence Bridge
To configure the Cequence Bridge for ingesting traffic from F5 using the F5 High Speed Logging integration, follow the steps shown below.
Create ConfigMap to load certificate and key
Run the following command to load the certificate and key used by the Bridge into a ConfigMap named cequence-bridge-certs-cm. The file names in the folder must match the certFile and keyFile values in the Bridge configuration. Because the private key is stored in a ConfigMap rather than a Secret, restrict read access to the cequencebridge namespace accordingly.
kubectl create configmap cequence-bridge-certs-cm --from-file \
/path/to/certsfolder -n cequencebridge
Bridge Configuration
service:
  type: LoadBalancer
  port: 8888
  targetPort: 8888
imagePullSecrets:
  - name: regcred
replicaCount: 1
cequenceBridge:
  config:
    reader:
      type: "hsl"
      server:
        port: "8888"
        tls:
          enabled: true
          certFile: "server.crt" # The name of the cert file must match the one in the certs folder used to create the ConfigMap
          keyFile: "server.key" # The name of the key file must match the one in the certs folder used to create the ConfigMap
    apiEndpoint:
      uapSubdomain: "<UAP_SUB_DOMAIN>" # Replace with the subdomain of your UAP installation
      auth:
        clientId: "bridge-client-1" # Client ID you created in the previous step
        clientSecret: "xxxx" # Client secret you created in the previous step
    configService:
      host: "policy-engine.cqai.yourdomain.com" # Replace this URL with the URL of your UAP installation
      port: 443
      scheme: "https"
NetScaler ICAP configuration for Cequence Bridge
To configure the Cequence Bridge for ingesting traffic from NetScaler using the NetScaler ICAP integration, use the configuration as shown below.
Create ConfigMap to load certificate and key
Run the following command to load the certificate and key, used by the Bridge, into a ConfigMap named cequence-bridge-certs-cm.
kubectl create configmap cequence-bridge-certs-cm --from-file \
/path/to/certsfolder -n cequencebridge
Bridge Configuration
service:
  type: LoadBalancer
  port: 1345
  targetPort: 1345
imagePullSecrets:
  - name: regcred
replicaCount: 1
cequenceBridge:
  image:
    repository: registry.gitlab.com/cequence/releases/dataplane/cequence-bridge # -- Image repository to pull the cequence-bridge image from.
    pullPolicy: IfNotPresent # -- Image pull policy.
    tag: 5.3.1-icap
  config:
    reader:
      type: "icap"
      server:
        port: "1345"
        tls:
          enabled: true
          certFile: "server.crt" # The name of the cert file must match the one in the certs folder used to create the ConfigMap
          keyFile: "server.key" # The name of the key file must match the one in the certs folder used to create the ConfigMap
    apiEndpoint:
      uapSubdomain: "<UAP_SUB_DOMAIN>" # Replace with the subdomain of your UAP installation
      auth:
        clientId: "bridge-client-1" # Client ID you created in the previous step
        clientSecret: "xxxx" # Client secret you created in the previous step
    configService:
      host: "policy-engine.cqai.yourdomain.com" # Replace this URL with the URL of your UAP installation
      port: 443
      scheme: "https"
Using secure connections
Cequence Bridge supports secure connections for traffic transmissions. Specific configuration requirements depend on the value set for the READER_TYPE parameter:
| Value | Connects using |
| --- | --- |
| F5 HSL | SSL over TCP |
| ICAP | HTTPS |
| HTTP | HTTPS |
To receive traffic over a secure connection, configure the SSL certificate.
F5 HSL
Add the following section to the Docker compose file.
environment:
  ...
  - READER_USE_SSL=true
  - READER_CERT_FILE="server2048.crt"
  - READER_KEY_FILE="server2048.key"
volumes:
  - /path/to/certfile/server2048.crt:/certs/server2048.crt # Replace with the server certificate path
  - /path/to/keyfile/server2048.key:/certs/server2048.key # Replace with the server key path
Set the READER_USE_SSL environment variable to true to enable secure connections between F5 and Cequence Bridge. Mount the certificate and key files to the paths specified in the volumes: section added to the Docker compose file.
Set the value of the READER_USE_SSL environment variable to false to send traffic in plaintext.
When Cequence Bridge runs in a Kubernetes environment, add the following overrides to the Helm chart to enable secure communication.
reader:
  ...
  server:
    # -- Reader server port for http-reader, hsl or ICAP server.
    port: "9443"
    tls:
      # -- Enables secure connection between the client and cequence-bridge when set to true.
      enabled: true
      # -- TLS server cert filename
      # The certs ConfigMap must be created before deploying the Intelligent Bridge
      # Helm chart. The certs ConfigMap must be named cequence-bridge-certs-cm
      #
      # To create the config-map, use the command:
      # `kubectl create configmap cequence-bridge-certs-cm --from-file /path/to/certsfolder`
      #
      certFile: "server.crt"
      # -- TLS server key filename
      keyFile: "server.key"
Note: When you use a self-signed certificate, make sure that certificate verification is disabled on the F5 side when F5 sends data over HSL.
HTTP
Configure the READER_USE_SSL, READER_CERT_FILE, and READER_KEY_FILE environment variables to enable secure communication.
Set the READER_USE_SSL environment variable to true to enable secure connections to Cequence Bridge.
Set the value of the READER_USE_SSL environment variable to false to send traffic in plaintext.
The HTTP reader supports client authentication when the reader receives data from HTTP clients. Client authentication verification is enabled by default when Cequence Bridge is in HTTP reader mode. Add the following configuration to your Docker compose file or Helm chart to disable client authentication verification.
- Docker: Set AUTH_ENABLED in the environment section to false.
- Helm: Set authEnabled in the reader section to false.
ICAP
Secure communication configuration for ICAP is the same as for HSL. Consult the F5 HSL section above for configuration details.
Disabling UAP certificate validation
To disable certificate validation for transmissions between the Cequence Bridge and the Cequence UAP platform, set the following values in the Docker compose file or Helm chart, as appropriate.
- Docker: Set DISABLE_SSL_VERIFY in the environment section to true.
- Helm: Set disableSslVerify in the reader section to true.
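The Helm samples and the secure-connection settings above are easy to get subtly wrong: a placeholder such as <UAP_SUB_DOMAIN> or xxxx left in place, a reader port that does not match the Service targetPort, TLS enabled with cert file names that differ from the files loaded into cequence-bridge-certs-cm, or disableSslVerify and authEnabled left in their weakened state after a test. The following added example (not part of the Cequence chart or its documentation) lints a values file for those conditions before helm upgrade --install runs. It assumes the values layout shown on this page, and it assumes that authEnabled and disableSslVerify sit under cequenceBridge.config.reader as the Helm bullets above describe; SAMPLE_VALUES is a constructed copy of the F5 HSL sample.

```python
"""Preflight lint for a Cequence Bridge Helm values file.

Added example, not code from the Cequence chart or documentation. It assumes
the values layout shown on this page and that `authEnabled` and
`disableSslVerify` live under `cequenceBridge.config.reader` (an assumption).
"""
import copy
import re
from typing import Any, List, Optional, Set

READER_TYPES = {"http", "hsl", "icap"}
# Values a sample leaves behind: <UAP_SUB_DOMAIN>, <clientSecret>, xxxx, empty.
PLACEHOLDER = re.compile(r"^<.*>$|^x+$|^$")


def _get(node: Any, *path: str, default: Any = None) -> Any:
    """Walk nested dicts; return default if any key along the path is missing."""
    for key in path:
        if not isinstance(node, dict) or key not in node:
            return default
        node = node[key]
    return node


def lint_values(values: dict, certs_in_configmap: Optional[Set[str]] = None) -> List[str]:
    """Return human-readable findings; an empty list means the file looks deployable.

    certs_in_configmap: file names present in cequence-bridge-certs-cm, e.g. from
    `kubectl get configmap cequence-bridge-certs-cm -n cequencebridge -o json`.
    """
    findings: List[str] = []
    cfg = _get(values, "cequenceBridge", "config", default={})
    reader = _get(cfg, "reader", default={})
    rtype = reader.get("type")
    if rtype not in READER_TYPES:
        findings.append(f"reader.type must be one of {sorted(READER_TYPES)}, got {rtype!r}")

    # The Service forwards to targetPort; the reader must listen on that port.
    rport = str(_get(reader, "server", "port", default=""))
    tport = str(_get(values, "service", "targetPort", default=""))
    if rport != tport:
        findings.append(f"reader.server.port {rport!r} != service.targetPort {tport!r}")

    # TLS needs both files, named exactly as they are in cequence-bridge-certs-cm.
    tls = _get(reader, "server", "tls", default={})
    if tls.get("enabled"):
        for key in ("certFile", "keyFile"):
            name = tls.get(key)
            if not name:
                findings.append(f"tls.enabled is true but tls.{key} is not set")
            elif certs_in_configmap is not None and name not in certs_in_configmap:
                findings.append(f"tls.{key}={name!r} is not in ConfigMap cequence-bridge-certs-cm")
    elif rtype in ("hsl", "icap"):
        findings.append("tls.enabled is false: HSL/ICAP traffic will arrive in plaintext")

    # Sample placeholders must not reach the cluster.
    for path in (("apiEndpoint", "uapSubdomain"),
                 ("apiEndpoint", "auth", "clientId"),
                 ("apiEndpoint", "auth", "clientSecret")):
        value = str(_get(cfg, *path, default=""))
        if PLACEHOLDER.match(value):
            findings.append(f"{'.'.join(path)} still holds placeholder {value!r}")

    # Settings that weaken verification should be deliberate, never leftovers.
    if reader.get("disableSslVerify") is True:
        findings.append("reader.disableSslVerify is true: UAP certificate validation is off")
    if rtype == "http" and reader.get("authEnabled") is False:
        findings.append("reader.authEnabled is false: HTTP reader accepts unauthenticated clients")
    return findings


def load_values(path: str) -> dict:
    """Load a values file with PyYAML (pip install pyyaml), imported lazily so
    the rest of this module works without it."""
    import yaml
    with open(path, encoding="utf-8") as fh:
        return yaml.safe_load(fh) or {}


# Constructed: a copy of this page's F5 HSL sample, placeholders included.
SAMPLE_VALUES = {
    "service": {"type": "LoadBalancer", "port": 8888, "targetPort": 8888},
    "imagePullSecrets": [{"name": "regcred"}],
    "replicaCount": 1,
    "cequenceBridge": {"config": {
        "reader": {"type": "hsl", "server": {"port": "8888", "tls": {
            "enabled": True, "certFile": "server.crt", "keyFile": "server.key"}}},
        "apiEndpoint": {"uapSubdomain": "<UAP_SUB_DOMAIN>",
                        "auth": {"clientId": "bridge-client-1", "clientSecret": "xxxx"}},
        "configService": {"host": "policy-engine.cqai.yourdomain.com", "port": 443, "scheme": "https"},
    }},
}


def harden_sample() -> dict:
    """The same sample with its placeholders replaced by constructed values."""
    values = copy.deepcopy(SAMPLE_VALUES)
    api = values["cequenceBridge"]["config"]["apiEndpoint"]
    api["uapSubdomain"] = "acme"
    api["auth"]["clientSecret"] = "constructed-secret-from-uap"
    return values


if __name__ == "__main__":
    import sys
    values = load_values(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_VALUES
    for line in lint_values(values, {"server.crt", "server.key"}) or ["OK: no findings"]:
        print(line)
```

Run it as `python lint_values.py cequence-bridge-values.yaml` before the helm command; with no argument it lints the embedded sample and reports the two placeholders the page's HSL sample carries. The ConfigMap file names are passed in explicitly so the check stays offline; in a pipeline they would come from the cluster.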
Verification
A successful installation of Cequence Bridge produces the following output.
url = "https://cequence-bridge-app-<NAME>.azurecontainerapps.io/api-transactions"
Note that the "NAME" part of the URL above is auto-assigned by Terraform; it is not set by any of the configuration listed on this page.
Traffic sent to the above URL with the appropriate JSON body is visible in the Cequence UAP. Browse to the Sitemap Discovery page under "Threat Detection" to confirm that the requests you are sending using the Cequence Bridge are arriving at the UAP Platform.