Version: Spectra Detect 5.5.1

Installing Spectra Detect in K8s

This document provides instructions for deploying the Spectra Detect platform using Helm charts.

There are a total of 5 Helm charts:

  1. c1000
  2. tiscale-worker
  3. tiscale-hub
  4. tiscale-external-appliances
  5. detect

The Detect service consists of multiple Helm charts that together form a single platform. There is also an umbrella Detect Helm chart that has the c1000, tiscale-worker, tiscale-hub, and tiscale-external-appliances charts set as subcharts. It lets you deploy and manage the Detect platform from a single Helm release instead of 3 or 4 (depending on whether large file Worker mode is being used).

ReversingLabs recommends using the detect umbrella chart approach, as it makes it easier to install and manage the Spectra platform going forward.

ReversingLabs Helm and Container Image Registry

ReversingLabs Detect Helm charts and container images are available at registry.reversinglabs.com. To connect to the registry, you need to use a ReversingLabs Spectra Intelligence account.

helm registry login registry.reversinglabs.com -u "${RL_SPECTRA_INTELLIGENCE_USERNAME}"

If you want to see which versions of the charts are available in the registry, you can use a tool like Skopeo to login to the registry and list the versions:

skopeo login registry.reversinglabs.com -u "${RL_SPECTRA_INTELLIGENCE_USERNAME}"
skopeo list-tags docker://registry.reversinglabs.com/detect/charts/"${HELM_CHART_NAME}"

Running the above command would return output similar to this.

{
    "Repository": "registry.reversinglabs.com/detect/charts/detect",
    "Tags": [
        "5.5.0-3",
        "5.5.0-2",
        "5.5.0-1"
    ]
}
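An added example, not part of the ReversingLabs documentation: a shell helper that picks the newest chart version from list-tags output like the one above, so that the install commands later on this page get a fixed value for DETECT_HELM_CHART_VERSION. The function names and the sample JSON are constructed for illustration, and the helper assumes tags keep the numeric form shown above, with the build suffix compared numerically.

```shell
# Constructed sample with the same shape as the `skopeo list-tags` output above.
sample_tags_json() {
cat <<'EOF'
{
    "Repository": "registry.reversinglabs.com/detect/charts/detect",
    "Tags": [
        "5.5.0-3",
        "5.5.0-10",
        "latest",
        "5.5.0-1"
    ]
}
EOF
}

# Read list-tags JSON on stdin and print the highest numeric version tag.
# Floating tags such as "latest" are skipped, so the result is always a
# fixed version that installs the same chart every time.
newest_version_tag() {
  grep -oE '"[0-9]+(\.[0-9]+)*(-[0-9]+)?"' |
    tr -d '"' |
    sort -V |      # version sort: 5.5.0-10 ranks above 5.5.0-3
    tail -n 1
}

# Hypothetical wrapper: query the registry and export the pinned version.
pin_chart_version() {
  chart="$1"
  tag=$(skopeo list-tags \
    "docker://registry.reversinglabs.com/detect/charts/${chart}" |
    newest_version_tag)
  if [ -z "$tag" ]; then
    echo "no numeric version tag found for ${chart}" >&2
    return 1
  fi
  DETECT_HELM_CHART_VERSION="$tag"
  export DETECT_HELM_CHART_VERSION
}
```

After `skopeo login`, `pin_chart_version detect` sets the variable for the current shell; a plain lexical sort would have ranked 5.5.0-3 above 5.5.0-10.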

ReversingLabs container images used by the Helm charts are also available at registry.reversinglabs.com. Detect images are named:

  • detect-worker-mono
  • detect-hub-mono
  • detect-manager-mono

You can list the available container image versions the same way as the Helm chart versions, but at a different path.

skopeo list-tags docker://registry.reversinglabs.com/detect/images/"${CONTAINER_IMAGE_NAME}"

Running the above command would return output similar to this.

{
    "Repository": "registry.reversinglabs.com/detect/images/detect-manager-mono",
    "Tags": [
        "5.5.0",
        "latest"
    ]
}

Deploying Detect Helm Charts

You can first create a new namespace where you will install Detect, but you can use an existing one if preferred.

kubectl create namespace detect # Namespace name is arbitrary

Registry Secret Setup

For Kubernetes to be able to pull container images, a Kubernetes secret containing a user's Spectra Intelligence credentials must exist in the namespace where Detect will be installed. The secret can either be managed by the Detect Helm chart, or you can create it manually and manage it outside the Helm release. To have the Helm chart handle the secret, set registry.createRegistrySecret to true and set registry.authSecretName and registry.authSecretPassword to the values corresponding to the Spectra Intelligence account. If the secret will be managed outside the Helm release, set registry.createRegistrySecret to false.

You can create the secret manually using the following command:

# Both base64 stages strip newlines so that long credentials are not line-wrapped.
kubectl apply -n "detect" -f - <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: "rl-registry-key"
type: kubernetes.io/dockerconfigjson
data:
  .dockerconfigjson: $(echo -n '{"auths": {"registry.reversinglabs.com": {"auth": "'$(echo -n "${SPECTRA_INTELLIGENCE_USERNAME}:${SPECTRA_INTELLIGENCE_PASSWORD}" | base64 | tr -d '\n')'"}}}' | base64 | tr -d '\n')
EOF
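An added example, not part of the ReversingLabs documentation: shell functions that build the .dockerconfigjson value used in the manifest above and decode it again, so the pull secret can be checked for the expected account before any Pod fails to pull its image. The function names and the sample account are hypothetical.

```shell
REGISTRY="registry.reversinglabs.com"

# Build the value for .dockerconfigjson from a username and password.
# base64 wraps its output at 76 columns by default; a wrapped "auth" string
# would place a raw newline inside the JSON, so both stages strip newlines.
build_dockerconfigjson() {
  auth=$(printf '%s:%s' "$1" "$2" | base64 | tr -d '\n')
  printf '{"auths": {"%s": {"auth": "%s"}}}' "$REGISTRY" "$auth" |
    base64 | tr -d '\n'
}

# Decode a .dockerconfigjson value back to "username:password".
# Fails if the payload is not valid base64 or has no single-line auth
# entry for the registry (which is what a line-wrapped auth looks like).
decode_registry_auth() {
  json=$(printf '%s' "$1" | base64 -d) || return 1
  auth=$(printf '%s' "$json" |
    sed -n "s/.*\"${REGISTRY}\": *{ *\"auth\": *\"\([^\"]*\)\".*/\1/p")
  [ -n "$auth" ] || return 1
  printf '%s' "$auth" | base64 -d
}

# Succeed only if the encoded payload belongs to the expected username.
# The password is never printed.
secret_matches_user() {
  decoded=$(decode_registry_auth "$1") || return 1
  [ "${decoded%%:*}" = "$2" ]
}
```

To check the secret already stored in the cluster, pass the output of `kubectl get secret rl-registry-key -n detect -o jsonpath='{.data.\.dockerconfigjson}'` as the first argument of `secret_matches_user`.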

Helm Values

To deploy a Spectra Detect Helm release, construct a values file or use --set to define Helm chart values that suit your needs and environment.

By default, the tiscale-worker Helm chart has persistence.accessMode set to ["ReadWriteMany"], as the number of Workers is expected to scale up or down based on usage. This requires a remote storage class set up as per Remote Storage Requirement.

For a PVC to be deployed, you need to set persistence.storageClassName value to your remote storage class name.

It is possible to run a single Worker without a storage class that supports ReadWriteMany by setting persistence.accessMode to ["ReadWriteOnce"], but this is not recommended in production.

Check Detect Helm Configuration Values for reference about all Helm chart values.

Ingress values configuration example for C1000 and Worker using AWS ALB Controller

This example shows how to configure C1000 and Worker Ingress using AWS ALB Controller. This also shows how to use External DNS to automatically create DNS records in AWS Route53.

C1000 and Worker Ingress Values Example
c1000:
  ingress:
    annotations:
      alb.ingress.kubernetes.io/backend-protocol: HTTP
      alb.ingress.kubernetes.io/certificate-arn: <<AWS CERTIFICATE ARN>>
      alb.ingress.kubernetes.io/group.name: detect
      alb.ingress.kubernetes.io/healthcheck-interval-seconds: "15"
      alb.ingress.kubernetes.io/healthcheck-path: /usermgmt/health-status
      alb.ingress.kubernetes.io/healthcheck-port: traffic-port
      alb.ingress.kubernetes.io/healthcheck-protocol: HTTP
      alb.ingress.kubernetes.io/healthcheck-timeout-seconds: "5"
      alb.ingress.kubernetes.io/healthy-threshold-count: "2"
      alb.ingress.kubernetes.io/load-balancer-attributes: idle_timeout.timeout_seconds=600
      alb.ingress.kubernetes.io/manage-backend-security-group-rules: "true"
      alb.ingress.kubernetes.io/scheme: internal
      alb.ingress.kubernetes.io/security-groups: <<AWS_SECURITY_GROUPS>>
      alb.ingress.kubernetes.io/ssl-policy: ELBSecurityPolicy-FS-1-2-Res-2020-10
      alb.ingress.kubernetes.io/success-codes: 200,301,302,404
      alb.ingress.kubernetes.io/target-group-attributes: stickiness.enabled=true,stickiness.lb_cookie.duration_seconds=1200
      alb.ingress.kubernetes.io/target-type: ip
      alb.ingress.kubernetes.io/unhealthy-threshold-count: "2"
      external-dns.alpha.kubernetes.io/hostname: detect.example.com
      external-dns.alpha.kubernetes.io/ingress-hostname-source: annotation-only
    className: alb
    enabled: true
    host: detect.example.com

tiscale-worker:
  ingress:
    annotations:
      alb.ingress.kubernetes.io/backend-protocol: HTTP
      alb.ingress.kubernetes.io/certificate-arn: <<AWS CERTIFICATE ARN>>
      alb.ingress.kubernetes.io/group.name: detect
      alb.ingress.kubernetes.io/healthcheck-interval-seconds: "15"
      alb.ingress.kubernetes.io/healthcheck-path: /usermgmt/health-status
      alb.ingress.kubernetes.io/healthcheck-port: traffic-port
      alb.ingress.kubernetes.io/healthcheck-protocol: HTTP
      alb.ingress.kubernetes.io/healthcheck-timeout-seconds: "5"
      alb.ingress.kubernetes.io/healthy-threshold-count: "2"
      alb.ingress.kubernetes.io/load-balancer-attributes: idle_timeout.timeout_seconds=600
      alb.ingress.kubernetes.io/manage-backend-security-group-rules: "true"
      alb.ingress.kubernetes.io/scheme: internal
      alb.ingress.kubernetes.io/security-groups: <<AWS_SECURITY_GROUPS>>
      alb.ingress.kubernetes.io/ssl-policy: ELBSecurityPolicy-FS-1-2-Res-2020-10
      alb.ingress.kubernetes.io/success-codes: 200,301,302,404
      alb.ingress.kubernetes.io/target-group-attributes: stickiness.enabled=true,stickiness.lb_cookie.duration_seconds=1200
      alb.ingress.kubernetes.io/target-type: ip
      alb.ingress.kubernetes.io/unhealthy-threshold-count: "2"
      external-dns.alpha.kubernetes.io/hostname: detect-worker.example.com
      external-dns.alpha.kubernetes.io/ingress-hostname-source: annotation-only
    className: alb
    enabled: true
    host: detect-worker.example.com

Installing a Detect Chart

You can then install the Helm release using the following command:

helm install detect oci://registry.reversinglabs.com/detect/charts/detect \
--version "${DETECT_HELM_CHART_VERSION}" --namespace detect -f values.yaml

Or you can set Helm values from the command line using the --set flag, for example:

helm install detect oci://registry.reversinglabs.com/detect/charts/detect \
--version "${DETECT_HELM_CHART_VERSION}" --namespace detect \
--set "c1000.ingress.enabled=true" \
--set "tiscale-worker.ingress.enabled=true" \
--set "tiscale-worker.persistence.storageClassName=efs-sc" \
--set ...

Installing Detect Components as Separate Helm Releases

Each Detect component has its own Helm chart you can use to deploy that component.

Deploying Spectra Detect Manager

helm install detect-c1000 oci://registry.reversinglabs.com/detect/charts/c1000 \
--version "${C1000_CHART_VERSION}" --namespace detect \
--set "ingress.enabled=true"

Deploying Spectra Detect Worker

When deploying a Spectra Detect Worker component, you need to specify the c1000.releaseName value so that the Worker can connect to the Spectra Detect Manager.

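# Worker chart (tiscale-worker in the chart list above); the version variable name is a placeholder
helm install detect-worker oci://registry.reversinglabs.com/detect/charts/tiscale-worker \
--version "${TISCALE_WORKER_CHART_VERSION}" --namespace detect \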
--set "ingress.enabled=true" \
--set "c1000.releaseName=detect-c1000"

Deploying Spectra Detect Hub

When deploying a Spectra Detect Hub component, you need to specify the c1000.releaseName value so that the Worker can connect to the Spectra Detect Manager, and set the worker.releaseName value to the Worker release name so that the Hub knows how to connect to the Worker.

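# Hub chart (tiscale-hub in the chart list above); the version variable name is a placeholder
helm install detect oci://registry.reversinglabs.com/detect/charts/tiscale-hub \
--version "${TISCALE_HUB_CHART_VERSION}" --namespace detect \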
--set "ingress.enabled=true" \
--set "c1000.releaseName=detect-c1000" \
--set "worker.releaseName=detect-worker" \