Installation of Baffle Manager and Baffle Shield using Helm


  1. Self-registration for the Baffle docs portal must be finished. 
  2. A running Kubernetes cluster is required. 
  3. Repository access using Baffle JFrog credentials 
  4. Please verify the most recent stable release number with the Baffle support team. For this doc, an example release number of 1.7.0.xx is used.


  1. Using the provided credentials, download the artifacts from JFrog. 
  • Baffle-Manager: 
curl -u:<CREDENTIAL> -L -O
  • Baffle-Shield: 
curl -u:<CREDENTIAL> -L -O
  2. Extract the archives and run the script to load the Docker images. 
tar -zxvf BM-Docker-Deploy-Release-Baffle. 
cd BM-Docker-Deploy
tar -zxvf Baffle-Shield-Postgresql-Docker-Deploy-Release Baffle.
cd Baffle-Shield-Postgresql-Docker-Deploy
  3. Tag the images and push them to your container registry. 
docker images 
docker tag <imageID> <containerRegistry:Tag>
docker push <containerRegistry:Tag> 

Baffle Manager Helm Chart Deployment 

curl -u<username>:<password> -L -O manager-chart.tar.gz

Kubernetes download:

  • Baffle-manager-k8s-charts.tar.gz
  • baffle-shield-k8s-charts.tar.gz

Openshift download:

  • Baffle-manager-oc-charts.tar.gz
  • baffle-shield-oc-charts.tar.gz
  • Extract the contents of the tar.gz file 
    • cd baffle-manager-chart  
    • edit the values.yaml file 
  • Perform the following:
    • Edit Namespace 
    • Edit the Image URL for baffle-mongodb, baffle-manager, baffle-web, baffle-nginx.
    • Edit the 'roleARN' in the serviceAccount section to point to the ARN of the IAM role created in the previous step
    • Create and verify the Role ARN of the service account based on the IAM and S3 permissions described in the Baffle docs
    • Change image.pullSecret to point to the correct container registry credential 
    • Verify that a StorageClass catering to block storage is available. Update the StorageClass appropriately in the values.yaml file
  • Install Manager chart 
helm install baffle-manager baffle-manager-chart
  • Verify that the pods are up.
    • kubectl get pods
    • kubectl get svc

Get the external IP address of the baffle-nginx service to access Baffle Manager for initial configuration.

Baffle Shield Helm Chart Deployment 

curl -u<username>:<password> -L -O chart.tar.gz

Once the Configure Baffle Manager steps are finished and the Application SYNC ID is available, download the Baffle Shield Helm charts and prepare for installation. 

Configure Baffle Manager

Follow these instructions in the Baffle docs to configure Baffle Manager.

Configure a KeyStore:

The steps for enrolling a Keystore are listed in the Baffle docs.

Connect to a Data Store:

Follow these instructions in the Baffle docs to enroll a Data Store.

Enroll an Application in Baffle Manager 

An application is the framework that connects databases, Baffle Manager, and Baffle Shield and gives the Baffle Shield instructions on how to encrypt and decrypt data. This task walks you through adding an application to Baffle Manager, which you will later use to encrypt data.

NOTE: Only one application may be used to enroll a Baffle Shield. 

To enroll an Application in Baffle Manager, do the following:

  1. Click the Application icon on the navigation panel's left side.
  2. Click +APPLICATION in the window's upper right corner. The Enroll Application dialog box opens.
  3. Fill out the appropriate fields with an Application Name and an Application Description.
  4. Take the following actions:
    • Select a Data Store for encryption.
    • Choose the Keystore to be the source for the encryption keys for the data.
    • Select Column Level or Row Level as the Encryption Method.
  5. Click Enroll Application.

BaffleShield Installation: 

After completing the enrollment, select the application from the list to display application details in a sidebar. Copy the Shield Sync ID (near the top of the dialog) to a temporary text file for later use.

The helm charts are now installed and ready for the deployment of the BaffleShield. 

  1. Depending on the environment, select one of the following and extract the contents:
    • Openshift:
      • baffle-shield-oc-chart.tar.gz
    • Kubernetes:
      • baffle-shield-k8s-chart.tar.gz
  2. Edit the values.yaml file 
  3. Install the Helm chart for the shield
    • helm install baffle-shield-postgres baffle-shield-chart 
    • Set the BS_SSL parameter to false if the DB does not have SSL enabled.
    • If SSL is enabled for the DB, proceed to the next step as directed.
  4. Create Persistent Volume Claims (Optional):
    • Creating and uploading the baffleshield-keystore.jks file for the SSL cert is required if the Datastore is enrolled with SSL in Baffle Manager.
    • Appendix-1 contains the instructions for creating the JKS file.
    • Baffle advises mounting the jks file using persistent storage on the baffle-shield pod. 
  5. Check to see if the pods are launched and in the Running state. 
  6. At this point, the application can connect to the LB service created as part of the Helm chart deployment. 

Appendix-1 – SSL configuration in baffleshield pods 

The baffle-shield-app1.yaml file has the following SSL-specific parameters: 

Note: BS_SSL can be set to false if SSL is not used. 

BS_SSL: "true" 
BS_SSL_KEYSTORE_FILE: "/opt/sslconfig/baffleshield-keystore.jks"
BS_SSL_TRUSTSTORE_FILE: "/opt/sslconfig/baffleshield-keystore.jks"
BS_SSL_TRUSTSTORE_PASSWORD: "keystore"

Note that there is only one JKS file in the list of parameters above: it stores the Baffle Shield keys and certs for SSL termination from the client as well as the certs/keys required for SSL origination to the database. The YAML files must be modified if you want to use different JKS files for the truststore and keystore sides during installation.

Commands for importing Certificates/keys into Java Key Store file 

When SSL is enabled, Baffle Shield automatically uses Server Validation Enabled when connecting to a database (baffle shield --> DB).

  • If you already have the root and intermediate certificates, those can be added to the keystore and are sufficient for DB server validation.
  • If the certificates are formatted in P12:
keytool -importkeystore -srckeystore .p12 -srcstoretype PKCS12 -destkeystore baffleshield-keystore.jks -deststoretype JKS

If a public key (dbserver.pem) is available for accessing the database:

keytool -import -keystore baffleshield-keystore.jks -file dbserver.pem -alias db -noprompt -storepass "keystore"

Check that the password matches your installation; if it needs to be changed, you must also modify the YAML file.

The private key/cert for Baffle Shield must be set up on the keystore side (application --> BaffleShield) so that Baffle Shield can terminate TLS connections from applications/clients. There are several options for the Baffle keystore.

  1. Import a certificate and private key that you have already created for your system into the keystore.
    • If the cert information is in p12 format (for example, baffleshield-keystore.p12), run:
      • keytool -importkeystore -srckeystore baffleshield-keystore.p12 -srcstoretype PKCS12 -destkeystore baffleshield-keystore.jks -deststoretype JKS 
    • If the cert information is present as crt/key files (baffleshield.crt and baffleshield-private.key), a p12 file must be generated first, before the import:
      • openssl pkcs12 -export -in baffleshield.crt -inkey baffleshield-private.key -out baffleshield-keystore.p12
      • keytool -importkeystore -srckeystore baffleshield-keystore.p12 -srcstoretype PKCS12 -destkeystore baffleshield-keystore.jks -deststoretype JKS
  2. (Optional) Create a self-signed certificate and export the public key as a pem file for client connections.
    • Baffle can share a setup script that can generate a keystore with a self-signed certificate. Please contact Baffle for the script.
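The following script is an added example, not Baffle's setup script: it builds the single baffleshield-keystore.jks described in this appendix from crt/key files plus a DB server certificate, and then verifies that the file can serve both sides (a private key entry for Shield on the keystore side, a trusted cert entry for the DB on the truststore side). The file names, the aliases "baffleshield" and "db", and the password "keystore" (matching BS_SSL_TRUSTSTORE_PASSWORD above) are assumptions.

```shell
#!/bin/sh
# Added example (not Baffle's script). Assumed inputs: baffleshield.crt,
# baffleshield-private.key, dbserver.pem; assumed aliases "baffleshield" and "db";
# the store password "keystore" mirrors BS_SSL_TRUSTSTORE_PASSWORD in the YAML.
set -eu

JKS=baffleshield-keystore.jks
STOREPASS=keystore

# Keystore side (application -> Baffle Shield): crt/key -> PKCS#12 -> JKS,
# the two-step path from Appendix-1, step 1.
import_shield_identity() {
  crt=$1; key=$2
  openssl pkcs12 -export -in "$crt" -inkey "$key" -name baffleshield \
    -out baffleshield-keystore.p12 -passout pass:"$STOREPASS"
  keytool -importkeystore -srckeystore baffleshield-keystore.p12 -srcstoretype PKCS12 \
    -srcstorepass "$STOREPASS" -destkeystore "$JKS" -deststoretype JKS \
    -deststorepass "$STOREPASS" -noprompt
  rm -f baffleshield-keystore.p12   # do not leave the intermediate key bundle on disk
}

# Truststore side (Baffle Shield -> DB): the DB server (or CA) certificate as a
# trusted entry, which is what Server Validation uses.
import_db_cert() {
  keytool -import -keystore "$JKS" -file "$1" -alias db -noprompt -storepass "$STOREPASS"
}

# Succeeds only when the JKS holds a PrivateKeyEntry for Shield AND a
# trustedCertEntry for the DB, i.e. one file really covers both roles.
verify_jks() {
  listing=$(keytool -list -keystore "$JKS" -storepass "$STOREPASS")
  echo "$listing" | grep -q 'baffleshield,.*PrivateKeyEntry' || return 1
  echo "$listing" | grep -q 'db,.*trustedCertEntry' || return 1
}

# Usage: sh build-jks.sh baffleshield.crt baffleshield-private.key dbserver.pem
if [ $# -eq 3 ]; then
  import_shield_identity "$1" "$2"
  import_db_cert "$3"
  verify_jks && echo "$JKS is ready to mount at /opt/sslconfig"
fi
```

The resulting JKS is the file to place under /opt/sslconfig on the shield pods; if you change the password, update BS_SSL_TRUSTSTORE_PASSWORD in the YAML to match.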

Prerequisites on the Linux workstation where you create the JKS files: 

Keytool - Keytool ships with Java, so installing JDK 1.8 also installs it.

OpenSSL - The Linux workstation may already have OpenSSL installed. Otherwise, it must be downloaded and installed.

Kubernetes PVC/Mount point modifications: 

  • Since the SSL configuration will be shared by numerous pods, it is suggested that you add a Persistent volume and mount it so that it can be found in the /opt/sslconfig directory on the shield pods.


