This page provides instructions for deploying Baffle Manager on IBM Cloud in a Kubernetes cluster.
Before you begin, review the following topics:
- Baffle Terraform Template Deployment
- IBM Container Registry with Baffle Docker Images
- Deployment Prerequisites
Baffle Terraform Template Deployment
Baffle Advanced Data Protection utilizes the Terraform Template to deploy multiple resources in a cloud infrastructure. IBM Cloud deploys Baffle Manager in a Kubernetes cluster and Baffle Shield in a container.
IBM Container Registry with Baffle Docker Images
The following image lists the Baffle images uploaded to a container registry.
Deployment Prerequisites
Before you begin configuring Baffle Advanced Data Protection Services, you must do the following:
- Create IBM Keys Auth – For more information, see the IBM documentation.
- Deploy a Kubernetes cluster – For more information, see the IBM documentation.
- Create a Key Protect instance – For more information, see the IBM documentation.
- Create a Cloud Object Store (COS) – For more information, see the IBM documentation.
- Create HMAC keys on the COS – For more information, see the IBM documentation.
Step 1: Download Baffle images and configure the deployment
IMPORTANT: You must have completed the Deployment Prerequisites to successfully configure the deployment.
To download the instance and configure Baffle Manager, do the following:
- Download the Baffle images from the COS, then upload the images to your container registry.
- Go to the IBM Console, navigate to Catalog management > Catalogs > baffle and select baffle-manager from the catalog list.
- In the Version List table, select the baffle-manager version.
- Select Validate product, scroll down to the Deployment values, and specify the following parameters:
  baffle_version – Release number (build) for Baffle Manager.
  cluster_name – Name of your Kubernetes cluster.
  iaas_classic_api_key – IBM Key generated in Prerequisites.
  iaas_classic_username – Username for the IBM Key generated in Prerequisites.
  ibmcloud_api_key – IBM Key generated in Prerequisites.
  image_location – Container registry where Baffle Manager is uploaded.
- Click Revalidate to apply the parameter values. The Terraform Templates launch and apply the specified values to create the workspace.
- Make a note of the load_balancer_url in the Terraform output, as you will need this in the next section to
Step 2: Configure Baffle Manager
To install Baffle Manager, do the following:
- Open a browser window and enter the load_balancer_url from the Terraform output. You will receive a "Your connection is not private" warning.
- Click Advanced, then click the Proceed to link at the bottom of the page.
The Getting Started dialog to Unlock Baffle Manager appears.
- To unlock Baffle Manager, navigate to the baffle-manager pod of your Kubernetes cluster, copy the baffle-manager/initpass and paste it into the Getting Started text field, and click Continue.
- Configure Basic System Settings by entering the hostname and domain settings, then clicking Continue. All system users must have this domain name as part of their email address going forward.
- Configure Email Settings to allow Baffle Manager to send emails to provide notifications and for password resets. Enter the SMTP server to use as well as the credential to use to authenticate to the SMTP server, then click Continue.
- Create an Admin Account for the initial Baffle Manager administrator. This account is used to configure the subsequent components such as the key management store, data store connections, and Baffle Shields. Enter the Admin user information and click Continue.
- Configure Credential Keystore to establish an encrypted credential store for any system access credential or access key utilized by Baffle Manager or Baffle Shield.
Select LOCAL for Keystore type. For Secret Key, enter any random string which will be used to generate a random key to encrypt the Keystore Config Password. For Config Password, enter a secure password or passphrase to secure the actual keystore. Click Continue.
- Install SSL Certificate for secure access to the Baffle Manager web interface. Upload the certificate and key file for your organization or respective CA to enable SSL for the Baffle Manager console.
- Log in to the Baffle Admin account.
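For the Install SSL Certificate step, the certificate and key can be checked as a matching, unexpired pair before they are uploaded. The script below is an added example, not part of Baffle's documentation or tooling; it assumes PEM files, an unencrypted private key, the `openssl` CLI on the workstation, and a 30-day expiry threshold chosen for illustration.

```shell
#!/usr/bin/env bash
# Added example: pre-upload check for the Baffle Manager console certificate.
# File names and the 30-day default threshold are assumptions, not Baffle settings.

# check_cert_pair CERT KEY [MIN_DAYS]
# Returns 0 if usable, 1 if a file cannot be parsed, 2 if the key does not
# match the certificate, 3 if the certificate expires within MIN_DAYS.
check_cert_pair() {
  local cert="$1" key="$2" min_days="${3:-30}"
  local cert_pub key_pub

  # Public key embedded in the certificate (RSA or EC).
  cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || {
    echo "cannot parse certificate: $cert" >&2; return 1; }

  # Public key derived from the private key. The empty -passin makes an
  # encrypted key fail here instead of prompting for a passphrase.
  key_pub=$(openssl pkey -in "$key" -passin pass: -pubout 2>/dev/null) || {
    echo "cannot parse private key: $key" >&2; return 1; }

  # A mismatched pair would be rejected or break TLS after upload.
  if [ "$cert_pub" != "$key_pub" ]; then
    echo "certificate and key do not belong together" >&2; return 2
  fi

  # -checkend exits non-zero if the certificate expires within N seconds.
  if ! openssl x509 -in "$cert" -noout -checkend $((min_days * 86400)) >/dev/null; then
    echo "certificate expires within $min_days days" >&2; return 3
  fi

  echo "ok: $(openssl x509 -in "$cert" -noout -subject -enddate | tr '\n' ' ')"
}

# Run as: ./check_cert.sh console.crt console.key [min_days]
if [ "$#" -ge 2 ]; then
  check_cert_pair "$@"
fi
```

Once the organization's certificate is installed, the browser warning seen when first opening the load_balancer_url should no longer appear for clients that trust the issuing CA.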