This page provides instructions for deploying Baffle Manager on IBM Cloud in a Kubernetes cluster.
Before you begin, review the following topics:
- Baffle Terraform Template Deployment
- IBM Container Registry with Baffle Docker Images
- Deployment Prerequisites
Baffle Terraform Template Deployment
Baffle Advanced Data Protection utilizes the Terraform Template to deploy multiple resources in a cloud infrastructure. IBM Cloud deploys Baffle Manager in a Kubernetes cluster and Baffle Shield in a container.
IBM Container Registry with Baffle Docker Images
The following image lists the Baffle images uploaded to a container registry.
Deployment Prerequisites
Before you begin configuring Baffle Advanced Data Protection Services, you must do the following:
- Create IBM Keys Auth – For more information, see the IBM documentation.
- Deploy a Kubernetes cluster – For more information, see the IBM documentation.
- Create a Key Protect instance – For more information, see the IBM documentation.
- Create a Cloud Object Store (COS) – For more information, see the IBM documentation.
- Create HMAC keys on the COS – For more information, see the IBM documentation.
Step 1: Download Baffle images and configure the deployment
IMPORTANT: You must have completed the Deployment Prerequisites to successfully configure the deployment.
To download the instance and configure Baffle Manager, do the following:
- Download the Baffle images from the COS, then upload the images to your container registry.
- Go to the IBM Console, navigate to Catalog management > Catalogs > baffle and select baffle-manager from the catalog list.
- In the Version List table, select the baffle-manager version.
- Select Validate product, scroll down to the Deployment values, and specify the following parameters:
  - baffle_version – Release number (build) for Baffle Manager.
  - cluster_name – Name of your Kubernetes cluster.
  - iaas_classic_api_key – IBM Key generated in Prerequisites.
  - iaas_classic_username – Username for the IBM Key generated in Prerequisites.
  - ibmcloud_api_key – IBM Key generated in Prerequisites.
  - image_location – Container registry where Baffle Manager is uploaded.
- Click Revalidate to apply the parameter values. The Terraform Templates launch and apply the specified values to create the workspace.
- Make a note of the load_balancer_url in the Terraform output, as you will need this in the next section to
- Open a browser window and enter the load_balancer_url from the Terraform output. You will receive a Your connection is not private warning.
- Click Advanced, then click the Proceed to link at the bottom of the page.
The Getting Started dialog to Unlock Baffle Manager appears.
- Continue with configuring Baffle Manager.
Step 2: Configure Baffle Manager
This step walks you through the process of configuring Baffle Manager for your environment.
To configure Baffle Manager, do the following:
- Configure Basic System Settings by entering the hostname and domain settings, then click Continue. All system users must have this domain name as part of their email address going forward.
- Configure Email Settings so that Baffle Manager can send notification and password-reset emails. Enter the SMTP server to use and the credentials used to authenticate to it, then click Continue.
- Create an Admin Account for the initial Baffle Manager administrator. This account is used to configure the subsequent components such as the key management store, data store connections, and Baffle Shields. Enter the Admin user information and click Continue.
- Configure Credential Keystore to establish an encrypted credential store for any system access credential or access key that Baffle Manager or Baffle Shield utilizes. The default name is “baffle_credential_store” and cannot be changed.
  Select LOCAL for Keystore type. Enter the Baffle Secret Key in the text field.
  NOTE: The Baffle Secret Key must contain at least 10 characters, a mixture of upper and lower case, including at least 1 number. The Secret Key is used to generate a random key to encrypt the Keystore Config Password.
  For Config Password, enter a secure password or passphrase to secure the actual keystore.
- Install SSL Certificate for secure access to the Baffle Manager web interface. Upload the certificate and key file for your organization or respective CA to enable SSL for the Baffle Manager console.
- Enter the login credentials for the Baffle Admin account you created and click SIGN IN.
- Continue with Configure IBM Key Protect and add it as a keystore.
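For the Configure Credential Keystore step above, the following added example (not part of the Baffle documentation or product) generates a Baffle Secret Key from a cryptographic random source and checks any candidate against the rule stated in the NOTE. The function names are hypothetical, and the alphabet is limited to letters and digits as an assumption, because this page does not say which symbols the field accepts.

```python
import secrets
import string

MIN_LENGTH = 10  # minimum length stated in the NOTE on this page
# Assumption: letters and digits only; the page does not list accepted symbols.
ALPHABET = string.ascii_letters + string.digits


def policy_problems(key):
    """Return the rules from the NOTE that `key` fails (empty list = compliant)."""
    problems = []
    if len(key) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c in string.ascii_uppercase for c in key):
        problems.append("no upper-case letter")
    if not any(c in string.ascii_lowercase for c in key):
        problems.append("no lower-case letter")
    if not any(c in string.digits for c in key):
        problems.append("no number")
    return problems


def generate_secret_key(length=32):
    """Draw a key from the OS CSPRNG, retrying until it meets the stated rule."""
    if length < MIN_LENGTH:
        raise ValueError(f"length must be at least {MIN_LENGTH}")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if not policy_problems(candidate):
            return candidate


if __name__ == "__main__":
    # Constructed sample values, for illustration only.
    for sample in ("baffle2024", "BaffleSecretKey", "Baffle1"):
        print(f"{sample!r}: {policy_problems(sample) or 'ok'}")
    # Store the generated value in your secrets manager, not in shell history.
    print(generate_secret_key())
```

The same generator can produce the Config Password; use a separate value for each field.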