Using your existing Kubernetes (K8S) cluster

This guide explains how to use the provisioning script to generate all the K8S components needed to run MetaDefender ICAP Server in your-already-created K8S cluster.

That requires some configuration options to be chosen, and the helm chart values to be configured properly.

Customized Installation

As for the demand of customizing the installation of our MetaDefender ICAP Server product in a K8S cluster, we have published the helm chart on GitHub: https://github.com/OPSWAT/metadefender-k8s/tree/main/helm_charts/icap

How to Install MetaDefender ICAP Server using Helm

This chart can deploy the following depending on your chosen configuration options:

  • One or more MD ICAP Server instances

git clone https://github.com/OPSWAT/metadefender-k8s.git cd metadefender/helm_carts/icap helm install md-icapsrv ./icap . #You can replace the file for specific scenario

Remarkable Configuration Options

The following table explains the different values that are remarkable to be set when customizing the installation. All these values will be set for you if you decide to use the MetaDefender K8S script explained in the above sections.

Parameter

Description

Default

ACCEPT_EULA

Set the ACCEPT_EULA variable to any value to confirm your acceptance of the End-User Licensing Agreement. The application will be start if the value is true.

false

mdicapsrv_user

Initial admin user for the MD ICAP Server web interface.

admin

mdicapsrv_password

Initial admin password for the MD ICAP Server web interface, if not set it will be randomly generated.

null

mdicapsrv_api_ key

36 character API key used for the MD ICAP Server REST API, if not set it will be randomly generated.

null

mdicapsrv_license_ key

A valid license key, this value is mandatory.

null

persistance_enabled

Set to false to not create any volumes or host paths in the deployment, all storage will be ephemeral.

true

storage_provisioner

Available storage providers

hostPath

storage_name

Available storage name providers

hostPath

storage_node

Available storage node providers

minikube

hostPathPrefix

This is the absolute path on the node where to keep the data filesystem for persistance

mdicapsrv-storage

icap_ingress.host

Hostname for the publicly accessible ingress

mdicapsrv-ingress.k8s

icap_ingress.service

Service name where the ingress should route to, this should be left unchanged

md-icapsrv

icap_ingress.rest_port

Port where the ingress should route to

8048

icap_ingress.enabled

Enable or disable the ingress creation

false

icap_ingress.class

Set the ingress class

nginx

icap_docker_repo

Docker repo to use, this should be changed when using private images (this string will be prepended to the image name).

opswat

icap_components.md_icapsrv.image

Overrides the default docker image for the MD ICAP Server service, this value can be changed if you want to set a different version of MD ICAP Server

<SET_DOCKER_IMAGE_HERE>

icap_components.md_icapsrv.replicas

Sets the number of replicas if you want to have multiple MD ICAP Server instances

1

icap_components.md_icapsrv.data_retention.config_history

Set time of the data retention config history

168 (unit: hour)

icap_components.md_icapsrv.data_retention.processing_history

Set time of the data retention processing history

168 (unit: hour)

icap_components.md_icapsrv.import_configuration.enabled

Enable import configuration file

false

icap_components.md_icapsrv.import_configuration.targets

  • List of import target for IMPORT_CONF_FILE.

    • all : Import all target

    • schema : Configuration for Security rules

    • servers : Configuration for Server profiles

    • global : Configuration for Global setting

    • history : Configuration for ICAP history

    • auditlog : Configuration for Config history

    • session : Configuration for Security -> Session

    • password-policy : Configuration for Password policy

    • certs : Configuration for Certificates. Notes: Make sure the path in the config file is valid in the container

    • ssl : Configuration for Security. It is used to enable/disable HTTPS/ICAPS

    • user-management : Configuration for User management

    • email: Configuration for Email Server

    • nginxsupport: Configuration for NGINX Communication

The all, certs, ssl, user-management target will override HTTPS_CERT_PATH, ICAPS_CERT_PATH, MD_USER, MD_PWD, MD_EMAIL only use it if you know what are you doing. e.g:

IMPORT_CONF_FILE_TARGET='["servers", "schema"]'

icap_components.md_icapsrv.import_configuration.importConfigMap

The name of the configmap for import config file

mdicapsrv-import-configuration

icap_components.md_icapsrv.import_configuration.importConfigPath

The path mount the file configuration to container

/opt/opswat

icap_components.md_icapsrv.import_configuration.importConfigMapSubPath

The name of the file in the configmap

settings_export_package.zip

icap_components.md_icapsrv.import_configuration.importConfigFilePass

The password of the config file if you use file .zip, else you use the .json file so the field can set is empty

null

icap_components.md_icapsrv.nginx_support.enabled

Enable NGINX communication

false

icap_components.md_icapsrv.tls.https.enabled

Enable HTTPS for MD ICAP Server

false

icap_components.md_icapsrv.tls.https.certSecret

The name of the secret name for file certificate

mdicapsrv-https-tls-cert

icap_components.md_icapsrv.tls.https.certSecretSubPath

The key of the secret will be mount to container

mdicapsrv-https.crt

icap_components.md_icapsrv.tls.https.certKeySecret

The name of the secret name for the file key

mdicapsrv-https-tls-cert-key

icap_components.md_icapsrv.tls.https.certKeySecretSubPath

The name of the secret key will be mount to container

mdicapsrv-https.key

icap_components.md_icapsrv.tls.https.mountPath

The path of the container will be mount files certificate and key

/https-cert

icap_components.md_icapsrv.tls.https.tlsversions

The version of the TLS. The application support for: "TLSv1.3","TLSv1.2","TLSv1.1","TLSv1", "SSLv3"

  • "TLSv1.2"

icap_components.md_icapsrv.tls.icaps.enabled

Enable ICAPS for MD ICAP Server

false

icap_components.md_icapsrv.tls.icaps.certSecret

The name of the secret name for file certificate

mdicapsrv-icaps-tls-cert

icap_components.md_icapsrv.tls.icaps.certSecretSubPath

The key of the secret will be mount to container

mdicapsrv-icaps.crt

icap_components.md_icapsrv.tls.icaps.certKeySecret

The name of the secret name for the file key

mdicapsrv-icaps-tls-cert-key

icap_components.md_icapsrv.tls.icaps.certKeySecretSubPath

The name of the secret key will be mount to container

mdicapsrv-icaps.key

icap_components.md_icapsrv.tls.icaps.mountPath

The path of the container will be mount files certificate and key

/icaps-cert

icap_components.md_icapsrv.tls.icaps.tlsversions

The version of the TLS. The application support for: "TLSv1.3","TLSv1.2","TLSv1.1","TLSv1", "SSLv3"

  • "TLSv1.2"

icap_components.md_icapsrv.tls.nginxs.enabled

Enable NGINX for MD ICAP Server

false

icap_components.md_icapsrv.tls.nginxs.certSecret

The name of the secret name for file certificate

mdicapsrv-nginxs-tls-cert

icap_components.md_icapsrv.tls.nginxs.certSecretSubPath

The key of the secret will be mount to container

mdicapsrv-nginxs.crt

icap_components.md_icapsrv.tls.nginxs.certKeySecret

The name of the secret name for the file key

mdicapsrv-nginxs-tls-cert-key

icap_components.md_icapsrv.tls.nginxs.certKeySecretSubPath

The name of the secret key will be mount to container

mdicapsrv-nginxs.key

icap_components.md_icapsrv.tls.nginxs.mountPath

The path of the container will be mount files certificate and key

/nginxs-cert

icap_components.md_icapsrv.tls.nginxs.tlsversions

The version of the TLS. The application support for: "TLSv1.3","TLSv1.2","TLSv1.1","TLSv1", "SSLv3"

  • "TLSv1.2"

icap_components.md_icapsrv.ports.rest

REST port to expose for the MD ICAP Server pod

8048

icap_components.md_icapsrv.ports.icap

ICAP port to expose for the MD ICAP Server pod

1344

icap_components.md_icapsrv.ports.icaps

ICAPS port to expose for the MD ICAP Server pod

11344

icap_components.md_icapsrv.ports.nginx

NGINX port to expose for the MD ICAP Server pod

8043

icap_components.md_icapsrv.ports.nginxs

NGINXS port to expose for the MD ICAP Server pod

8443

Trouble shooting

How to check the logs with Kubectl

  • In case the md-icapsrv pod does not initialize we need to check the init container logs to see why is failing

    1. The worker node running the md-icapsrv pod doesn’t have enough resources allocated for the pod.

    2. Provide the License Key in file values.yml for activation-manager container can run.

    3. Need to set value ACCEPT_EULA is true if the application can not start with reason accept EULA.

    4. If you have enabled TLS to need to uncomment scheme: HTTPS in health check. The key of the secret need to mapping with the field .certSecretSubPath and .certKeySecretSubPath

Kubernetes Management Platform Recommended

To administrate the Kubernetes cluster and see all the components installed from the same point we recommend using Lens Desktop