Using your existing Kubernetes (K8S) cluster
This guide explains how to use the provisioning script to generate all the K8S components needed to run MetaDefender ICAP Server in your already-created K8S cluster.
This requires choosing some configuration options and configuring the Helm chart values properly.
Customized Installation
To support customized installations of MetaDefender ICAP Server in a K8S cluster, we have published the Helm chart on GitHub: https://github.com/OPSWAT/metadefender-k8s/tree/main/helm_charts/icap
How to Install MetaDefender ICAP Server using Helm
This chart can deploy the following depending on your chosen configuration options:
- One or more MD ICAP Server instances
git clone https://github.com/OPSWAT/metadefender-k8s.git
cd metadefender-k8s/helm_charts/icap
helm install md-icapsrv . -f values.yml   # replace values.yml with the values file edited for your scenario
Remarkable Configuration Options
The following table explains the values that are worth setting when customizing the installation. All of these values are set for you if you use the MetaDefender K8S script explained in the sections above.
Parameter | Description | Default |
---|---|---|
ACCEPT_EULA | Set to true to confirm your acceptance of the End-User Licensing Agreement. The application starts only when the value is true. | false |
mdicapsrv_user | Initial admin user for the MD ICAP Server web interface. | admin |
mdicapsrv_password | Initial admin password for the MD ICAP Server web interface; randomly generated if not set. | null |
mdicapsrv_api_key | 36-character API key used for the MD ICAP Server REST API; randomly generated if not set. | null |
mdicapsrv_license_key | A valid license key. This value is mandatory. | null |
persistance_enabled | Set to false to create no volumes or host paths in the deployment; all storage is then ephemeral and is lost when the pod is recreated. | true |
storage_provisioner | Storage provisioner to use for the persistent volume. | hostPath |
storage_name | Name of the storage provider to use. | hostPath |
storage_node | Node that provides the storage. | minikube |
hostPathPrefix | Absolute path on the node under which the persistent data filesystem is kept. | mdicapsrv-storage |
icap_ingress.host | Hostname for the publicly accessible ingress. | mdicapsrv-ingress.k8s |
icap_ingress.service | Service name the ingress routes to; this should be left unchanged. | md-icapsrv |
icap_ingress.rest_port | Port the ingress routes to. | 8048 |
icap_ingress.enabled | Enable or disable the ingress creation. | false |
icap_ingress.class | Set the ingress class. | nginx |
icap_docker_repo | Docker repository to use; change this when using private images (this string is prepended to the image name). | opswat |
icap_components.md_icapsrv.image | Overrides the default Docker image for the MD ICAP Server service; change this value to deploy a different version of MD ICAP Server. | <SET_DOCKER_IMAGE_HERE> |
icap_components.md_icapsrv.replicas | Number of replicas, if you want multiple MD ICAP Server instances. | 1 |
icap_components.md_icapsrv.data_retention.config_history | Retention time for the configuration history. | 168 (unit: hour) |
icap_components.md_icapsrv.data_retention.processing_history | Retention time for the processing history. | 168 (unit: hour) |
icap_components.md_icapsrv.import_configuration.enabled | Enable importing a configuration file at startup. | false |
icap_components.md_icapsrv.import_configuration.targets | The | |
icap_components.md_icapsrv.import_configuration.importConfigMap | Name of the ConfigMap that holds the configuration file to import. | mdicapsrv-import-configuration |
icap_components.md_icapsrv.import_configuration.importConfigPath | Path in the container where the configuration file is mounted. | /opt/opswat |
icap_components.md_icapsrv.import_configuration.importConfigMapSubPath | Name of the file in the ConfigMap. | settings_export_package.zip |
icap_components.md_icapsrv.import_configuration.importConfigFilePass | Password of the configuration package when a .zip file is used; leave empty when importing a .json file. | null |
icap_components.md_icapsrv.nginx_support.enabled | Enable NGINX communication. | false |
icap_components.md_icapsrv.tls.https.enabled | Enable HTTPS for MD ICAP Server. | false |
icap_components.md_icapsrv.tls.https.certSecret | Name of the Secret that holds the certificate file. | mdicapsrv-https-tls-cert |
icap_components.md_icapsrv.tls.https.certSecretSubPath | Key within that Secret that is mounted into the container. | mdicapsrv-https.crt |
icap_components.md_icapsrv.tls.https.certKeySecret | Name of the Secret that holds the private key file. | mdicapsrv-https-tls-cert-key |
icap_components.md_icapsrv.tls.https.certKeySecretSubPath | Key within that Secret that is mounted into the container. | mdicapsrv-https.key |
icap_components.md_icapsrv.tls.https.mountPath | Path in the container where the certificate and key files are mounted. | /https-cert |
icap_components.md_icapsrv.tls.https.tlsversions | TLS versions to enable. The application supports "TLSv1.3","TLSv1.2","TLSv1.1","TLSv1","SSLv3". SSLv3, TLSv1 and TLSv1.1 are deprecated (RFC 7568, RFC 8996) and should not be enabled. | |
icap_components.md_icapsrv.tls.icaps.enabled | Enable ICAPS (ICAP over TLS) for MD ICAP Server. | false |
icap_components.md_icapsrv.tls.icaps.certSecret | Name of the Secret that holds the certificate file. | mdicapsrv-icaps-tls-cert |
icap_components.md_icapsrv.tls.icaps.certSecretSubPath | Key within that Secret that is mounted into the container. | mdicapsrv-icaps.crt |
icap_components.md_icapsrv.tls.icaps.certKeySecret | Name of the Secret that holds the private key file. | mdicapsrv-icaps-tls-cert-key |
icap_components.md_icapsrv.tls.icaps.certKeySecretSubPath | Key within that Secret that is mounted into the container. | mdicapsrv-icaps.key |
icap_components.md_icapsrv.tls.icaps.mountPath | Path in the container where the certificate and key files are mounted. | /icaps-cert |
icap_components.md_icapsrv.tls.icaps.tlsversions | TLS versions to enable. The application supports "TLSv1.3","TLSv1.2","TLSv1.1","TLSv1","SSLv3". SSLv3, TLSv1 and TLSv1.1 are deprecated (RFC 7568, RFC 8996) and should not be enabled. | |
icap_components.md_icapsrv.tls.nginxs.enabled | Enable TLS for the NGINX listener of MD ICAP Server. | false |
icap_components.md_icapsrv.tls.nginxs.certSecret | Name of the Secret that holds the certificate file. | mdicapsrv-nginxs-tls-cert |
icap_components.md_icapsrv.tls.nginxs.certSecretSubPath | Key within that Secret that is mounted into the container. | mdicapsrv-nginxs.crt |
icap_components.md_icapsrv.tls.nginxs.certKeySecret | Name of the Secret that holds the private key file. | mdicapsrv-nginxs-tls-cert-key |
icap_components.md_icapsrv.tls.nginxs.certKeySecretSubPath | Key within that Secret that is mounted into the container. | mdicapsrv-nginxs.key |
icap_components.md_icapsrv.tls.nginxs.mountPath | Path in the container where the certificate and key files are mounted. | /nginxs-cert |
icap_components.md_icapsrv.tls.nginxs.tlsversions | TLS versions to enable. The application supports "TLSv1.3","TLSv1.2","TLSv1.1","TLSv1","SSLv3". SSLv3, TLSv1 and TLSv1.1 are deprecated (RFC 7568, RFC 8996) and should not be enabled. | |
icap_components.md_icapsrv.ports.rest | REST port to expose for the MD ICAP Server pod. | 8048 |
icap_components.md_icapsrv.ports.icap | ICAP port to expose for the MD ICAP Server pod. | 1344 |
icap_components.md_icapsrv.ports.icaps | ICAPS port to expose for the MD ICAP Server pod. | 11344 |
icap_components.md_icapsrv.ports.nginx | NGINX port to expose for the MD ICAP Server pod. | 8043 |
icap_components.md_icapsrv.ports.nginxs | NGINX TLS port to expose for the MD ICAP Server pod. | 8443 |
Troubleshooting
How to check the logs with Kubectl
- If the md-icapsrv pod does not initialize, check the init container logs (kubectl logs <pod> -c <init-container-name>) to see why it is failing.
- The worker node running the md-icapsrv pod may not have enough resources allocated for the pod; kubectl describe pod <pod> shows the scheduling events.
- Provide the license key in values.yml so that the activation-manager container can run.
- Set ACCEPT_EULA to true if the application does not start because the EULA has not been accepted.
- If you have enabled TLS, you need to uncomment scheme: HTTPS in the health check. The keys of the Secrets must match the values of .certSecretSubPath and .certKeySecretSubPath.
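The last three items above, and the tlsversions caveat in the configuration table, can be checked before running helm install. The following pre-flight script is an added example and is not part of the OPSWAT chart or the provisioning script. It models the chart values as a nested dict whose shape is assumed from the dotted parameter names in the table (the chart's exact format for tlsversions is not shown on the page, so both a list and a comma-separated string are accepted), reads the TLS Secrets in the shape `kubectl get secret -o json` prints, and reports an empty license key, a missing EULA acceptance, deprecated protocol versions, and a Secret whose key does not match certSecretSubPath or certKeySecretSubPath. The sample values and Secrets at the bottom are constructed for the example and deliberately contain three of those mistakes.

```python
"""Pre-flight check for a MetaDefender ICAP Server Helm deployment (added example)."""
import base64
import json

# Versions the table lists but which are deprecated (SSLv3: RFC 7568; TLS 1.0/1.1: RFC 8996).
DEPRECATED_TLS = {"SSLv3", "TLSv1", "TLSv1.1"}
LISTENERS = ("https", "icaps", "nginxs")


def tls_versions(value):
    """Normalise tlsversions: accept a list or a comma-separated string (format assumed)."""
    if value is None:
        return []
    if isinstance(value, str):
        return [v.strip() for v in value.split(",") if v.strip()]
    return list(value)


def check_values(values):
    """Return the problems in the chart values that stop the pod from starting or weaken TLS."""
    problems = []
    if str(values.get("ACCEPT_EULA", "false")).lower() != "true":
        problems.append("ACCEPT_EULA is not true; the application will not start")
    if not values.get("mdicapsrv_license_key"):
        problems.append("mdicapsrv_license_key is empty; activation-manager cannot run")
    tls = values["icap_components"]["md_icapsrv"]["tls"]
    for listener in LISTENERS:
        cfg = tls.get(listener, {})
        if not cfg.get("enabled"):
            continue
        bad = sorted(DEPRECATED_TLS & set(tls_versions(cfg.get("tlsversions"))))
        if bad:
            problems.append(f"tls.{listener}.tlsversions enables deprecated {', '.join(bad)}")
    return problems


def _pem_problem(secret, key, marker):
    """None if secret.data[key] exists and base64-decodes to a PEM block containing marker."""
    name = secret["metadata"]["name"]
    data = secret.get("data", {})
    if key not in data:
        return f"secret {name} has no key {key!r}; keys present: {sorted(data)}"
    try:
        pem = base64.b64decode(data[key], validate=True).decode("ascii")
    except (ValueError, UnicodeDecodeError):
        return f"secret {name} key {key!r} is not valid base64"
    if marker not in pem:
        return f"secret {name} key {key!r} does not contain a {marker} PEM block"
    return None


def check_tls_secrets(values, secrets):
    """Cross-check each enabled listener's Secret names and sub-paths against the cluster Secrets."""
    problems = []
    tls = values["icap_components"]["md_icapsrv"]["tls"]
    for listener in LISTENERS:
        cfg = tls.get(listener, {})
        if not cfg.get("enabled"):
            continue
        for name_field, sub_field, marker in (
            ("certSecret", "certSecretSubPath", "CERTIFICATE"),
            ("certKeySecret", "certKeySecretSubPath", "PRIVATE KEY"),
        ):
            name = cfg[name_field]
            if name not in secrets:
                problems.append(f"tls.{listener}.{name_field}: secret {name!r} not found")
                continue
            err = _pem_problem(secrets[name], cfg[sub_field], marker)
            if err:
                problems.append(f"tls.{listener}.{sub_field}: {err}")
    return problems


def load_secrets(kubectl_json):
    """Index the output of `kubectl get secret -o json` by Secret name."""
    return {s["metadata"]["name"]: s for s in json.loads(kubectl_json)["items"]}


# --- constructed sample input (not taken from a real cluster) ---
def _b64(text):
    return base64.b64encode(text.encode()).decode()


SAMPLE_SECRETS_JSON = json.dumps({"items": [
    {"metadata": {"name": "mdicapsrv-https-tls-cert"},
     "data": {"mdicapsrv-https.crt": _b64("-----BEGIN CERTIFICATE-----\nMIIB\n-----END CERTIFICATE-----\n")}},
    {"metadata": {"name": "mdicapsrv-https-tls-cert-key"},
     # mistake: key stored as "tls.key" instead of the certKeySecretSubPath value
     "data": {"tls.key": _b64("-----BEGIN PRIVATE KEY-----\nMIIE\n-----END PRIVATE KEY-----\n")}},
]})

SAMPLE_VALUES = {
    "ACCEPT_EULA": "true",
    "mdicapsrv_license_key": "",  # mistake: license key forgotten
    "icap_components": {"md_icapsrv": {"tls": {
        "https": {"enabled": True,
                  "certSecret": "mdicapsrv-https-tls-cert", "certSecretSubPath": "mdicapsrv-https.crt",
                  "certKeySecret": "mdicapsrv-https-tls-cert-key", "certKeySecretSubPath": "mdicapsrv-https.key",
                  "tlsversions": ["TLSv1.3", "TLSv1.2", "TLSv1"]},  # mistake: TLSv1 enabled
        "icaps": {"enabled": False},
        "nginxs": {"enabled": False},
    }}},
}


def run(values=SAMPLE_VALUES, kubectl_json=SAMPLE_SECRETS_JSON):
    """Return all problems found; an empty list means the deployment is ready to install."""
    return check_values(values) + check_tls_secrets(values, load_secrets(kubectl_json))


if __name__ == "__main__":
    for problem in run():
        print("PROBLEM:", problem)
```

Against a live cluster, feed `run()` the parsed values file and the output of `kubectl get secret -n <namespace> -o json`; it reports three problems for the constructed sample (empty license key, TLSv1 enabled, private key stored under the wrong Secret key) and nothing once those are corrected.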