Using your existing Kubernetes (K8S) cluster

This guide explains how to use the provisioning script to generate all the K8S components needed to run MetaDefender ICAP Server in your already-created K8S cluster.

This requires choosing some configuration options and configuring the Helm chart values properly.

Customized Installation

To support customized installations of our MetaDefender ICAP Server product in a K8S cluster, we have published the Helm chart on GitHub: https://github.com/OPSWAT/metadefender-k8s/tree/main/helm_charts/icap

How to Install MetaDefender ICAP Server using Helm

This chart can deploy the following depending on your chosen configuration options:

  • One or more MD ICAP Server instances

Remarkable Configuration Options

The following table explains the values that are worth setting when customizing the installation. All these values will be set for you if you decide to use the MetaDefender K8S script explained in the sections above.

| Parameter | Description | Default |
|---|---|---|
| ACCEPT_EULA | Set the ACCEPT_EULA variable to any value to confirm your acceptance of the End-User Licensing Agreement. The application will start if the value is true. | false |
| mdicapsrv_user | Initial admin user for the MD ICAP Server web interface. | admin |
| mdicapsrv_password | Initial admin password for the MD ICAP Server web interface; if not set, it will be randomly generated. | null |
| mdicapsrv_api_key | 36-character API key used for the MD ICAP Server REST API; if not set, it will be randomly generated. | null |
| mdicapsrv_license_key | A valid license key; this value is mandatory. | null |
| persistance_enabled | Set to false to not create any volumes or host paths in the deployment; all storage will then be ephemeral. | true |
| storage_provisioner | Available storage providers | hostPath |
| storage_name | Available storage name providers | hostPath |
| storage_node | Available storage node providers | minikube |
| hostPathPrefix | The absolute path on the node where the data filesystem for persistence is kept | mdicapsrv-storage |
| icap_ingress.host | Hostname for the publicly accessible ingress | mdicapsrv-ingress.k8s |
| icap_ingress.service | Service name the ingress should route to; this should be left unchanged | md-icapsrv |
| icap_ingress.rest_port | Port the ingress should route to | 8048 |
| icap_ingress.enabled | Enable or disable the ingress creation | false |
| icap_ingress.class | Set the ingress class | nginx |
| icap_docker_repo | Docker repo to use; this should be changed when using private images (this string is prepended to the image name). | opswat |
| icap_components.md_icapsrv.image | Overrides the default docker image for the MD ICAP Server service; change this value if you want to deploy a different version of MD ICAP Server | <SET_DOCKER_IMAGE_HERE> |
| icap_components.md_icapsrv.replicas | Sets the number of replicas if you want to have multiple MD ICAP Server instances | 1 |
| icap_components.md_icapsrv.data_retention.config_history | Retention time for the config history | 168 (unit: hour) |
| icap_components.md_icapsrv.data_retention.processing_history | Retention time for the processing history | 168 (unit: hour) |
| icap_components.md_icapsrv.import_configuration.enabled | Enable importing a configuration file | false |

icap_components.md_icapsrv.import_configuration.targets: list of import targets for IMPORT_CONF_FILE. The available targets are:
  • all : import all targets
  • schema : configuration for Security rules
  • servers : configuration for Server profiles
  • global : configuration for Global settings
  • history : configuration for ICAP history
  • auditlog : configuration for Config history
  • session : configuration for Security -> Session
  • password-policy : configuration for Password policy
  • certs : configuration for Certificates. Note: make sure the path in the config file is valid inside the container
  • ssl : configuration for Security; it is used to enable/disable HTTPS/ICAPS
  • user-management : configuration for User management
  • email : configuration for Email Server
  • nginxsupport : configuration for NGINX Communication

The all, certs, ssl and user-management targets override HTTPS_CERT_PATH, ICAPS_CERT_PATH, MD_USER, MD_PWD and MD_EMAIL; only use them if you know what you are doing. Example:

IMPORT_CONF_FILE_TARGET='["servers", "schema"]'

| Parameter | Description | Default |
|---|---|---|
| icap_components.md_icapsrv.import_configuration.importConfigMap | Name of the configmap holding the import config file | mdicapsrv-import-configuration |
| icap_components.md_icapsrv.import_configuration.importConfigPath | Path where the configuration file is mounted in the container | /opt/opswat |
| icap_components.md_icapsrv.import_configuration.importConfigMapSubPath | Name of the file in the configmap | settings_export_package.zip |
| icap_components.md_icapsrv.import_configuration.importConfigFilePass | Password of the config file if you use a .zip file; leave it empty if you use a .json file | null |
| icap_components.md_icapsrv.nginx_support.enabled | Enable NGINX communication | false |
| icap_components.md_icapsrv.tls.https.enabled | Enable HTTPS for MD ICAP Server | false |
| icap_components.md_icapsrv.tls.https.certSecret | Name of the secret holding the certificate file | mdicapsrv-https-tls-cert |
| icap_components.md_icapsrv.tls.https.certSecretSubPath | Key of the secret that will be mounted into the container | mdicapsrv-https.crt |
| icap_components.md_icapsrv.tls.https.certKeySecret | Name of the secret holding the key file | mdicapsrv-https-tls-cert-key |
| icap_components.md_icapsrv.tls.https.certKeySecretSubPath | Key of the secret (for the key file) that will be mounted into the container | mdicapsrv-https.key |
| icap_components.md_icapsrv.tls.https.mountPath | Container path where the certificate and key files are mounted | /https-cert |
| icap_components.md_icapsrv.tls.https.tlsversions | TLS versions to enable. The application supports "TLSv1.3", "TLSv1.2", "TLSv1.1", "TLSv1", "SSLv3" | ["TLSv1.2"] |
| icap_components.md_icapsrv.tls.icaps.enabled | Enable ICAPS for MD ICAP Server | false |
| icap_components.md_icapsrv.tls.icaps.certSecret | Name of the secret holding the certificate file | mdicapsrv-icaps-tls-cert |
| icap_components.md_icapsrv.tls.icaps.certSecretSubPath | Key of the secret that will be mounted into the container | mdicapsrv-icaps.crt |
| icap_components.md_icapsrv.tls.icaps.certKeySecret | Name of the secret holding the key file | mdicapsrv-icaps-tls-cert-key |
| icap_components.md_icapsrv.tls.icaps.certKeySecretSubPath | Key of the secret (for the key file) that will be mounted into the container | mdicapsrv-icaps.key |
| icap_components.md_icapsrv.tls.icaps.mountPath | Container path where the certificate and key files are mounted | /icaps-cert |
| icap_components.md_icapsrv.tls.icaps.tlsversions | TLS versions to enable. The application supports "TLSv1.3", "TLSv1.2", "TLSv1.1", "TLSv1", "SSLv3" | ["TLSv1.2"] |
| icap_components.md_icapsrv.tls.nginxs.enabled | Enable NGINXS (TLS for NGINX communication) for MD ICAP Server | false |
| icap_components.md_icapsrv.tls.nginxs.certSecret | Name of the secret holding the certificate file | mdicapsrv-nginxs-tls-cert |
| icap_components.md_icapsrv.tls.nginxs.certSecretSubPath | Key of the secret that will be mounted into the container | mdicapsrv-nginxs.crt |
| icap_components.md_icapsrv.tls.nginxs.certKeySecret | Name of the secret holding the key file | mdicapsrv-nginxs-tls-cert-key |
| icap_components.md_icapsrv.tls.nginxs.certKeySecretSubPath | Key of the secret (for the key file) that will be mounted into the container | mdicapsrv-nginxs.key |
| icap_components.md_icapsrv.tls.nginxs.mountPath | Container path where the certificate and key files are mounted | /nginxs-cert |
| icap_components.md_icapsrv.tls.nginxs.tlsversions | TLS versions to enable. The application supports "TLSv1.3", "TLSv1.2", "TLSv1.1", "TLSv1", "SSLv3" | ["TLSv1.2"] |
| icap_components.md_icapsrv.ports.rest | REST port to expose for the MD ICAP Server pod | 8048 |
| icap_components.md_icapsrv.ports.icap | ICAP port to expose for the MD ICAP Server pod | 1344 |
| icap_components.md_icapsrv.ports.icaps | ICAPS port to expose for the MD ICAP Server pod | 11344 |
| icap_components.md_icapsrv.ports.nginx | NGINX port to expose for the MD ICAP Server pod | 8043 |
| icap_components.md_icapsrv.ports.nginxs | NGINXS port to expose for the MD ICAP Server pod | 8443 |
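As an added example that is not part of the chart or of the page's own scripts, the following Python lint checks a values file against the constraints from the table above before `helm install`: mandatory license key and EULA acceptance, API key length, the four secret names each enabled TLS listener needs, protocol versions (the chart still accepts SSLv3 through TLSv1.1, which the lint flags), an ingress host when the ingress is enabled, and import targets that override the certificate and user settings. It assumes the values have already been loaded into a dict, for instance with PyYAML's `yaml.safe_load`; `SAMPLE_VALUES` is constructed test data.

```python
# Added example (not from the OPSWAT chart); SAMPLE_VALUES below is constructed.
from typing import Dict, List

IMPORT_TARGETS = {"all", "schema", "servers", "global", "history", "auditlog", "session",
                  "password-policy", "certs", "ssl", "user-management", "email", "nginxsupport"}
# Targets that override HTTPS_CERT_PATH, ICAPS_CERT_PATH, MD_USER, MD_PWD and MD_EMAIL.
OVERRIDING_TARGETS = {"all", "certs", "ssl", "user-management"}
SAFE_TLS = {"TLSv1.2", "TLSv1.3"}  # the chart also accepts TLSv1.1, TLSv1 and SSLv3


def lint_values(values: Dict) -> List[str]:
    """Return findings for a values dict; an empty list means it passes the checks."""
    findings = []
    if values.get("ACCEPT_EULA") is not True:
        findings.append("ACCEPT_EULA must be true or the application will not start")
    if not values.get("mdicapsrv_license_key"):
        findings.append("mdicapsrv_license_key is mandatory")
    if (key := values.get("mdicapsrv_api_key")) is not None and len(key) != 36:
        findings.append("mdicapsrv_api_key must be 36 characters, or unset to auto-generate")
    srv = values.get("icap_components", {}).get("md_icapsrv", {})
    for name, cfg in srv.get("tls", {}).items():  # https, icaps, nginxs
        if not cfg.get("enabled"):
            continue
        for field in ("certSecret", "certSecretSubPath", "certKeySecret", "certKeySecretSubPath"):
            if not cfg.get(field):  # the pod mounts the secret under exactly these names
                findings.append(f"tls.{name}.{field} is empty but tls.{name}.enabled is true")
        weak = set(cfg.get("tlsversions", [])) - SAFE_TLS
        if weak:
            findings.append(f"tls.{name}.tlsversions enables deprecated protocols: {sorted(weak)}")
    imp = srv.get("import_configuration", {})
    if imp.get("enabled"):
        targets = set(imp.get("targets", []))
        if targets - IMPORT_TARGETS:
            findings.append(f"unknown import targets: {sorted(targets - IMPORT_TARGETS)}")
        if targets & OVERRIDING_TARGETS:
            findings.append(f"import targets {sorted(targets & OVERRIDING_TARGETS)} override the "
                            "HTTPS_CERT_PATH, ICAPS_CERT_PATH, MD_USER, MD_PWD and MD_EMAIL settings")
    ing = values.get("icap_ingress", {})
    if ing.get("enabled") and not ing.get("host"):
        findings.append("icap_ingress.enabled is true but icap_ingress.host is not set")
    return findings


# Constructed sample: ICAPS enabled with an empty key-file sub path, a deprecated protocol,
# and an import target that overrides the certificate settings.
SAMPLE_VALUES = {"ACCEPT_EULA": True, "mdicapsrv_license_key": "<LICENSE_KEY_PLACEHOLDER>",
    "icap_components": {"md_icapsrv": {
        "tls": {"icaps": {"enabled": True, "tlsversions": ["TLSv1.2", "TLSv1"],
                          "certSecret": "mdicapsrv-icaps-tls-cert", "certSecretSubPath": "mdicapsrv-icaps.crt",
                          "certKeySecret": "mdicapsrv-icaps-tls-cert-key", "certKeySecretSubPath": ""}},
        "import_configuration": {"enabled": True, "targets": ["servers", "schema", "certs"]}}}}
```

Running `lint_values(SAMPLE_VALUES)` yields three findings (the empty `certKeySecretSubPath`, the `TLSv1` entry, and the overriding `certs` target); an empty list means the values are ready for the install.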

Troubleshooting

How to check the logs with Kubectl

  • If the md-icapsrv pod does not initialize, check the init container logs to see why it is failing. Common causes and fixes:
    1. The worker node running the md-icapsrv pod doesn't have enough resources allocated for the pod.
    2. Provide the license key in the values.yml file so that the activation-manager container can run.
    3. Set the ACCEPT_EULA value to true if the application cannot start because the EULA has not been accepted.
    4. If you have enabled TLS, you need to uncomment scheme: HTTPS in the health check. The key of the secret must match the .certSecretSubPath and .certKeySecretSubPath fields.