This repository has been archived by the owner on Sep 3, 2021. It is now read-only.

Curity Helm Chart

Introduction

This chart creates Curity on a Kubernetes cluster using the Helm package manager. For more information on Curity and its capabilities, click here.

The release creates the following resources:

  • A runtime deployment
  • A runtime service

Installing the Chart

This chart depends on openssl to update the cluster from within a pod. Therefore the chart will only work with images that have openssl installed.

$ helm repo add curity https://curityio.github.io/idsvr-helm/
$ helm repo update
$ helm install <release-name> curity/idsvr --set <option>=<value>

To install the chart, you must provide a password for the admin user or load an existing configuration. Therefore one of the following must be specified:

  • a Secret to load environment variables from
  • a Secret containing the configuration that can be mounted
  • a password

Take into account that in the latter case your password is passed in clear text and may end up in logs; use Secrets in production environments. Check the Configuration chapter below for the corresponding options.
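The Secret-based alternative to `--set curity.config.password=...`, as an added example that is not part of the chart: a small shell helper that writes the admin password (and optionally a configuration encryption key) into a Kubernetes Secret manifest for `curity.config.environmentVariableSecret`, so the value never appears on the helm command line, in shell history or in the stored release values. The environment variable names `PASSWORD` and `CONFIG_ENCRYPTION_KEY` are assumed to be what the image expects; verify them against the chart templates before use.

```shell
#!/bin/sh
# Added example, not chart code. Builds a Secret manifest for
# curity.config.environmentVariableSecret. Variable names PASSWORD and
# CONFIG_ENCRYPTION_KEY are assumptions to check against the chart templates.
set -eu

# b64: base64-encode stdin as one line (GNU base64 wraps at 76 chars).
b64() { base64 | tr -d '\n'; }

# make_env_secret NAME PASSWORD [ENCRYPTION_KEY]
# Prints an Opaque Secret whose keys become environment variables in the pods.
make_env_secret() {
  name=$1; password=$2; enc_key=${3:-}
  printf 'apiVersion: v1\nkind: Secret\nmetadata:\n  name: %s\ntype: Opaque\ndata:\n' "$name"
  printf '  PASSWORD: %s\n' "$(printf '%s' "$password" | b64)"
  if [ -n "$enc_key" ]; then
    printf '  CONFIG_ENCRYPTION_KEY: %s\n' "$(printf '%s' "$enc_key" | b64)"
  fi
}

# decode_field MANIFEST KEY: recover one data value from the manifest,
# used to check that the encoding round-trips before applying it.
decode_field() {
  printf '%s\n' "$1" | awk -v k="$2:" '$1 == k { print $2 }' | base64 -d
}

# Usage (requires cluster access, so not executed here): read the password
# from an environment variable or a prompt rather than a command argument,
# apply the manifest, then point the chart at the Secret by name only.
#   SECRET_NAME=curity-admin-env
#   make_env_secret "$SECRET_NAME" "$ADMIN_PASSWORD" "$(openssl rand -hex 32)" \
#     | kubectl apply -f -
#   helm install <release-name> curity/idsvr \
#     --set curity.config.environmentVariableSecret="$SECRET_NAME"
```

`helm get values <release-name>` then shows only the Secret name, not the password, which is the point of preferring this route over `curity.config.password`.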

Uninstalling the Chart

$ helm delete <release-name>

Tutorial

Tutorials on using the chart and more are available in the Curity Resource library.

Configuration

In the table below you can find information about the parameters that are configurable in this chart.

| Parameter | Description | Default |
| --- | --- | --- |
| replicaCount | The number of runtime nodes to be deployed | 1 |
| image.repository | Image repository | curity.azurecr.io/curity/idsvr |
| image.tag | Image tag | 6.2.2 |
| image.pullPolicy | The policy to be applied in the deployment | IfNotPresent |
| image.pullSecret | The secret that is used to fetch images from the docker registry | null |
| nameOverride | Override the release name used in labels and selectors. If left blank it will be idsvr | "" |
| fullnameOverride | Override the full name used to name resources. If left blank it will be generated by helm with the suffix -curity | "" |
| networkpolicy.enabled | Enable or disable the network policy which isolates port curity.admin.service.port so that it can be accessed only by runtime nodes [1] | true |
| curity.healthCheckPort | The port to use for the status server | 4465 |
| curity.adminUiPort | The admin UI and API port. Ignored if curity.config.uiEnabled=false | 6749 |
| curity.adminUiHttp | Controls whether the admin UI runs in http or https mode after installation, if enabled. Ignored if curity.config.uiEnabled=false | false |
| curity.admin.role | The role of the admin server | admin |
| curity.admin.service.type | The admin service type | ClusterIP |
| curity.admin.service.port | The admin configuration port | 6789 |
| curity.admin.livenessProbe.timeoutSeconds | LivenessProbe timeoutSeconds for the admin deployment | 1 |
| curity.admin.livenessProbe.failureThreshold | LivenessProbe failureThreshold for the admin deployment | 3 |
| curity.admin.livenessProbe.periodSeconds | LivenessProbe periodSeconds for the admin deployment | 10 |
| curity.admin.livenessProbe.initialDelaySeconds | LivenessProbe initialDelaySeconds for the admin deployment | 30 |
| curity.admin.readinessProbe.timeoutSeconds | ReadinessProbe timeoutSeconds for the admin deployment | 1 |
| curity.admin.readinessProbe.failureThreshold | ReadinessProbe failureThreshold for the admin deployment | 3 |
| curity.admin.readinessProbe.successThreshold | ReadinessProbe successThreshold for the admin deployment | 3 |
| curity.admin.readinessProbe.periodSeconds | ReadinessProbe periodSeconds for the admin deployment | 10 |
| curity.admin.readinessProbe.initialDelaySeconds | ReadinessProbe initialDelaySeconds for the admin deployment | 30 |
| curity.admin.logging.level | The logging level of the admin pod | INFO |
| curity.admin.logging.stdout | Flag to enable/disable extra containers that tail the logs in the /var/log folder | false |
| curity.admin.logging.logs | Array of the extra containers that will be included in the admin pod | [] |
| curity.admin.logging.image | The image that will be used to create the logging containers | busybox:latest |
| curity.runtime.role | The role of the runtime servers | default |
| curity.runtime.service.type | The runtime service type | ClusterIP |
| curity.runtime.service.port | The runtime service port | 8443 |
| curity.runtime.deployment.port | The runtime deployment port | 8443 |
| curity.runtime.livenessProbe.timeoutSeconds | LivenessProbe timeoutSeconds for the runtime deployment | 1 |
| curity.runtime.livenessProbe.failureThreshold | LivenessProbe failureThreshold for the runtime deployment | 3 |
| curity.runtime.livenessProbe.periodSeconds | LivenessProbe periodSeconds for the runtime deployment | 10 |
| curity.runtime.livenessProbe.initialDelaySeconds | LivenessProbe initialDelaySeconds for the runtime deployment | 30 |
| curity.runtime.readinessProbe.timeoutSeconds | ReadinessProbe timeoutSeconds for the runtime deployment | 1 |
| curity.runtime.readinessProbe.failureThreshold | ReadinessProbe failureThreshold for the runtime deployment | 3 |
| curity.runtime.readinessProbe.successThreshold | ReadinessProbe successThreshold for the runtime deployment | 3 |
| curity.runtime.readinessProbe.periodSeconds | ReadinessProbe periodSeconds for the runtime deployment | 10 |
| curity.runtime.readinessProbe.initialDelaySeconds | ReadinessProbe initialDelaySeconds for the runtime deployment | 30 |
| curity.runtime.logging.level | The logging level of the runtime pod | INFO |
| curity.runtime.logging.stdout | Flag to enable/disable extra containers that tail the logs in the /var/log folder | false |
| curity.runtime.logging.logs | Array of the extra containers that will be included in the runtime pods | [] |
| curity.runtime.logging.image | The image that will be used to create the logging containers | busybox:latest |
| curity.config.uiEnabled | Flag to enable/disable the service for Admin UI and Admin REST API | false |
| curity.config.password | The administrator password. Required if neither curity.config.environmentVariableSecret nor curity.config.configurationSecret is set | null |
| curity.config.encryptionKey | The configuration encryption key | null |
| curity.config.environmentVariableSecret | The data from this Secret will be mounted as environment variables | null |
| curity.config.configurationSecret | The Secret containing configuration which is mounted as a volume | null |
| curity.config.configurationSecretItemName | The curity.config.configurationSecret's item name, required if the Secret is set | null |
| curity.config.configurationConfigMap | The ConfigMap containing configuration which is mounted as a volume | null |
| curity.config.configurationConfigMapItemName | The curity.config.configurationConfigMap's item name, required if the ConfigMap is set | null |
| curity.config.backup | If true, the configuration will be backed up in a secret on each commit | false |
| ingress.enabled | Flag to enable/disable an Ingress resource | false |
| ingress.annotations | Extra annotations for the Ingress resource | {} |
| ingress.runtime.host | Hostname of the runtime servers (used by the Ingress resource) | curity.local |
| ingress.runtime.paths | Paths of the runtime servers that can be accessed externally [2] | {/} |
| ingress.runtime.secretName | Secret which contains the TLS cert and key for the runtime TLS connection. If not set, the Ingress will be configured for HTTP | null |
| ingress.admin.host | Hostname for the admin server (used by the Ingress resource) | curity-admin.local |
| ingress.admin.secretName | Secret which contains the TLS cert and key for the admin TLS connection. If not set, the Ingress resource will be configured for HTTP | null |
| resources | Resource limits applied in admin and runtime deployments | {} |
| nodeSelector | Node selector applied in admin and runtime deployments | {} |
| tolerations | Tolerations applied in admin and runtime deployments | {} |
| affinity | Affinity applied in admin and runtime deployments | {} |
| txf.enableLinkerd | If true, adds the linkerd.io/inject: enabled annotation to the runtime and admin deployment spec | false |

[1] The network policy within the cluster will not have any effect unless there is a network policy provider that can enforce network policies. Check out the Kubernetes official documentation for guidance on how to install a network provider: Install Network Policy Provider - Kubernetes

[2] When using Helm's --set option, lists can be expressed by enclosing values in { and }. For example, --set ingress.runtime.paths="{/foo, /bar}" translates to:

paths:
  - /foo
  - /bar

Examples

Quickstart

To get started and test this Helm chart, run the following commands:

$ helm repo add curity https://curityio.github.io/idsvr-helm/
$ helm repo update
$ helm install <release-name> curity/idsvr --set curity.config.password=<admin_user_password>

Using configuration Backup

In order for the configuration to be backed up on each commit, the flag curity.config.backup must be set to true.

When it is, a script is mounted into the admin node that runs on each commit, dumps the full configuration (minus the clustering configuration, which is handled by this chart) and adds it to a Secret which by default has the name {{ include "curity.fullname" . }}-config-backup. The key under which each configuration dump is stored is <DATE>-<TRANSACTION_ID>.xml.

So, in order to update your deployment and use a previous backup of the configuration, you need to run:

helm upgrade <release-name> curity/idsvr \
  ...
  --set curity.config.configurationSecret=SECRET_NAME \
  --set curity.config.configurationSecretItemName=<DATE>-<TRANSACTION_ID>.xml

Sending all logs to stdout

If curity.admin.logging.stdout is true, the chart adds extra containers to the pods that tail any additional log files defined in curity.admin.logging.logs and pipe them to stdout. The same applies to curity.runtime.logging.stdout.

More Information

Please visit curity.io for more information about the Curity Identity Server.

Copyright (C) 2020 Curity AB.