This chart creates Curity on a Kubernetes cluster using the Helm package manager. For more information on Curity and its capabilities, click here.
The release creates the following resources:
- A runtime deployment
- A runtime service
This chart depends on openssl to update the cluster from within a pod. Therefore the chart will only work with images that have openssl installed.
$ helm repo add curity https://curityio.github.io/idsvr-helm/
$ helm repo update
$ helm install <release-name> curity/idsvr --set <option>=<value>
To install the chart, you must provide a password for the admin user or load an existing configuration. Therefore one of the following must be specified:
- a Secret to load environment variables from
- a Secret containing the configuration that can be mounted
- a password
Take into account that in the latter case your password will be in clear text and may end up in logs. Do use Secrets in production environment. Check out the Configuration chapter below to find the corresponding options.
$ helm delete <release-name>
Tutorials on using the chart and more are available in the Curity Resource library
In the table below you can find information about the parameters that are configurable in this chart.
Parameter | Description | Default |
---|---|---|
replicaCount |
The number of runtime nodes to be deployed | 1 |
image.repository |
Image repository | curity/idsvr |
image.tag |
Image tag | 6.0.0 |
image.pullPolicy |
The policy to be applied in the deployment | IfNotPresent |
image.pullSecret |
The secret that is used to fetch images from the docker registry | null |
nameOverride |
Override the name release name used in labels and selectors. If left blank it will be idsvr |
"" |
fullnameOverride |
Override the full name used to name resources. If left blank it will be generated by helm with the suffix -curity |
"" |
networkpolicy.enabled |
Enable or disable the network policy which isolates port curity.admin.service.port to be accessed only by runtime nodes 1 |
true |
curity.healthCheckPort |
The port to use for the status server | 4465 |
curity.adminUiPort |
The admin UI and API port. Ignored if curity.config.uiEnabled=false |
6749 |
curity.adminUiHttp |
Controls if admin UI will be on http or https mode after installation if enabled. Ignored if curity.config.uiEnabled=false |
false |
curity.admin.role |
The role of the admin server | admin |
curity.admin.service.type |
The admin service type | ClusterIP |
curity.admin.service.port |
The admin configuration port | 6789 |
curity.admin.livenessProbe.timeoutSeconds |
LivenessProbe timeoutSeconds for the admin deployment |
1 |
curity.admin.livenessProbe.failureThreshold |
LivenessProbe failureThreshold for the admin deployment |
3 |
curity.admin.livenessProbe.periodSeconds |
LivenessProbe periodSeconds for the admin deployment |
10 |
curity.admin.livenessProbe.initialDelaySeconds |
The admin initialDelaySeconds port |
30 |
curity.admin.readinessProbe.timeoutSeconds |
ReadinessProbe timeoutSeconds for the admin deployment |
1 |
curity.admin.readinessProbe.failureThreshold |
ReadinessProbe failureThreshold for the admin deployment |
3 |
curity.admin.readinessProbe.successThreshold |
ReadinessProbe successThreshold for the admin deployment |
3 |
curity.admin.readinessProbe.periodSeconds |
ReadinessProbe periodSeconds for the admin deployment |
10 |
curity.admin.readinessProbe.initialDelaySeconds |
ReadinessProbe initialDelaySeconds for the admin deployment |
30 |
curity.admin.logging.level |
The logging level of the admin pod | INFO |
curity.admin.logging.stdout |
Flag to enable/disable extra containers that tail the logs in var/log folder. |
false |
curity.admin.logging.logs |
Array of the extra containers that will be included in the admin pod | [] |
curity.admin.logging.image |
The image that will be used to create the logging containers | busybox:latest |
curity.runtime.role |
The role of the runtime servers | default |
curity.runtime.service.type |
The runtime service type | ClusterIP |
curity.runtime.service.port |
The runtime service port | 8443 |
curity.runtime.livenessProbe.timeoutSeconds |
LivenessProbe timeoutSeconds for the runtime deployment |
1 |
curity.runtime.livenessProbe.failureThreshold |
LivenessProbe failureThreshold for the runtime deployment |
3 |
curity.runtime.livenessProbe.periodSeconds |
LivenessProbe periodSeconds for the runtime deployment |
10 |
curity.runtime.livenessProbe.initialDelaySeconds |
The admin initialDelaySeconds port |
30 |
curity.runtime.readinessProbe.timeoutSeconds |
ReadinessProbe timeoutSeconds for the runtime deployment |
1 |
curity.runtime.readinessProbe.failureThreshold |
ReadinessProbe failureThreshold for the runtime deployment |
3 |
curity.runtime.readinessProbe.successThreshold |
ReadinessProbe successThreshold for the runtime deployment |
3 |
curity.runtime.readinessProbe.periodSeconds |
ReadinessProbe periodSeconds for the runtime deployment |
10 |
curity.runtime.readinessProbe.initialDelaySeconds |
ReadinessProbe initialDelaySeconds for the runtime deployment |
30 |
curity.runtime.logging.level |
The logging level of the runtime pod | INFO |
curity.runtime.logging.stdout |
Flag to enable/disable extra containers that tail the logs in var/log folder. |
false |
curity.runtime.logging.logs |
Array of the extra containers that will be included in the runtime pods | [] |
curity.runtime.logging.image |
The image that will be used to create the logging containers | busybox:latest |
curity.config.uiEnabled |
Flag to enable/disable the service for Admin UI and Admin REST API | false |
curity.config.password |
The administrator password. Required if curity.config.environmentVariableSecret and curity.config.configurationSecret is not set |
null |
curity.config.encryptionKey |
The configuration encryption key | null |
curity.config.environmentVariableSecret |
The data from this Secret will be mounted as environment variables | null |
curity.config.configurationSecret |
The Secret containing configuration which is mounted as a volume | null |
curity.config.configurationSecretItemName |
The curity.config.configurationSecret 's item name, required if the Secret is set. |
null |
curity.config.configurationConfigMap |
The ConfigMap containing configuration which is mounted as a volume | null |
curity.config.configurationConfigMapItemName |
The curity.config.configurationConfigMap 's item name, required if the ConfigMap is set. |
null |
curity.config.backup |
If true , the configuration will be backed up in a secret in each commit |
false |
ingress.enabled |
Flag to enable/disable an Ingress resource | false |
ingress.annotations |
Extra annotations for the Ingress resource | {} |
ingress.runtime.host |
Hostname of the runtime servers (used by the Ingress resource) | curity.local |
ingress.runtime.secretName |
Secret which contains the tls cert and key for the runtime TLS connection. If not set, the Ingress will be configured for HTTP | null |
ingress.admin.host |
Hostname for the admin server (used by the Ingress resource) | curity-admin.local |
ingress.admin.secretName |
Secret which contains the tls cert and key for the runtime TLS connection. If not set, the Ingress resource will be configured for HTTP | null |
resources |
Resource limits applied in admin and runtime deployments | {} |
nodeSelector |
Node selector applied in admin and runtime deployments | {} |
tolerations |
Tolerations applied in admin and runtime deployments | {} |
affinity |
Affinity applied in admin and runtime deployments | {} |
1 The network policy within the cluster will not have any affect unless there is a network policy provider that can enforce network policies. Check out kubernetes official documentation for more guidance on how to install network providers: Install Network Policy Provider - Kubernetes
To get started and test this helm chart run the following commands:
$ helm repo add curity https://curityio.github.io/idsvr-helm/
$ helm repo update
$ helm install <release-name> curity/idsvr --set curity.config.password=<admin_user_password>
In order for the configuration to be backed up in each commit, the flag curity.config.backup
must be set to true
.
When this is the case, a script is mounted into the admin node which runs in each commit and dumps the full configuration
(minus the clustering configuration which is handled by this chart) and adds it to a secret which by default has the name {{ include "curity.fullname" . }}-config-backup
. The key for the configuration is <DATE>-<TRANSACTION_ID>.xml
.
So, in order to update your deployment and use a previous backup of the configuration, you need to run:
helm upgrade <release-name> curity/idsvr \
...
--set curity.config.configurationSecret=SECRET_NAME \
--set curity.config.configurationSecretItemName=<DATE>-<TRANSACTION_ID>.xml
If curity.admin.logging.stdout
is true
, the Chart will add extra containers in the pods, that will tail any additional log files defined in curity.admin.logging.logs
and pipe them to stdout.
The same applies for curity.runtime.logging.stdout
.
Please visit curity.io for more information about the Curity Identity Server.
Copyright (C) 2020 Curity AB.