Encrypted Configuration using Helm

Getting Started

If this is the very first time you run the Helm chart please take a look at Install the Curity Identity Server with Helm to get started.

This tutorial assumes you have the Curity repository installed and are familiar with the basic concepts of the Curity Identity Server, Helm and Kubernetes.

Using an Existing Configuration

When you deploy the Curity Identity Server in production you most likely have a configuration that is tested and confirmed that you just want to apply. You may also consider specifying an encryption key because your configuration is encrypted.

Assume you have an existing configuration stored in a file called default-conf.xml. Create a Kubernetes Secret from the file. Call the Secret idsvr-config and store your configuration under the name default-conf in the Secret.

$ kubectl create secret generic idsvr-config \
    --from-file=default-conf=default-conf.xml

Now use the Secret and install the release, specify the item and Secret that contain the configuration that should be loaded. Make Helm create two runtime nodes.

$ helm install idsvr-tutorial curity/idsvr \
    --set curity.config.configurationSecret=idsvr-config \
    --set curity.config.configurationSecretItemName=default-conf \
    --set replicaCount=2

Give it some time for setting up the release. You can check the status of the pods using Kubernetes command kubectl. Note the list of pods that are not ready yet and study their status.

$ kubectl get pods --namespace default --selector="app.kubernetes.io/instance=idsvr-tutorial"
NAME                                     READY   STATUS    RESTARTS   AGE
idsvr-tutorial-admin-8489d6d9fc-cc8zr    0/1     Running   0          5s
idsvr-tutorial-runtime-d66549c4c-9fhz6   0/1     Running   0          5s
idsvr-tutorial-runtime-d66549c4c-wphln   0/1     Running   0          5s

The Helm chart makes sure that the configuration is distributed to all the nodes. In addition, the chart will create a new cluster encryption key. In this way you can have several releases of the same chart and different revisions without having them interfering with each other.

We did not enable the Admin UI this time. It is good practice for production environments since it reduces the attack vector.

Specifying a Config Encryption Key

The Helm chart takes care of the cluster encryption key, making sure that the nodes can communicate in a secure way. However, to protect sensitive information in the configuration at rest make use of the configuration encryption. When using encrypted configuration you must specify a configuration encryption key otherwise the Curity Identity Server will fail to start. The Helm chart supports a parameter for the configuration encryption key.

Assume your default configuration created above was protected with the key 02b891b3ec501cece86de216a6f6a15f585dddcbd56fe21b410233d78dfaa79e and you forgot to specify the encryption key. Upgrade the release with the configuration encryption key.

$ helm upgrade idsvr-tutorial curity/idsvr \
    --reuse-values
    --set curity.config.encryptionKey=02b891b3ec501cece86de216a6f6a15f585dddcbd56fe21b410233d78dfaa79e

Wait for the new revision to be deployed and verify that all nodes are up again.

Uninstalling the Chart

To clean up uninstall and delete the resources created by this tutorial with the following command:

$ helm delete idsvr-tutorial

Summary

You learned how to install a cluster with three nodes, one admin node and two runtime nodes, using the Helm chart and an existing configuration. The Helm chart took care of the cluster configuration and cluster encryption key. You got familiar with the following parameters:

• replicaCount
• curity.config.configurationSecret
• curity.config.configurationSecretItemName
• curity.config.encryptionKey

You also explored helm upgrade command to make changes on an existing release.

Resources

The Helm chart and its related documentation as well as the source code can be found on GitHub.

More information about encrypting configuration can be found in the Configuration Guide.