Encrypted Configuration using Helm
If this is the very first time you run the Helm chart please take a look at Install the Curity Identity Server with Helm to get started.
This tutorial assumes you have the Curity repository installed and are familiar with the basic concepts of the Curity Identity Server, Helm and Kubernetes.
When you deploy the Curity Identity Server in production you most likely have a configuration that is tested and confirmed that you just want to apply. You may also consider specifying an encryption key because your configuration is encrypted.
Cluster configurationRemove any cluster configuration from configuration file as it may conflict with the configuration provided by the Helm chart.
Assume you have an existing configuration stored in a file called
default-conf.xml. Create a Kubernetes Secret from the file. Call the Secret
idsvr-config and store your configuration under the name
default-conf in the Secret.
$ kubectl create secret generic idsvr-config \ --from-file=default-conf=default-conf.xml
Now use the Secret and install the release, specify the item and Secret that contain the configuration that should be loaded. Make Helm create two runtime nodes.
$ helm install idsvr-tutorial curity/idsvr \ --set curity.config.configurationSecret=idsvr-config \ --set curity.config.configurationSecretItemName=default-conf \ --set replicaCount=2
Give it some time for setting up the release.
You can check the status of the pods using Kubernetes command
kubectl. Note the list of pods that are not ready yet and study their status.
$ kubectl get pods --namespace default --selector="app.kubernetes.io/instance=idsvr-tutorial" NAME READY STATUS RESTARTS AGE idsvr-tutorial-admin-8489d6d9fc-cc8zr 0/1 Running 0 5s idsvr-tutorial-runtime-d66549c4c-9fhz6 0/1 Running 0 5s idsvr-tutorial-runtime-d66549c4c-wphln 0/1 Running 0 5s
The Helm chart makes sure that the configuration is distributed to all the nodes. In addition, the chart will create a new cluster encryption key. In this way you can have several releases of the same chart and different revisions without having them interfering with each other.
We did not enable the Admin UI this time. It is good practice for production environments since it reduces the attack vector.
The Helm chart takes care of the cluster encryption key, making sure that the nodes can communicate in a secure way. However, to protect sensitive information in the configuration at rest make use of the configuration encryption. When using encrypted configuration you must specify a configuration encryption key otherwise the Curity Identity Server will fail to start. The Helm chart supports a parameter for the configuration encryption key.
Assume your default configuration created above was protected with the key
02b891b3ec501cece86de216a6f6a15f585dddcbd56fe21b410233d78dfaa79e and you forgot to specify the encryption key. Upgrade the release with the configuration encryption key.
$ helm upgrade idsvr-tutorial curity/idsvr \ --reuse-values --set curity.config.encryptionKey=02b891b3ec501cece86de216a6f6a15f585dddcbd56fe21b410233d78dfaa79e
Wait for the new revision to be deployed and verify that all nodes are up again.
To clean up uninstall and delete the resources created by this tutorial with the following command:
$ helm delete idsvr-tutorial
You learned how to install a cluster with three nodes, one admin node and two runtime nodes, using the Helm chart and an existing configuration. The Helm chart took care of the cluster configuration and cluster encryption key. You got familiar with the following parameters:
You also explored
helm upgrade command to make changes on an existing release.
The Helm chart and its related documentation as well as the source code can be found on GitHub.
More information about encrypting configuration can be found in the Configuration Guide.