
idsvr-helm's Introduction

Curity Helm Chart Repository


This repository contains the Curity Identity Server helm chart source code.

For more information on Curity and its capabilities, click here.

How to Install the Chart

$ helm repo add curity https://curityio.github.io/idsvr-helm/
$ helm repo update
$ helm install <release-name> curity/idsvr --set <option>=<value>

For more details see the chart README.md

More Information

Please visit curity.io for more information about the Curity Identity Server.

Copyright (C) 2020 Curity AB.

idsvr-helm's People

Contributors

anestos, arcriiad, arelion-org-bot, atifsaddique211f, bokristoffersson, bondarau, cjmalloy, daniellindau, gary-archer, iggbom, jacobideskog, jlmart88, jmadureira, johanfylling, ju-cu, keeganwitt, kfreskgard, klowdo, marcmillien, mtrojanowski, piratekev, pjoshi2023, shuaibiyy, slivkamiro, suren-khatana, teamsmiley, travisspencer


idsvr-helm's Issues

curity.config.uiEnabled not effective

The default value for curity.config.uiEnabled is false, and thus the Admin UI and RESTCONF interface should be disabled by default. However, the parameter only prevents the admin port from being added to the list of ports in the deployment template. Ports listed there are just informative. See https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#ports for reference. Port-forwarding will work nevertheless. I expect this parameter to disable the installation of the Admin UI, i.e. run unattendinstall --without-admin-ui

Master branch should be protected

The master branch should be protected so that force pushes are disallowed. It will also help users mirroring the repo to limit the mirroring to only protected branches (at the moment this results in either no branches being mirrored or all branches being mirrored).

Missing secret key for pod to come up when using helm chart.

I am using the following command:

helm install curity-idsvr curity/idsvr \
  --namespace curity-idsvr \
  --set image.tag=latest \
  --set curity.config.password=Pass1 \
  --set curity.config.uiEnabled=true \
  --set curity.admin.livenessProbe.initialDelaySeconds=240 \
  --set curity.runtime.livenessProbe.initialDelaySeconds=240

And when I check the deployment, both the admin and runtime pods get this error:

Warning FailedMount 23s (x7 over 54s) kubelet MountVolume.SetUp failed for volume "cluster-xml" : references non-existent secret key: cluster-1.xml

After reading the excellent docs, I think something goes wrong when building the proper secret. Investigating the secret, it creates a placeholder for it but doesn't really create the cluster-1.xml secret key, which is required so that the containers come up.

kubectl describe secret -n curity-idsvr curity-idsvr-cluster-config-xml
Name:         curity-idsvr-cluster-config-xml
Namespace:    curity-idsvr
Labels:       <none>
Annotations:  helm.sh/hook: pre-install,pre-upgrade
              helm.sh/hook-weight: -5

Type:  Opaque

Data
====
placeholder:  6 bytes
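As an added example (not code from the idsvr-helm chart or from the issue author), the following Python pre-flight check reproduces the kubelet's complaint from manifests shaped like `kubectl get ... -o json`, so a missing key is caught before the pods try to mount it. The secret name, the volume name "cluster-xml" and the key `cluster-1.xml` are taken from the issue; the container, mount path and placeholder content are assumed.

```python
"""Pre-flight check: does every secret key a pod mounts actually exist?

Added example, not code from the idsvr-helm chart. The constructed samples
below mimic `kubectl get <resource> -o json` output; names taken from the
issue are noted, everything else is assumed for illustration.
"""
import base64
import json

# Constructed sample: the secret as the pre-install hook left it, holding only
# a placeholder entry (mirrors the `kubectl describe secret` output above).
# The placeholder content "dummy1" is assumed.
SECRET_JSON = json.dumps({
    "apiVersion": "v1", "kind": "Secret", "type": "Opaque",
    "metadata": {"name": "curity-idsvr-cluster-config-xml",
                 "namespace": "curity-idsvr"},
    "data": {"placeholder": base64.b64encode(b"dummy1").decode()},
})

# Constructed sample: a pod whose volume projects key cluster-1.xml from that
# secret. Volume name and key come from the kubelet warning in the issue; the
# container name, image and mount path are assumed.
POD_JSON = json.dumps({
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "curity-idsvr-admin-pod", "namespace": "curity-idsvr"},
    "spec": {
        "containers": [{"name": "idsvr", "image": "curity/idsvr:latest",
                        "volumeMounts": [{"name": "cluster-xml",
                                          "mountPath": "/assumed/cluster"}]}],
        "volumes": [{"name": "cluster-xml",
                     "secret": {"secretName": "curity-idsvr-cluster-config-xml",
                                "items": [{"key": "cluster-1.xml",
                                           "path": "cluster.xml"}]}}],
    },
})


def secret_keys(secret):
    """Keys present in a Secret, from both data (base64) and stringData."""
    return set(secret.get("data", {})) | set(secret.get("stringData", {}))


def missing_secret_keys(pod, secrets):
    """Return [(volume, secretName, key)] for every reference that cannot be mounted.

    Mirrors what the kubelet checks at MountVolume.SetUp: a secret volume with
    an explicit `items` list fails if any listed key is absent; a volume
    without `items` mounts whatever keys exist, so only a missing (and
    non-optional) secret is reported for it, with key None.
    """
    by_name = {s["metadata"]["name"]: s for s in secrets}
    problems = []
    for vol in pod["spec"].get("volumes", []):
        src = vol.get("secret")
        if src is None:
            continue
        secret = by_name.get(src["secretName"])
        if secret is None:
            if not src.get("optional", False):
                problems.append((vol["name"], src["secretName"], None))
            continue
        present = secret_keys(secret)
        for item in src.get("items", []):
            if item["key"] not in present:
                problems.append((vol["name"], src["secretName"], item["key"]))
    return problems


def check_secret_volumes(pod_json, *secret_jsons):
    """Parse kubectl -o json output and return findings as kubelet-style lines."""
    pod = json.loads(pod_json)
    secrets = [json.loads(s) for s in secret_jsons]
    return [f'volume "{v}" references non-existent secret key: {k}' if k
            else f'volume "{v}" references non-existent secret: {s}'
            for v, s, k in missing_secret_keys(pod, secrets)]


if __name__ == "__main__":
    for line in check_secret_volumes(POD_JSON, SECRET_JSON):
        print(line)
```

Against a live cluster, feed it the output of `kubectl get pod <pod> -n curity-idsvr -o json` and `kubectl get secret curity-idsvr-cluster-config-xml -n curity-idsvr -o json`; an empty result means every key the pod's secret volumes project is present.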

Improve Backup process

We need the ability to modify the backup process and additionally copy the configuration after each change to an AWS S3 bucket. What if I prepare a pull request and move the backup script (data) to a values file, so we can take the value from the values file? This way, everyone can customize the backup process as needed.

Multiple runtime hosts

As the product supports multiple domain names/hosts to be used, the following values should be possible to submit as arrays in some way or form

  • ingress.runtime.host
  • ingress.runtime.tlshost
  • ingress.runtime.secretName

AWS IAM Service role

We need an option to add custom annotations to the ServiceAccount,
for example:

annotations:
  helm.sh/hook: pre-install,pre-upgrade
  helm.sh/hook-weight: "-5"
  eks.amazonaws.com/role-arn: ARN_IAM_Role

Configuration File

I don't fully understand how the interaction with the configuration file works. What will happen if I make several changes and commit them one by one (a timestamp is created secretly)? What will happen if the Admin POD restarts, or if I need to move it to another NODE? How will it load the latest configuration file from secrets, or otherwise load the latest configuration file? Can you clarify?

unmarshal errors while trying to add the curity helm repo

Hi, I'm trying to add the curity helm repo so that I can use the charts. When doing so, I get this error:

Error: looks like "https://curityio.github.io/idsvr-helm" is not a valid chart repository or cannot be reached: error converting YAML to JSON: yaml: unmarshal errors:
  line 23: key "apiVersion" already set in map
  line 25: key "entries" already set in map

When I search for the repo using

helm search hub curity

the chart version is still listed as 0.12.2 and the app version as 8.1.1

Ability to port-forward to runtime service

It can be helpful to be able to port-forward to the runtime service. Currently, the runtime service's selectors match both runtime and admin pods. Since admin pods don't have an http port, attempting to port-forward results in an error:

> kubectl port-forward service/curity-idsvr-runtime-svc 9000:80
error: Pod 'curity-idsvr-admin-pod' does not have a named port 'http-port'

One solution is to add a selector and matching label to the service and deployment respectively like in this commit.
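As an added example (not code from the idsvr-helm chart or from the issue author), the Python check below reproduces the port-forward failure from manifests shaped like `kubectl get ... -o json` and shows that narrowing the Service selector, as the issue proposes, makes it go away. The Service name, the admin pod name and the named port `http-port` come from the issue; the label keys (`app`, `role`), the port numbers and the runtime pod name are assumed.

```python
"""Check that every pod a Service selects exposes the Service's named targetPort.

Added example, not code from the idsvr-helm chart. Constructed samples mimic
`kubectl get <resource> -o json`; names taken from the issue are noted,
the rest is assumed for illustration.
"""
import json

# Constructed: a runtime Service with a named targetPort whose selector only
# uses the label shared by both pod kinds (the situation the issue describes).
SERVICE_JSON = json.dumps({
    "kind": "Service",
    "metadata": {"name": "curity-idsvr-runtime-svc"},
    "spec": {"selector": {"app": "curity-idsvr"},
             "ports": [{"name": "http", "port": 80, "targetPort": "http-port"}]},
})

# Constructed pod list: the runtime pod has the named port, the admin pod
# exposes a differently named port only (port numbers assumed).
PODS_JSON = json.dumps({"kind": "List", "items": [
    {"kind": "Pod",
     "metadata": {"name": "curity-idsvr-runtime-pod",
                  "labels": {"app": "curity-idsvr", "role": "runtime"}},
     "spec": {"containers": [{"name": "idsvr",
                              "ports": [{"name": "http-port", "containerPort": 8443}]}]}},
    {"kind": "Pod",
     "metadata": {"name": "curity-idsvr-admin-pod",
                  "labels": {"app": "curity-idsvr", "role": "admin"}},
     "spec": {"containers": [{"name": "idsvr",
                              "ports": [{"name": "config-port", "containerPort": 6749}]}]}},
]})


def selected_pods(service, pods):
    """Pods whose labels satisfy every key/value in the Service selector."""
    sel = service["spec"].get("selector", {})
    if not sel:  # a Service without a selector has no pods behind it
        return []
    return [p for p in pods
            if all(p["metadata"].get("labels", {}).get(k) == v for k, v in sel.items())]


def pod_port_names(pod):
    """Named container ports declared on the pod (unnamed ports are skipped)."""
    return {port["name"] for c in pod["spec"]["containers"]
            for port in c.get("ports", []) if "name" in port}


def pods_missing_named_ports(service, pods):
    """Return [(pod, targetPort)] for selected pods lacking a named targetPort.

    kubectl port-forward picks a pod behind the Service; if that pod has no
    container port with the target name the command fails with
    "does not have a named port". Numeric targetPorts cannot fail this way.
    """
    names = [p["targetPort"] for p in service["spec"].get("ports", [])
             if isinstance(p.get("targetPort"), str)]
    findings = []
    for pod in selected_pods(service, pods):
        have = pod_port_names(pod)
        findings.extend((pod["metadata"]["name"], n) for n in names if n not in have)
    return findings


def check_named_ports(service_json, pods_json):
    """Parse kubectl -o json output and return kubectl-style error lines."""
    service = json.loads(service_json)
    pods = json.loads(pods_json)["items"]
    return [f"Pod '{pod}' does not have a named port '{port}'"
            for pod, port in pods_missing_named_ports(service, pods)]


def narrowed(service_json, **labels):
    """The fix the issue proposes: add label(s) to the Service selector."""
    service = json.loads(service_json)
    service["spec"].setdefault("selector", {}).update(labels)
    return json.dumps(service)


if __name__ == "__main__":
    print(check_named_ports(SERVICE_JSON, PODS_JSON))
    print(check_named_ports(narrowed(SERVICE_JSON, role="runtime"), PODS_JSON))
```

With a live cluster, pass the output of `kubectl get service curity-idsvr-runtime-svc -o json` and `kubectl get pods -o json`; the second run shows that once the selector carries a label only the runtime deployment sets (here the assumed `role: runtime`), the admin pod is no longer selected and the check is clean.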

TLS only configured if secretName is set

The TLS section of the ingress is not configured unless a secretName is provided; however, this is not always necessary. An NGINX ingress controller can have a default certificate configured using the default-ssl-certificate. In these cases NGINX will always use the certificate configured there for TLS where none is configured in the ingress.

The issue is here. The conditional should not use secretName as the only condition for enabling TLS in the ingress. It should also enable it e.g. if tlsHost is set, or maybe via a new enableTLS flag.

Add option to allow HTTP connections.

In some cases another service will be terminating TLS. It would be nice if during the initial install we could have an option to allow HTTP connections.

Ingress - Admin portal

Hi,
I am trying to get the ingress for the admin portal to work without much success. I always get a 504 (timeout). Port forwarding works. Any suggestions?
