Preparing for installation in a private network

To prepare to install the solution in a private corporate network:

Connect the vendor's Helm repository containing the Helm Chart package.
export CHART_URL="xxxxxx"

export CHART_USERNAME="xxxxxx"export CHART_PASSWORD="xxxxxx"

export VERSION="xxxxxx"

The CHART_URL, CHART_USERNAME, CHART_PASSWORD, and VERSION values are provided by the vendor.

Example connection of a repository with Helm Chart:

helm registry login \

--username $CHART_USERNAME \

--password $CHART_PASSWORD

$CHART_URL

helm pull oci://$CHART_URL/charts/kcs --version $VERSION

tar xvf kcs-$VERSION.tgz
Fill in the file with the installation settings (values.yaml) included in the solution distribution kit according to the comments in the file.
We do not recommend specifying account data in the values.yaml file to be used when launching the Helm Chart package.

You can use one of the following secure methods to manage secrets:
- Using CI/CD systems. Secrets are specified using protected environment variables or built-in secret management mechanisms. During deployment, the data is dynamically inserted into the Helm Chart; it does not need to be specified openly in the values.yaml configuration file.
- Integrating with HashiCorp Vault. Helm Chart supports integration with HashiCorp Vault, where you can store secrets, and you must specify only the paths to such secrets in values.yaml.
  The pull-secret values for Docker Registry cannot be fully stored in HashiCorp Vault. We recommend that you specify the pull-secret values manually in the section with the Kubernetes cluster parameters and reference them from the Helm Chart.
The following main installation settings must be specified in the values.yaml file:
- Namespace name.
  helm upgrade --install kcs . \
  
  --create-namespace \
  
  --namespace kcs \
  
  --values values.yaml \
- The domain name of Kaspersky Container Security for Inbound connections.
  --set default.domain="kcs.example.domain.ru" \
  
  When network policies are enabled, you must specify at least one namespace for the cluster ingress controller.
  
  --set default.networkPolicies.ingressControllerNamespaces="{ingress-nginx}" \
  
  By default, network policies are enabled.
- Secrets of the solution components.
  --set secret.infracreds.envs.POSTGRES_USER="user" \
  
  --set-string secret.infracreds.envs.POSTGRES_PASSWORD="pass" \
  
  --set secret.infracreds.envs.MINIO_ROOT_USER="user" \
  
  --set-string secret.infracreds.envs.MINIO_ROOT_PASSWORD="password" \
  
  --set-string secret.infracreds.envs.CLICKHOUSE_ADMIN_PASSWORD="pass" \
  
  --set secret.infracreds.envs.MCHD_USER="user" \
  
  --set-string secret.infracreds.envs.MCHD_PASS="pass" \
  
  To ensure security, the solution components must use credentials generated by the system administrator independently in accordance with corporate security policies. When deploying the target component within a solution, the specified user and password are automatically created. When using a third-party service, you must provide the username and password created by the administrator in the said service.
- Secrets related to access to the solution installation repository.
  --set pullSecret.kcs-pullsecret.username="user" \
  
  --set pullSecret.kcs-pullsecret.password="pass"
  
  If you plan to deploy the system using a Kaspersky registry, you must specify the credentials provided to you when you purchased Kaspersky Container Security. If you plan to use a private registry or a proxy registry, you must specify your registry credentials.
- HashiCorp Vault secrets storage settings:
  - The 'enabled' flag enables the integration with the storage. The 'vault.enabled = true' value indicates that the integration with HashiCorp Vault is established; the values of environment variables are obtained from the storage.
  - 'mountPath' is the path to the directory with the secrets in the storage.
  - 'role' is the role to be used for authentication in the storage.
We recommend not to change the composition of the basic installation settings.
If you are using an external PostgresSQL DBMS, please specify the following:
--set default.postgresql.external="true"

--set configmap.infraconfig.envs.postgres_host="<IP address or FQDN of PostgresSQL DBMS>"

--set configmap.infraconfig.envs.postgres_port="<port for connection to PostgresSQL DBMS; by default, port 5432 is used>"

--set configmap.infraconfig.envs.postgres_db_name="name of the database created by the PostgresSQL DBMS administrator, api is used by default>"

You should also ask the PostgreSQL DBMS administrator to clarify the requirements for the DBMS server certificates verification. Kaspersky Container Security supports the following verification modes:
- --set configmap.infraconfig.envs.postgres_verify_level= "disable” – the server certificate is not verified.
- --set configmap.infraconfig.envs.postgres_verify_level= "require” – the certificate is required, the solution trusts any certificate without any further verification.
- --set configmap.infraconfig.envs.postgres_verify_level= "verify-ca” – the certificate is required, the solution checks that the certificate is issued by a trusted CA (Certificate Authority).
- --set configmap.infraconfig.envs.postgres_verify_level= "verify-full” – the certificate is required, the solution verifies that the certificate is issued by a trusted CA and contains the correct IP address or FQDN.
If you need to verify the certificate of an external PostgresSQL DBMS, do the following:
1. Upload the public part of the CA certificate to the directory with the Helm Chart package using the certs/pgsql-ca.crt mask.
2. Specify the following verification parameter: --set configmap.infraconfig.envs.postgres_root_ca_path="/etc/ssl/certs/pgsql-ca.crt".
3. Uncomment the secret.cert-pgsql-ca section in the values.yaml configuration file to create the secret.
Save the file with the installation settings and proceed to install the solution.

Page top