Preparing for installation in a private network

To prepare to install the solution in a private corporate network:

  1. Connect the vendor's Helm repository containing the Helm Chart package.

    export CHART_URL="xxxxxx"
    export CHART_USERNAME="xxxxxx"
    export CHART_PASSWORD="xxxxxx"
    export VERSION="xxxxxx"

    The CHART_URL, CHART_USERNAME, CHART_PASSWORD, and VERSION values are provided by the vendor.

    Example of connecting the repository that contains the Helm Chart package:

    helm registry login \
    --username "$CHART_USERNAME" \
    --password "$CHART_PASSWORD" \
    "$CHART_URL"

    helm pull "oci://$CHART_URL/charts/kcs" --version "$VERSION"

    tar xvf "kcs-$VERSION.tgz"

  2. Fill in the file with the installation settings (values.yaml) included in the solution distribution kit according to the comments in the file.

    We do not recommend specifying account data in the values.yaml file to be used when launching the Helm Chart package.

    You can use one of the following secure methods to manage secrets:

    • Using CI/CD systems. Secrets are specified using protected environment variables or built-in secret management mechanisms. During deployment, the data is dynamically inserted into the Helm Chart; it does not need to be specified openly in the values.yaml configuration file.
    • Integrating with HashiCorp Vault. Helm Chart supports integration with HashiCorp Vault: you store the secrets in the vault and specify only the paths to those secrets in values.yaml.

      The pull-secret values for Docker Registry cannot be fully stored in HashiCorp Vault. We recommend that you specify the pull-secret values manually in the section with the Kubernetes cluster parameters and reference them from the Helm Chart.

    The following main installation settings must be specified in the values.yaml file:

    • Namespace name.

      helm upgrade --install kcs . \
      --create-namespace \
      --namespace kcs \
      --values values.yaml \

    • The domain name of Kaspersky Container Security for inbound connections.

      --set default.domain="kcs.example.domain.ru" \

      When network policies are enabled, you must specify at least one namespace for the cluster ingress controller.

      --set default.networkPolicies.ingressControllerNamespaces="{ingress-nginx}" \

      By default, network policies are enabled.

    • Secrets of the solution components.

      --set secret.infracreds.envs.POSTGRES_USER="user" \
      --set-string secret.infracreds.envs.POSTGRES_PASSWORD="pass" \
      --set secret.infracreds.envs.MINIO_ROOT_USER="user" \
      --set-string secret.infracreds.envs.MINIO_ROOT_PASSWORD="password" \
      --set-string secret.infracreds.envs.CLICKHOUSE_ADMIN_PASSWORD="pass" \
      --set secret.infracreds.envs.MCHD_USER="user" \
      --set-string secret.infracreds.envs.MCHD_PASS="pass" \

      To ensure security, the solution components must use credentials that the system administrator generates independently, in accordance with corporate security policies. When a target component is deployed as part of the solution, the specified user and password are created automatically. When a third-party service is used, you must provide the username and password that the administrator created in that service.

    • Secrets related to access to the solution installation repository.

      --set pullSecret.kcs-pullsecret.username="user" \
      --set pullSecret.kcs-pullsecret.password="pass"

      If you plan to deploy the system using a Kaspersky registry, you must specify the credentials provided to you when you purchased Kaspersky Container Security. If you plan to use a private registry or a proxy registry, you must specify your registry credentials.

    • HashiCorp Vault secrets storage settings:
      • enabled is the flag to enable the integration with the storage. The vault.enabled = true value indicates that the integration with HashiCorp Vault is established; the values of environment variables are obtained from the storage.
      • mountPath is the path to the directory with the secrets in the storage.
      • role is the role to be used for authentication in the storage.

    We recommend that you do not change the composition of the basic installation settings.

  3. Save the file with the installation settings and proceed to install the solution.
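
The CI/CD method from step 2, sketched as an added example (not code from the vendor's documentation): the credentials arrive as protected environment variables and reach Helm through a temporary file readable only by its owner, so they appear neither in values.yaml nor on the helm command line. The KCS_* variable names and both function names are assumptions; the value paths are the ones used in the --set flags above.

```shell
#!/bin/sh
# Added example. KCS_* variable names are hypothetical (set them as protected
# CI/CD variables); the value paths mirror the --set flags shown on this page.

# Keys under secret.infracreds.envs that must be supplied.
INFRA_KEYS="POSTGRES_USER POSTGRES_PASSWORD MINIO_ROOT_USER MINIO_ROOT_PASSWORD \
CLICKHOUSE_ADMIN_PASSWORD MCHD_USER MCHD_PASS"

# Emit a single-quoted YAML scalar so a password is never parsed as a number,
# boolean or YAML syntax; a ' inside the value is escaped by doubling it.
yaml_quote() {
    printf "'%s'" "$(printf '%s' "$1" | sed "s/'/''/g")"
}

# Write the secret overrides to a temp file (mktemp creates it with mode 0600)
# and print its path. Fails before creating the file if any variable is empty.
render_secret_values() {
    missing=""
    for k in $INFRA_KEYS PULL_USERNAME PULL_PASSWORD; do
        eval "v=\${KCS_$k:-}"
        [ -n "$v" ] || missing="$missing KCS_$k"
    done
    if [ -n "$missing" ]; then
        echo "missing protected variables:$missing" >&2
        return 1
    fi
    out=$(mktemp) || return 1
    {
        printf 'secret:\n  infracreds:\n    envs:\n'
        for k in $INFRA_KEYS; do
            eval "v=\$KCS_$k"
            printf '      %s: %s\n' "$k" "$(yaml_quote "$v")"
        done
        printf 'pullSecret:\n  kcs-pullsecret:\n'
        printf '    username: %s\n' "$(yaml_quote "$KCS_PULL_USERNAME")"
        printf '    password: %s\n' "$(yaml_quote "$KCS_PULL_PASSWORD")"
    } > "$out"
    echo "$out"
}

# Install with the non-secret values.yaml plus the generated overrides,
# then delete the overrides whether or not helm succeeded.
deploy_kcs() {
    secrets=$(render_secret_values) || return 1
    helm upgrade --install kcs . --create-namespace --namespace kcs \
        --values values.yaml --values "$secrets" && rc=0 || rc=$?
    rm -f "$secrets"
    return "$rc"
}
```

Call deploy_kcs from the unpacked chart directory; when several --values files are given, Helm applies them in order, so the generated overrides take precedence over values.yaml.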