visionone-file-security-helm

Deploying ICAP Server with AWS NLB on EKS

This guide explains how to deploy an ICAP server on Amazon EKS using the AWS Network Load Balancer (NLB).

Overview

The ICAP (Internet Content Adaptation Protocol) server requires a Network Load Balancer because:

Prerequisites

1. Install AWS Load Balancer Controller (if not already installed)

Run the following:

# Create IAM policy
curl -o iam-policy.json https://raw.githubusercontent.com/kubernetes-sigs/aws-load-balancer-controller/main/docs/install/iam_policy.json

aws iam create-policy \
  --policy-name AWSLoadBalancerControllerIAMPolicy \
  --policy-document file://iam-policy.json

# Create IAM role and service account
eksctl create iamserviceaccount \
  --cluster <your-cluster-name> \
  --namespace kube-system \
  --name aws-load-balancer-controller \
  --attach-policy-arn arn:aws:iam::<your-account-id>:policy/AWSLoadBalancerControllerIAMPolicy \
  --approve

# Install controller
helm repo add eks https://aws.github.io/eks-charts
helm repo update

helm install aws-load-balancer-controller eks/aws-load-balancer-controller \
  -n kube-system \
  --set clusterName=<your-cluster-name> \
  --set serviceAccount.create=false \
  --set serviceAccount.name=aws-load-balancer-controller

2. Tag Subnets for NLB

3. Update values.yaml for External Access

Update values.yaml with the following content:

scanner:
  # Other scanner settings remain unchanged

  # Enable external NLB service for ICAP
  externalService:
    enabled: true
    annotations:
      service.beta.kubernetes.io/aws-load-balancer-type: "external"
      service.beta.kubernetes.io/aws-load-balancer-nlb-target-type: "ip"
      service.beta.kubernetes.io/aws-load-balancer-scheme: "internet-facing"
    icapPort: 1344

4. Update the deployment with NLB configuration

Run the following:

helm upgrade my-release visionone-filesecurity/visionone-filesecurity \
  -n visionone-filesecurity \
  -f values.yaml

5. Verify NLB Deployment

Run the following:

# Check the service status
kubectl get service -n visionone-filesecurity | grep scanner-lb

# Get the NLB DNS name
NLB_DNS=$(kubectl get service -n visionone-filesecurity my-release-visionone-filesecurity-scanner-lb -o jsonpath='{.status.loadBalancer.ingress[0].hostname}')
echo "Your NLB DNS name is: $NLB_DNS"

6. Configure DNS (Route53)

  1. Go to Route53 Console → Hosted Zones
  2. Create an A record:
    • Name: icap.example.com
    • Type: A (Alias)
    • Route traffic to: Network Load Balancer
    • Select your NLB

7. Test ICAP Connection

Install and use the c-icap-client to test your connection:

# Install c-icap-client
sudo apt-get install c-icap

# Test with file scanning
c-icap-client -i icap.example.com -s scan -p 1344 -f sample.txt -x "X-scan-file-name: sample.txt"

8. Enable TLS for your ICAP service

This step is optional. If you want to enable TLS for your ICAP service, update your NLB configuration in values.yaml. The `aws-load-balancer-ssl-cert` value is a placeholder: replace it with the ARN of an ACM certificate issued for your ICAP hostname in the same region as the NLB. With this annotation the NLB terminates TLS and forwards plain ICAP traffic to the scanner pods on port 1344, so clients must connect with TLS while the in-cluster service stays unchanged:

scanner:
  # Other scanner settings remain unchanged

  # Enable external LoadBalancer service for ICAP
  externalService:
    enabled: true
    type: LoadBalancer
    annotations:
      service.beta.kubernetes.io/aws-load-balancer-type: "external"
      service.beta.kubernetes.io/aws-load-balancer-nlb-target-type: "ip"
      service.beta.kubernetes.io/aws-load-balancer-scheme: "internet-facing"
      # TLS configuration
      service.beta.kubernetes.io/aws-load-balancer-ssl-cert: "arn:aws:acm:region:account-id:certificate/certificate-id"
    icapPort: 1344

Apply this configuration:

helm upgrade my-release visionone-filesecurity/visionone-filesecurity \
  -n visionone-filesecurity \
  -f values.yaml
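As an added example that is not part of the chart or the c-icap project, the probe below sends an ICAP OPTIONS request to the endpoint from step 7 and parses the reply, with a `--tls` mode for the step 8 setup; it assumes the hostname `icap.example.com`, port 1344 and service path `scan` from this guide, and the embedded sample reply is constructed for offline parsing only.

```python
"""Probe an ICAP endpoint with an OPTIONS request (plain TCP or TLS)."""
import socket
import ssl
import sys

# Constructed sample reply, used only to exercise the parser offline.
SAMPLE_RESPONSE = (
    b"ICAP/1.0 200 OK\r\n"
    b"Methods: RESPMOD, REQMOD\r\n"
    b"Service: example scanner\r\n"
    b'ISTag: "sample-istag"\r\n'
    b"Encapsulated: null-body=0\r\n\r\n"
)

def build_options_request(host, port, service):
    # ICAP/1.0 OPTIONS; "Encapsulated: null-body=0" declares an empty body.
    return (
        f"OPTIONS icap://{host}:{port}/{service} ICAP/1.0\r\n"
        f"Host: {host}:{port}\r\n"
        "User-Agent: icap-probe/0.1\r\n"
        "Encapsulated: null-body=0\r\n\r\n"
    ).encode("ascii")

def parse_icap_response(raw):
    """Return (status_code, headers) from the ICAP response head."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    status_line, *header_lines = head.split("\r\n")
    parts = status_line.split(" ", 2)
    if len(parts) < 2 or parts[0] != "ICAP/1.0":
        raise ValueError(f"not an ICAP/1.0 status line: {status_line!r}")
    headers = {}
    for line in header_lines:
        if line:  # skip blank lines defensively
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
    return int(parts[1]), headers

def probe(host, port=1344, service="scan", use_tls=False, timeout=5.0):
    """Open a (TLS) socket to the NLB, send OPTIONS, return parsed reply."""
    sock = socket.create_connection((host, port), timeout=timeout)
    if use_tls:
        ctx = ssl.create_default_context()  # verifies chain and hostname
        sock = ctx.wrap_socket(sock, server_hostname=host)
    with sock:
        sock.sendall(build_options_request(host, port, service))
        buf = b""
        while b"\r\n\r\n" not in buf:
            chunk = sock.recv(4096)
            if not chunk:
                break
            buf += chunk
    return parse_icap_response(buf)

if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "icap.example.com"
    code, hdrs = probe(target, use_tls="--tls" in sys.argv)
    print(code, hdrs.get("methods"), hdrs.get("istag"))
```

A 200 with `RESPMOD` in `Methods` confirms the NLB forwards to a live scanner; a TLS handshake failure in `--tls` mode points at the ACM certificate or the hostname rather than at the ICAP service.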