visionone-file-security-helm

Expose Scanner Service on AWS EKS

1. Prerequisites

• EKS cluster is running.
• kubectl and helm are configured.
• Your Helm chart for the scanner service is ready.
• You have a wildcard ACM certificate (e.g., *.example.com) in AWS Certificate Manager, in the same region as your EKS cluster.

---

2. Deploy the AWS Load Balancer Controller

a. Create the IAM Policy

curl -o iam-policy.json https://raw.githubusercontent.com/kubernetes-sigs/aws-load-balancer-controller/main/docs/install/iam_policy.json

aws iam create-policy \
  --policy-name AWSLoadBalancerControllerIAMPolicy \
  --policy-document file://iam-policy.json

b. Create the IAM Role and Service Account

eksctl create iamserviceaccount \
  --cluster <your-cluster-name> \
  --namespace kube-system \
  --name aws-load-balancer-controller \
  --attach-policy-arn arn:aws:iam::<your-account-id>:policy/AWSLoadBalancerControllerIAMPolicy \
  --approve

c. Install the Controller with Helm

helm repo add eks https://aws.github.io/eks-charts
helm repo update

helm install aws-load-balancer-controller eks/aws-load-balancer-controller \
  -n kube-system \
  --set clusterName=<your-cluster-name> \
  --set region=<your-aws-region> \
  --set vpcId=<your-vpc-id> \
  --set serviceAccount.create=false \
  --set serviceAccount.name=aws-load-balancer-controller

Important: The region and vpcId parameters are required for the controller to auto-discover subnets. Without these, the controller cannot find eligible subnets and Ingress resources will fail with “subnets count less than minimal required count” error.

---

3. Tag Your Subnets for ALB

• Go to AWS VPC Console → Subnets.
• For each subnet you want ALB to use, add these tags:
  • kubernetes.io/cluster/<your-cluster-name> = shared
  • kubernetes.io/role/elb = 1 (for public) or kubernetes.io/role/internal-elb = 1 (for private)
• Ensure subnets have enough available IPs.

---

4. Configure Ingress in values.yaml (with ACM Certificate)

Option 1: Scanner Service Only

Edit your values.yaml for scanner service only:

scanner:
  ingress:
    enabled: true
    className: "alb"
    annotations:
      alb.ingress.kubernetes.io/scheme: internet-facing
      alb.ingress.kubernetes.io/backend-protocol-version: GRPC
      alb.ingress.kubernetes.io/target-type: ip
      alb.ingress.kubernetes.io/certificate-arn: arn:aws:acm:us-west-2:123456789012:certificate/your-certificate-id
    hosts:
      - host: scanner.example.com
        paths:
          - path: /
            pathType: Prefix

Option 2: Shared Host with Management Service

Edit your values.yaml to enable both scanner and management services on the same host:

scanner:
  ingress:
    enabled: true
    className: "alb"
    annotations:
      alb.ingress.kubernetes.io/scheme: internet-facing
      alb.ingress.kubernetes.io/backend-protocol-version: GRPC
      alb.ingress.kubernetes.io/target-type: ip
      alb.ingress.kubernetes.io/certificate-arn: arn:aws:acm:us-west-2:123456789012:certificate/your-certificate-id
      alb.ingress.kubernetes.io/group.name: v1fs-ctr-group
    hosts:
      - host: scanner.example.com
        paths:
          - path: /
            pathType: Prefix

managementService:
  ingress:
    enabled: true
    className: "alb"
    annotations:
      alb.ingress.kubernetes.io/scheme: internet-facing
      alb.ingress.kubernetes.io/backend-protocol: HTTPS
      alb.ingress.kubernetes.io/backend-protocol-version: HTTP1
      alb.ingress.kubernetes.io/target-type: ip
      alb.ingress.kubernetes.io/certificate-arn: arn:aws:acm:us-west-2:123456789012:certificate/your-certificate-id
      alb.ingress.kubernetes.io/group.name: v1fs-ctr-group
      alb.ingress.kubernetes.io/load-balancer-attributes: idle_timeout.timeout_seconds=300
      alb.ingress.kubernetes.io/target-group-attributes: stickiness.enabled=true,stickiness.lb_cookie.duration_seconds=86400
    hosts:
      - host: scanner.example.com
        paths:
          - path: /ontap
            pathType: Prefix

With the shared host configuration:

• Scanner service handles gRPC requests to https://scanner.example.com/
• Management service handles WebSocket requests to https://scanner.example.com/ontap

• ALB routes requests based on path matching, with /ontap taking priority over /

• Replace arn:aws:acm:us-west-2:123456789012:certificate/your-certificate-id with your ACM certificate ARN.
• Replace scanner.example.com with your desired subdomain.
• Add alb.ingress.kubernetes.io/group.name to both scanner and management-service for grouping alb.
• Add load-balancer-attributes and target-group-attributes for more robust websocket connection.
• Make sure backend-protocol-version is set to HTTP1 but not HTTP2 for upgrading from http 1.1 to websocket.

---

5. Deploy or Upgrade the Helm Release

helm upgrade --install my-release visionone-filesecurity/visionone-filesecurity -n visionone-filesecurity -f values.yaml

---

6. Get the Ingress Hostname

kubectl get ingress -n visionone-filesecurity

Copy the ALB DNS name (e.g., a1b2c3d4e5f6g7h8.us-west-2.elb.amazonaws.com).

---

7. Configure Route 53 DNS

• Go to Route 53 Console → Hosted Zones.
• Create a new record:
  • Name: scanner.example.com
  • Type: A (Alias) for ALB
  • Value/Target: The ALB DNS name from above

---

8. Test the Connection

• Use your client tool to connect your domain name.
• For example, with tmfs CLI:

./tmfs scan file:example.txt --endpoint scanner.example.com:443

---

Note

• If you prefer to use cert-manager instead of ACM, follow the official cert-manager documentation for Kubernetes Ingress TLS.