visionone-file-security-helm

Exposing ICAP Service with MetalLB in On-Premises/MicroK8s Deployment

If you are using a bare-metal Kubernetes cluster, you can use MetalLB to expose your ICAP service.

Prerequisites

• MicroK8s 1.24+ installed and configured
• Network configuration that allows:
  • Reserved IP addresses for MetalLB to use (outside DHCP range)
  • Inbound connections to the ICAP port (1344)
  • Outbound connections to Vision One cloud

1. Install MetalLB in MicroK8s

Enable MetalLB with an appropriate IP range for your network

# Replace the IP range with one suitable for your network
microk8s enable metallb:192.168.1.200-192.168.1.220

• When choosing the IP range:
  • Ensure it’s within your local subnet
  • Avoid conflicts with your DHCP server’s range
  • Choose IPs that are not already assigned to other devices

2. Update values.yaml for External Access

Update values.yaml with the following content:

scanner:
  # Other scanner settings remain unchanged
  
  # Enable external LoadBalancer service for ICAP
  externalService:
    enabled: true
    annotations: {}
    icapPort: 1344

3. Update the deployment with MetalLB configuration

Run the following:

helm upgrade my-release visionone-filesecurity/visionone-filesecurity \
  -n visionone-filesecurity \
  -f values.yaml

4. Verify MetalLB Deployment

Run the following:

# Check the service status
kubectl get service -n visionone-filesecurity | grep scanner-lb

# Get the external IP assigned by MetalLB
EXTERNAL_IP=$(kubectl get service -n visionone-filesecurity my-release-visionone-filesecurity-scanner-lb -o jsonpath='{.status.loadBalancer.ingress[0].ip}')
echo "Your MetalLB external IP is: $EXTERNAL_IP"

5. Test ICAP Connection

Install and use the c-icap-client to test your connection:

# Install c-icap-client
sudo apt-get install c-icap

# Test with file scanning
c-icap-client -i $EXTERNAL_IP -s scan -p 1344 -f sample.txt -x "X-scan-file-name: sample.txt"