visionone-file-security-helm

Expose Scanner Service Locally with Nginx Ingress

1. Prerequisites

Local Kubernetes cluster (e.g., Minikube, Kind, Colima, Docker Desktop)
kubectl and helm are installed and configured
Helm chart for the scanner service is available
Administrator privileges to edit /etc/hosts

2. Install Nginx Ingress Controller (NodePort)

a. Add the Nginx Ingress Helm Repository

helm repo add ingress-nginx https://kubernetes.github.io/ingress-nginx
helm repo update

b. Create Namespace for Ingress Controller

kubectl create namespace ingress-nginx --dry-run=client -o yaml | kubectl apply -f -

c. Install the Ingress Controller

helm upgrade --install ingress-nginx ingress-nginx/ingress-nginx \
  --namespace ingress-nginx \
  --set controller.service.type=NodePort

3. Verify Ingress Controller Deployment

kubectl get pods -n ingress-nginx
kubectl get service -n ingress-nginx ingress-nginx-controller

Confirm the controller pod is running.
Note the NodePort assigned to port 80 (e.g., 80:31502/TCP).

4. Configure Ingress in values.yaml

Option 1: Scanner Service Only

Edit your values.yaml for scanner service only:

scanner:
  ingress:
    enabled: true
    className: "nginx"
    annotations:
      nginx.ingress.kubernetes.io/backend-protocol: "GRPC"
    hosts:
      - host: scanner.local.k8s
        paths:
          - path: /
            pathType: ImplementationSpecific
    tls: [] # Leave empty for local PoC

Option 2: Shared Host with Management Service

Edit your values.yaml to enable both scanner and management services on the same local host:

scanner:
  ingress:
    enabled: true
    className: "nginx"
    annotations:
      nginx.ingress.kubernetes.io/backend-protocol: "GRPC"
    hosts:
      - host: scanner.local.k8s
        paths:
          - path: /
            pathType: ImplementationSpecific
    tls: [] # Leave empty for local PoC

managementService:
  ingress:
    enabled: true
    className: "nginx"
    annotations:
      nginx.ingress.kubernetes.io/backend-protocol: "HTTP"
    hosts:
      - host: scanner.local.k8s  # Same host as scanner
        paths:
          - path: /ontap
            pathType: Prefix
    tls: [] # Leave empty for local PoC

With the shared host configuration:

Scanner service handles gRPC requests to http://scanner.local.k8s/
Management service handles WebSocket requests to http://scanner.local.k8s/ontap
Nginx routes requests based on path matching, with /ontap taking priority over /

Configuration Notes

Ensure enabled: true and className: "nginx" are set.
The annotation nginx.ingress.kubernetes.io/backend-protocol: "GRPC" is required for gRPC on the scanner service.
The annotation nginx.ingress.kubernetes.io/backend-protocol: "HTTP" is required for WebSocket on the management service.
Replace scanner.local.k8s with your desired local hostname if needed.

5. Deploy or Upgrade the Helm Release

helm upgrade --install my-release visionone-filesecurity/visionone-filesecurity -f values.yaml

Replace my-release and path as appropriate.

6. Verify Ingress Resource

kubectl get ingress -n visionone-filesecurity

Confirm the ingress resource is created and lists scanner.local.k8s under HOSTS.

7. Configure Local DNS Resolution

Determine the IP to use:
- For Docker Desktop, Kind, Colima: use 127.0.0.1
- For Minikube: run minikube ip and use the returned IP
Edit /etc/hosts (requires sudo):

sudo nano /etc/hosts

Add:

127.0.0.1  scanner.local.k8s

Save and close the file.

8. Test the Connection

Use your client tool to connect to scanner.local.k8s:<NodePort>.
For example, with tmfs CLI:

./tmfs scan file:example.txt --tls=false --endpoint scanner.local.k8s:31502

Note

For production or TLS testing, configure the tls section in values.yaml and set up certificates as needed.