Using the images with Helm

General usage

You can use the example contained in the package (see Package overview) to set up a deployment using Helm.

The example files are for evaluation purposes only. They are a good starting point for your own deployment, but should not be used in productive environments "as is" without proper configuration.

The example files do not support minikube.

In particular, you need to do the following:

• Update the pre-installed certificates.
• Change the pre-defined credentials.

To run the images with Helm

1. Import the image bundle archive into the local Docker registry:

   docker load ‑i images.tar

2. Tag and push the images to a remote registry that can be accessed by your Kubernetes cluster:

   docker tag onespan_ias_maria:<release_version> <registry_url>/onespan_ias_maria:<release_version>
   docker tag onespan_mdc:<release_version> <registry_url>/onespan_mdc:<release_version>
   docker tag onespan_was:<release_version> <registry_url>/onespan_was:<release_version>
   docker push <registry_url>/onespan_ias_maria:<release_version>
   docker push <registry_url>/onespan_mdc:<release_version>
   docker push <registry_url>/onespan_was:<release_version>

   Replace the following:

   • release_version. The specific version of the images distributed in the package, e.g. 3.27.0.1234.
   • registry_url. The URL of the container image registry or repository that is intended to host/distribute the provided images, e.g. repo.myserver.com:5000.

3. Change to the example deployment folder:

   cd package_folder/examples/helm

   Replace the following:

   • package_folder. The absolute path to the folder that contains the extracted package content.

4. Set the values of the image fields in the following files in the templates folder accordingly:

   • was-deployment.yaml
   • ias-deployment.yaml
   • mdc-deployment.yaml

5. Review and adapt the configuration for OneSpan Authentication Server and Message Delivery Component (MDC) using the GUI configuration image (see Using the GUI configuration image):

   sudo xhost +local:docker
   
   docker run --rm --user $(id -u) \
     -v $(pwd)/config:/mnt \
     -e DISPLAY=$DISPLAY \
     -v /tmp/.X11-unix/:/tmp/.X11-unix/ \
     onespan_config:<release_version>

   Replace the following:

   • release_version. The specific version of the images distributed in the package, e.g. 3.27.0.1234.

6. Review and adapt the Helm chart configuration. In particular, note the following:

   • OneSpan Authentication Server and MDC log files are written to /dev/stdout of the respective pod. You need to configure the Kubernetes cluster to handle the log storage accordingly so you can retrieve the logs if required.

7. Deploy the images:

   helm install . --name OAS

To stop running containers

• Run the following command:

  helm del ‑‑purge OAS

OneSpan Authentication Server autoscaling

When using OneSpan Authentication Server workloads with autoscaling mechanisms, such as HorizontalPodAutoscaler, additional configuration of the StatefulSet object of OneSpan Authentication Server is required to enable automatic license selection and mounting. For more information, see Hostname-based licenses.

For more information about horizontal pod scaling in Kubernetes, refer to:

• HorizontalPodAutoscaler Walkthrough, available at https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale-walkthrough/ (last accessed on January 9, 2025).
• kubectl autoscale command reference, available at https://kubernetes.io/docs/reference/generated/kubectl/kubectl-commands#autoscale (last accessed on January 9, 2025).

Autoscaling and container metrics

When you set up horizontal pod autoscaling based on container metrics reported from the cluster metrics server, it is important that you set the container resource limits for the target metrics. For example, the CPU usage limits for the ias container are set in the Helm chart configuration file (ias-deployment.yaml):

apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: ias
spec:
  ...
  template:
    ...
    spec:
      ...
      containers:
      - name: ias
        image: "{{ .Values.ias.image.repository }}:{{ .Values.ias.image.tag }}"
        resources:
          limits:
            cpu: 500m
          requests:
            cpu: 200m
      ...
...

Otherwise, the reported load metric may appear as <unknown> when you run the following commands, based on the CPU load metric example:

kubectl autoscale statefulset/ias --cpu-percent=10 --min=1 --max=5
kubectl get hpa