Setting up NFS storage for IBM Verify Identity Governance (IVIG) container in Kubernetes
Introduction
When running the IBM Verify Identity Governance (IVIG) container in Kubernetes, a common challenge is deploying complex attribute handler jars or subforms that must be accessible to every pod in the deployment. Cloud storage is the ideal answer in many scenarios, but it isn't available or practical in every environment.
This blog post demonstrates how to set up and configure a Network File System (NFS) as a shared storage solution for your IVIG container deployments. This approach provides a reliable alternative when cloud storage isn't an option, ensuring your custom jars and subforms are properly deployed and accessible throughout your Kubernetes cluster.
Setting up the NFS server
The first step is to set up an NFS server that will host our shared files. We'll be using a Red Hat Enterprise Linux (RHEL) server for this purpose.
Run the following commands as root on your RHEL server:
# Install required packages
dnf install -y nfs-utils
# Enable nfs-server and rpcbind
systemctl enable --now nfs-server
systemctl enable --now rpcbind
# Create a directory that needs to be exposed as shared directory
mkdir -p /mnt/ivigcontainer
# Assign proper permissions to be exposed as shared directory
chmod 777 /mnt/ivigcontainer
⚠️ CAUTION: The permission 777 used above is intentionally permissive for demonstration purposes only.
Next, we need to update the /etc/exports file to expose the shared directory to our OpenShift Container Platform (OCP) master and worker nodes. Replace the IP addresses below with those of your own cluster nodes:
# Update /etc/exports to expose the shared directory to the OCP master and worker nodes
# For all hosts (note the single ">" overwrites any existing /etc/exports), you could use:
# echo "/mnt/ivigcontainer *(rw,sync,no_subtree_check,insecure,no_root_squash)" > /etc/exports
# For specific hosts, append one line per node (replace xxx.xxx.xxx.xxx with the node's IP address):
echo "/mnt/ivigcontainer xxx.xxx.xxx.xxx(rw,sync,no_subtree_check,insecure,no_root_squash)" >> /etc/exports
Finally, export the filesystem and ensure the NFS service is running:
# Export the filesystem
exportfs -arv
# Restart nfs-server service
systemctl restart nfs-server.service
# Update the firewall so the NFS service is reachable from the cluster nodes
# If the commands below report "FirewallD is not running", firewalld is not in use and this step can be skipped
firewall-cmd --add-service nfs --permanent
# --permanent only writes the saved configuration; reload so the rule takes effect on the running firewall
firewall-cmd --reload
Creating a StorageClass in Kubernetes using NFS
With our NFS server ready, we now need to create a StorageClass in Kubernetes that can utilize this NFS share. This will allow our IBM Verify Identity Governance container to dynamically provision storage from our NFS server.
# Clone the repository for nfs provisioner
git clone https://github.com/kubernetes-sigs/nfs-subdir-external-provisioner.git /root/nfs-subdir
# Update configuration yaml files before deploying storage class
# Switch to the new directory:
cd /root/nfs-subdir
# Create the ivig project (or switch to it if it already exists)
oc new-project ivig 2>/dev/null || oc project ivig
# Run the commands below to point the provisioner's RBAC and deployment manifests at this namespace
NAMESPACE=$(oc project -q)
sed -i'' "s/namespace:.*/namespace: $NAMESPACE/g" ./deploy/rbac.yaml ./deploy/deployment.yaml
# Create Role based access control
oc create -f deploy/rbac.yaml
oc adm policy add-scc-to-user hostmount-anyuid system:serviceaccount:$NAMESPACE:nfs-client-provisioner
Next, we need to update the deployment configuration to point to our NFS server:
# Update the NFS server IP and export path in the deployment yaml file
# (the repository ships with the sample values 10.3.243.101 and /ifs/kubernetes)
sed -i'' "s/10.3.243.101/<Provide IP address of your NFS server>/g" ./deploy/deployment.yaml
sed -i'' "s|/ifs/kubernetes|/mnt/ivigcontainer|g" ./deploy/deployment.yaml
# Update the StorageClass (class.yaml) file: drop the last line (archiveOnDelete) and add our own parameters
sed -i'' '$d' ./deploy/class.yaml
# Each PVC gets its own directory on the NFS share, named <namespace>/<pvc-name>
echo " pathPattern: \"\${.PVC.namespace}/\${.PVC.name}\"" >> ./deploy/class.yaml
echo " onDelete: delete" >> ./deploy/class.yaml
echo "mountOptions:" >> ./deploy/class.yaml
echo "- nfsvers=4.2" >> ./deploy/class.yaml
# Rename the storage class from the default nfs-client to ivig-nfs-storage
sed -i'' "s/nfs-client/ivig-nfs-storage/g" ./deploy/class.yaml
# Create the deployment and storage class
oc create -f deploy/deployment.yaml -f deploy/class.yaml
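Before running the IVIG installer, it is worth confirming that the new storage class really provisions a ReadWriteMany volume and that the provisioner lays the directory out on the NFS server as the pathPattern above dictates. The script below is an added example, not part of the original post or the provisioner project; it assumes the namespace ivig, the storage class name ivig-nfs-storage and the export root /mnt/ivigcontainer used in this guide, and the UBI minimal image is just a convenient writer container.

```shell
# Added example (not from the original post or the nfs-subdir-external-provisioner project).
# Renders a ReadWriteMany test PVC plus a pod that writes into it, and computes where that
# file must appear on the NFS server given pathPattern "${.PVC.namespace}/${.PVC.name}".
# Assumptions: export root /mnt/ivigcontainer, namespace ivig, StorageClass ivig-nfs-storage.
NFS_EXPORT_ROOT="/mnt/ivigcontainer"

# Print a PVC + Pod manifest for the given namespace, PVC name and StorageClass.
render_rwx_test_manifest() {
  ns="$1"; pvc="$2"; sc="$3"
  cat <<EOF
apiVersion: v1
kind: PersistentVolumeClaim
metadata: {name: ${pvc}, namespace: ${ns}}
spec:
  accessModes: ["ReadWriteMany"]
  storageClassName: ${sc}
  resources: {requests: {storage: 1Gi}}
---
apiVersion: v1
kind: Pod
metadata: {name: ${pvc}-writer, namespace: ${ns}}
spec:
  restartPolicy: Never
  containers:
  - name: writer
    image: registry.access.redhat.com/ubi9/ubi-minimal
    command: ["sh", "-c", "echo probe-ok > /data/probe.txt && cat /data/probe.txt"]
    volumeMounts: [{name: shared, mountPath: /data}]
  volumes:
  - name: shared
    persistentVolumeClaim: {claimName: ${pvc}}
EOF
}

# Directory the provisioner creates for this PVC on the NFS server: <root>/<namespace>/<pvc-name>.
expected_nfs_dir() {
  printf '%s/%s/%s\n' "$NFS_EXPORT_ROOT" "$1" "$2"
}

# Apply the manifest and wait for the writer pod to finish; needs cluster access, so it is
# not called automatically. Usage: run_rwx_check ivig rwx-probe ivig-nfs-storage
# Then on the NFS server: cat "$(expected_nfs_dir ivig rwx-probe)/probe.txt"
run_rwx_check() {
  render_rwx_test_manifest "$1" "$2" "$3" | oc apply -f -
  oc wait --for=jsonpath='{.status.phase}'=Succeeded "pod/$2-writer" -n "$1" --timeout=180s
  oc logs "pod/$2-writer" -n "$1"
}
```

If the pod stays Pending, check the PVC events with oc describe pvc: a claim stuck in Pending usually means the provisioner pod cannot mount the export, which points back at the /etc/exports entries or the firewall on the NFS server.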
Using the StorageClass with IBM Verify Identity Governance container
The final step is to use our newly created storage class during the IBM Verify Identity Governance container installation. When using the starter kit for installation, you'll be prompted to select a storage class for volumes. Choose the NFS storage class we just created:
Which storageclass will be used for volumes?
Rules: It must support dynamic provisioning and mode ReadWriteMany.
Currently installed options:
ivig-nfs-storage
Storageclass []: ivig-nfs-storage
Conclusion
By following this guide, you've successfully set up an NFS server and configured it as a shared storage solution for your IBM Verify Identity Governance containers running in Kubernetes. This approach provides several benefits:
- Shared access: All containers in your cluster can access the same files, ensuring consistency across your deployment.
- Persistence: Your custom jars and subforms remain available even if containers are restarted or rescheduled.
- Simplicity: NFS is a well-established protocol that's relatively easy to set up and maintain.
- Cost-effective: When cloud storage isn't an option, NFS provides a low-cost alternative built on on-premises infrastructure.
This solution is particularly valuable for organizations that need to deploy complex attribute handler jars or subforms in their IBM Verify Identity Governance container environment but don't have access to cloud storage solutions.
⚠️ CAUTION: Remember to secure your NFS server appropriately for production environments, as the permissions and access controls shown in this example are intentionally permissive for demonstration purposes.