Deploying Fortify Software Security Center in Kubernetes

This document describes how to configure and use the helm-ssc 24.4 Helm chart for complete Software Security Center container orchestration in Kubernetes. You can find the Software Security Center Helm chart at https://hub.docker.com/r/fortifydocker/helm-ssc.

Kubernetes versions

These charts have been tested using the following Kubernetes versions:

Tool prerequisites

OpenText recommends that you use the same tool versions to avoid unpredictable results.

Installation

The following instructions are for example purposes and are based on a default Kubernetes environment running under Linux, using the default namespace. Windows systems might require different syntax for some commands and other Kubernetes Cluster providers might require additional/different configurations. Your Kubernetes administrator might require the use of specific namespaces and/or other configuration adjustments.

Installation prerequisites

Installation steps

  1. Preparing the Fortify license file
  2. Preparing an HTTP certificate password
  3. Preparing the HTTP keystore file
  4. Preparing the Software Security Center autoconfig file
  5. Preparing the Software Security Center Kubernetes secret
  6. Creating an image pull secret
  7. Installing the Software Security Center release
  8. Setting up port forwarding through kubectl
  9. Verifying that Software Security Center is available
  10. Testing the admin login
  11. Special considerations for testing environments

Preparing the Fortify license file

Preparing an HTTP certificate password

Preparing the HTTP keystore file

Preparing the Software Security Center autoconfig file

  1. Create a file /tmp/ssc.autoconfig.tpl and copy the following content to it.

    appProperties:
      host.validation: false
      authentication.max.concurrent.logins: -1
      token.management.user.sessionless.tokens.max: 500
      token.management.user.session.tokens.max: 500

    datasourceProperties:
      db.username: '<DB-USERNAME>'
      db.password: '<DB-PASSWORD>'
      jdbc.url: 'jdbc:sqlserver://<DB-HOST>;database=<DB-NAME>;sendStringParametersAsUnicode=false;trustServerCertificate=true'

    dbMigrationProperties:
      migration.enabled: true
      migration.username: '<DB-USERNAME>'
      migration.password: '<DB-PASSWORD>'
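The template above leaves the <DB-...> placeholders to be filled in by hand. The following shell script is an added example, not part of the Fortify documentation or of the helm-ssc chart, that renders the same file from the environment variables DB_USERNAME, DB_PASSWORD, DB_HOST and DB_NAME (variable names chosen here, not defined by the chart). It creates the file with mode 0600, because the file holds the database credentials in clear text until it is loaded into the Kubernetes secret and deleted, escapes single quotes for YAML, and reports an error rather than leaving an unresolved placeholder. The JDBC URL is kept exactly as the page gives it; note that trustServerCertificate=true in that URL makes the JDBC driver accept the SQL Server certificate without validating it.

```shell
#!/bin/sh
# Added example, not from the Fortify docs or the helm-ssc chart.
# Renders /tmp/ssc.autoconfig.tpl from environment variables so the database
# password is never typed on a command line (where `ps` and shell history
# would capture it), and creates the file with owner-only permissions.

# Write the autoconfig file to $1 using DB_USERNAME, DB_PASSWORD, DB_HOST and
# DB_NAME (variable names assumed here). Returns 1 if any of them is empty.
render_ssc_autoconfig() {
  out="$1"
  for v in DB_USERNAME DB_PASSWORD DB_HOST DB_NAME; do
    eval "val=\${$v:-}"
    if [ -z "$val" ]; then
      echo "render_ssc_autoconfig: $v is not set" >&2
      return 1
    fi
  done
  # YAML single-quoted scalars escape a quote by doubling it. The values pass
  # through stdin, not argv, so they stay off the process list.
  user=$(printf '%s' "$DB_USERNAME" | sed "s/'/''/g")
  pw=$(printf '%s' "$DB_PASSWORD" | sed "s/'/''/g")
  # umask in a subshell so only this file is affected (mode 0600).
  (
    umask 077
    cat > "$out" <<EOF
appProperties:
  host.validation: false
  authentication.max.concurrent.logins: -1
  token.management.user.sessionless.tokens.max: 500
  token.management.user.session.tokens.max: 500

datasourceProperties:
  db.username: '${user}'
  db.password: '${pw}'
  jdbc.url: 'jdbc:sqlserver://${DB_HOST};database=${DB_NAME};sendStringParametersAsUnicode=false;trustServerCertificate=true'

dbMigrationProperties:
  migration.enabled: true
  migration.username: '${user}'
  migration.password: '${pw}'
EOF
  )
}

# Return 0 when no unresolved <PLACEHOLDER> token remains in the file $1.
autoconfig_has_no_placeholders() {
  ! grep -q '<[A-Z-]*>' "$1"
}

# Typical use (not run when the file is sourced):
#   export DB_USERNAME DB_PASSWORD DB_HOST DB_NAME
#   render_ssc_autoconfig /tmp/ssc.autoconfig.tpl && \
#     autoconfig_has_no_placeholders /tmp/ssc.autoconfig.tpl
```

Export the four variables in the shell (for example with read -s for the password), call render_ssc_autoconfig with the output path, and continue with the secret creation steps; the rm and unset steps later on the page still apply.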

Preparing the Software Security Center Kubernetes secret

  1. Use the kubectl create secret command, as shown in the following example code, to create the ssc-secret secret in Kubernetes.

    kubectl create secret generic ssc-secret \
     --from-file=/tmp/httpKeystore.jks \
     --from-file=/tmp/fortify-license.txt \
     --from-file=/tmp/ssc.autoconfig.tpl \
     --from-literal=httpCertificateKeyPassword=$HTTP_CERT_PWD \
     --from-literal=httpCertificateKeystorePassword=$HTTP_CERT_PWD
  2. Run the following command to delete the temporary files.

    rm /tmp/httpKeystore.jks /tmp/ssc.autoconfig.tpl /tmp/fortify-license.txt
  3. Run the following command to unset the HTTP certificate password from the terminal.

    unset HTTP_CERT_PWD

Creating an image pull secret

By default, the Software Security Center Helm chart references its images directly from DockerHub. For Kubernetes to properly install your images using the default configuration, you must create an image pull secret and store it in your installation namespace in Kubernetes. If you are replicating these images to a local repository, you can skip this task and update the relevant image values in the Helm chart to reference your local repository. To create an image pull secret:

Installing the Software Security Center release

The following command installs the Software Security Center using the recommended defaults. In some cases, you might need to customize these values using the Helm --set parameter or by creating a values.yaml override file and passing it to the command line with the Helm -f flag. For more information about the values you can override, see the Helm Chart Values table.

Tip: To find the available Software Security Center 24.4 Helm chart version, go to https://hub.docker.com/r/fortifydocker/helm-ssc/tags.

Setting up port forwarding through kubectl

  1. Verify that your Software Security Center pod (ssc-webapp-0) is running. It might take a few minutes before the pod reaches the 1/1 Running state. You can run the following command several times, or add the -w flag to watch for changes.

    kubectl get pods
  2. Open a new terminal shell.

  3. Set up port forwarding through kubectl to access your Software Security Center endpoint.

    For example, to forward localhost port 8081 to the HTTPS port of the service:

    kubectl port-forward svc/<ssc-service-name> 8081:443

    You can determine <ssc-service-name> by listing the Kubernetes services with the following command:

    kubectl get services

Verifying that Software Security Center is available

  1. Follow the steps in Setting up port forwarding through kubectl.

  2. You should now be able to access the Software Security Center web endpoint from your browser.

    https://localhost:8081

Testing the admin login

  1. Follow the steps in Setting up port forwarding through kubectl.

  2. Access the login endpoint from your browser:

    https://localhost:8081

  3. Log in to Software Security Center with the default admin credentials. The default username is admin and the password is admin. You must change the admin password the first time you log in.

Special considerations for testing environments

By default, the Helm chart defines the container resource requests and limits based on recommended best-practice values intended to prevent performance issues and unexpected Kubernetes evictions of containers and pods. These values are often too large for a small test environment that does not require the same level of resources. You can override the resource requests by passing the additional parameter --set resources=null to the helm install command above.

WARNING: Using the above option in production is not supported and will lead to unstable behavior.

Upgrade

This section explains how to upgrade Software Security Center from previous releases to version 24.4.

Upgrade prerequisites

Upgrading from version 23.2.x

Upgrade steps
  1. Preparing the values file
  2. Upgrading the Software Security Center release
  3. Verifying Software Security Center after an upgrade

Preparing the values file

Starting from Software Security Center Helm version 24.4, a few values in the Helm chart have been modified and a few new values have been added. Compare the values you used to deploy Helm chart version 23.2 with the values of the current release and update your values.yaml by merging them.

Upgrading the Software Security Center release

Use the helm upgrade command as shown in the following example to upgrade the Software Security Center release.

helm upgrade <Existing Installed SSC Release Name> oci://registry-1.docker.io/fortifydocker/helm-ssc --version <ssc-helm-chart-version> -f values.yaml --reuse-values

Verifying Software Security Center after the upgrade

After the Software Security Center upgrade, verify that Software Security Center is available and test the admin login, as described in the installation section.

Values

The following values are exposed by the Helm chart. Unless a value is listed as Required, override it only as needed for your specific environment.

Required

| Key | Type | Default | Description |
|---|---|---|---|
| persistentVolumeClaim.size | string | "4Gi" | Specifies the size of the persistent volume created for the Software Security Center pod. |
| secretRef.keys.httpCertificateKeyPasswordEntry | string | "" | Specifies the key name for the password of the HTTPS private key. |
| secretRef.keys.httpCertificateKeystoreFileEntry | string | "" | Specifies the key name for the keystore holding the certificate and private key for HTTPS. |
| secretRef.keys.httpCertificateKeystorePasswordEntry | string | "" | Specifies the key name for the password of the HTTPS keystore. |
| secretRef.keys.sscAutoconfigEntry | string | "" | Specifies the key name for the Software Security Center autoconfig file. |
| secretRef.keys.sscLicenseEntry | string | "" | Specifies the key name for the Fortify license. |
| secretRef.name | string | "ssc-secret" | Specifies the name of an externally managed Kubernetes secret to be used for configuration. |
| urlHost | string | "" | Specifies the fully qualified DNS name used to access the application externally. |

Other Values

| Key | Type | Default | Description |
|---|---|---|---|
| affinity | pod.affinity | {} | Defines node affinity configurations to add to the pods. |
| environment | list | [] | Specifies additional environment variables to add to the pods. |
| fullnameOverride | string | {deployment_name}-{service_name} | Overrides the fully qualified app name of the release. |
| httpClientCertificateVerification | string | "none" | Configures HTTPS client certificate verification. Supported values: "none", "optional", "required". |
| image.pullPolicy | string | "IfNotPresent" | Specifies the image pull behavior. |
| image.repository | string | "fortifydocker/ssc-webapp" | Specifies the Docker repository from which to pull the Software Security Center Docker image. |
| image.tag | string | "24.4.1.0005" | Specifies the version of the Software Security Center Docker image to pull. |
| imagePullSecrets | list | [] | Specifies a list of references to secrets in the same namespace to use for pulling any of the images used by the current release. |
| ingress.annotations | object | {} | Specifies annotations to add to the resource. |
| ingress.className | string | "" | Identifies the Ingress resource class name. |
| ingress.enabled | bool | false | Indicates whether to enable Ingress. |
| ingress.hosts[0] | object | {"host":"ssc.local","paths":[{"path":"/","pathType":"Prefix"}]} | Specifies the hostname through which to accept requests. |
| ingress.hosts[0].paths[0] | object | {"path":"/","pathType":"Prefix"} | Specifies the path through which to accept requests. |
| ingress.hosts[0].paths[0].pathType | string | "Prefix" | Specifies the path type. |
| ingress.tls | list | [] | Defines TLS configurations, expressed in the following format: [{"hosts":["some-host"], "secretName":"some-name"}] |
| ingressScim.annotations | object | {} | Specifies annotations to add to the resource. |
| ingressScim.className | string | "" | Identifies the Ingress resource class name. |
| ingressScim.enabled | bool | false | Indicates whether to enable IngressScim. |
| ingressScim.hosts[0] | object | {"host":"ssc-scim.local","paths":[{"path":"/api/scim/v2","pathType":"Exact"}]} | Specifies the hostname through which to accept requests. |
| ingressScim.hosts[0].paths[0] | object | {"path":"/api/scim/v2","pathType":"Exact"} | Specifies the path through which to accept requests. |
| ingressScim.hosts[0].paths[0].pathType | string | "Exact" | Specifies the path type. |
| ingressScim.tls | list | [] | Defines TLS configurations, expressed in the following format: [{"hosts":["some-host"], "secretName":"some-name"}] |
| jvmExtraOptions | string | "" | Specifies additional options passed to the Java process. |
| jvmMaxRAMPercentage | int | 86 | Specifies the percentage of the memory limit to be used for the JVM heap. |
| ldaps.enable | bool | false | Indicates whether to enable external LDAP. |
| nameOverride | string | ssc | Overrides the name of this chart. |
| nodeSelector | pod.nodeSelector | {"kubernetes.io/arch":"amd64","kubernetes.io/os":"linux"} | Defines node selection constraints to add to the pods. |
| persistentVolumeClaim.selector | object | {} | Specifies the Kubernetes PersistentVolumeClaim selector. |
| persistentVolumeClaim.storageClassName | string | "" | Specifies the storage class name used for the persistent volume. |
| podAnnotations | pod.annotations | {} | Defines annotations to add to the pods. |
| resources.limits.cpu | int | 8 | Defines the CPU limit granted to the pod. |
| resources.limits.memory | string | "28Gi" | Defines the memory limit granted to the pod. |
| resources.requests.cpu | int | 1 | Defines the initial CPU request for the pod. |
| resources.requests.memory | string | "7Gi" | Defines the initial memory request for the pod. |
| saml.enable | bool | false | Indicates whether to enable external SAML. |
| secretRef.keys.httpTruststoreFileEntry | string | "" | Specifies the key name for the truststore used by client certificate verification. |
| secretRef.keys.httpTruststorePasswordEntry | string | "" | Specifies the key name for the password of the client certificate verification truststore. |
| secretRef.keys.idpCertificateEntry | string | "" | Specifies the key name for the IdP certificate. Required if SAML is enabled. |
| secretRef.keys.jvmTruststoreFileEntry | string | "" | Specifies the key name for the JVM truststore. |
| secretRef.keys.jvmTruststorePasswordEntry | string | "" | Specifies the key name for the password of the JVM truststore. |
| secretRef.keys.sscSecretKeyEntry | string | "" | Specifies the key name for the SSC secret.key file. |
| service.annotations | object | {} | Specifies the map of annotations applied to the service. |
| service.clusterIP | string | "" | Specifies a fixed service cluster IP address. If empty, Kubernetes assigns a value. |
| service.httpPort | int | 80 | Specifies the port to expose for HTTP calls. |
| service.httpsPort | int | 443 | Specifies the port to expose for HTTPS calls. |
| service.loadBalancerIP | string | "" | Specifies a fixed load balancer IP address. If empty, the Kubernetes cloud provider assigns a value. |
| service.type | string | "ClusterIP" | Specifies the type of Service to use. |
| sscPathPrefix | string | "/" | Specifies the URL path prefix at which the Software Security Center application is accessed. |
| tolerations | pod.tolerations | [] | Defines toleration configurations to add to the pod(s). |
| urlPort | int | 0 | Specifies the HTTPS port for accessing the application externally. If zero, the value of service.httpsPort is used instead. |
| user | pod.securityContext | {"gid":0,"uid":1111} | Defines security context configurations to add to the pods. |
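The secretRef.keys.* values are listed as Required but default to empty strings, so a values override has to map each of them to an entry name in ssc-secret, and a mismatch between the two is the usual reason a fresh release fails to start. The following shell script is an added example, not from the Fortify documentation or the helm-ssc chart, that writes such an override for the secret created in "Preparing the Software Security Center Kubernetes secret" and checks that the secret actually contains every entry the override references. The entry names follow from how kubectl create secret generic names its data keys (the file basename for --from-file, the literal name for --from-literal); ssc.example.com is a placeholder host name, and the chart reference and version placeholder are the ones used in the upgrade command above.

```shell
#!/bin/sh
# Added example, not from the Fortify docs or the helm-ssc chart.
# Writes a values.yaml override wiring secretRef.keys.* to the entries of the
# ssc-secret created earlier, and checks a secret's key list against it.

# Entry names as produced by the kubectl create secret generic command shown on
# this page: --from-file keys are file basenames, --from-literal keys are the
# literal names.
SSC_SECRET_NAME="ssc-secret"
KEYSTORE_ENTRY="httpKeystore.jks"
LICENSE_ENTRY="fortify-license.txt"
AUTOCONFIG_ENTRY="ssc.autoconfig.tpl"
KEY_PWD_ENTRY="httpCertificateKeyPassword"
KEYSTORE_PWD_ENTRY="httpCertificateKeystorePassword"

# Write the values override to $1. $2 is the external host name (urlHost is
# Required by the chart); ssc.example.com is only a placeholder.
write_ssc_values() {
  out="$1"
  host="${2:-ssc.example.com}"
  cat > "$out" <<EOF
urlHost: "$host"
secretRef:
  name: "$SSC_SECRET_NAME"
  keys:
    httpCertificateKeystoreFileEntry: "$KEYSTORE_ENTRY"
    httpCertificateKeyPasswordEntry: "$KEY_PWD_ENTRY"
    httpCertificateKeystorePasswordEntry: "$KEYSTORE_PWD_ENTRY"
    sscAutoconfigEntry: "$AUTOCONFIG_ENTRY"
    sscLicenseEntry: "$LICENSE_ENTRY"
EOF
}

# Print the secret entry names referenced by the *Entry keys in values file $1.
referenced_entries() {
  sed -n 's/^ *[a-zA-Z]*Entry: *"\(.*\)"$/\1/p' "$1"
}

# $1: values file; $2: newline-separated list of keys present in the secret,
# for example the output of
#   kubectl get secret ssc-secret -o go-template='{{range $k, $v := .data}}{{$k}}{{"\n"}}{{end}}'
# Prints each referenced entry that is missing and returns 1 if any is.
check_secret_covers_values() {
  values="$1"
  present="$2"
  missing=0
  for entry in $(referenced_entries "$values"); do
    if ! printf '%s\n' "$present" | grep -qx "$entry"; then
      echo "missing secret key: $entry"
      missing=1
    fi
  done
  return $missing
}

# Typical use (not run when the file is sourced):
#   write_ssc_values values.yaml ssc.example.com
#   check_secret_covers_values values.yaml "$(kubectl get secret ssc-secret \
#     -o go-template='{{range $k, $v := .data}}{{$k}}{{"\n"}}{{end}}')"
#   helm install <release-name> oci://registry-1.docker.io/fortifydocker/helm-ssc \
#     --version <ssc-helm-chart-version> -f values.yaml
```

Run the check before helm install and again after helm upgrade: it reads only key names, never the secret values, so it is safe to run from an unprivileged shell that has get access to the secret.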