This document describes how to configure and use the helm-ssc 24.4 Helm chart for complete Software Security Center container orchestration in Kubernetes. You can find the Software Security Center Helm chart at https://hub.docker.com/r/fortifydocker/helm-ssc.
These charts have been tested using the following Kubernetes versions:
OpenText recommends that you use the same tool versions to avoid unpredictable results.
The following instructions are for example purposes and are based on a default Kubernetes environment running under Linux, using the default namespace. Windows systems might require different syntax for some commands and other Kubernetes Cluster providers might require additional/different configurations. Your Kubernetes administrator might require the use of specific namespaces and/or other configuration adjustments.
Copy your Fortify license file, fortify-license.txt, so that it can be accessed as /tmp/fortify-license.txt.
Run the following command to create an HTTP certificate password:
HTTP_CERT_PWD="$(openssl rand -base64 32)"
Run the following command to generate a keystore containing a self-signed certificate and private key for HTTPS, protected with that password:
keytool -genkeypair -keyalg RSA -keysize 2048 -keystore /tmp/httpKeystore.jks -alias ssc-server -storepass "$HTTP_CERT_PWD" -keypass "$HTTP_CERT_PWD" -dname "CN=CA, OU=IT, O=OpenText, L=Waterloo, ST=Ontario, C=CN"
Create a file /tmp/ssc.autoconfig.tpl and copy the following content to it.
appProperties:
  host.validation: false
  authentication.max.concurrent.logins: -1
  token.management.user.sessionless.tokens.max: 500
  token.management.user.session.tokens.max: 500
datasourceProperties:
  db.username: '<DB-USERNAME>'
  db.password: '<DB-PASSWORD>'
  jdbc.url: 'jdbc:sqlserver://<DB-HOST>;database=<DB-NAME>;sendStringParametersAsUnicode=false;trustServerCertificate=true'
dbMigrationProperties:
  migration.enabled: true
  migration.username: '<DB-USERNAME>'
  migration.password: '<DB-PASSWORD>'
Use the kubectl create secret command, as shown in the following example code, to create the ssc-secret secret in Kubernetes.
kubectl create secret generic ssc-secret \
--from-file=/tmp/httpKeystore.jks \
--from-file=/tmp/fortify-license.txt \
--from-file=/tmp/ssc.autoconfig.tpl \
--from-literal=httpCertificateKeyPassword=$HTTP_CERT_PWD \
--from-literal=httpCertificateKeystorePassword=$HTTP_CERT_PWD
Run the following command to delete the temporary files.
rm /tmp/httpKeystore.jks /tmp/ssc.autoconfig.tpl /tmp/fortify-license.txt
Run the following command to unset the HTTP certificate password from the terminal.
unset HTTP_CERT_PWD
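The steps above write the database password and the TLS private key to world-readable /tmp before they reach the secret, and nothing stops a half-edited template (one that still contains `<DB-PASSWORD>`) from being loaded into ssc-secret. The following script is an added example, not part of the OpenText documentation or the chart: it wraps the same sequence in a private temporary directory (umask 077, mktemp), renders ssc.autoconfig.tpl from arguments, and refuses to call kubectl while any placeholder remains. The function names, the sample database values and the hostname db.example.internal are this example's own.

```shell
#!/bin/sh
# Added example (not part of the OpenText documentation): build the three files that go
# into ssc-secret inside a private temporary directory, refuse to continue while any
# <PLACEHOLDER> token is still present, and only then hand them to kubectl.
# Function names and sample values are this example's own, not chart or CLI names.
set -eu

# Escape a value for use inside a single-quoted YAML scalar (a ' becomes '').
yaml_sq() {
  printf '%s' "$1" | sed "s/'/''/g"
}

# Write ssc.autoconfig.tpl to $1 using DB user ($2), DB password ($3) and JDBC URL ($4).
# The property names mirror the template shown in the documentation.
render_autoconfig() {
  out=$1
  u=$(yaml_sq "$2"); p=$(yaml_sq "$3"); j=$(yaml_sq "$4")
  cat > "$out" <<EOF
appProperties:
  host.validation: false
  authentication.max.concurrent.logins: -1
  token.management.user.sessionless.tokens.max: 500
  token.management.user.session.tokens.max: 500
datasourceProperties:
  db.username: '${u}'
  db.password: '${p}'
  jdbc.url: '${j}'
dbMigrationProperties:
  migration.enabled: true
  migration.username: '${u}'
  migration.password: '${p}'
EOF
}

# Succeed only if no unreplaced <UPPER-CASE> placeholder remains in the file.
check_no_placeholders() {
  ! grep -Eq '<[A-Z][A-Z-]*>' "$1"
}

# Full flow: private workdir (umask 077 keeps the DB password and key material
# readable by this user only), keystore generation, secret creation, then cleanup.
create_ssc_secret() {
  license_src=$1; db_user=$2; db_pass=$3; jdbc_url=$4
  umask 077
  work=$(mktemp -d)
  trap 'rm -rf "$work"' EXIT
  cp "$license_src" "$work/fortify-license.txt"
  render_autoconfig "$work/ssc.autoconfig.tpl" "$db_user" "$db_pass" "$jdbc_url"
  check_no_placeholders "$work/ssc.autoconfig.tpl" || {
    echo "ssc.autoconfig.tpl still contains placeholders; aborting" >&2; return 1; }
  HTTP_CERT_PWD=$(openssl rand -base64 32)
  keytool -genkeypair -keyalg RSA -keysize 2048 -keystore "$work/httpKeystore.jks" \
    -alias ssc-server -storepass "$HTTP_CERT_PWD" -keypass "$HTTP_CERT_PWD" \
    -dname "CN=CA, OU=IT, O=OpenText, L=Waterloo, ST=Ontario, C=CN"
  kubectl create secret generic ssc-secret \
    --from-file="$work/httpKeystore.jks" \
    --from-file="$work/fortify-license.txt" \
    --from-file="$work/ssc.autoconfig.tpl" \
    --from-literal=httpCertificateKeyPassword="$HTTP_CERT_PWD" \
    --from-literal=httpCertificateKeystorePassword="$HTTP_CERT_PWD"
  unset HTTP_CERT_PWD
}

# Usage (needs openssl, keytool and kubectl on the PATH, so it is not invoked here):
#   create_ssc_secret ./fortify-license.txt sscuser "$DB_PASSWORD" \
#     'jdbc:sqlserver://db.example.internal;database=ssc;sendStringParametersAsUnicode=false;trustServerCertificate=true'
```

Passing the password as an argument keeps it out of a file that outlives the script, but it is still visible in the process list while the function runs; reading it from an environment variable populated by your secrets tooling, as the usage comment shows, is the usual compromise.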
By default, the Software Security Center Helm chart references its images directly from DockerHub. For Kubernetes to properly install your images using the default configuration, you must create an image pull secret and store it in your installation namespace in Kubernetes. If you are replicating these images to a local repository, you can skip this task and update the relevant image values in the Helm chart to reference your local repository. To create an image pull secret:
Use the kubectl create secret command as shown in the following example code:
kubectl create secret docker-registry docker.io \
--docker-server=registry-1.docker.io \
--docker-username='<docker username>' \
--docker-password='<docker password>' \
--docker-email='<docker user email>'
The following command installs the Software Security Center using the recommended defaults. In some cases, you might need to customize these values using the Helm --set parameter or by creating a values.yaml override file and passing it to the command line with the Helm -f flag. For more information about the values you can override, see the Helm Chart Values table.
Tip: To find the available Software Security Center 24.4 Helm chart version, go to https://hub.docker.com/r/fortifydocker/helm-ssc/tags.
Use the following command to install Software Security Center.
helm install <release-name> oci://registry-1.docker.io/fortifydocker/helm-ssc --version <ssc-helm-chart-version> \
--set imagePullSecrets[0].name=docker.io \
--set secretRef.name=ssc-secret \
--set secretRef.keys.sscLicenseEntry=fortify-license.txt \
--set secretRef.keys.sscAutoconfigEntry=ssc.autoconfig.tpl \
--set secretRef.keys.httpCertificateKeystoreFileEntry=httpKeystore.jks \
--set secretRef.keys.httpCertificateKeyPasswordEntry=httpCertificateKeyPassword \
--set secretRef.keys.httpCertificateKeystorePasswordEntry=httpCertificateKeystorePassword \
--set urlHost=<preferred-ssc-url-hostname>
Run the following command to verify that your Software Security Center pod (ssc-webapp-0) is running successfully:
kubectl get pods
It might take a few minutes before your pod reaches a proper 1/1 Running state. You can run the command multiple times or use the -w flag to watch for changes.
Open a new terminal shell.
Set up port forwarding through kubectl to access your Software Security Center endpoint. For example, to forward the localhost port 8081 to the HTTPS port of the service:
kubectl port-forward svc/<ssc-service-name> 8081:443
The value of <ssc-service-name> can be determined by listing the Kubernetes services using the following command:
kubectl get services
You should now be able to access the Software Security Center web endpoint and its login page from your browser:
https://localhost:8081
Log in to Software Security Center with the default admin credentials. The default username is admin and the password is admin. You must change the admin password the first time you log in.
By default, the Helm chart defines the container resource requests and limits based on recommended best-practice values intended to prevent performance issues and unexpected Kubernetes evictions of containers and pods. These values are often too large for a small test environment that does not require the same level of resources. You can override the resource requests by passing the additional value --set resources=null in the helm install command above.
WARNING: Using the above option in production is not supported and will lead to unstable behavior.
This section explains how to upgrade Software Security Center from previous releases to version 24.4.
Starting with Software Security Center Helm version 24.4, a few values in the Helm chart have been modified and a few new values have been added. Compare the values you used to deploy Helm chart version 23.2 with the current release values, and update your values.yaml by merging them.
Use the helm upgrade command as shown in the following example to upgrade the Software Security Center release.
helm upgrade <Existing Installed SSC Release Name> oci://registry-1.docker.io/fortifydocker/helm-ssc --version <ssc-helm-chart-version> -f values.yaml --reuse-values
After the Software Security Center upgrade, verify if Software Security Center is available and test the admin login.
The following values are exposed by the Helm Chart. Unless specified as Required, only override values as required for your specific environment.
Key | Type | Default | Description |
---|---|---|---|
persistentVolumeClaim.size | string | "4Gi" | Specifies the size of the persistent volume created for the Software Security Center pod. |
secretRef.keys.httpCertificateKeyPasswordEntry | string | "" | Specifies the key name for the password of the HTTPS private key. |
secretRef.keys.httpCertificateKeystoreFileEntry | string | "" | Specifies the key name for a keystore containing the certificate and private key for HTTPS. |
secretRef.keys.httpCertificateKeystorePasswordEntry | string | "" | Specifies the key name for the password of the HTTPS keystore. |
secretRef.keys.sscAutoconfigEntry | string | "" | Specifies the key name for a Software Security Center autoconfig file. |
secretRef.keys.sscLicenseEntry | string | "" | Specifies the key name for a Fortify license. |
secretRef.name | string | "ssc-secret" | Specifies the name of an externally managed Kubernetes secret to be used for configuration. |
urlHost | string | "" | Specifies the fully qualified DNS name used to access the application externally. |
Key | Type | Default | Description |
---|---|---|---|
affinity | pod.affinity | {} | Defines Node Affinity configurations to add to the pods. |
environment | list | [] | Specifies any additional environment variables to add to the pods. |
fullnameOverride | string | {deployment_name}-{service_name} | Overrides the fully qualified app name of the release. |
httpClientCertificateVerification | string | "none" | Configures HTTPS client certificate verification. Supported values: "none", "optional", "required". |
image.pullPolicy | string | "IfNotPresent" | Specifies the image pull behavior. |
image.repository | string | "fortifydocker/ssc-webapp" | Specifies the Docker repository from which to pull the Software Security Center Docker image. |
image.tag | string | "24.4.1.0005" | Specifies the version of the Software Security Center Docker image to pull. |
imagePullSecrets | list | [] | Specifies a list of references to secrets in the same namespace to use for pulling any of the images used by the current release. |
ingress.annotations | object | {} | Specifies annotations to add to the Ingress resource. |
ingress.className | string | "" | Identifies the Ingress resource class name. |
ingress.enabled | bool | false | Indicates whether to enable Ingress. |
ingress.hosts[0] | object | {"host":"ssc.local","paths":[{"path":"/","pathType":"Prefix"}]} | Specifies the hostname through which to accept requests. |
ingress.hosts[0].paths[0] | object | {"path":"/","pathType":"Prefix"} | Specifies the path through which to accept requests. |
ingress.hosts[0].paths[0].pathType | string | "Prefix" | Specifies the path type. |
ingress.tls | list | [] | Defines TLS configurations, expressed in the following format: [{"hosts":["some-host"], "secretName":"some-name"}] |
ingressScim.annotations | object | {} | Specifies annotations to add to the SCIM Ingress resource. |
ingressScim.className | string | "" | Identifies the SCIM Ingress resource class name. |
ingressScim.enabled | bool | false | Indicates whether to enable the SCIM Ingress. |
ingressScim.hosts[0] | object | {"host":"ssc-scim.local","paths":[{"path":"/api/scim/v2","pathType":"Exact"}]} | Specifies the hostname through which to accept SCIM requests. |
ingressScim.hosts[0].paths[0] | object | {"path":"/api/scim/v2","pathType":"Exact"} | Specifies the path through which to accept SCIM requests. |
ingressScim.hosts[0].paths[0].pathType | string | "Exact" | Specifies the path type. |
ingressScim.tls | list | [] | Defines TLS configurations, expressed in the following format: [{"hosts":["some-host"], "secretName":"some-name"}] |
jvmExtraOptions | string | "" | Specifies a set of additional options passed to the Java process. |
jvmMaxRAMPercentage | int | 86 | Specifies the percentage of the memory limit to be used for the JVM heap. |
ldaps.enable | bool | false | Indicates whether to enable external LDAP. |
nameOverride | string | ssc | Overrides the name of this chart. |
nodeSelector | pod.nodeSelector | {"kubernetes.io/arch":"amd64","kubernetes.io/os":"linux"} | Defines node selection constraint configurations to add to the pods. |
persistentVolumeClaim.selector | object | {} | Specifies the Kubernetes PersistentVolumeClaim selector. |
persistentVolumeClaim.storageClassName | string | "" | Specifies the storage class name used for the persistent volume. |
podAnnotations | pod.annotations | {} | Defines annotations to add to the pods. |
resources.limits.cpu | int | 8 | Defines the CPU limit granted to the pod. |
resources.limits.memory | string | "28Gi" | Defines the memory limit granted to the pod. |
resources.requests.cpu | int | 1 | Defines the initial CPU request for the pod. |
resources.requests.memory | string | "7Gi" | Defines the initial memory request for the pod. |
saml.enable | bool | false | Indicates whether to enable external SAML. |
secretRef.keys.httpTruststoreFileEntry | string | "" | Specifies the key name for a truststore used by client certificate verification. |
secretRef.keys.httpTruststorePasswordEntry | string | "" | Specifies the key name for the password of the client certificate verification truststore. |
secretRef.keys.idpCertificateEntry | string | "" | Specifies the key name for the IdP certificate. Required if SAML is enabled. |
secretRef.keys.jvmTruststoreFileEntry | string | "" | Specifies the key name for a JVM truststore. |
secretRef.keys.jvmTruststorePasswordEntry | string | "" | Specifies the key name for the password of the JVM truststore. |
secretRef.keys.sscSecretKeyEntry | string | "" | Specifies the key name for an SSC secret.key file. |
service.annotations | object | {} | Specifies the map of annotations applied to the service. |
service.clusterIP | string | "" | Specifies a fixed service cluster IP address. If empty, Kubernetes assigns a value. |
service.httpPort | int | 80 | Specifies the port to expose for HTTP calls. |
service.httpsPort | int | 443 | Specifies the port to expose for HTTPS calls. |
service.loadBalancerIP | string | "" | Specifies a fixed load balancer IP address. If empty, the Kubernetes cloud provider assigns a value. |
service.type | string | "ClusterIP" | Specifies the type of Service to use. |
sscPathPrefix | string | "/" | Specifies the URL path prefix under which the Software Security Center application is accessed. |
tolerations | pod.tolerations | [] | Defines Toleration configurations to add to the pod(s). |
urlPort | int | 0 | Specifies the HTTPS port for externally accessing the application. If zero, the value of service.httpsPort is used instead. |
user | pod.securityContext | {"gid":0,"uid":1111} | Defines security context configurations to add to the pods. |
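As an added illustration (not taken from the OpenText documentation or shipped with the chart), the following values.yaml override shows how several of the keys above combine for an Ingress-fronted deployment with TLS terminated by the Ingress controller, optional client certificate verification backed by a dedicated truststore, and the secret key names used earlier in this document. The hostname ssc.example.internal, the ingress class nginx, the TLS secret ssc-tls and the truststore key names httpTruststore.jks and httpTruststorePassword are placeholders chosen for this example, and the truststore entries are assumed to have been added to ssc-secret separately.

```yaml
# Added example values.yaml override; hostnames, ingress class and the
# truststore/TLS names are placeholders, not values defined by the chart.
urlHost: ssc.example.internal            # fully qualified external DNS name (required)
imagePullSecrets:
  - name: docker.io                      # the image pull secret created with kubectl earlier
secretRef:
  name: ssc-secret
  keys:
    sscLicenseEntry: fortify-license.txt
    sscAutoconfigEntry: ssc.autoconfig.tpl
    httpCertificateKeystoreFileEntry: httpKeystore.jks
    httpCertificateKeystorePasswordEntry: httpCertificateKeystorePassword
    httpCertificateKeyPasswordEntry: httpCertificateKeyPassword
    httpTruststoreFileEntry: httpTruststore.jks          # assumed extra entry in ssc-secret
    httpTruststorePasswordEntry: httpTruststorePassword  # assumed extra entry in ssc-secret
httpClientCertificateVerification: optional   # one of "none", "optional", "required"
ingress:
  enabled: true
  className: nginx                       # assumed ingress class; use your cluster's
  hosts:
    - host: ssc.example.internal
      paths:
        - path: /
          pathType: Prefix
  tls:
    - hosts:
        - ssc.example.internal
      secretName: ssc-tls                # placeholder TLS secret managed outside the chart
service:
  type: ClusterIP                        # the Ingress reaches the service inside the cluster
```

Pass the file with `helm install <release-name> oci://registry-1.docker.io/fortifydocker/helm-ssc --version <ssc-helm-chart-version> -f values.yaml`; because urlHost and the Ingress host are the same name, links that Software Security Center generates match the address users reach it through.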