About deploying Application Security in Kubernetes
You can configure and use the helm-ssc Helm chart for complete Application Security container orchestration in Kubernetes. You can find this Helm chart at https://hub.docker.com/r/fortifydocker/helm-ssc.
Helm charts might not be available immediately after product release. When Helm charts for the current release are available, Helm chart documentation will be available on the Application Security Documentation website.
For steps to prepare for and perform an Application Security Kubernetes deployment, refer to Deploying_SSC_in_Kubernetes_25.4.0.html.
For information about supported versions of the required software, see the Application Security Software System Requirements (optional) document.
Deploying Application Security to a Kubernetes cluster
You can deploy Application Security in an environment with internet access, or in an air-gapped environment. To deploy the application in an environment with internet access, you can pull the Application Security Docker image (fortifydocker/ssc-webapp) from the Docker Hub registry. If you must deploy the application in an air-gapped environment, you must use a private registry for the deployment and transfer the Application Security container image to it.
For an air-gapped deployment, you must push the Application Security container image to a private registry that is accessible from your Kubernetes cluster.
To deploy Application Security to a Kubernetes cluster:
- Create a Docker Hub account, and then supply your account name to Customer Support.
  Customer Support can give you access to the Fortify Docker repository.
  To request access to the Application Security Docker image published in the Fortify Docker repository, send an email with the following information to mfi-fortifydocker@opentext.com:
  - First Name
  - Last Name
  - Company Name
  - Docker ID
  - Customer ID
- (For an air-gapped installation, or a private registry. A running Docker server and Docker client are assumed to be in place.) Transfer the Application Security container image to your private registry, as follows:
  - Log in to the Docker Hub using docker login.
  - Log in to your private registry using docker login <priv_reg_host_and_port>, where <priv_reg_host_and_port> represents the host and port of your private registry.
  - Transfer the Application Security container image, as follows:
    - docker pull "fortifydocker/ssc-webapp:<tag>"
    - docker tag "fortifydocker/ssc-webapp:<tag>" "<priv_reg_host_and_port>/<priv_reg_path>/ssc-webapp:<tag>"
    - docker push "<priv_reg_host_and_port>/<priv_reg_path>/ssc-webapp:<tag>"
    To determine the value to use for <tag>, go to the <ssc_helm_dir> directory and open the ssc-<chart_version>+<ssc_version>.tgz file. Use the <ssc_version> value (tag for the latest published image build) from the TGZ file name.
    There are also tags for exact image builds in the format <ssc_version>.<imageBuildNumber>. You can list available image tags in the Docker Hub. If you use <imageBuildNumber>, you must specify it in the image.buildNumber Helm chart value.
    The image name (ssc-webapp) and the tag (<tag>) value must stay the same.
- Enter <priv_reg_host_and_port>/<priv_reg_path>/ as the value for the image.repositoryPrefix parameter in the <ssc_helm_dir>/ssc-values.yaml file.
  The value you specify for the image.repositoryPrefix parameter must include a trailing forward slash (/).
- If you want to use the exact image build tag, enter the <imageBuildNumber> value as the value for the image.buildNumber parameter. Otherwise, leave it empty.
- Provision a Kubernetes secret for pulling images from the registry (Docker Hub or private registry). For instructions, see https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry and enter the secret name as the value for the imagePullSecrets parameter in the <ssc_helm_dir>/ssc-values.yaml file. If the secret is regcred, then the format is:
    imagePullSecrets:
    - name: regcred
  The imagePullSecrets value is required for access to the Docker Hub registry. If you have a private registry that can be accessed without credentials, then there is no need to specify imagePullSecrets.
- (Optional) Prepare a secret.key file to encrypt sensitive data.
  - If you are deploying Application Security for the first time, you must locate the password tool in the bin directory of the standard distribution and run the following command to generate a new keystore:
      <ssc_distribution_dir>/bin pwtool secret.key
    A new secret.key file is generated.
    Press Enter and type a string for encryption.
  - If you are migrating a non-containerized Application Security to a Kubernetes cluster, locate your existing secret.key in the following directory:
      <fortify.home>/<app_context>/conf
    For more information on the secret.key location, see About the <fortify.home> Directory.
- Enter any other required parameters to the values.yaml file.
  - The urlHost must contain the fully-qualified DNS name intended for accessing Application Security. The address for accessing the Application Security installation is https://<hostname>:<service.httpsPort>/<sscPathPrefix>. For example, https://ssc.example.com:443/ssc. If the port is 443, you can omit it from the URL (https://ssc.example.com/ssc).
  - For ease of use, OpenText recommends that you set the service.type parameter to LoadBalancer.
  - To apply changes to the Application Security secret referenced by secretRef.name, you must manually remove the ssc-webapp pod (it is later automatically re-created).
  If necessary, you can change most values you specify for parameters in the values.yaml file later, and then redeploy Application Security to implement the changes. Depending on the Kubernetes cluster, the exception might be parameters for a persistentVolumeClaim.
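The image transfer and registry-value steps above, as an added example that is not part of the product documentation: a shell helper that derives <tag> from the chart file name, normalises image.repositoryPrefix so it ends in a slash, and prints the docker commands without running them. The function names are hypothetical, and chart version 1.2.3, registry registry.example.internal:5000, path fortify and build number 0042 are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the product documentation): derive the image tag and
# image.repositoryPrefix for a private-registry transfer. Sample names are constructed.

# Print <ssc_version> from a chart file named ssc-<chart_version>+<ssc_version>.tgz.
ssc_version_from_chart() {
  base="${1##*/}"
  case "$base" in
    ssc-*+*.tgz) ;;
    *) echo "unexpected chart file name: $base" >&2; return 1 ;;
  esac
  base="${base%.tgz}"
  printf '%s\n' "${base#*+}"
}

# Print the image tag: <ssc_version>, or <ssc_version>.<imageBuildNumber> for an exact build.
ssc_image_tag() {
  if [ -n "${2:-}" ]; then printf '%s.%s\n' "$1" "$2"; else printf '%s\n' "$1"; fi
}

# Print image.repositoryPrefix with the required single trailing slash.
ssc_repo_prefix() {
  host="${1%/}"; path="${2#/}"; path="${path%/}"
  printf '%s/\n' "${host}${path:+/$path}"
}

# Print the transfer commands and the values to enter in ssc-values.yaml.
# Arguments: chart_file registry_host_port registry_path [image_build_number]
ssc_mirror_plan() {
  ver="$(ssc_version_from_chart "$1")" || return 1
  tag="$(ssc_image_tag "$ver" "${4:-}")"
  prefix="$(ssc_repo_prefix "$2" "$3")"
  src="fortifydocker/ssc-webapp:$tag"
  dst="${prefix}ssc-webapp:$tag"      # image name and tag stay the same
  printf 'docker pull "%s"\n' "$src"
  printf 'docker tag "%s" "%s"\n' "$src" "$dst"
  printf 'docker push "%s"\n' "$dst"
  printf 'image.repositoryPrefix=%s\n' "$prefix"
  printf 'image.buildNumber=%s\n' "${4:-}"
}

# Constructed inputs: chart version, registry host, path and build number are placeholders.
ssc_mirror_plan "ssc-1.2.3+25.4.0.tgz" "registry.example.internal:5000" "fortify/" "0042"
```

Review the printed commands before running them; the last two lines are the values for image.repositoryPrefix and image.buildNumber.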
Customizing the Tomcat access logs
To change the default format for Tomcat access logs on the ssc-webapp container image, set the HTTP_SERVER_ACCESS_LOG_PATTERN environment variable to the Tomcat Access Log Valve pattern. For information about the patterns supported, see the Apache Tomcat Configuration Reference website.
You can use the environment Helm chart value, as shown in the following example:
environment:
- name: HTTP_SERVER_ACCESS_LOG_PATTERN
  value: '%h %l %u %t "%r" %s %b'
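What the pattern shown above gives a log consumer, as an added example that is not part of the product documentation: a shell function that counts 401 and 403 responses per remote host in lines written with '%h %l %u %t "%r" %s %b'. The function names, log lines, addresses, user name and request paths are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag clients with repeated 401/403 responses in access-log lines
# written with the pattern '%h %l %u %t "%r" %s %b'. The log lines are constructed.

# Reads log lines on stdin; prints "<host> <count>" for each host with at least
# $1 (default 3) denied requests. Splitting on the double quotes keeps spaces
# inside the request line from shifting the status field.
denied_by_host() {
  awk -F'"' -v min="${1:-3}" '
    NF >= 3 {
      split($1, pre, " ")      # pre[1] is %h, the remote host
      split($3, post, " ")     # post[1] is %s, the status; post[2] is %b
      if (post[1] == 401 || post[1] == 403) denied[pre[1]]++
    }
    END { for (h in denied) if (denied[h] >= min) print h, denied[h] }
  ' | sort
}

# Constructed sample input in the pattern above.
sample_log() {
  cat <<'EOF'
198.51.100.7 - - [12/Jan/2026:10:01:02 +0000] "POST /ssc/login HTTP/1.1" 401 512
198.51.100.7 - - [12/Jan/2026:10:01:03 +0000] "POST /ssc/login HTTP/1.1" 401 512
192.0.2.10 - alice [12/Jan/2026:10:01:05 +0000] "GET /ssc/ HTTP/1.1" 200 1043
198.51.100.7 - - [12/Jan/2026:10:01:06 +0000] "POST /ssc/login HTTP/1.1" 401 512
192.0.2.10 - alice [12/Jan/2026:10:02:11 +0000] "GET /ssc/admin page HTTP/1.1" 403 -
EOF
}

sample_log | denied_by_host 3
```

The field positions depend on the pattern, so a parser like this must change together with any new HTTP_SERVER_ACCESS_LOG_PATTERN value.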
Troubleshooting deployment to a Kubernetes cluster
This section provides troubleshooting tips if you encounter errors during an attempted deployment.
If the deployment crashes during the installation phase, run:
kubectl describe pod <pod_name>
To display logs after installation, run:
kubectl logs <pod_name> -f
To view the status of pods running on your cluster (Pending, Running, Succeeded, Failed, or Unknown), run:
kubectl get pods
If no pods are running, the interactive environment is still reloading its previous state. Wait for several seconds, and then run kubectl get pods again. After you see the pod running, continue.
To see a list of all services, the assigned IPs (cluster and external) and ports, run:
kubectl get services
To list the names of the installations deployed by Helm, run:
helm list
To get values/configuration for a specific deployment installed by helm, run:
helm get values <installation_name>
To see information about the volume being mounted or to see whether the image was pulled successfully or not (if, for example, the wrong credentials were provided), run:
kubectl describe --help
If everything looks fine, but Application Security does not run as expected, and logs alone do not provide enough information, run the following to inspect the container file system, check the state of the environment, and perform advanced debugging tasks:
kubectl exec -it <pod_name> -- bash
This enables you to interactively browse the container, print other internal logs (Tomcat or Application Security itself), and run other commands.
For a visual guide to troubleshooting your deployment, see A visual guide on troubleshooting Kubernetes deployments. For guidance on debugging common containerized application issues, see Troubleshooting Applications.