Deploying WISE in Kubernetes
The WebInspect script engine (WISE) is a Docker container that provides a remote script server client for the Fortify WebInspect sensor.
Important! We recommend that the WISE cluster be deployed only by users who have experience configuring and managing Kubernetes clusters.
Before You Begin
Ensure that you have downloaded and configured the prerequisite software. For more information, see Downloading kubectl and Helm.
The wise-cluster-24.2.tgz file that you use to install WISE is included in the Fortify Software Security Center download package. It is packaged in a ZIP file named Dynamic_Addons.zip. You can find this ZIP file in the directory where you downloaded the Fortify Software Security Center installation package.
Additionally, ensure that you have deployed the Kubernetes Metrics Server to handle horizontal auto scaling for the Kubernetes WISE pods. For more information, see Deploying the Kubernetes Metrics Server.
Using the Default Parameters
To deploy the WISE cluster in Kubernetes using the default parameters:
-
On the machine where the kubectl client and Helm are installed, enter the following in PowerShell:
helm install wi-script-engine wise-cluster-24.2.tgz
Viewing the Default Parameters
To view the default parameters in the TGZ file:
-
Enter the following in PowerShell:
helm show values wise-cluster-24.2.tgzYou should see a response similar to the following:
# Default values for wise-cluster. # This is a YAML-formatted file. # Declare variables to be passed into wise-cluster templates. wise: authtoken: "" nodeSelector: "" replicas: min: 2 max: 10 autoscale: true cpu: cores: "4" ingress: host: "wise-cluster" image: repository: "fortifydocker/wise" tag: "24.2.ubuntu.2204" pull: policy: IfNotPresent secret: wise-regcred registry: "https://index.docker.io/v1/" username: "" password: ""
Overriding the Default Parameters
To override any of the default values, use the --set command with the parameter name and desired value for each parameter to override as shown in the following example:
helm install wi-script-engine wise-cluster-24.2.tgz `
--set wise.image.pull.registry=<container_registry> `
--set wise.image.repository=fortifydocker/wise `
--set wise.image.pull.username=<username> `
--set wise.image.pull.password=<password> `
--set wise.image.tag=<tagname> `
--set wise.replicas.min=2 `
--set wise.ingress.host=<hostname> `
--set wise.authtoken=<token>
Tip: For Helm in PowerShell, the backtick character (`) at the end of each line is the new line character. For Helm in Linux, the backslash character (\) is the new line character.
Installing WISE Into a Kubernetes Namespace
By default, the helm install wi-script-engine... command installs WISE into the Kubernetes default namespace. If your organization uses Kubernetes namespaces, you can create a new namespace and install WISE into it, or install WISE into an existing namespace.
Important! If you install WISE into a specific namespace, then all kubectl and Helm commands for managing the WISE installation must contain --namespace=<wise_namespace>. For example:
helm ls --namespace=<wise_namespace> kubectl get po --namespace=<wise_namespace>
To create a namespace and install WISE:
-
Add the following command to the
helm install...command, either before or after the--setcommands:--create-namespace --namespace=<wise_namespace> `
The namespace is created and WISE is installed into it.
You can also view a list of your existing namespaces and choose a namespace for your WISE installation.
To view existing namespaces:
-
Enter the following in PowerShell:
kubectl get ns
You should see a response similar to the following:
NAME STATUS AGE default Active 54d ingress-controller Active 54d kube-node-lease Active 54d kube-public Active 54d kube-system Active 54d
To install WISE into an existing namespace:
-
Add the following command to the
helm install...command, either before or after the--setcommands:--namespace=<wise_namespace> `
Understanding the Parameters for WISE Deployment
The following table describes the parameters that are used to deploy the WISE cluster.
| Parameter | Description |
|---|---|
wise.image.pull.registry
|
Optionally, specifies the Docker registry for a private repository. For example, if you use Azure and have created an Azure container registry to keep images that will be used in your Azure Kubernetes installation, you might specify something similar to myreg.azurecr.io. |
wise.image.pull.username
|
Identifies the Docker repository username used to pull the WISE image. |
wise.image.pull.password
|
Identifies the Docker repository password used to pull the WISE image. |
wise.image.repository
|
Specifies the Fortify Docker repository from which to pull the WISE image. This is Note: If you use a private repository, you might specify something similar to |
wise.image.tag
|
Specifies the WISE Docker image build and the operating system on which it was built. |
wise.replicas.min
|
Indicates the minimal number of WISE Kubernetes pods that will be started. Consider the following facts when configuring this parameter:
|
wise.ingress.host
|
Specifies the ingress virtual wise cluster hostname. Important! You can use any hostname value, but you must configure your DNS server or the hostfile on your Fortify WebInspect sensor client box to associate it with the IP address of the Kubernetes node that runs the HAProxy ingress. |
wise.authtoken
|
Optionally, specifies authentication for the WISE cluster. If the authtoken is configured, then Fortify WebInspect sensor clients will be required to provide an authtoken. Tip: Make note of this token. You must enter it when configuring your sensor pools for scan scaling. |
Uninstalling WISE
To uninstall WISE:
-
Enter the following in PowerShell:
helm uninstall wi-script-engine