Deploying ScanCentral DAST in Kubernetes

This document describes how to configure and use the scancentral-dast-core 24.4 Helm charts for complete ScanCentral DAST core container orchestration in Kubernetes. You can find the ScanCentral DAST Helm charts at https://hub.docker.com/r/fortifydocker/helm-scancentral-dast-core

Kubernetes Versions

These charts have been tested using the following Kubernetes versions:

Tool Prerequisites

These instructions were written and tested using the following tool versions. It is recommended that the same tool versions be used in order to avoid unpredictable results.

Installation

The following instructions are for example purposes and are based on a default Kubernetes environment running under Linux, using the default namespace. Windows systems may require different syntax for certain commands and other Kubernetes Cluster providers may require additional/different configurations. Your Kubernetes administrator may require the use of specific namespaces and/or other configuration adjustments.

Installation Prerequisites

Installation Steps

  1. Creating a LIM secret in Kubernetes
  2. Storing database credentials in Kubernetes
  3. Generating a service account token
  4. Configuring Fortify Software Security Center credentials
  5. Prepare service SSL certificates
  6. Creating an image pull secret
  7. Installing the Fortify ScanCentral DAST core components
  8. Special considerations for testing environments

Creating a LIM secret in Kubernetes

The LIM secret is required for retrieving a license seat for the scanner. To create a LIM secret:

  1. Ensure that the LIM is running within the cluster, the LIM is activated, and a Fortify WebInspect license is added to a license pool in the LIM.

  2. Use the kubectl create secret command, as shown in the following code sample, with the license pool information you defined in the LIM to create a secret in the namespace where you intend to install Fortify ScanCentral DAST:

    kubectl create secret generic lim-pool \
     --type='basic-auth' \
     --from-literal=username=<lim license pool name> \
     --from-literal=password=<lim license pool password>
  3. Ensure that you have the name of the administrative secret used for LIM. You must provide this to the Helm chart. Note: By default, the LIM names this secret lim-admin-credentials.

Storing database credentials in Kubernetes

Database credentials are required to access the Fortify ScanCentral DAST database. To store the database credentials in Kubernetes:

  1. Create or obtain the credentials for a DBO-level account as described in Database settings within the Fortify ScanCentral DAST documentation.

  2. Use the kubectl create secret command, as shown in the following code sample, with the credentials from the previous step to create a secret for the DBO-level account in the namespace where you intend to install Fortify ScanCentral DAST:

    kubectl create secret generic scdast-db-owner \
     --type='basic-auth' \
     --from-literal=username=<DBO username> \
     --from-literal=password=<DBO password>
  3. Create or obtain the credentials to a standard account as described in Database settings within the Fortify ScanCentral DAST documentation.

  4. Use the kubectl create secret command, as shown in the following code sample, with the credentials from the previous step to create a secret for the standard account in the namespace where you intend to install Fortify ScanCentral DAST:

    kubectl create secret generic scdast-db-standard \
     --type='basic-auth' \
     --from-literal=username=<standard account username> \
     --from-literal=password=<standard account password>

Generating a service account token

You must generate a service account token (or shared secret) as described in Miscellaneous DAST settings within the Fortify ScanCentral DAST documentation.

Configuring Fortify Software Security Center credentials

You must configure Fortify Software Security Center credentials for the connection between Fortify ScanCentral DAST and Fortify Software Security Center. To configure Fortify Software Security Center credentials:

  1. Create or obtain the service account credentials for Fortify Software Security Center as described in SSC settings within the Fortify ScanCentral DAST documentation.

  2. Use the kubectl create secret command, as shown in the following code sample, with the credentials from the previous step to create a secret in the namespace where you intend to install Fortify ScanCentral DAST:

    kubectl create secret generic scdast-ssc-serviceaccount \
     --type='basic-auth' \
     --from-literal=username=<SSC username> \
     --from-literal=password=<SSC password>

Prepare service SSL certificates

Optionally, you can generate SSL certificates for the DAST API service and DAST Utility Service to ensure that components communicate with one another using SSL. These certificates do not affect ingress resources. Certificates must be in PFX format. You can use the kubectl create secret command to create these certificate secrets from the PFX files and passwords generated by your internal trusted PKI services. For more information, see DAST API SSL settings and Utility Service SSL settings within the Fortify ScanCentral DAST documentation.

To prepare the DAST API service certificate:

  1. Generate a random password using openssl.

    API_SERVER_CERT_PWD="$(openssl rand -base64 32)"
  2. Create a certificate using openssl.

    openssl req -newkey rsa:2048 -new -nodes -x509 -days 3650 -keyout /tmp/api-server-key.pem -out /tmp/api-server-cert.pem -subj "/C=CA/ST=Ontario/L=Waterloo/O=YourCompany/OU=IT"
  3. Create a PKCS12 certificate.

    openssl pkcs12 -export -out /tmp/api-server-cert.pfx -inkey /tmp/api-server-key.pem -in /tmp/api-server-cert.pem  -passout "pass:${API_SERVER_CERT_PWD}"
  4. Create a Kubernetes secret for the api-server-certificate.

    kubectl create secret generic api-server-certificate --type=Opaque --from-file=tls.pfx=/tmp/api-server-cert.pfx
  5. Create a Kubernetes secret for the api-server-certificate-password.

    kubectl create secret generic api-server-certificate-password --type=Opaque --from-literal=password="${API_SERVER_CERT_PWD}"
  6. Remove the temporary files.

    rm /tmp/api-server-key.pem /tmp/api-server-cert.pem /tmp/api-server-cert.pfx
  7. Unset the environment variables.

    unset API_SERVER_CERT_PWD

To prepare the DAST Utility Service certificate:

  1. Generate a random password using openssl.

    UTILITYSERVICE_SERVER_CERT_PWD="$(openssl rand -base64 32)"
  2. Create a certificate using openssl.

    openssl req -newkey rsa:2048 -new -nodes -x509 -days 3650 -keyout /tmp/utilityservice-server-key.pem -out /tmp/utilityservice-server-cert.pem -subj "/C=CA/ST=Ontario/L=Waterloo/O=YourCompany/OU=IT"
  3. Create a PKCS12 certificate.

    openssl pkcs12 -export -out /tmp/utilityservice-server-cert.pfx -inkey /tmp/utilityservice-server-key.pem -in /tmp/utilityservice-server-cert.pem  -passout "pass:${UTILITYSERVICE_SERVER_CERT_PWD}"
  4. Create a Kubernetes secret for the utilityservice-server-certificate.

    kubectl create secret generic utilityservice-server-certificate --type=Opaque --from-file=tls.pfx=/tmp/utilityservice-server-cert.pfx 
  5. Create a Kubernetes secret for the utilityservice-server-certificate-password.

    kubectl create secret generic utilityservice-server-certificate-password --type=Opaque --from-literal=password="${UTILITYSERVICE_SERVER_CERT_PWD}"
  6. Remove the temporary files.

    rm /tmp/utilityservice-server-key.pem /tmp/utilityservice-server-cert.pem /tmp/utilityservice-server-cert.pfx
  7. Unset the environment variables.

    unset UTILITYSERVICE_SERVER_CERT_PWD
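
The two certificate procedures above, combined into one script as an added example (not part of the Fortify documentation). It works in a private mktemp directory rather than directly in /tmp, passes the PFX password through a file instead of a pass: argument or --from-literal so it never appears in the process list, and verifies that the PFX opens before the secrets are created. The function names and the .pwd file are assumptions of this example; the secret names are the ones used on this page.

```shell
#!/bin/sh
# Added example: hardened variant of the PFX preparation steps on this page.
# make_service_pfx and publish_service_cert are hypothetical helper names.

# make_service_pfx <name> <dir>
# Writes <dir>/<name>-key.pem, <dir>/<name>-cert.pem, <dir>/<name>.pfx and
# <dir>/<name>.pwd, all readable by the current user only.
make_service_pfx() {
  name=$1
  dir=$2
  (
    umask 077   # private key and password file are created with mode 0600

    # Random password, stored without a trailing newline so the value later
    # loaded into the Kubernetes secret is exactly the PFX password.
    openssl rand -base64 32 | tr -d '\n' > "$dir/$name.pwd" &&

    # Self-signed certificate, same subject and lifetime as the steps above.
    openssl req -newkey rsa:2048 -nodes -x509 -days 3650 \
      -keyout "$dir/$name-key.pem" -out "$dir/$name-cert.pem" \
      -subj "/C=CA/ST=Ontario/L=Waterloo/O=YourCompany/OU=IT" &&

    # file: keeps the password out of the command line (pass: is visible in ps).
    openssl pkcs12 -export -out "$dir/$name.pfx" \
      -inkey "$dir/$name-key.pem" -in "$dir/$name-cert.pem" \
      -passout "file:$dir/$name.pwd" &&

    # Fail here, not at pod start-up, if the bundle does not open.
    openssl pkcs12 -in "$dir/$name.pfx" -passin "file:$dir/$name.pwd" -noout
  )
}

# publish_service_cert <namespace> <name>
# <name> is api-server or utilityservice-server, which yields the secret
# names <name>-certificate and <name>-certificate-password used on this page.
publish_service_cert() {
  ns=$1
  name=$2
  rc=0
  work=$(mktemp -d) || return 1   # mode 0700 directory, unpredictable name

  make_service_pfx "$name" "$work" &&
    kubectl -n "$ns" create secret generic "$name-certificate" \
      --type=Opaque --from-file=tls.pfx="$work/$name.pfx" &&
    kubectl -n "$ns" create secret generic "$name-certificate-password" \
      --type=Opaque --from-file=password="$work/$name.pwd" || rc=$?

  rm -rf "$work"   # key material is removed whether or not the steps succeeded
  return "$rc"
}

# Usage (run against your cluster):
#   publish_service_cert default api-server
#   publish_service_cert default utilityservice-server
```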

Creating an image pull secret

By default, the Fortify ScanCentral DAST core helm chart references its images directly from DockerHub. For Kubernetes to properly install your images using the default configuration, you must create an image pull secret and store it in your installation namespace in Kubernetes. If you are replicating these images to a local repository, you can skip this task and update the relevant image values in the Helm chart to reference your local repository. To create an image pull secret:

Installing the Fortify ScanCentral DAST core components

The following command installs the Fortify ScanCentral DAST core components using the recommended defaults for all services. In some cases, you might need to customize these values using the Helm --set parameter or by creating a values.yaml override file and passing it to the command line with the Helm -f flag. For more information about the values you can override, see the core components Helm chart values.

Tip: To find the available SC DAST 24.4 helm chart version, go to https://hub.docker.com/r/fortifydocker/helm-scancentral-dast-core/tags.

Note: These example values assume a database type of 'MS-SQL', with secrets named the same as the previous examples. If these values are different, then you must update the following command line accordingly.

# Before running, update these placeholder values:
#   appsettings.lIMSettings.limUrl         - your LIM host/port
#   appsettings.sSCSettings.sSCRootUrl     - your SSC host path
#   appsettings.databaseSettings.server    - the name of the database server
helm upgrade -i scdast-core oci://registry-1.docker.io/fortifydocker/helm-scancentral-dast-core --version <chart version> --timeout 60m \
 --set 'imagePullSecrets[0].name=docker-registry' \
 --set appsettings.lIMSettings.limUrl="<https url to LIM service>" \
 --set appsettings.sSCSettings.sSCRootUrl="<ssc root URL>" \
 --set appsettings.databaseSettings.server="<Name of the database server>" \
 --set database.dboLevelAccountCredentialsSecret=scdast-db-owner \
 --set database.standardAccountCredentialsSecret=scdast-db-standard \
 --set sscServiceAccountSecretName=scdast-ssc-serviceaccount \
 --set serviceTokenSecretName=scdast-service-token \
 --set limServiceAccountSecretName=lim-admin-credentials \
 --set limDefaultPoolSecretName=lim-pool \
 --set api.certificate.certificateSecretName=api-server-certificate \
 --set api.certificate.certificatePasswordSecretName=api-server-certificate-password \
 --set utilityService.certificate.certificateSecretName=utilityservice-server-certificate \
 --set utilityService.certificate.certificatePasswordSecretName=utilityservice-server-certificate-password

In the previous code sample, the appsettings.lIMSettings.limUrl value is in the format https://<lim-server-url>:<port>. The appsettings.sSCSettings.sSCRootUrl value is in the format https://<ssc-server-url>:<port>/ssc.
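
A pre-flight check for the install command, as an added example (not part of the Fortify documentation): it confirms that every secret the command references exists in the target namespace and carries the expected key, without printing any secret value. The secret and key names come from the examples and the Values defaults on this page; the username/password keys for lim-admin-credentials and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example: verify the secrets referenced by the helm command before installing.
# One line per secret: <secret name> <required key> [<required key> ...]
REQUIRED_SECRETS='
lim-pool username password
lim-admin-credentials username password
scdast-db-owner username password
scdast-db-standard username password
scdast-ssc-serviceaccount username password
scdast-service-token service-token
api-server-certificate tls.pfx
api-server-certificate-password password
utilityservice-server-certificate tls.pfx
utilityservice-server-certificate-password password
'

# secret_has_key <namespace> <secret> <key>
# Succeeds only if the secret exists and the key holds a non-empty value.
secret_has_key() {
  # Dots inside a key name (tls.pfx) must be escaped in a kubectl jsonpath.
  jp_key=$(printf '%s' "$3" | sed 's/\./\\./g')
  # The value is captured only to test for emptiness; it is never echoed.
  value=$(kubectl -n "$1" get secret "$2" -o "jsonpath={.data.$jp_key}" 2>/dev/null) || return 1
  [ -n "$value" ]
}

# check_scdast_secrets <namespace>
# Reports every missing secret or key on stderr; succeeds only if none are missing.
check_scdast_secrets() {
  ns=$1
  missing=0
  while read -r name keys; do
    [ -n "$name" ] || continue        # skip the blank lines in the list
    for key in $keys; do
      if ! secret_has_key "$ns" "$name" "$key"; then
        echo "MISSING: secret/$name key '$key' in namespace $ns" >&2
        missing=$((missing + 1))
      fi
    done
  done <<EOF
$REQUIRED_SECRETS
EOF
  [ "$missing" -eq 0 ]
}

# Usage (run against your cluster, then proceed to helm upgrade -i):
#   check_scdast_secrets default && echo "all referenced secrets are present"
```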

Special considerations for testing environments (core components)

By default, the Helm chart defines the container resource/requests based on recommended best-practice values intended to prevent performance issues and unexpected Kubernetes evictions of containers and pods. These values are often too large for a small test environment that does not require the same level of resources.

To disable these settings, paste the values below into a file called "resource_override.yaml" and add it to the install command line with the -f flag (e.g. -f resource_override.yaml).

WARNING: Using the following settings in production is not supported and will lead to unstable behavior.

# Set all Kubernetes resources except for the datastores to best-effort mode (no resource requirements)
# DO NOT null out the resource configuration for the 'datastore' containers, this will result in unexpected evictions due to how that service allocates memory.
api:
  resources: null

globalService:
  resources: null
 
utilityService:
  resources: 
    requests:
      cpu: null
      memory: null
    limits:
      cpu: null
      memory: null

twofactorauth:
  resources: null

fortifyConnectServer:
  resources: null

upgradejob:
  resources: null
  prepJob:
    resources: null

Upgrade

Upgrade helm-scancentral-dast-core chart from previous releases to version 24.4.

Preparing for Upgrade

This release of the ScanCentral DAST helm chart has many changes that are not compatible with the previous chart. However, because all of the state for ScanCentral DAST is stored in the database, no data will be lost.

Perform the upgrade

  1. Remove the previous Fortify ScanCentral DAST helm deployment. If you do not remember the release name, you can find it using the following example command:

    helm -n <scancentral namespace> list
  2. After you have identified the previous Fortify ScanCentral DAST installation, use the following command to uninstall the helm chart:

    helm -n <scancentral namespace> uninstall <release name>
  3. Now perform the steps listed in Installation.

Values

The following values are exposed by the Helm Chart. Unless specified as Required, values should only be overridden as made necessary by your specific environment.

Required

Key Type Default Description
api.certificate.certificatePasswordSecretName Opaque
""
Specifies the name of the Secret hosting the server certificate password.
api.certificate.certificateSecretName Opaque
""
Specifies the name of the Secret hosting the server certificate value.
appsettings.databaseSettings.server string
""
Specifies the name of the database server.
appsettings.lIMSettings.limUrl string
""
Specifies the URL to reach LIM.
appsettings.sSCSettings.sSCRootUrl string
"http://ssc"
Specifies the Root URL for connecting to SSC
database.dboLevelAccountCredentialsSecret kubernetes.io/basic-auth
""
Specifies the name of the secret hosting Database Owner Level Account credentials.
limDefaultPoolSecretName kubernetes.io/basic-auth
""
Specifies the name of the secret hosting the LIM license pool credentials.
limServiceAccountSecretName kubernetes.io/basic-auth
""
Specifies the name of the secret hosting the LIM Service Account credentials.
serviceTokenSecretName Opaque
""
Specifies the name of the secret hosting the Service Token.
sscServiceAccountSecretName kubernetes.io/basic-auth
""
Specifies the name of the secret hosting the Fortify Software Security Center Service Account credentials.
utilityService.certificate.certificatePasswordSecretName Opaque
""
Specifies the name of the Secret hosting the server certificate password.
utilityService.certificate.certificateSecretName Opaque
""
Specifies the name of the Secret hosting the server certificate value.

Other Values

Key Type Default Description
allowScanScaling bool
false
Enables API and GlobalService Kubernetes roles for Sensor Auto Scaling/Scan Scaling. Caution! Setting to 'true' allows arbitrary Kubernetes YAML to be installed from the UI. Ensure that this function in the UI is appropriately restricted to authorized personnel before enabling.
api.additionalEnvironmentVariables list
[]
Defines any additional environment variables to add to the Pod.
api.affinity pod.affinity
{}
Defines Node Affinity configurations to add to the Pods.
api.certificate.certificatePasswordSecretKey string
"password"
Specifies the name of the key that holds the password for unlocking the certificate file.
api.certificate.enabled bool
true
Indicates whether to enable TLS server certificate. If set to false, HTTP (plain-text) communication is used.
api.certificate.pfxCertSecretKey string
"tls.pfx"
Specifies the name of the key that holds the PFX file with both public and private keys.
api.containerSecurityContext pod.containers[*].securityContext
{}
Defines the security context configurations to add to the resulting API container.
api.image.digest string
null
Specifies the version of the Docker image to pull in digest format. This setting takes precedence over image.tag, if both are declared.
api.image.pullPolicy string
"IfNotPresent"
Specifies the image pull behavior.
api.image.repository string
"fortifydocker/scancentral-dast-api"
Specifies the Docker repository from which to pull the DAST API image.
api.image.tag string
"24.4.ubi.9"
Specifies the version of the DAST API Docker image to pull.
api.ingress.annotations ingress.annotations
{}
Specifies annotations to add to the resource.
api.ingress.className string
""
Identifies the ingress resource class name.
api.ingress.enabled bool
false
Indicates whether to enable ingress.
api.ingress.hosts[0] object
{
  "host": "dast-api.local",
  "paths": [
    {
      "path": "/",
      "pathType": "Prefix"
    }
  ]
}
Identifies the host running the ingress server for the API.
api.ingress.hosts[0].paths[0] object
{
  "path": "/",
  "pathType": "Prefix"
}
Specifies the path through which to accept requests.
api.ingress.hosts[0].paths[0].pathType string
"Prefix"
Specifies the path type.
api.ingress.tls list
[]
Defines TLS configurations. The following example shows the configuration values syntax: [{"hosts":["some-host"],"secretName":"some-name"}]
api.logLevel Debug | Information | Warning | Error
 See defaultLogLevel
Specifies the Log level for DAST API service.
api.nameOverride string
null
Specifies a custom name for the Pod. NOTE: `-api` will be appended by the release.
api.nodeSelector pod.nodeSelector
null
Defines Node selection constraint configurations to add to the Pods.
api.podAnnotations pod.annotations
{}
Defines annotations to add to the Pods.
api.podLabels pod.labels
{}
Defines labels to add to the Pods.
api.podSecurityContext pod.securityContext
{}
Defines security context configurations to add to the Pods.
api.replicas int
1
Number of Pod(s) to deploy.
api.resources.limits.cpu string
"4"
Specifies the maximum amount of compute that can be consumed by pod. MUST match value used for request.
api.resources.limits.memory string
"10Gi"
Specifies the maximum memory that can be consumed prior to pod eviction.
api.resources.requests.cpu string
"4"
Specifies the minimum amount of compute that the pod is guaranteed to receive
api.resources.requests.memory string
"5Gi"
Specifies the minimum amount of memory that the pod is guaranteed to receive
api.service.port int
34785
Indicates the service port to use.
api.service.type string
"ClusterIP"
Indicates the service type to use.
api.tolerations pod.tolerations
[]
Defines Toleration configurations to add to the Pods.
appsettings.applySecureBase bool
true
Indicates whether to update SecureBase
appsettings.dASTApiSettings.containerListenIPAddress int
"0.0.0.0"
Specifies the container IP to listen on.
appsettings.dASTApiSettings.containerListenPort int
1444
Specifies the container port to use.
appsettings.dASTApiSettings.disableCorsOrigins bool
false
Indicates whether to disable CORS origins.
appsettings.dastApiSSLSettings object
{}
appsettings.databaseSettings.database string
"DAST"
Specifies the name of the database instance
appsettings.databaseSettings.databaseProvider SQLServer | PostgreSQL | AzureSQLServer | AzurePostgreSQL | AmazonRdsPostgreSQL
"SQLServer"
Identifies the type of SQL database used.
appsettings.databaseSettings.dboLevelDatabaseAccount.additionalConnectionProperties []string
null
Specifies a list of additional connection properties to append to the database connection string for the DBO-level account. Expressed in the format of "someKey=someValue".
appsettings.databaseSettings.dboLevelDatabaseAccount.useWindowsAuthentication bool
false
Indicates whether to use Windows Authentication
appsettings.databaseSettings.standardDatabaseAccount.additionalConnectionProperties []string
null
Specifies a list of additional connection properties to append to the database connection string for the standard account. Expressed in the format of "someKey=someValue".
appsettings.databaseSettings.standardDatabaseAccount.createLogin bool
false
Indicates whether to create a login for the standard account.
appsettings.disableAdvancedScanPrioritization bool
false
Indicates whether to disable advanced scan prioritization.
appsettings.enableRestrictedScanSettings bool
false
Indicates whether to enable restricted scan settings. For more information,
appsettings.environmentSettings.allowNonTrustedServerCertificate bool
false
Indicates whether to allow non-trusted server certificate.
appsettings.fortifyConnectServerSettings.disableFortifyConnectServer bool
true
Indicates whether to disable Fortify Connect server.
appsettings.fortifyConnectServerSettings.externalHost string
"invalidHost.replaceme.org"
Specifies the Fortify Connect server external host listed in the Fortify ScanCentral DAST UI. Replace the default value with a valid external host name.
appsettings.fortifyConnectServerSettings.externalPort int
2022
Specifies the port used by the FortifyConnect server externally.
appsettings.fortifyConnectServerSettings.internalPort int
33467
Specifies the port used by FortifyConnect server internally.
appsettings.retainCompletedScans bool
false
Indicates whether to retain completed scans.
appsettings.secureBasePath string
null
Specifies the location of the SecureBase ZIP file to use for seeding the database. If not blank, you must use a container instance that contains the "DefaultData.zip" file (/app/DefaultData.zip). Caution! The LIM must be running and fully licensed prior to installing this Helm chart if the value is blank.
appsettings.smartUpdateSettings.licensingUrl string
"https://licenseservice.fortify.microfocus.com/"
Specifies the URL used for licensing Smart Update.
appsettings.smartUpdateSettings.smartUpdateUrl string
"https://smartupdate.fortify.microfocus.com/"
Specifies the URL used for SmartUpdates.
appsettings.utilityWorkerServiceSSLSettings.containerListenPort int
1444
Container port to use.
appsettings.utilityWorkerServiceSettings.containerListenPort int
1445
Container port to use.
commonPodAnnotations pod.annotations
{}
Defines annotations to add to the Pods. These annotations are added to all Pods deployed in the current release.
customResources object
{
  "enabled": false,
  "resources": {}
}
Defines Kubernetes resources to be installed and configured as part of the Helm chart. If you provide any resources, you must provide them as quoted, using single quotation marks '.
customResources.enabled bool
false
Indicates whether to enable custom resource creation.
customResources.resources Kubernetes YAML
{}
Specifies the custom resources to generate.
database.standardAccountCredentialsSecret kubernetes.io/basic-auth
""
Specifies the name of the secret hosting the standard account credentials.
debrickedAccessTokenSecretKey Opaque
"access-token"
Specifies the name of the key in the secret hosting the Debricked access token. For more information, see Client-side library analysis and Debricked settings.
debrickedAccessTokenSecretName Opaque
""
Specifies the name of the secret hosting the Debricked access token. For more information, see Client-side library analysis and Debricked settings.
defaultLogLevel Debug | Information | Warning | Error
"Information"
Specifies the Default Log level. Can be overridden by specific application configurations.
fortifyConnectServer.additionalEnvironmentVariables list
[]
Defines any additional environment variables to add to the Pod.
fortifyConnectServer.affinity pod.affinity
{}
Defines Node Affinity configurations to add to the Pods.
fortifyConnectServer.containerSecurityContext pod.containers[*].securityContext
{}
Defines security context configurations to add to Fortify Connect server container.
fortifyConnectServer.defaultContainerSshdConfigTemplate Chart | Default
"Chart"
Whether to use the default container sshd_config template or the one provided by the Helm Chart.
fortifyConnectServer.image.digest string
null
Specifies the version of the Docker image to pull in digest format. This setting takes precedence over image.tag, if both are declared.
fortifyConnectServer.image.pullPolicy string
"IfNotPresent"
Specifies the image pull behavior for the Fortify Connect server image.
fortifyConnectServer.image.repository string
"fortifydocker/scancentral-dast-fortifyconnect"
Specifies the Docker repository from which to pull the Fortify Connect server image.
fortifyConnectServer.image.tag string
"24.4.ubi.9"
Specifies the version of the Fortify Connect server Docker image to pull.
fortifyConnectServer.nameOverride string
null
Specifies a custom name for the Pod. NOTE: `-globalservice` will be appended by the release.
fortifyConnectServer.nodeSelector pod.nodeSelector
null
Defines Node selection constraint configurations to add to the Pods.
fortifyConnectServer.podAnnotations pod.annotations
{}
Defines annotations to add to the Pods.
fortifyConnectServer.podLabels pod.labels
{}
Defines labels to add to the Pods.
fortifyConnectServer.podSecurityContext pod.securityContext
{}
Defines security context configurations to add to the Pods.
fortifyConnectServer.replicas int
1
Number of Pod(s) to deploy.
fortifyConnectServer.resources.limits.cpu string
"4"
Specifies the maximum amount of compute that can be consumed by pod. MUST match value used for request.
fortifyConnectServer.resources.limits.memory string
"4Gi"
Specifies the maximum memory that can be consumed prior to pod eviction.
fortifyConnectServer.resources.requests.cpu string
"4"
Specifies the minimum amount of compute that the pod is guaranteed to receive
fortifyConnectServer.resources.requests.memory string
"4Gi"
Specifies the minimum amount of memory that the pod is guaranteed to receive
fortifyConnectServer.service.annotations service.annotations
{}
Defines annotations to add to resulting Kubernetes resource.
fortifyConnectServer.service.loadBalancerClass string
null
Required if service type is LoadBalancer.
fortifyConnectServer.service.nodePort string
null
Specifies the port to expose on the Node. Required if service type is NodePort.
fortifyConnectServer.service.type ClusterIP | NodePort | LoadBalancer | ExternalName
"LoadBalancer"
Specifies the service type.
fortifyConnectServer.sshKeySecretName string
""
Specifies the name of the Secret hosting SSH Key data.
fortifyConnectServer.sshPrivateKeySecretKey string
"private.key"
Specifies the name of the key in the Secret hosting SSH Private Key data.
fortifyConnectServer.sshPublicKeySecretKey string
"public.key"
Specifies the name of the key in the Secret hosting SSH Public Key data.
fortifyConnectServer.sshdConfigConfigMapKey string
"sshd-config-template"
Name of the key in the ConfigMap hosting a custom sshdConfig template.
fortifyConnectServer.sshdConfigConfigMapName ConfigMap
""
Name of the ConfigMap hosting a custom sshdConfig template. If not specified and defaultContainerSshdConfigTemplate is set to 'Chart', release will use the one provided by the Helm Chart.
fortifyConnectServer.tolerations pod.tolerations
[]
Defines Toleration configurations to add to the Pods.
fullnameOverride string
null
Overrides the fully qualified app name of the release.
globalService.additionalEnvironmentVariables list
[]
Defines any additional environment variables to add to the Pod.
globalService.affinity pod.affinity
{}
Defines Node Affinity configurations to add to the Pods.
globalService.containerSecurityContext pod.containers[*].securityContext
{}
Defines security context configurations to add to the Global Service container.
globalService.healthCheckPort int
8080
Container port used for health checks.
globalService.image.digest string
null
Specifies the version of the Docker image to pull in digest format. This setting takes precedence over image.tag, if both are declared.
globalService.image.pullPolicy string
"IfNotPresent"
Specifies the image pull behavior for the Global Service image.
globalService.image.repository string
"fortifydocker/scancentral-dast-globalservice"
Specifies the Docker repository from which to pull the Global Service image.
globalService.image.tag string
"24.4.ubi.9"
Specifies the version of the Global Service Docker image to pull.
globalService.logLevel Debug | Information | Warning | Error
Information
Specifies the Log level.
globalService.nameOverride string
null
Specifies a custom Pod name. NOTE: `-globalservice` will be appended by the release.
globalService.nodeSelector pod.nodeSelector
null
Defines Node selection constraint configurations to add to the Pods.
globalService.podAnnotations pod.annotations
{}
Defines annotations to add to the Pods.
globalService.podLabels pod.labels
{}
Defines labels to add to the Pods.
globalService.podSecurityContext pod.securityContext
{}
Defines security context configurations to add to the Pods.
globalService.replicas int
1
Number of Pod(s) to deploy. Only one replica is supported at this time.
globalService.resources.limits.cpu string
"4"
Specifies the maximum amount of compute that can be consumed by pod. MUST match value used for request.
globalService.resources.limits.memory string
"4Gi"
Specifies the maximum memory that can be consumed prior to pod eviction.
globalService.resources.requests.cpu string
"4"
Specifies the minimum amount of compute that the pod is guaranteed to receive
globalService.resources.requests.memory string
"2Gi"
Specifies the minimum amount of memory that the pod is guaranteed to receive
globalService.tolerations pod.tolerations
[]
Defines Toleration configurations to add to the Pods.
imagePullSecrets list
[]
Specifies a list of references to secrets in the same namespace to use for pulling any of the images used by the current release. You must provide this if pulling images directly from DockerHub.
jobmanagementrole.nameOverride string
null
Enables name override for the job management role
nameOverride string
null
Overrides the name of this chart.
proxyCredentialsSecretName kubernetes.io/basic-auth
""
Specifies the name of the secret hosting proxy credentials.
serviceTokenSecretKey Opaque
"service-token"
Specifies the name of the key in the secret hosting the Service Token.
twofactorauth.additionalEnvironmentVariables list
[]
Defines any additional environment variables to add to the Pod.
twofactorauth.affinity pod.affinity
{}
Defines Node Affinity configurations to add to the Pods.
twofactorauth.containerPort int
1443
Container port used by twofactor auth.
twofactorauth.containerSecurityContext pod.containers[*].securityContext
{}
Defines security context configurations to add to two factor auth container.
twofactorauth.image.digest string
null
Specifies the version of the Docker image to pull in digest format. This setting takes precedence over image.tag, if both are declared.
twofactorauth.image.pullPolicy string
"IfNotPresent"
Specifies the image pull behavior for the 2FA Server image.
twofactorauth.image.repository string
"fortifydocker/fortify-2fa"
Specifies the Docker repository from which to pull the 2FA Server image.
twofactorauth.image.tag string
"24.4.ubi.9"
Specifies the version of the 2FA Server Docker image to pull.
twofactorauth.ingress.annotations ingress.annotations
{}
Specifies annotations to add to the resource.
twofactorauth.ingress.className string
""
Identifies the ingress resource class name.
twofactorauth.ingress.enabled bool
false
Indicates whether to enable ingress.
twofactorauth.ingress.hosts[0] object
{
  "host": "dast-2fa.local",
  "paths": [
    {
      "path": "/",
      "pathType": "Prefix"
    }
  ]
}
Identifies the host running the ingress server for the API.
twofactorauth.ingress.hosts[0].paths[0].pathType string
"Prefix"
Specifies the path type.
twofactorauth.ingress.tls list
[]
Defines TLS configurations. The following example shows the configuration values syntax: [{"hosts":["some-host"],"secretName":"some-name"}]
twofactorauth.masterTokenSecretKey string
"master-token"
Specifies the name of the key in the Secret hosting the two-factor authentication master token.
twofactorauth.masterTokenSecretName string
""
Specifies the name of the secret hosting the two-factor authentication master token. NOTE: Token should be a minimum of 36 characters.
twofactorauth.nameOverride string
null
Specifies a custom name for the Pod. NOTE: `-2fa` will be added by the release.
twofactorauth.nodeSelector pod.nodeSelector
null
Defines Node selection constraint configurations to add to the Pods.
twofactorauth.podAnnotations pod.annotations
{}
Defines annotations to add to the Pods.
twofactorauth.podLabels pod.labels
{}
Defines labels to add to the Pods.
twofactorauth.podSecurityContext pod.securityContext
{}
Defines security context configurations to add to the Pods.
twofactorauth.replicas int
1
Number of Pod(s) to deploy.
twofactorauth.resources.limits.cpu string
"16"
Specifies the maximum amount of compute that can be consumed by the pod. MUST match the value used for the request.
twofactorauth.resources.limits.memory string
"64Gi"
Specifies the maximum memory that can be consumed prior to pod eviction.
twofactorauth.resources.requests.cpu string
"16"
Specifies the minimum amount of compute that the pod is guaranteed to receive.
twofactorauth.resources.requests.memory string
"16Gi"
Specifies the minimum amount of memory that the pod is guaranteed to receive.
twofactorauth.service.port int
59752
Port to expose for HTTPS calls.
twofactorauth.service.type string
"ClusterIP"
Service type to use.
twofactorauth.tolerations pod.tolerations
[]
Defines Toleration configurations to add to the Pods.
upgradejob.additionalEnvironmentVariables list
[]
Defines any additional environment variables to add to the Pod.
upgradejob.affinity pod.affinity
{}
Defines Node Affinity configurations to add to the Pods.
upgradejob.containerSecurityContext pod.containers[*].securityContext
{}
Defines security context configurations to add to the upgrade job container.
upgradejob.image.digest string
null
Specifies the version of the Docker image to pull in digest format. This setting takes precedence over image.tag, if both are declared.
upgradejob.image.pullPolicy string
"IfNotPresent"
Specifies the image pull behavior for the Fortify Configuration Tool CLI image.
upgradejob.image.repository string
"fortifydocker/scancentral-dast-config"
Specifies the Docker repository from which to pull the Fortify Configuration Tool CLI image.
upgradejob.image.tag string
"24.4.ubi.9"
Specifies the version of the Fortify Configuration Tool CLI Docker image to pull.
upgradejob.nameOverride string
null
Specifies a custom name for the Pod. NOTE: `-upgrade-job` will be appended by the release.
upgradejob.nodeSelector pod.nodeSelector
null
Defines Node selection constraint configurations to add to the Pods.
upgradejob.podAnnotations pod.annotations
{}
Defines annotations to add to the Pods.
upgradejob.podLabels pod.labels
{}
Defines labels to add to the Pods.
upgradejob.podSecurityContext pod.securityContext
{}
Defines security context configurations to add to the Pods.
upgradejob.prepJob.image.digest string
null
Specifies the version of the Docker image to pull in digest format. This setting takes precedence over image.tag, if both are declared.
upgradejob.prepJob.image.pullPolicy string
"IfNotPresent"
Specifies the image pull behavior for the upgrade job image.
upgradejob.prepJob.image.repository string
"bitnami/kubectl"
Specifies the Docker repository from which to pull the Kubectl image.
upgradejob.prepJob.image.tag string
"1.28"
Specifies the version of the Kubectl image to pull.
upgradejob.prepJob.resources.limits.cpu string
".5"
Specifies the maximum amount of compute that can be consumed by the pod. MUST match the value used for the request.
upgradejob.prepJob.resources.limits.memory string
"1Gi"
Specifies the maximum memory that can be consumed prior to pod eviction.
upgradejob.prepJob.resources.requests.cpu string
".5"
Specifies the minimum amount of compute that the pod is guaranteed to receive.
upgradejob.prepJob.resources.requests.memory string
"1Gi"
Specifies the minimum amount of memory that the pod is guaranteed to receive.
upgradejob.resources.limits.cpu string
"4"
Specifies the maximum amount of compute that can be consumed by the pod. MUST match the value used for the request.
upgradejob.resources.limits.memory string
"4Gi"
Specifies the maximum memory that can be consumed prior to pod eviction.
upgradejob.resources.requests.cpu string
"4"
Specifies the minimum amount of compute that the pod is guaranteed to receive.
upgradejob.resources.requests.memory string
"4Gi"
Specifies the minimum amount of memory that the pod is guaranteed to receive.
upgradejob.run bool
true
Indicates whether to run the upgrade flow for creation, migration, or updates on the backend databases on every helm upgrade.
upgradejob.tolerations pod.tolerations
[]
Defines Toleration configurations to add to the Pods.
utilityService.additionalEnvironmentVariables list
[]
Defines any additional environment variables to add to the Pod.
utilityService.affinity pod.affinity
{}
Defines Node Affinity configurations to add to the Pods.
utilityService.certificate.certificatePasswordSecretKey string
"password"
Specifies the name of the key that holds the password for unlocking the certificate file.
utilityService.certificate.enabled bool
true
Indicates whether to enable TLS server certificates. When set to false, HTTP (plain-text) communication is used.
utilityService.certificate.pfxCertSecretKey string
"tls.pfx"
Specifies the name of the key that holds the PFX file with both public and private keys.
utilityService.containerSecurityContext pod.containers[*].securityContext
{}
Defines security context configurations to add to utility service container.
utilityService.datastore.additionalEnvironmentVariables list
[]
Defines any additional environment variables to add to the Pod.
utilityService.datastore.image.digest string
null
Specifies the version of the Docker image to pull in digest format. This setting takes precedence over image.tag, if both are declared.
utilityService.datastore.image.pullPolicy string
"IfNotPresent"
Specifies the image pull behavior for the SQL Server Docker image.
utilityService.datastore.image.repository string
"mcr.microsoft.com/mssql/server"
Specifies the location from which to pull the SQL Server Docker image.
utilityService.datastore.image.tag string
"2022-latest"
Specifies the version of the SQL Server image to pull.
utilityService.datastore.mssqlStorage.sizeLimit string
"1500Mi"
Specifies the maximum size of MSSQL's internal storage.
utilityService.datastore.resources.limits.cpu string
"1"
Specifies the maximum amount of compute that can be consumed by the pod. MUST match the value used for the request.
utilityService.datastore.resources.limits.ephemeral-storage string
"1500Mi"
Specifies the maximum amount of storage space available to the datastore before the pod is evicted.
utilityService.datastore.resources.limits.memory string
"4Gi"
Specifies the maximum memory that can be consumed prior to pod eviction.
utilityService.datastore.resources.requests.cpu string
"1"
Specifies the minimum amount of compute that the pod is guaranteed to receive.
utilityService.datastore.resources.requests.ephemeral-storage string
"1500Mi"
Specifies the minimum amount of storage space allocated to datastore.
utilityService.datastore.resources.requests.memory string
"4Gi"
Specifies the minimum amount of memory that the pod is guaranteed to receive.
utilityService.healthCheckPort int
8080
Specifies the container port used for health checks.
utilityService.image.digest string
null
Specifies the version of the Docker image to pull in digest format. This setting takes precedence over image.tag, if both are declared.
utilityService.image.pullPolicy string
"IfNotPresent"
Specifies the image pull behavior for the Utility Service Docker image.
utilityService.image.repository string
"fortifydocker/dast-scanner"
Specifies the Docker repository from which to pull the Utility Service image.
utilityService.image.tag string
"24.4.ubi.9"
Specifies the version of the Utility Service image to pull.
utilityService.logLevel Debug | Information | Warning | Error
Information
Log level.
utilityService.nameOverride string
null
Specifies a custom name for the Pod. NOTE: `-utilityservice` will be appended by the release.
utilityService.nodeSelector pod.nodeSelector
null
Defines Node selection constraint configurations to add to the Pods.
utilityService.podAnnotations pod.annotations
{}
Defines annotations to add to the Pods.
utilityService.podLabels pod.labels
{}
Defines labels to add to the Pods.
utilityService.podSecurityContext pod.securityContext
{}
Defines security context configurations to add to the Pods.
utilityService.replicas int
1
Number of Pod(s) to deploy. Values greater than '1' are not supported.
utilityService.resources.limits.cpu string
"4"
Specifies the maximum amount of compute that can be consumed by the pod.
utilityService.resources.limits.ephemeral-storage string
"30Gi"
Specifies the maximum amount of storage space available to datastore before pod is evicted.
utilityService.resources.limits.memory string
"32Gi"
Specifies the maximum memory that can be consumed prior to pod eviction.
utilityService.resources.requests.cpu string
"4"
Specifies the minimum amount of compute that the pod is guaranteed to receive.
utilityService.resources.requests.ephemeral-storage string
"30Gi"
Specifies the guaranteed amount of storage space allocated to datastore.
utilityService.resources.requests.memory string
"16Gi"
Specifies the minimum amount of memory that the pod is guaranteed to receive.
utilityService.scandataStorage.sizeLimit string
"15Gi"
Specifies the maximum amount of temporary data that can be stored for a scan. Must be less than or equal to the amount of ephemeral storage defined.
utilityService.service.port int
48756
Identifies the port to expose for HTTPS calls.
utilityService.service.type string
"ClusterIP"
Indicates the service type to use.
utilityService.tolerations pod.tolerations
[]
Defines Toleration configurations to add to the Pods.
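
A pre-deployment check for the constraints stated in the table above, as an added example that is not part of the chart or its documentation: it takes the merged chart values as a Python dict and reports CPU limit/request mismatches, unsupported replica counts, disabled TLS, and an oversized scan data volume. The helper names, the sample values, the use of `limits.ephemeral-storage` as the bound for `scandataStorage.sizeLimit`, and the extra check for a rolling tag with no digest are assumptions of the example.

```python
import re

_UNITS = {"": 1, "Ki": 2**10, "Mi": 2**20, "Gi": 2**30, "Ti": 2**40}
CPU_MUST_MATCH = ("twofactorauth", "upgradejob", "upgradejob.prepJob", "utilityService.datastore")

def quantity(q):
    """Parse a Kubernetes quantity such as ".5", "500m", "1500Mi" or "15Gi"."""
    m = re.fullmatch(r"(\d*\.?\d+)(m|Ki|Mi|Gi|Ti)?", str(q).strip())
    if not m:
        raise ValueError(f"unsupported quantity: {q!r}")
    return float(m[1]) / 1000 if m[2] == "m" else float(m[1]) * _UNITS[m[2] or ""]

def dig(values, path, default=None):  # walk a dotted path through nested dicts
    node = values
    for key in path.split("."):
        if not isinstance(node, dict) or key not in node:
            return default
        node = node[key]
    return node

def lint(values):
    """Return findings for merged chart values (a dict), per the table's stated rules."""
    out = []
    for comp in CPU_MUST_MATCH:  # rows whose CPU limit must match the request
        lim, req = (dig(values, f"{comp}.resources.{k}.cpu") for k in ("limits", "requests"))
        if None not in (lim, req) and quantity(lim) != quantity(req):
            out.append(f"{comp}: limits.cpu {lim} != requests.cpu {req}")
    if dig(values, "utilityService.replicas", 1) > 1:
        out.append("utilityService.replicas: values greater than 1 are not supported")
    if dig(values, "utilityService.certificate.enabled", True) is False:
        out.append("utilityService.certificate.enabled=false: plain-text HTTP is used")
    size = dig(values, "utilityService.scandataStorage.sizeLimit")
    eph = dig(values, "utilityService.resources.limits.ephemeral-storage")  # assumed reference
    if None not in (size, eph) and quantity(size) > quantity(eph):
        out.append(f"scandataStorage.sizeLimit {size} exceeds ephemeral-storage {eph}")
    for comp in CPU_MUST_MATCH + ("utilityService",):  # added check: rolling tag, no digest pin
        img = dig(values, f"{comp}.image") or {}
        if not img.get("digest") and "latest" in str(img.get("tag", "")):
            out.append(f"{comp}.image: tag {img['tag']} is mutable and no digest is set")
    return out

SAMPLE = {  # constructed values, not a shipped configuration
    "twofactorauth": {"resources": {"limits": {"cpu": "16"}, "requests": {"cpu": "8"}}},
    "upgradejob": {"prepJob": {"resources": {"limits": {"cpu": ".5"}, "requests": {"cpu": "500m"}}}},
    "utilityService": {"replicas": 2, "certificate": {"enabled": False},
                       "scandataStorage": {"sizeLimit": "40Gi"}, "resources": {"limits": {"ephemeral-storage": "30Gi"}},
                       "datastore": {"image": {"digest": None, "tag": "2022-latest"}}},
}
print(*lint(SAMPLE), sep="\n")
```

The input is expected to be the fully merged values (chart defaults plus overrides), since a check on an override alone cannot see the default it is compared against.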