Deploying LIM in Kubernetes

This document describes how to configure and use the helm-lim 24.4 Helm chart for complete LIM container orchestration in Kubernetes. You can find the LIM Helm chart at https://hub.docker.com/r/fortifydocker/helm-lim/.

Kubernetes Versions
Tool Prerequisites
Installation
Upgrade

Kubernetes Versions

These charts have been tested using the following Kubernetes versions:

Kubernetes 1.28
Kubernetes 1.29
Kubernetes 1.30

Tool Prerequisites

OpenText recommends that you use the same tool versions to avoid unpredictable results.

Installation

The following instructions are for example purposes and are based on a default Kubernetes environment running under Linux, using the default namespace. Windows systems may require different syntax for certain commands and other Kubernetes Cluster providers may require additional/different configurations. Your Kubernetes administrator may require the use of specific namespaces and/or other configuration adjustments.

Installation Prerequisites

A working Kubernetes Cluster
A PersistentVolumeClaim to use for LIM persistence

Installation Steps

Prepare default Admin credentials Secret and values
Prepare JWT Secret and value(s)
Prepare Server Certificate Secret(s) and value(s)
Prepare Signing Certificate Secrets and values
Install Release
Set up port forwarding
Verifying LIM availability and admin login

Prepare default Admin credentials Secret and values

The Helm chart requires a default administrator credentials Secret.

NOTE: The Secret will be named lim-admin-credentials.

To create the credentials Secret, use the kubectl create secret command, as shown in the following code sample.

kubectl create secret generic lim-admin-credentials \
 --type=basic-auth \
 --from-literal=username=lim_admin \
 --from-literal=password="$(openssl rand -base64 32| tr -d [:punct:])"

Prepare JWT Secret and value(s)

The Helm chart requires a JSON web token (JWT) Secret.

NOTE: The Secret will be named lim-jwt-security-key.

To create the JWT Secret, use the kubectl create secret command, as shown in the following code sample.

kubectl create secret generic lim-jwt-security-key \
 --type=Opaque \
 --from-literal=token="$(openssl rand -base64 32| tr -d [:punct:])"

Prepare Server Certificate Secret(s) and value(s)

Optionally, you can use a PEM (.crt) server certificate. If a certificate is used, then you must create a server certificate Secret for the Helm chart.

To use a PEM server certificate:

Use the following command to create the server certificate.

openssl req -newkey rsa:2048 -new -nodes -x509 -days 3650 -keyout /tmp/lim-server-key.pem -out /tmp/lim-server-cert.pem -subj "/C=CA/ST=Ontario/L=Waterloo/O=OpenText/OU=IT"

Use the kubectl create secret command, as shown in the following code sample, to create the Secret in Kubernetes.

kubectl create secret generic lim-server-certificate \
  --type=TLS \
  --from-file=tls.crt=/tmp/lim-server-cert.pem \
  --from-file=tls.key=/tmp/lim-server-key.pem

Use the following commands to delete the certificate file(s).
```
rm /tmp/lim-server-key.pem /tmp/lim-server-cert.pem   
```

Prepare Signing Certificate Secrets and values

The Helm chart requires a signing certificate Secret.

To create the signing certificate Secret:

Use the following command to generate LIM signing certificate password.
```
LIM_SIGNING_CERT_PWD="$(openssl rand -base64 32)"
```

Use the following command to create the server certificate.

openssl req -newkey rsa:2048 -new -nodes -x509 -days 3650 -keyout /tmp/lim-signing-key.pem -out /tmp/lim-signing-cert.pem -subj "/C=CA/ST=Ontario/L=Waterloo/O=OpenText/OU=IT"

Use the following command to create a PFX file from the certificate.

openssl pkcs12 -export -out /tmp/lim-signing-cert.pfx -inkey /tmp/lim-signing-key.pem -in /tmp/lim-signing-cert.pem  -passout "pass:${LIM_SIGNING_CERT_PWD}"

Use the kubectl create secret command, as shown in the following code sample, to create the certificate Secret in Kubernetes.

kubectl create secret generic lim-signing-certificate \
 --type=Opaque \
 --from-file=tls.pfx=/tmp/lim-signing-cert.pfx

Use the kubectl create secret command, as shown in the following code sample, to create the password Secret in Kubernetes.

kubectl create secret generic lim-signing-certificate-password \
 --type=Opaque \
 --from-literal=pfx.password=$LIM_SIGNING_CERT_PWD

Use the following command to delete the certificate file(s).

rm /tmp/lim-signing-key.pem /tmp/lim-signing-cert.pem /tmp/lim-signing-cert.pfx

Use the following command to unset the LIM signing certificate password form the terminal.
```
unset LIM_SIGNING_CERT_PWD
```

Install release

The following command installs the LIM using the recommended defaults. In some cases, you might need to customize these values using the Helm --set parameter or by creating a values.yaml override file and passing it to the command line with the Helm -f flag. For more information about the values you can override, see the Helm Chart Values table.

TIP: To find the available LIM 24.4 helm chart version, go to https://hub.docker.com/r/fortifydocker/helm-lim/tags.

Use the following command to install the LIM.

helm install <release-name> oci://registry-1.docker.io/fortifydocker/helm-lim --version <LIM Helm Chart Version> \
 --set defaultAdministrator.credentialsSecretName=lim-admin-credentials \
 --set jwt.securityKeySecretName=lim-jwt-security-key \
 --set serverCertificate.certificateSecretName=lim-server-certificate \
 --set signingCertificate.certificateSecretName=lim-signing-certificate \
 --set signingCertificate.certificatePasswordSecretName=lim-signing-certificate-password \
 --set dataPersistence.existingClaim=<Existing Persistent Volume Claim>

Setting up port forwarding through kubectl

You can use kubectl to forward a local port to a port on the Pod.

To set up port forwarding:

Verify that your LIM Pod is running successfuly. It may take a few minutes before your pod gets to a proper 1/1 Running configuration. You can run the command above multiple times or use the flag -w to watch for any changes.
```
kubectl get pods
```
NOTE: It may take several minutes before your Pod reaches a proper 1/1 Running configuration. You can run the previous command multiple times or use command with the - w option to watch for any changes.
Open a new terminal shell.
Use the kubectl port-forward command, as shown in the following code sample, to set up port forwarding to access your LIM endpoint.
```
kubectl port-forward svc/lim 8080:37562
```

After setting up port forwarding in kubectl, you should be able to access the LIM user interface in a browser.

To verify that the LIM is running:

In a browser, navigate to https://localhost:8080.

To verify that you can log in to the LIM using the admin credentials that were passed to the Helm chart:

In a browser, navigate to https://localhost:8080/login.
Log in with your default admin credentials.

Upgrade

This section explains upgrading of LIM Helm charts to version 24.4.

Upgrade Prerequisites

A running LIM environment
kubectl access to LIM environment
helm access to LIM environment
Access to the LIM web client
LIM admin credentials

Upgrading from Version 24.2.0.2

Upgrade LIM with Helm:

helm upgrade <Existing Installed LIM Release Name> oci://registry-1.docker.io/fortifydocker/helm-lim --version <LIM Helm Chart Version>  --reuse-values

Upgrading from Version prior to 24.2.0.2

Retrieve licenses

Before upgrading your LIM in Kubernetes, you must retrieve the license information for the LIM and the product licenses currently associated with the LIM, as well as configuration details for all license pools.

To retrieve your license and pool details:

In a browser, access your LIM.
Log in with your default admin credentials.
Select ADMIN.
Note the following items:
- Your Fortify License and Infrastructure Manager Activation Token.
- The License Server Description.
- The Fortify License Server URL.
Select PRODUCT LICENSES.
Access the Details page for each registered license and note the respective Activation Token.
Select LICENSE POOLS.
Access the Details page for each license pool and note the respective configuration.

Remove/Release licenses

Before upgrading your LIM in Kubernetes, you must delete the license pools, remove the product licenses, and release the server license for the LIM.

IMPORTANT - You must perform the steps in Retrieve Licenses before proceeding. Otherwise, the actions in this procedure can lock your licenses to a deactivated cluster.

To delete pools and remove and release licenses:

In a browser, access your LIM.
Log in with your default admin credentials.
Select LICENSE POOLS.
Click Delete on each of the configured license pools.
Select PRODUCT LICENSES.
Click Remove on each of the licenses.
Select ADMIN.
Click Release on the Server License.

Destroy previous LIM Deployment

Before upgrading the LIM, you must destroy the previously deployed version.

IMPORTANT Make sure that your kubectl and Helm contexts are set to the correct cluster before running the following commands.

To destroy the previous LIM:

Use the Helm delete command, as shown in the following code sample, to delete your LIM deployment:
```
helm delete <your_release_name> --namespace <your_namespace>
```

Update your values.yaml

Merge your previous values.yaml with the provided values.yaml of the current release using your favorite text editor.

Deploy the current LIM version.

To deploy the LIM

Use the Helm install command, as shown in the following code sample, to deploy your LIM:

helm install lim oci://registry-1.docker.io/fortifydocker/helm-lim --version <LIM Helm Chart Version> -f values.yaml

Register licenses

After deploying the new LIM version, you must license the updated LIM, add the product licenses to the new LIM version, and reconfigure the license pools.

To register licenses:

In a browser, access your LIM.
Log in with your default admin credentials.
Select ADMIN.
Enter the Fortify License and Infrastructure Manager Activation Token, License Server Description, and Fortify License Server URL values from your previous deployment.
Select PRODUCT LICENSES.
Click + LICENSE and add each of your licenses from the previous deployment. For more information, see "Working with product licenses" on Fortify License and Infrastructure Manager documentation.

Values

The following values are exposed by the Helm Chart. Unless specified as Required, values should only be overridden as made necessary by your specific environment.

Required

Key	Type	Default	Description
dataPersistence.existingClaim	PersistentVolumeClaim	`""`	Specifies a managed Persistent Volume Claim (PVC) name. A PVC must be created before binding the volume. This setting is required if dataPersistence is enabled.
defaultAdministrator.credentialsSecretName	kubernetes.io/basic-auth	`""`	Specifies the name of the secret hosting admin credentials.
defaultAdministrator.email	string	`"invalid_email@somecompany.org"`	Specifies the admin email address.
jwt.securityKeySecretName	Opaque	`""`	Specifies the name of the Secret hosting the JWT securityKey to use.
serverCertificate.certificatePasswordSecretName	Opaque	`""`	Specifies the name of the Secret hosting the server certificate PFX password.
serverCertificate.certificateSecretName	Opaque, TLS	`""`	Specifies the name of the Secret hosting the server certificate value.
signingCertificate.certificatePasswordSecretName	Opaque	`""`	Specifies the name of the Secret hosting the server certificate PFX password.
signingCertificate.certificateSecretName	Opaque	`""`	Specifies the name of the Secret hosting the signing certificate value.

Optional, but recommended

Key	Type	Default	Description
defaultAdministrator.fullName	string	`"LIM Default Admin"`	Specifies the admin full name.

Other Values

Key	Type	Default	Description
additionalEnvironmentVariables	list	`[]`	Defines any additional environment variables to add to the Pods.
affinity	pod.affinity	`{}`	Defines Node Affinity configurations to add to Pods.
allowNonTrustedServerCertificate	bool	`false`	Determines whether to allow non-trusted server certificate.
containerPort.name	string	`"https"`	Specifies the name of the container port.
containerPort.port	int	`1443`	Specifies the port to expose in the container.
containerSecurityContext	pod.containers[*].securityContext	`{}`	Defines security context configurations to add to the LIM container.
customResources	object	`{"enabled":false,"resources":{}}`	Defines Kubernetes resources to be installed and configured as part of the Helm chart. If you provide any resources, you must provide them as quoted, and you must set customResources.enabled to true.
customResources.enabled	bool	`false`	Indicates whether to enable custom resource creation.
customResources.resources	Kubernetes YAML	`{}`	Specifies the custom resources to generate.
dataPersistence.disabled	bool	`false`	Indicates whether to disable data persistence. OpenText recommends that you leave data persistence set to true.
dataPersistence.storeLogs	bool	`false`	Indicates whether to store logs.
fortifyLicensingUrl	url	`"https://licenseservice.fortify.microfocus.com/"`	Specifies the Fortify License Service URL.
fullnameOverride	string	`.Release.name`	Overrides the fully qualified app name of the release.
image.digest	string	`nil`	Specifies the version of the Docker image to pull in digest format. This setting takes precedence over image.tag, if both are declared.
image.pullPolicy	string	`"IfNotPresent"`	Specifies the image pull behavior.
image.repository	string	`"fortifydocker/lim"`	Specifies the Docker repository from which to pull the LIM Docker image.
image.tag	string	`"24.4.ubi.9"`	Specifies the version of the LIM Docker image to pull.
imagePullSecrets	list	`[]`	Specifies a list of references to secrets in the same namespace to use for pulling any of the images used by the current release.
ingress.annotations	object	`{}`	Specifies annotations to add to the resource.
ingress.className	string	`""`	Identifies the ingress resource class name.
ingress.enabled	bool	`false`	Indicates whether to enable Ingress.
ingress.hosts[0]	object	`{"host":"lim.local","paths":[{"path":"/","pathType":"Prefix"}]}`	Specifies the hostname through which to accept requests.
ingress.hosts[0].paths[0]	object	`{"path":"/","pathType":"Prefix"}`	Specifies the path through which to accept requests.
ingress.hosts[0].paths[0].pathType	string	`"Prefix"`	Specifies the path type.
ingress.tls	list	`[]`	Defines TLS configurations. The setting is expressed in the following format: [{"hosts":["some-host"], "secretName":"some-name"}]
jwt.expirationMinutes	int	`5`	Indicates the lifespan of the access token in minutes.
jwt.refreshTokenExpirationMinutes	int	`60`	Indicates the lifespan of the refresh token in minutes. The refresh token is used for obtaining a new access token without having to enter a user name and password.
jwt.securityKeySecretKey	Opaque	`"token"`	Specifies the name of the key in secret hosting the JWT securityKey to use.
jwt.validAudience	string	`"FortifyLimAuthAudience"`	Identifies the intended recipients for the JWT. These are typically identified by their application ID or URL.
jwt.validIssuer	string	`"FortifyLimAuthIssuer"`	Identifies the entity that issued the JWT. This is usually identified by a URL.
nameOverride	string	`.Chart.name`	Overrides the name of this chart.
nodeSelector	pod.nodeSelector	`{"kubernetes.io/os":"linux"}`	Defines Node selection constraint configurations to add to the Pods.
podAnnotations	pod.annotations	`{}`	Defines annotations to add to the Pods.
podLabels	pod.labels	`{}`	Defines labels to add to the Pods.
podSecurityContext	pod.securityContext	forces `UID`, `GID` to `1000`, disallow privilege escalation	Defines security context configurations to add to the Pods.
proxy.address	string	`""`	Specifies the proxy server address.
proxy.credentialsSecretName	kubernetes.io/basic-auth	`""`	Specifies the name of the secret hosting proxy credentials.
proxy.enabled	bool	`false`	Indicates whether to enable a proxy.
proxy.mode	int	`0`	Specifies the proxy mode. Possible values are: None=0, AutoDetect=1, Manual=2.
proxy.port	int	`0`	Specifies the proxy server port.
readinessInitialDelay	int	`10`	Defines an initial delay in seconds for the readiness probe.
resources.limits.cpu	string	`".5"`	Defines the limits of cpu resources granted to the pod.
resources.limits.memory	string	`"1Gi"`	Defines the limits of memory resources granted to the pod.
resources.requests.cpu	string	`".5"`	Defines the initial request of cpu resources granted to the pod.
resources.requests.memory	string	`"1Gi"`	Defines the initial request of memory resources granted to the pod.
serverCertificate.certificateType	string	`"PEM"`	Specifies the type of server certificate to use. Possible values are PFX and PEM (for the .crt extension).
serverCertificate.enabled	bool	`true`	Indicates whether to enable TLS server certificates.
serverCertificate.pemCertPrivateKeySecretKey	string	`"tls.key"`	Specifies the name of the key that holds the private key (.key) of the PEM file in the provided Secret. provided Secret.
serverCertificate.pemCertPublicKeySecretKey	string	`"tls.crt"`	Specifies the name of the key that holds the public key (.crt) of the PEM file in the provided Secret.
serverCertificate.pfxCertSecretKey	string	`"tls.pfx"`	Specifies the name of the key that holds the .pfx file with both public and private keys.
serverCertificate.pfxPasswordSecretKey	string	`"pfx.password"`	Specifies the name of the key that holds the PFX password for accessing the .pfx certificate file.
service.port	int	`37562`	Specifies the port to expose for HTTPS calls.
service.type	string	`"ClusterIP"`	Specifies the type of Service to use.
signingCertificate.pfxCertSecretKey	string	`"tls.pfx"`	Specifies the name of the key that holds the .pfx file with both public and private keys.
signingCertificate.pfxPasswordSecretKey	string	`"pfx.password"`	Specifies the name of the key that holds the PFX password for accessing the .pfx certificate file.
tolerations	pod.tolerations	`[]`	Defines Toleration configurations to add to resulting Kubernetes Pod(s).

Table of Contents