...
After creating the configuration map, you can choose to set up a secret for the server. This step is optional.
Code Block |
---|
language | yml |
---|
title | soavirt-secret.yaml |
---|
|
apiVersion: v1
kind: Secret
metadata:
  name: soavirt-secret
  namespace: parasoft-sv-namespace
type: Opaque
# It is recommended to encrypt password values using the -encodepass CLI option or the encodepass.sh script.
# After encryption, both username and password values must be base64 encoded.
# Example: echo -n "[string]" | base64
# For additional security, see https://kubernetes.io/docs/tasks/administer-cluster/encrypt-data/.
data:
  # Specifies username for CTP authentication
  #env.manager.username: [CTP Server Username]
  # Specifies password for CTP authentication
  #env.manager.password: [CTP Server Password]
  # Specifies username for license server authentication
  #license.network.user: [License Server Username]
  # Specifies password for license server authentication
  #license.network.password: [License Server Password]
  # Specifies username for DTP authentication
  #dtp.user: [DTP Server Username]
  # Specifies password for DTP authentication
  #dtp.password: [DTP Server Password] |
Use the yaml file to create the secret for the SOAVirt server:
Code Block |
---|
|
kubectl create -f soavirt-secret.yaml |
Info |
---|
title | Encrypting Your Password |
---|
|
To encrypt a password, run the following command to create a pod that has the parasoft/soavirt-server image without starting the server.
Code Block |
---|
kubectl run soavirt-encodepass -n parasoft-sv-namespace --image parasoft/soavirt-server --command -- tail -f /dev/null |
Once the pod is created, run the following command to execute the encodepass.sh script inside the pod. Make sure to substitute the desired password.
Code Block |
---|
kubectl exec -n parasoft-sv-namespace --stdin --tty soavirt-encodepass -- /usr/local/parasoft/soavirt/webapps/ROOT/scripts/encodepass.sh <YOUR_PASSWORD> |
After the password is encrypted, delete the pod.
Code Block |
---|
kubectl delete pod soavirt-encodepass -n parasoft-sv-namespace |
|
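One way to carry out the base64 step for every key in soavirt-secret.yaml without hand-editing the manifest, as an added example that is not part of the Parasoft documentation. The function names and the KEY=VALUE input format are assumptions made for the example, and the sample values are constructed.

```shell
#!/bin/sh
# Added example (not Parasoft code): build soavirt-secret.yaml from
# KEY=VALUE lines on stdin. Password values are assumed to be the
# output of encodepass.sh already.

# Base64-encode stdin onto one line. GNU base64 wraps at 76 columns,
# and a wrapped value is not a valid entry under "data:".
b64() {
    base64 | tr -d '\n'
}

make_soavirt_secret() {
    printf '%s\n' 'apiVersion: v1' 'kind: Secret' 'metadata:' \
        '  name: soavirt-secret' '  namespace: parasoft-sv-namespace' \
        'type: Opaque' 'data:'
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
            ''|'#'*) continue ;;   # skip blank lines and comments
            *=*) ;;
            *) echo "not KEY=VALUE: $line" >&2; return 1 ;;
        esac
        key=${line%%=*}     # text before the first '='
        value=${line#*=}    # everything after it, later '=' included
        case $key in        # only the keys the manifest documents
            env.manager.username|env.manager.password) ;;
            license.network.user|license.network.password) ;;
            dtp.user|dtp.password) ;;
            *) echo "unknown key: $key" >&2; return 1 ;;
        esac
        # printf '%s' adds no trailing newline (same intent as echo -n)
        printf '  %s: %s\n' "$key" "$(printf '%s' "$value" | b64)"
    done
}

# Decode one key from a manifest on stdin, to check the round trip.
secret_value() {
    sed -n "s/^  $1: //p" | base64 -d
}

# Constructed sample input; the password is a placeholder string.
sample_input() {
    printf '%s\n' 'env.manager.username=ctp-admin' \
        'env.manager.password=constructed-encodepass-output=='
}

sample_input | make_soavirt_secret
```

The output can be saved as soavirt-secret.yaml or piped to `kubectl create -f -`.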
Once you have set up the configuration map and the secret for the server, you need to create the service account and required permissions.
Code Block |
---|
language | yml |
---|
title | parasoft-permissions.yaml |
---|
|
apiVersion: v1
kind: ServiceAccount
metadata:
  name: parasoft-account
  namespace: parasoft-sv-namespace
automountServiceAccountToken: true
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: parasoft-read
  namespace: parasoft-sv-namespace
rules:
- apiGroups:
  - ""
  resources:
  - "namespaces"
  - "pods"
  verbs:
  - get
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: parasoft-read-bind
  namespace: parasoft-sv-namespace
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: parasoft-read
subjects:
- kind: ServiceAccount
  name: parasoft-account
  namespace: parasoft-sv-namespace |
Use the yaml file to create the service account and required permissions:
Code Block |
---|
|
kubectl create -f parasoft-permissions.yaml |
You should see something similar to the output below in your console:
Code Block |
---|
|
serviceaccount/parasoft-account created
role.rbac.authorization.k8s.io/parasoft-read created
rolebinding.rbac.authorization.k8s.io/parasoft-read-bind created |
The following creates the SOAVirt server. If a custom Persistent Volume Claim name was used in previous steps, make sure to update the 'claimName' field to match the custom name.
Note: kind: Deployment is not supported. Use either kind: Pod or kind: StatefulSet.
Code Block |
---|
language | yml |
---|
title | soavirt-pod.yaml |
---|
|
apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: soavirt
  namespace: parasoft-sv-namespace
  labels:
    app: soavirt
spec:
  replicas: 1
  selector:
    matchLabels:
      app: soavirt
  serviceName: soavirt
  template:
    metadata:
      labels:
        app: soavirt
    spec:
      securityContext:
        runAsNonRoot: true
      serviceAccountName: parasoft-account
      automountServiceAccountToken: true
      volumes:
      - name: soavirt-pv
        persistentVolumeClaim:
          claimName: soavirt-pvc
      - name: soavirt-config
        configMap:
          name: soavirt-config
      containers:
      - name: soavirt
        image: parasoft/soavirt-server
        imagePullPolicy: IfNotPresent
        # When running on Kubernetes nodes with more than 32 CPU cores the product will print the following in the logs: This machine exceeds the licensed number of CPU cores
        # To reduce the number of cores available, uncomment the following resource specification (if you are using OpenShift, see the note below) or contact Parasoft to enable running on higher core counts.
        # resources:
        #   limits:
        #     cpu: "4"
        securityContext:
          allowPrivilegeEscalation: false
          capabilities:
            drop: ["ALL"]
          seccompProfile:
            type: RuntimeDefault
        volumeMounts:
        - name: soavirt-pv
          mountPath: /usr/local/parasoft/soavirt/webapps/ROOT/workspace
        - name: soavirt-config
          mountPath: /usr/local/parasoft/soavirt/webapps/config.properties
          subPath: config.properties
        ports:
        - name: http
          containerPort: 9080
        - name: https
          containerPort: 9443
        startupProbe:
          httpGet:
            path: /soavirt/api/v6/healthcheck
            port: 9080
          initialDelaySeconds: 30
          periodSeconds: 30
          timeoutSeconds: 30
          failureThreshold: 3
        livenessProbe:
          httpGet:
            path: /soavirt/api/v6/healthcheck
            port: 9080
          initialDelaySeconds: 30
          periodSeconds: 30
          timeoutSeconds: 30
        envFrom:
        - secretRef:
            name: soavirt-secret
            optional: true
        env:
        - name: CATALINA_OPTS
          value: "-Dparasoft.auto.deploy.new=false
            -Dparasoft.cloudvm=true
            -Dparasoft.cloudvm.config=Kubernetes"
        - name: PARASOFT_POD_NAME
          valueFrom:
            fieldRef:
              fieldPath: metadata.name
        - name: PARASOFT_POD_NAMESPACE
          valueFrom:
            fieldRef:
              fieldPath: metadata.namespace
|
Info |
---|
|
If you are using OpenShift and your host is using more than 32 cores, you will need to look at your OpenShift version's documentation about Quotas and Limit Ranges for CPU as there are significant differences between versions. This link is to the documentation for version 4.16, but you should consult the documentation for your exact version: https://docs.openshift.com/container-platform/4.16/nodes/clusters/nodes-cluster-limit-ranges.html |
...
Code Block |
---|
|
kubectl create -f soavirt-pod.yaml |
Using a Local License: To use a node-lock license, you will need to retrieve the machine ID from the deployed server in order to procure your license from Parasoft.
Open a shell to the running container:
Code Block |
---|
kubectl exec --stdin --tty soavirt-0 -n parasoft-sv-namespace -- /bin/bash |
Make a curl call to the SOAVirt REST API to retrieve the machine ID:
Code Block |
---|
curl "http://localhost:9080/soavirt/api/v6/status?fields=machineId" |
- Note the machine ID in the response and provide it to your Parasoft representative, who will send you a license password.
- Once you've received your license password, apply it in the soavirt-config.yaml.
Apply the updated soavirt-config.yaml to the running container:
Code Block |
---|
kubectl apply -f soavirt-config.yaml |
The license will be applied when the pod is restarted automatically. Alternatively, you can delete and recreate the pod for the changes to take effect.
Code Block |
---|
kubectl delete -f soavirt-pod.yaml
kubectl create -f soavirt-pod.yaml |
Volume Mount Security Policies (Optional)
If your security policy requires applications to only write to mounted volumes, then in addition to the workspace (which is already set in the example pod) you will need to mount the following locations:
No Format |
---|
|
/usr/local/parasoft/soavirt/logs
/usr/local/parasoft/soavirt/temp
/usr/local/parasoft/soavirt/webapps/ROOT/WEB-INF/configs/builtin
/usr/local/parasoft/soavirt/webapps/ROOT/felix-cache
/usr/local/parasoft/soavirt/webapps/ROOT/apifiles
/usr/local/parasoft/soavirt/work/Catalina/localhost/ROOT
/usr/local/tomcat/logs/ |
Deploying SOAVirt Server in Kubernetes with a Helm Chart
...