...
| Code Block |
|---|
| language | yml |
|---|
| title | soavirt-service.yaml |
|---|
|
kind: Service
apiVersion: v1
metadata:
name: soavirt-service
namespace: parasoft-sv-namespace
spec:
selector:
apptag: soavirt
type: NodePort
ports:
- name: http
protocol: TCP
port: 9080
targetPort: 9080
nodePort: 30080
- name: https
protocol: TCP
port: 9443
targetPort: 9443
nodePort: 30083 |
Use the yaml file to create service that can be used to access SOAVirt server in Kubernetes:
...
Once the service is created, you will need to create the secret configuration map for the SOAVirt server and configure a network license or a local license. Note: When using a single replica set, a local license can be used, but when more than one replica set is being used, a license server is needed. See Using a Local License for more information about acquiring and applying a local license.
The server EULA must be accepted by setting 'parasoft.eula.accepted=true' in the ConfigMapsecret.
Warning: When connecting to CTP the property 'server.hostname' should be set with the address of the Service.
| Code Block |
|---|
| language | yml |
|---|
| title | soavirt-config.yaml |
|---|
|
apiVersion: v1
kind: ConfigMapSecret
metadata:
name: soavirt-config
namespace: parasoft-sv-namespace
type: Opaque
datastringData:
config.properties: |
# Configuration properties for soavirt server
# === END USER LICENSE AGREEMENT ===
# Set to true to accept the end user license agreement
# Please review the EULA.txt file included in the distribution zip for soavirt.war
parasoft.eula.accepted=false
# === WORKING DIRECTORY ===
# Specifies workspace location
#working.dir=C:/Users/../workspace
# === LOGGING CONFIGURATION ===
# Specifies configuration file for logging
logging.config.file=/WEB-INF/default.logging.xml
# Replace with the following line to enable debug information
#logging.config.file=/WEB-INF/debug.logging.xml
# === CTP SERVER ===
# Specifies CTP server endpoint
#env.manager.server=http\://[CTP Server Host]\:8080
# Specifies the server name that will be displayed in CTP
#env.manager.server.name=[Server Name]
# Specifies username for CTP authentication
#env.manager.username=[CTP Server Username]
# Specifies password for CTP authentication
#env.manager.password=[CTP Server Password]
# Enables notifications to CTP for deployments
#env.manager.notify=true
# === SERVLET CONTAINER ===
# Specifies the hostname to use for remote access to this server
# Useful when a name or address must be strictly used for CTP connectivity
# If empty, the address will be auto-detected
#server.hostname=[Server Hostname]
# Specifies port for http
# Port should match your servlet container
server.port.http=9080
# Specifies port for https
# Port should match your servlet container
server#server.port.https=9443
# === PRODUCT LICENSING ===
# Enables virtualize functionality
virtualize.license.enabled=true
# Enables soatest functionality
soatest.license.enabled=true
# === NODE-LOCK LICENSE ===
# Specifies password for virtualize local license
#virtualize.license.local.password=[Virtualize License Password]
# Specifies password for soatest local license
#soatest.license.local.password=[Soatest License Password]
# === NETWORK LICENSE ===
# Enables network licensing for virtualize
virtualize.license.use_network=true
# Specifies the type of network license for virtualize ['performance_server_edition', 'runtime_server_edition', 'custom_edition']
virtualize.license.network.edition=custom_edition
# Specifies features for virtualize 'custom_edition' license
virtualize.license.custom_edition_features=Service Enabled, Performance, Extension Pack, Validate, Message Packs, Developer Sandbox 1000 Hits/Day, 10000 Hits/Day, 25000 Hits/Day, 50000 Hits/Day, 100000 Hits/Day, 500000 Hits/Day, 1 Million Hits/Day, Unlimited Hits/Day, 30 HPS, 100 HPS
# Enables network licensing for soatest
soatest.license.use_network=true
# Specifies the type of network license for soatest ['server_edition', 'custom_edition']
soatest.license.network.edition=custom_edition
# Specifies features for soatest 'custom_edition' license
soatest.license.custom_edition_features=RuleWizard, Command Line, SOA, Web, Server API Enabled, Message Packs, Advanced Test Generation Desktop, Advanced Test Generation 5 Users, Advanced Test Generation 25 Users, Advanced Test Generation 100 Users, Requirements Traceability, API Security Testing
# === LICENSE SERVER ===
# Enables using a specific license server
# If true, the license network properties below will be used to retrieve a license
# If false, the DTP server properties will be used to retrieve a license
license.network.use.specified.server=true
# Specifies license server URL, e.g., https://host[:port][/context-path]
license.network.url=https\://[License Server Host]\:8443
# Enables http authentication for the license server
license.network.auth.enabled=false
# Specifies username for license server authentication
#license.network.user=[License Server Username]
# Specifies password for license server authentication
#license.network.password=[License Server Password]
# === DTP SERVER ===
# Specifies DTP server URL, e.g., https://host[:port][/context-path]
#dtp.url=https\://[DTP Server Host]\:8443
# Specifies username for DTP authentication
#dtp.user=[DTP Server Username]
# Specifies password for DTP authentication
#dtp.password=[DTP Server Password]
# Specifies the name of the DTP project that you want to link to
#dtp.project=[DTP Project]
# === MISC ===
# Specifies scripting timeout in minutes
#scripting.timeout.minutes=10
# Enables logging telemetry data
#usage.reporting.enabled=true
# === OIDC ===
# Enables or disables user authentication via OpenID Connect
#oidc.enabled=false
# Specifies the URI of the OpenID Connect server
#oidc.issuer.uri=
# Specifies the ID provided by your OpenID Connect server
#oidc.client.id=
# Specifies the method that will be used to authenticate the user on the OpenID Connect server
#oidc.cli.mode=devicecode
# Specifies the path to the token file containing user authentication information
#oidc.devicecode.token.file=
# === REPORTS ===
# Specifies a tag that represents a unique identifier for each run
# e.g., ${config_name}-${project_module}-${scontrol_branch}-${exec_env}
#session.tag=${config_name}
# Specifies a build identifier used to label results
#build.id=${dtp_project}-yyyy-MM-dd
# Specifies data that should be included in the report
#report.developer_errors=true
#report.developer_reports=true
#report.authors_details=true
#report.testcases_details=false
#report.test_suites_only=true
#report.failed_tests_only=false
#report.output_details=false
#report.env_details=false
#report.organize_security_findings_by=CWE
#report.associations=false
#report.assoc.url.pr=
#report.assoc.url.fr=
#report.assoc.url.task=
#report.assoc.url.req=
#report.assoc.url.test=
# Specifies report format configuration ['html', 'pdf', 'xml', 'custom']
report.format=html
#report.custom.extension=
#report.custom.xsl.file=
# Specifies installation directory for Jtest or dotTEST that generates coverage report
#jtest.install.dir=
#dottest.install.dir= |
Use the yaml file to create the secret configuration map for the SOAVirt server:
| Code Block |
|---|
|
kubectl create -f soavirt-config.yaml |
After creating the secret configuration map, you can choose to set up a secret for the server. This step is optional.need to create the service account and required permissions.
| Code Block |
|---|
| language | yml |
|---|
| title | soavirtparasoft-secretpermissions.yaml |
|---|
|
apiVersion: v1
kind: SecretServiceAccount
metadata:
name: soavirtparasoft-secretaccount
namespace: parasoft-sv-namespace
typeautomountServiceAccountToken: Opaque
# It is recommended to encrypt password values using the -encodepass CLI option or the encodepass.sh script.
# After encryption, both username and password values must be base64 encoded.
# Example: echo -n "[string]" | base64
# For additional security, see https://kubernetes.io/docs/tasks/administer-cluster/encrypt-data/.
data:
# Specifies username for CTP authentication
#env.manager.username: [CTP Server Username]
# Specifies password for CTP authentication
#env.manager.password: [CTP Server Password]
# Specifies username for license server authentication
#license.network.user: [License Server Username]
# Specifies password for license server authentication
#license.network.password: [License Server Password]
# Specifies username for DTP authentication
#dtp.user: [DTP Server Username]
# Specifies password for DTP authentication
#dtp.password: [DTP Server Password] |
Use the yaml file to create the secret for the SOAVirt server:
| Code Block |
|---|
|
kubectl create -f soavirt-secret.yaml |
| Info |
|---|
| title | Encrypting Your Password |
|---|
|
To encrypt a password, run the following command to create a pod that has the parasoft/soavirt-server image without starting the server. | Code Block |
|---|
kubectl run soavirt-encodepass -n parasoft-sv-namespace --image parasoft/soavirt-server --command -- tail -f /dev/null |
Once the pod is created, run the following command to execute the encodepass.sh script inside the pod. Make sure to substitute the desired password. | Code Block |
|---|
kubectl exec -n parasoft-sv-namespace --stdin --tty soavirt-encodepass -- /usr/local/parasoft/soavirt/webapps/ROOT/scripts/encodepass.sh <YOUR_PASSWORD> |
After the password is encrypted, delete the pod. | Code Block |
|---|
kubectl delete pod soavirt-encodepass -n parasoft-sv-namespace |
|
Once you have set up the configuration map and the secret for the server, you need to create the service account and required permissions.
| Code Block |
|---|
| language | yml |
|---|
| title | parasoft-permissions.yaml |
|---|
|
apiVersion: v1
kind: ServiceAccount
metadata:
name: parasoft-account
namespace: parasoft-sv-namespace
automountServiceAccountToken: true
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: parasoft-read
namespace: parasoft-sv-namespace
rules:
- apiGroups:
- ""
resources:
- "namespaces"
- "pods"
verbs:
- get
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: parasoft-read-bind
namespace: parasoft-sv-namespace
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: parasoft-read
subjects:
- kind: ServiceAccount
name: parasoft-account
namespace: parasoft-sv-namespace |
Use the yaml file to create the service account and required permissions:
| Code Block |
|---|
|
kubectl create -f parasoft-permissions.yaml |
You should see something similar to the output below in your console:
| Code Block |
|---|
|
serviceaccount/parasoft-account created
role.rbac.authorization.k8s.io/parasoft-read created
rolebinding.rbac.authorization.k8s.io/parasoft-read-bind created |
The following creates the SOAVirt server. If a custom Persistent Volume Claim name was used in previous steps, make sure to update the 'claimName' field to match the custom name.
Note: kind: Deployment is not supported. Use either kind: Pod or kind: StatefulSet.
true
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: parasoft-read
namespace: parasoft-sv-namespace
rules:
- apiGroups:
- ""
resources:
- "namespaces"
- "pods"
verbs:
- get
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: parasoft-read-bind
namespace: parasoft-sv-namespace
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: parasoft-read
subjects:
- kind: ServiceAccount
name: parasoft-account
namespace: parasoft-sv-namespace |
Use the yaml file to create the service account and required permissions:
| Code Block |
|---|
|
kubectl create -f parasoft-permissions.yaml |
You should see something similar to the output below in your console:
| Code Block |
|---|
|
serviceaccount/parasoft-account created
role.rbac.authorization.k8s.io/parasoft-read created
rolebinding.rbac.authorization.k8s.io/parasoft-read-bind created |
The following creates the SOAVirt server. If a custom Persistent Volume Claim name was used in previous steps, make sure to update the 'claimName' field to match the custom name.
Note: kind: Deployment is not supported. Use either kind: Pod or kind: StatefulSet.
| Code Block |
|---|
| language | yml |
|---|
| title | soavirt.yaml |
|---|
|
apiVersion: apps/v1
kind: StatefulSet
metadata:
name: soavirt
namespace: parasoft-sv-namespace
labels:
tag: soavirt
spec:
replicas: 1
selector:
matchLabels:
tag: soavirt
serviceName: soavirt
template:
metadata:
labels:
tag: soavirt
spec:
securityContext:
runAsNonRoot: true
serviceAccountName: parasoft-account
automountServiceAccountToken: true
volumes:
- name: soavirt-pv
persistentVolumeClaim:
claimName: soavirt-pvc
- name: soavirt-config
secret:
secretName: soavirt-config
containers:
- name: soavirt
image: parasoft/soavirt-server
imagePullPolicy: IfNotPresent
# When running on Kubernetes nodes with more than 32 CPU cores the product will print the following in the logs: This machine exceeds the licensed number of CPU cores
# To reduce the number of cores available, uncomment the following resource specification (if you are using OpenShift, see the note below) or contact Parasoft to enable running on higher core counts.
# resources:
# limits:
# cpu: "4"
securityContext:
allowPrivilegeEscalation: false |
| Code Block |
|---|
| language | yml |
|---|
| title | soavirt-pod.yaml |
|---|
|
apiVersion: apps/v1
kind: StatefulSet
metadata:
name: soavirt
namespace: parasoft-sv-namespace
labels:
app: soavirt
spec:
replicas: 1
selector:
matchLabels:
app: soavirt
serviceName: soavirt
template:
metadata:
labels:
app capabilities:
soavirt
spec:
securityContext:drop: ["ALL"]
runAsNonRoot seccompProfile: true
serviceAccountNametype: parasoft-accountRuntimeDefault
automountServiceAccountToken: true
volumesvolumeMounts:
- name: soavirt-pv
persistentVolumeClaim:
claimNamemountPath: soavirt-pvc/usr/local/parasoft/soavirt/webapps/ROOT/workspace
- name: soavirt-config
configMap: mountPath: /usr/local/parasoft/soavirt/webapps/config.properties
namesubPath: soavirt-config.properties
containersports:
- name: soavirthttp
image containerPort: parasoft/soavirt-server9080
imagePullPolicystartupProbe:
IfNotPresent
# When running on Kubernetes nodes with more thanhttpGet:
32 CPU cores the product will print the following in the logspath: This machine exceeds the licensed number of CPU cores
# To reduce the number of cores available, uncomment the following resource specification (if you are using OpenShift, see the note below) or contact Parasoft to enable running on higher core counts.
# resources:
#/soavirt/api/v6/healthcheck
port: 9080
initialDelaySeconds: 30
periodSeconds: 30
timeoutSeconds: 30
limitsfailureThreshold: 3
# livenessProbe:
cpu: "4"
securityContexthttpGet:
allowPrivilegeEscalation path: false
/soavirt/api/v6/healthcheck
capabilitiesport: 9080
initialDelaySeconds: 30
drop: ["ALL"]
seccompProfile:periodSeconds: 30
timeoutSeconds: 30 type: RuntimeDefault
volumeMountsenv:
- name: soavirt-pvCATALINA_OPTS
mountPath: /usr/local/parasoft/soavirt/webapps/ROOT/workspace
value: "-Dparasoft.auto.deploy.new=false
- name: soavirt-configDparasoft.cloudvm=true
mountPath: /usr/local/parasoft/soavirt/webapps/config.properties -Dparasoft.cloudvm.config=Kubernetes"
- subPathname: config.propertiesPARASOFT_POD_NAME
ports valueFrom:
- namefieldRef:
http
containerPortfieldPath: 9080metadata.name
- name: httpsPARASOFT_POD_NAMESPACE
containerPortvalueFrom: 9443
startupProbe:
httpGetfieldRef:
path: /soavirt/api/v6/healthcheck
portfieldPath: 9080
initialDelaySeconds: 30
periodSeconds: 30
timeoutSeconds: 30
failureThreshold: 3
livenessProbe:
httpGet:
path: /soavirt/api/v6/healthcheck
port: 9080
initialDelaySeconds: 30
periodSeconds: 30
timeoutSeconds: 30
envFrom:
- secretRef:
name: soavirt-secret
optional: true
env:
- name: CATALINA_OPTS
value: "-Dparasoft.auto.deploy.new=false
-Dparasoft.cloudvm=true
-Dparasoft.cloudvm.config=Kubernetes"
- name: PARASOFT_POD_NAME
valueFrom:
fieldRef:
fieldPath: metadata.name
- name: PARASOFT_POD_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
metadata.namespace
|
| Info |
|---|
|
If you are using OpenShift and your host is using more than 32 cores |
| Info |
|---|
|
If you are using OpenShift and your host is using more than 32 cores, you will need to look at your OpenShift version's documentation about Quotas and Limit Ranges for CPU as there are significant differences between versions. This link is to the documentation for version 4.16, but you should consult the documentation for your exact version: https://docs.openshift.com/container-platform/4.16/nodes/clusters/nodes-cluster-limit-ranges.html |
...
| Code Block |
|---|
|
kubectl create -f soavirt-pod.yaml |
| Anchor |
|---|
| UsingALocalLicense |
|---|
| UsingALocalLicense |
|---|
|
Using a Local License: To use a node-lock license, you will need to retrieve the machine ID from the deployed server in order to procure your license from Parasoft.
Open a shell to the running container:
| Code Block |
|---|
kubectl exec --stdin --tty soavirt-0 -n parasoft-sv-namespace -- /bin/bash |
Make a curl call to the SOAVirt REST API to retrieve the machine ID:
| Code Block |
|---|
curl http://localhost:9080/soavirt/api/v6/status?fields=machineId |
- Note the machine ID in the response and provide it to your Parasoft representative, who will send you a license password.
- Once you've received your license password, apply it in the soavirt-config.yaml.
Apply the updated soavirt-config.yaml to the running container:
| Code Block |
|---|
kubectl apply -f soavirt-config.yaml |
- apply it in the soavirt-config.yaml.
Apply the updated soavirt-config.yaml to the running container:
The license will be applied when the pod is restarted automatically. Alternatively, you can delete and recreate the pod for the changes to take effect.
| Code Block |
|---|
kubectl delete -f soavirt-pod.yaml
kubectl create -f soavirt-podconfig.yaml |
Volume Mount Security Policies (Optional)
If your security policy requires applications to only write to mounted volumes, then in addition to the workspace (which is already set in the example pod) you will need to mount the following locations:
...
...
The license will be applied when the pod is restarted automatically. Alternatively, you can delete and recreate the pod for the changes to take effect.
| Code Block |
|---|
kubectl delete -f soavirt.yaml
kubectl create -f soavirt.yaml |
Deploying SOAVirt Server in Kubernetes with a Helm Chart
...