...
Deploying the SOAVirt Server in Kubernetes Manually
...
| Code Block |
|---|
| language | yml |
|---|
| title | soavirt-service.yaml |
|---|
|
kind: Service
apiVersion: v1
metadata:
name: soavirt-service
namespace: parasoft-sv-namespace
spec:
selector:
tagapp: soavirt
type: NodePort
ports:
- name: http
protocol: TCP
port: 9080
targetPort: 9080
nodePort: 30080
- name: https
protocol: TCP
port: 9443
targetPort: 9443
nodePort: 30083 |
Use the yaml file to create service that can be used to access SOAVirt server in Kubernetes:
...
Once the service is created, you will need to create the secret configuration map for the SOAVirt server and configure a network license or a local license. Note: When using a single replica set, a local license can be used, but when more than one replica set is being used, a license server is needed. See Using a Local License for more information about acquiring and applying a local license.
The server EULA must be accepted by setting 'parasoft.eula.accepted=true' in the secretConfigMap.
Warning: When connecting to CTP the property 'server.hostname' should be set with the address of the Service.
| Code Block |
|---|
| language | yml |
|---|
| title | soavirt-config.yaml |
|---|
|
apiVersion: v1
kind: SecretConfigMap
metadata:
name: soavirt-config
namespace: parasoft-sv-namespace
typedata:
Opaque
stringData:
config.properties: |
# Configuration properties for soavirt server
# === END USER LICENSE AGREEMENT ===
# Set to true to accept the end user license agreement
# Please review the EULA.txt file included in the distribution zip for soavirt.war
parasoft.eula.accepted=false
# === WORKING DIRECTORY ===
# Specifies workspace location
#working.dir=C:/Users/../workspace
# === LOGGING CONFIGURATION ===
# Specifies configuration file for logging
logging.config.file=/WEB-INF/default.logging.xml
# Replace with the following line to enable debug information
#logging.config.file=/WEB-INF/debug.logging.xml
# === CTP SERVER ===
# Specifies CTP server endpoint
#env.manager.server=http\://[CTP Server Host]\:8080
# Specifies the server name that will be displayed in CTP
#env.manager.server.name=[Server Name]
# Specifies username for CTP authentication
#env.manager.username=[CTP Server Username]
# Specifies password for CTP authentication
#env.manager.password=[CTP Server Password]
# Enables notifications to CTP for deployments
#env.manager.notify=true
# === SERVLET CONTAINER ===
# Specifies the hostname to use for remote access to this server
# Useful when a name or address must be strictly used for CTP connectivity
# If empty, the address will be auto-detected
#server.hostname=[Server Hostname]
# Specifies port for http
# Port should match your servlet container
server.port.http=9080
# Specifies port for https
# Port should match your servlet container
#serverserver.port.https=9443
# === PRODUCT LICENSING ===
# Enables virtualize functionality
virtualize.license.enabled=true
# Enables soatest functionality
soatest.license.enabled=true
# === NODE-LOCK LICENSE ===
# Specifies password for virtualize local license
#virtualize.license.local.password=[Virtualize License Password]
# Specifies password for soatest local license
#soatest.license.local.password=[Soatest License Password]
# === NETWORK LICENSE ===
# Enables network licensing for virtualize
virtualize.license.use_network=true
# Specifies the type of network license for virtualize ['performance_server_edition', 'runtime_server_edition', 'custom_edition']
virtualize.license.network.edition=custom_edition
# Specifies features for virtualize 'custom_edition' license
virtualize.license.custom_edition_features=Service Enabled, Performance, Extension Pack, Validate, Message Packs, Developer Sandbox 1000 Hits/Day, 10000 Hits/Day, 25000 Hits/Day, 50000 Hits/Day, 100000 Hits/Day, 500000 Hits/Day, 1 Million Hits/Day, Unlimited Hits/Day, 30 HPS, 100 HPS
# Enables network licensing for soatest
soatest.license.use_network=true
# Specifies the type of network license for soatest ['server_edition', 'custom_edition']
soatest.license.network.edition=custom_edition
# Specifies features for soatest 'custom_edition' license
soatest.license.custom_edition_features=RuleWizard, Command Line, SOA, Web, Server API Enabled, Message Packs, Advanced Test Generation Desktop, Advanced Test Generation 5 Users, Advanced Test Generation 25 Users, Advanced Test Generation 100 Users, Requirements Traceability, API Security Testing
# === LICENSE SERVER ===
# Enables using a specific license server
# If true, the license network properties below will be used to retrieve a license
# If false, the DTP server properties will be used to retrieve a license
license.network.use.specified.server=true
# Specifies license server URL, e.g., https://host[:port][/context-path]
license.network.url=https\://[License Server Host]\:8443
# Enables http authentication for the license server
license.network.auth.enabled=false
# Specifies username for license server authentication
#license.network.user=[License Server Username]
# Specifies password for license server authentication
#license.network.password=[License Server Password]
# === DTP SERVER ===
# Specifies DTP server URL, e.g., https://host[:port][/context-path]
#dtp.url=https\://[DTP Server Host]\:8443
# Specifies username for DTP authentication
#dtp.user=[DTP Server Username]
# Specifies password for DTP authentication
#dtp.password=[DTP Server Password]
# Specifies the name of the DTP project that you want to link to
#dtp.project=[DTP Project]
# === MISC ===
# Specifies scripting timeout in minutes
#scripting.timeout.minutes=10
# Enables logging telemetry data
#usage.reporting.enabled=true
# === OIDC ===
# Enables or disables user authentication via OpenID Connect
#oidc.enabled=false
# Specifies the URI of the OpenID Connect server
#oidc.issuer.uri=
# Specifies the ID provided by your OpenID Connect server
#oidc.client.id=
# Specifies the method that will be used to authenticate the user on the OpenID Connect server
#oidc.cli.mode=devicecode
# Specifies the path to the token file containing user authentication information
#oidc.devicecode.token.file=
# === REPORTS ===
# Specifies a tag that represents a unique identifier for each run
# e.g., ${config_name}-${project_module}-${scontrol_branch}-${exec_env}
#session.tag=${config_name}
# Specifies a build identifier used to label results
#build.id=${dtp_project}-yyyy-MM-dd
# Specifies data that should be included in the report
#report.developer_errors=true
#report.developer_reports=true
#report.authors_details=true
#report.testcases_details=false
#report.test_suites_only=true
#report.failed_tests_only=false
#report.output_details=false
#report.env_details=false
#report.organize_security_findings_by=CWE
#report.associations=false
#report.assoc.url.pr=
#report.assoc.url.fr=
#report.assoc.url.task=
#report.assoc.url.req=
#report.assoc.url.test=
# Specifies report format configuration ['html', 'pdf', 'xml', 'custom']
report.format=html
#report.custom.extension=
#report.custom.xsl.file=
# Specifies installation directory for Jtest or dotTEST that generates coverage report
#jtest.install.dir=
#dottest.install.dir= |
Use the yaml file to create the secret configuration map for the SOAVirt server:
| Code Block |
|---|
|
kubectl create -f soavirt-config.yaml |
After creating the secret configuration map, you need to create the service account and required permissionscan choose to set up a secret for the server. This step is optional.
| Code Block |
|---|
| language | yml |
|---|
| title | parasoftsoavirt-permissionssecret.yaml |
|---|
|
apiVersion: v1
kind: ServiceAccountSecret
metadata:
name: parasoftsoavirt-accountsecret
namespace: parasoft-sv-namespace
automountServiceAccountTokentype: true
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: parasoft-read
namespace: parasoft-sv-namespace
rules:
- apiGroups:
- ""
resources:
- "namespaces"
- "pods"
verbs:
- get
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: parasoft-read-bind
namespace: parasoft-sv-namespace
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: parasoft-read
subjects:
- kind: ServiceAccount
name: parasoft-account
namespace: parasoft-sv-namespace |
Use the yaml file to create the service account and required permissions:
| Code Block |
|---|
|
kubectl create -f parasoft-permissions.yaml |
You should see something similar to the output below in your console:
| Code Block |
|---|
|
serviceaccount/parasoft-account created
role.rbac.authorization.k8s.io/parasoft-read created
rolebinding.rbac.authorization.k8s.io/parasoft-read-bind created |
The following creates the SOAVirt server. If a custom Persistent Volume Claim name was used in previous steps, make sure to update the 'claimName' field to match the custom name.
Note: kind: Deployment is not supported. Use either kind: Pod or kind: StatefulSet.
Opaque
# It is recommended to encrypt password values using the -encodepass CLI option or the encodepass.sh script.
# After encryption, both username and password values must be base64 encoded.
# Example: echo -n "[string]" | base64
# For additional security, see https://kubernetes.io/docs/tasks/administer-cluster/encrypt-data/.
data:
# Specifies username for CTP authentication
#env.manager.username: [CTP Server Username]
# Specifies password for CTP authentication
#env.manager.password: [CTP Server Password]
# Specifies username for license server authentication
#license.network.user: [License Server Username]
# Specifies password for license server authentication
#license.network.password: [License Server Password]
# Specifies username for DTP authentication
#dtp.user: [DTP Server Username]
# Specifies password for DTP authentication
#dtp.password: [DTP Server Password] |
Use the yaml file to create the secret for the SOAVirt server:
| Code Block |
|---|
|
kubectl create -f soavirt-secret.yaml |
| Info |
|---|
| title | Encrypting Your Password |
|---|
|
To encrypt a password, run the following command to create a pod that has the parasoft/soavirt-server image without starting the server. | Code Block |
|---|
kubectl run soavirt-encodepass -n parasoft-sv-namespace --image parasoft/soavirt-server --command -- tail -f /dev/null |
Once the pod is created, run the following command to execute the encodepass.sh script inside the pod. Make sure to substitute the desired password. | Code Block |
|---|
kubectl exec -n parasoft-sv-namespace --stdin --tty soavirt-encodepass -- /usr/local/parasoft/soavirt/webapps/ROOT/scripts/encodepass.sh <YOUR_PASSWORD> |
After the password is encrypted, delete the pod. | Code Block |
|---|
kubectl delete pod soavirt-encodepass -n parasoft-sv-namespace |
|
Once you have set up the configuration map and the secret for the server, you need to create the service account and required permissions.
| Code Block |
|---|
| language | yml |
|---|
| title | parasoft-permissions.yaml |
|---|
|
apiVersion: v1
kind: ServiceAccount
metadata:
name: parasoft-account
namespace: parasoft-sv-namespace
automountServiceAccountToken: true
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: parasoft-read
namespace: parasoft-sv-namespace
rules:
- apiGroups:
- ""
resources:
- "namespaces"
- "pods"
verbs:
- get
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: parasoft-read-bind
namespace: parasoft-sv-namespace
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: parasoft-read
subjects:
- kind: ServiceAccount
name: parasoft-account
namespace: parasoft-sv-namespace |
Use the yaml file to create the service account and required permissions:
| Code Block |
|---|
|
kubectl create -f parasoft-permissions.yaml |
You should see something similar to the output below in your console:
| Code Block |
|---|
|
serviceaccount/parasoft-account created
role.rbac.authorization.k8s.io/parasoft-read created
rolebinding.rbac.authorization.k8s.io/parasoft-read-bind created |
The yaml below creates the SOAVirt server. If a custom Persistent Volume Claim name was used in previous steps, make sure to update the 'claimName' field to match the custom name.
Required Settings for a Stable Machine ID
| Anchor |
|---|
| RequiredSettingsForStableMachineID |
|---|
| RequiredSettingsForStableMachineID |
|---|
|
As you modify the soavirt-pod.yaml sample shown below or craft your own yaml, be aware that the following fields need to be consistent across upgrades and redeployments in order to assure a stable machine ID:
- metadata: name
- metadata: namespace
- containers: name
In addition, the following environment variables are required:
- env: name: PARASOFT_POD_NAME
- env: name: PARASOFT_POD_NAMESPACE
Note: kind: Deployment is not supported. Use either kind: Pod or kind: StatefulSet.
| Code Block |
|---|
| language | yml |
|---|
| title | soavirt-pod.yaml |
|---|
|
apiVersion: apps/v1
kind: StatefulSet
metadata:
name: soavirt
namespace: parasoft-sv-namespace
labels:
app: soavirt
spec:
replicas: 1
selector:
matchLabels:
app: soavirt
serviceName: soavirt
template:
metadata:
labels |
| Code Block |
|---|
| language | yml |
|---|
| title | soavirt.yaml |
|---|
|
apiVersion: apps/v1
kind: StatefulSet
metadata:
name: soavirt
namespace: parasoft-sv-namespace
labels:
tag: soavirt
spec:
replicas: 1
selector:
matchLabels:
tag: soavirt
serviceName: soavirt
template:
metadata:
labels:
tag: soavirt
spec:
securityContext:
runAsNonRoot: true
serviceAccountName: parasoft-account
automountServiceAccountToken: true
volumes:
- name: soavirt-pv
persistentVolumeClaim:
claimName: soavirt-pvc
- name: soavirt-config
secret:
secretName: soavirt-config
containers:
- name: soavirt
image: parasoft/soavirt-server
imagePullPolicy: IfNotPresent
# When running on Kubernetes nodes with more than 32 CPU cores the product will print the following in the logs: This machine exceeds the licensed number of CPU cores
# To reduce the number of cores available, uncomment the following resource specification (if you are using OpenShift, see the note below) or contact Parasoft to enable running on higher core counts.
# resources:
# limits:
# cpu: "4"
securityContext:
allowPrivilegeEscalation: false
capabilities:
dropapp: ["ALL"]soavirt
spec:
seccompProfilesecurityContext:
typerunAsNonRoot: RuntimeDefaulttrue
volumeMounts:
serviceAccountName: parasoft-account
automountServiceAccountToken: true
volumes:
- name: soavirt-pv
persistentVolumeClaim:
mountPathclaimName: /usr/local/parasoft/soavirt/webapps/ROOT/workspace
soavirt-pvc
- name: soavirt-config
mountPath: /usr/local/parasoft/soavirt/webapps/config.propertiesconfigMap:
subPathname: soavirt-config.properties
portscontainers:
- name: httpsoavirt
containerPortimage: 9080parasoft/soavirt-server
startupProbeimagePullPolicy: IfNotPresent
# When running on Kubernetes nodes with more than 32 httpGet:
CPU cores the product will print the following in the pathlogs: /soavirt/api/v6/healthcheck
port: 9080
initialDelaySeconds: 30
periodSeconds: 30
timeoutSeconds: 30
This machine exceeds the licensed number of CPU cores
# To reduce the number of cores available, uncomment the following resource specification (if you are using OpenShift, see the note below) or contact Parasoft to enable running on higher core counts.
# resources:
# failureThresholdlimits: 3
# livenessProbe:
cpu: "4"
httpGetsecurityContext:
pathallowPrivilegeEscalation: /soavirt/api/v6/healthcheckfalse
capabilities:
port: 9080
initialDelaySecondsdrop: 30["ALL"]
periodSecondsseccompProfile:
30
timeoutSecondstype: 30 RuntimeDefault
envvolumeMounts:
- name: CATALINA_OPTSsoavirt-pv
value: "-Dparasoft.auto.deploy.new=falsemountPath: /usr/local/parasoft/soavirt/webapps/ROOT/workspace
- -Dparasoft.cloudvm=truename: soavirt-config
-Dparasoft.cloudvm.config=Kubernetes"mountPath: /usr/local/parasoft/soavirt/webapps/config.properties
- namesubPath: PARASOFT_POD_NAMEconfig.properties
valueFromports:
- fieldRef:name: http
fieldPathcontainerPort: metadata.name9080
- name: PARASOFT_POD_NAMESPACEhttps
valueFromcontainerPort: 9443
startupProbe:
fieldRef:
httpGet:
path: /soavirt/api/v6/healthcheck
port: 9080
initialDelaySeconds: 30
fieldPathperiodSeconds: metadata.namespace
|
| Info |
|---|
|
If you are using OpenShift and your host is using more than 32 cores, you will need to look at your OpenShift version's documentation about Quotas and Limit Ranges for CPU as there are significant differences between versions. This link is to the documentation for version 4.16, but you should consult the documentation for your exact version: https://docs.openshift.com/container-platform/4.16/nodes/clusters/nodes-cluster-limit-ranges.html |
Use the yaml file to create the SOAVirt server:
| Code Block |
|---|
|
kubectl create -f soavirt.yaml |
...
30
timeoutSeconds: 30
failureThreshold: 3
livenessProbe:
httpGet:
path: /soavirt/api/v6/healthcheck
port: 9080
initialDelaySeconds: 30
periodSeconds: 30
timeoutSeconds: 30
envFrom:
- secretRef:
name: soavirt-secret
optional: true
env:
- name: CATALINA_OPTS
value: "-Dparasoft.auto.deploy.new=false
-Dparasoft.cloudvm=true
-Dparasoft.cloudvm.config=Kubernetes"
- name: PARASOFT_POD_NAME
valueFrom:
fieldRef:
fieldPath: metadata.name
- name: PARASOFT_POD_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
|
| Info |
|---|
|
If you are using OpenShift and your host is using more than 32 cores, you will need to look at your OpenShift version's documentation about Quotas and Limit Ranges for CPU as there are significant differences between versions. This link is to the documentation for version 4.16, but you should consult the documentation for your exact version: https://docs.openshift.com/container-platform/4.16/nodes/clusters/nodes-cluster-limit-ranges.html |
Use the yaml file to create the SOAVirt server:
| Code Block |
|---|
|
kubectl create -f soavirt-pod.yaml |
| Anchor |
|---|
| UsingALocalLicense |
|---|
| UsingALocalLicense |
|---|
|
Using a Local License: To use a node-lock license, you will need to retrieve the machine ID from the deployed server in order to procure your license from Parasoft.
Open a shell to the running container:
| Code Block |
|---|
kubectl exec --stdin --tty soavirt-0 -n parasoft-sv-namespace -- /bin/bash |
Make a curl call to the SOAVirt REST API to retrieve the machine ID:
| Code Block |
|---|
curl http://localhost:9080/soavirt/api/v6/status?fields=machineId |
- Note the machine ID in the response and provide it to your Parasoft representative, who will send you a license password.
- Once you've received your license password, apply it in the soavirt-config.yaml.
Apply the updated soavirt-config.yaml to the running container:
| Code Block |
|---|
kubectl apply -f soavirt-config.yaml |
The license will be applied when the pod is restarted automatically. Alternatively, you can delete and recreate the pod for the changes to take effect.
| Code Block |
|---|
kubectl delete -f soavirt-pod.yaml
kubectl create -f soavirt-pod.yaml |
Volume Mount Security Policies (Optional)
If your security policy requires applications to only write to mounted volumes, then in addition to the workspace (which is already set in the example pod) you will need to mount the following locations:
| No Format |
|---|
|
/usr/local/parasoft/soavirt/logs
/usr/local/parasoft/soavirt/temp
/usr/local/parasoft/soavirt/webapps/ROOT/WEB-INF/configs/builtin
/usr/local/parasoft/soavirt/webapps/ROOT/felix-cache
/usr/local/parasoft/soavirt/webapps/ROOT/apifiles
/usr/local/parasoft/soavirt/work/Catalina/localhost/ROOT
/usr/local/tomcat/logs/ |
Modifying the java.security File (Optional)
You may want to use a modified java.security file if, for example, you want to enable or disable specific SSL cipher suites or make other related security configurations. To do so, create a modified copy of your java.security file, store it in a ConfigMap, and mount it into the pod at /usr/local/parasoft/java.security.
There are a few options you will want to keep in mind when applying your changes:
- When using your modified java.security settings, it's important to disable the global properties. If you don't, they will override your modifications:
-Djava.security.disableSystemPropertiesFile=true - To override the default security file, explicitly specify that the JVM should use your custom security properties file:
-Djava.security.properties==/usr/local/parasoft/java.security
Note the double equal sign (==) that tells Java to fully replace the java.security settings that would normally be loaded from the jvm. - To debug which java.security properties were loaded, add the
java.security.debug property:
-Djava.security.debug=properties
Put all together, you would add the following to the env: section of the soavirt container:
| Code Block |
|---|
|
- name: JAVA_OPTS
value: "-Djava.security.disableSystemPropertiesFile=true
-Djava.security.properties==/usr/local/parasoft/java.security
-Djava.security.debug=properties" |
...
Open a shell to the running container:
| Code Block |
|---|
kubectl exec --stdin --tty soavirt-0 -n parasoft-sv-namespace -- /bin/bash |
...
Make a curl call to the SOAVirt REST API to retrieve the machine ID:
| Code Block |
|---|
curl http://localhost:9080/soavirt/api/v6/status?fields=machineId |
...
Apply the updated soavirt-config.yaml to the running container:
| Code Block |
|---|
kubectl apply -f soavirt-config.yaml |
The license will be applied when the pod is restarted automatically. Alternatively, you can delete and recreate the pod for the changes to take effect.
...
Deploying SOAVirt Server in Kubernetes with a Helm Chart
...