📙 You will learn

How to change a ThreadFix license with Kubernetes.

Prerequisites

Audience: IT Professional
Difficulty: Intermediate
Time needed: Approximately 10 minutes
Tools required: See Pre-requisites list below

Pre-requisites list:

  • ThreadFix instance running in Kubernetes

  • kubectl access to Kubernetes cluster

  • Helm version greater than 3.2

Enter the following commands on a command line to perform the described action.

There are two ways to apply a license to ThreadFix running in Kubernetes: through a Kubernetes secret or through a Helm value. Follow the section that matches the current installation method. If unsure which method is in use, run the following command.

    helm get values $(helm ls | grep threadfix | awk '{print $1}') | grep -E '^"?threadfix\.license' > /dev/null && echo 'Helm Value' || echo 'Kubernetes Secret'

Kubernetes Secret

Follow this section if managing a ThreadFix license with a manually created Kubernetes Secret.

  1. Copy the new ThreadFix license to the current working directory with the name threadfix.license

  2. Get the current ThreadFix license secret name.

    TF_LICENSE_SECRET=$(kubectl get deploy -l app.kubernetes.io/name=auth,app.kubernetes.io/part-of=threadfix -o jsonpath='{ .items[].spec.template.spec.volumes[?(@.name=="tf-license")].secret.secretName }')

  3. Back up the current ThreadFix license.

    kubectl get secret $TF_LICENSE_SECRET -o go-template='{{ index .data "threadfix.license" }}' | base64 -d > threadfix.license.bak

  4. Remove the current license from the Kubernetes cluster.

    kubectl delete secret $TF_LICENSE_SECRET

  5. Create a new license secret.

    kubectl create secret generic $TF_LICENSE_SECRET --from-file=threadfix.license=threadfix.license

  6. Restart all ThreadFix containers.

    for name in $(kubectl get deploy -l app.kubernetes.io/part-of=threadfix -o jsonpath='{.items[*].metadata.name}'); do kubectl rollout restart deploy $name; done
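The six steps above as one guarded shell function. This is an added example, not part of the original page or ThreadFix tooling. The function name rotate_tf_license, its return codes and the pre-delete checks are assumptions; the kubectl commands are the ones from the steps.

```shell
#!/bin/sh
# Added example: the six Kubernetes Secret steps with guards before the delete.
# rotate_tf_license and its return codes are hypothetical, not ThreadFix tooling.
# Usage (after sourcing this file): rotate_tf_license [new-license] [backup-file]

rotate_tf_license() {
    new_license="${1:-threadfix.license}"     # step 1: the new license file
    backup="${2:-threadfix.license.bak}"

    # Refuse to start without a non-empty replacement license on disk.
    [ -s "$new_license" ] || { echo "missing or empty: $new_license" >&2; return 1; }

    # Step 2: resolve the secret name from the auth deployment's tf-license volume.
    secret=$(kubectl get deploy \
        -l app.kubernetes.io/name=auth,app.kubernetes.io/part-of=threadfix \
        -o jsonpath='{ .items[].spec.template.spec.volumes[?(@.name=="tf-license")].secret.secretName }') || return 2
    [ -n "$secret" ] || { echo "license secret name not found" >&2; return 2; }

    # Step 3: back up the current license; umask 077 keeps a newly created
    # backup file private to the current user.
    ( umask 077
      kubectl get secret "$secret" -o go-template='{{ index .data "threadfix.license" }}' \
          | base64 -d > "$backup" ) || return 3
    # A failed kubectl leaves an empty file; never delete without a usable backup.
    [ -s "$backup" ] || { echo "empty backup, keeping $secret" >&2; return 3; }

    # Steps 4 and 5: remove the old secret, then create the new one.
    kubectl delete secret "$secret" || return 4
    if ! kubectl create secret generic "$secret" \
            --from-file=threadfix.license="$new_license"; then
        # Put the old license back so restarted pods still find the secret.
        kubectl create secret generic "$secret" --from-file=threadfix.license="$backup"
        return 5
    fi

    # Step 6: restart every ThreadFix deployment so pods mount the new secret.
    for name in $(kubectl get deploy -l app.kubernetes.io/part-of=threadfix \
            -o jsonpath='{.items[*].metadata.name}'); do
        kubectl rollout restart deploy "$name" || return 6
    done
}
```

The function stops before step 4 when the secret name cannot be resolved or the backup is empty, so a failed lookup never leaves the cluster without a license secret.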

Helm Value

Use this method if managing the ThreadFix license from the user’s values file.

  1. Get the Helm release name for the ThreadFix instance.

    TF_RELEASE=$(helm ls | grep threadfix | awk '{print $1}')

  2. Get the current installed version of ThreadFix.

    TF_VERSION=$(helm ls --filter "$TF_RELEASE" | grep -o 'threadfix-[A-Za-z0-9.-]*' | sed 's|threadfix-||g')

  3. Export the currently installed Helm values.

    helm get values $TF_RELEASE > currentValues.yaml

  4. Back up the values to a separate file.

    cp currentValues.yaml currentValues.yaml.bak

  5. Add the new license to myValues.yaml by performing the following:

    1. Open the myValues.yaml file with a text editor.

    2. Navigate to the item named "threadfix.license".

    3. Replace the lines after "threadfix.license" with the content of the new ThreadFix license.

      1. Indentation is important for this file to render correctly. Ensure that the new content adheres to the same indentation as the previous item.

    4. Save this file.

  6. Update the ThreadFix Helm installation.

    helm upgrade --no-hooks $TF_RELEASE denimgroup/threadfix --version $TF_VERSION -f currentValues.yaml

    If not using 'denimgroup/threadfix' as the chart name, this value must be changed to the location of the ThreadFix chart. Use 'helm search repo threadfix' to find the correct chart name.

  7. If the new license does not apply after a few minutes, restart ThreadFix deployments.

    for name in $(kubectl get deploy -l app.kubernetes.io/part-of=threadfix -o jsonpath='{.items[*].metadata.name}'); do kubectl rollout restart deploy $name; done
