As we reach the end of September 2024, ThreadFix version 3.x on-premises has officially reached its End-of-Life. Therefore, there is no longer support or updates for this version of the product. We have fully transitioned our product and development teams to focus on ThreadFix SaaS and on migrating all customers over from the on-premises versions. Our Customer Success and Support teams are here to help you in migrating to ThreadFix SaaS and maximizing the value you see from this improved offering from Coalfire. This is the next phase of ThreadFix and our team is looking forward to continuing to support you on this journey.
Docker Compose to Kubernetes Migration
You will learn
How to migrate from ThreadFix on Docker Compose to ThreadFix on Kubernetes.
Prerequisites
Audience: IT Professional
Difficulty: Intermediate
Time needed: Approximately 30 minutes
Tools required: compose-to-k8s.sh (provided below), db-only.yaml (provided below), Helm > 3.5, kubectl
Prior to beginning any upgrades or migration, ThreadFix strongly recommends users review the Upgrade & Migration Guidelines.
Migration with Automated Scripts
The following instructions assume there is an existing ThreadFix application running in Docker Compose and a functional Kubernetes instance with kubectl access and Helm 3.5 or greater.
Create Migration Files
Download the following files (provided above):
compose-to-k8s.sh
db-only.yaml
Copy compose-to-k8s.sh to the existing ThreadFix application server.
Log into the existing ThreadFix application server.
Make the migration script executable with:
chmod +x compose-to-k8s.sh
Create the migration data with:
./compose-to-k8s.sh
By default this will use /opt/threadfix as the ThreadFix directory and will output data to the current directory. Run ./compose-to-k8s.sh --help to view all configurable items.
The script will create the following files:
migrated_values.yaml
migrated_db.sql
appsec-data.zip
appsec-secrets.yaml (optional)
migrated_tls.yaml (optional)
Review the output from the script and make any necessary adjustments.
Validate all appropriate files have been created.
Copy the generated files and db-only.yaml to the server with Kubernetes access.
External Database
Reuse Existing Database
If reusing the existing external database:
In migrated_values.yaml, validate that appsec.db.urlOverride and auth.db.urlOverride are set and point to the correct database.
If the external database has separate credentials from the internal database:
Validate that the appsec.db.existingSecret and auth.db.existingSecret fields exist in migrated_values.yaml and that a corresponding appsec-secrets.yaml file has been created.
On the server with kubectl access, run:
kubectl apply -f appsec-secrets.yaml
This creates the Kubernetes Secret for the AppSec database.
New External Database
If using a new external database, first migrate all data from the existing database to the new database following the vendor's instructions, then:
In migrated_values.yaml, remove the appsec.db.urlOverride and auth.db.urlOverride items.
Follow the External Database guide for setting up the external database. Then proceed with the remainder of this guide.
Installing ThreadFix on Kubernetes with Helm
Follow any necessary preparation tasks before continuing.
Make any modifications to the migrated_values.yaml file if needed.
Set up TLS:
If reusing the existing TLS certificate, add the TLS certificate and keys with:
kubectl apply -f migrated_tls.yaml
If using a new TLS certificate, add it to Kubernetes with:
kubectl create secret tls threadfix-cert --key <key_file> --cert <cert_file>
Set up an external database (optional).
If appsec-secrets.yaml was created and an existing external database is being reused, apply it with:
kubectl apply -f appsec-secrets.yaml
If a new external database is being used, follow the applicable instructions in the External Database guide to add credentials for the external database.
Add the ThreadFix Helm repository by running:
helm repo add denimgroup https://threadfix-downloads.s3-us-west-2.amazonaws.com/helm/
Update the repositories by running:
helm repo update
Make the myValues directory if not present:
mkdir -p myValues
Generate a unique password for PostgreSQL:
PG_PASSWORD=$(openssl rand -base64 25)
Copy migrated_values.yaml into the myValues directory:
cp migrated_values.yaml myValues/
Generate the Helm arguments for all of the user values files:
HELM_INSTALL_ARGS=$(for values_file in myValues/*.yaml; do echo -n "-f $values_file "; done)
Start the application in database-only mode with:
helm install tf denimgroup/threadfix -f db-only.yaml $HELM_INSTALL_ARGS
Wait until the database has started before proceeding. Check the status with kubectl get po -w and use Ctrl-C to exit the command.
Upload the exported database to Kubernetes with:
cat migrated_db.sql | kubectl exec -i $(kubectl get po -l app.kubernetes.io/name=db,app.kubernetes.io/part-of=threadfix -o jsonpath='{.items[0].metadata.name}') -- bash -c 'mysql -u$MYSQL_USER -p"$MYSQL_PASSWORD"'
Start the application with:
helm upgrade $HELM_INSTALL_ARGS --no-hooks tf denimgroup/threadfix
Follow the on-screen instructions to access the application. Use kubectl get po -w to watch the installation progress.
Manual Migration
Export the Database
Change directory to the location of the ThreadFix install, e.g. cd /opt/threadfix.
Stop ThreadFix with:
docker-compose down
Start the database only with:
docker-compose up -d db
Export the database (replacing <db_dump_file> with the desired file name for the database dump):
docker-compose exec -T db sh -c 'mysqldump --all-databases -u${MYSQL_USER} -p${MYSQL_PASSWORD} -h 127.0.0.1 2> /dev/null' > <db_dump_file>
Copy the dump file to the machine with kubectl access.
Create Helm Values
Create a Helm values file from the existing ThreadFix .env file (default location /opt/threadfix/.env) where appropriate. The table below shows Compose variables with their equivalent Helm values. If a value has not been changed from the default, it can safely be ignored.
| Docker Compose Value | Helm Value |
|---|---|
| TFN_DB_USER | db.username |
| TFN_DB_PASS | db.password |
| APPSEC_DB_URL | appsec.db.urlOverride, auth.db.urlOverride |
| APPSEC_DB_GLOBALLY_QUOTED | appsec.db.globallyQuoted, auth.db.globallyQuoted |
| APPSEC_DB_VIBUR_CACHE_SIZE | appsec.vibur.cacheSize, auth.vibur.cacheSize |
| APPSEC_DB_VIBUR_MIN_POOL | appsec.db.vibur.minPool, auth.db.vibur.minPool |
| APPSEC_DB_VIBUR_MAX_POOL | appsec.db.vibur.maxPool, auth.db.vibur.maxPool |
| APPSEC_DB_VIBUR_IDLE_CONN_LIMIT | appsec.db.vibur.idleConnectionLimit, auth.db.vibur.idleConnectionLimit |
| SESSION_TIMEOUT_INACTIVE | auth.sessionTimeoutInactive |
| SPRING_PROFILES_ACTIVE | global.threadfix.springProfilesActive |
Add Properties Files as YAML String
The following values need the contents of the listed file supplied as a YAML string.
| Docker Compose Value | Helm Value |
|---|---|
| tn_license | "threadfix.license" |
| tn_prop_loc | "network.properties" |
| tn_log_loc | "logback-all.xml" |
| appsec_license | "threadfix.license" |
| esapi_properties | "ESAPI.properties" |
| LOGBACK_CONFIG_FILE | "logback-all.xml" |
| saml_properties | "onelogin.saml.properties" |
Example (the file contents are given as a literal block scalar, indented under the quoted key):
"threadfix.license": |
  -- listing properties --
  clientId=XXXXXXXX-YYYY-YYYY-YYYY-XXXXXXXXXXX
  version=ENTERPRISE
  organization=My Org
  targetDate=1000000000000
  numberApplications=1
  numberAssets=1
  apiKey=RS7gz88T7J/7EYd+dhVo2/xxg5bKvkJg+AXK5+gE
  eVBcBevX/sJDgsvWkryb+LZte7P0crzHW9G5ttWNTNX8d2KQ==
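The two tables above describe a mechanical mapping, so here is an added POSIX shell example (not from the ThreadFix documentation or its migration tooling) that applies it: compose_env_to_values reads a Compose .env file, emits a Helm value for every mapped variable that is set, writes APPSEC_DB_* values into both the appsec and auth sections as the table lists them, and nests the result properly; embed_file adds a properties file under a quoted key as a literal block scalar, exactly as the "threadfix.license" example shows. The function names, the nesting helper and the sample .env and license contents at the bottom are constructed for this example and are not part of the product.

```shell
#!/bin/sh
# Added example, not part of the ThreadFix documentation or its tooling: build a
# Helm values file from a Docker Compose .env file by applying the two mapping
# tables above, and embed a properties file as a YAML block scalar.
# Assumptions: .env holds plain KEY=VALUE lines (values optionally double-quoted);
# the sample .env and license file at the bottom are constructed for this example.

# Render one YAML scalar: booleans and integers stay bare, everything else is
# double-quoted with backslashes and quotes escaped, so JDBC URLs and passwords
# containing ':', '#' or spaces survive intact.
yaml_scalar() {
    case $1 in
        true|false) printf '%s' "$1" ;;
        ''|*[!0-9]*)
            esc=$(printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e 's/"/\\"/g')
            printf '"%s"' "$esc" ;;
        *) printf '%s' "$1" ;;
    esac
}

# Print the value of KEY ($2) from an .env file ($1); empty if the key is absent.
env_get() {
    sed -n "s/^[[:space:]]*$2=//p" "$1" | head -n 1 | sed -e 's/^"\(.*\)"$/\1/'
}

# Emit "dotted.path<TAB>scalar" for a Helm value when its Compose variable is set.
pair() {   # $1 env file, $2 Helm value path, $3 Compose variable
    v=$(env_get "$1" "$3")
    [ -n "$v" ] && printf '%s\t%s\n' "$2" "$(yaml_scalar "$v")"
    return 0
}

# Turn "dotted.path<TAB>scalar" lines into nested YAML. A parent mapping is
# written only when it has a child, so a section with nothing to override is
# left out rather than emitted as an empty (null) mapping, which Helm would
# treat as deleting the chart's defaults for that section.
nest_yaml() {
    LC_ALL=C sort | awk -F '\t' '
    function indent(n,  s) { s = ""; while (n-- > 0) s = s "  "; return s }
    {
        depth = split($1, part, ".")
        common = 0
        for (i = 1; i < depth && i < prev_depth; i++) {
            if (part[i] != prev[i]) break
            common = i
        }
        for (i = common + 1; i < depth; i++) print indent(i - 1) part[i] ":"
        print indent(depth - 1) part[depth] ": " $2
        for (i = 1; i <= depth; i++) prev[i] = part[i]
        prev_depth = depth
    }'
}

# Apply the table: APPSEC_DB_* values land in both the appsec and auth sections.
compose_env_to_values() {
    f=$1
    {
        pair "$f" db.username TFN_DB_USER
        pair "$f" db.password TFN_DB_PASS
        pair "$f" auth.sessionTimeoutInactive SESSION_TIMEOUT_INACTIVE
        pair "$f" global.threadfix.springProfilesActive SPRING_PROFILES_ACTIVE
        for s in appsec auth; do
            pair "$f" "$s.db.urlOverride" APPSEC_DB_URL
            pair "$f" "$s.db.globallyQuoted" APPSEC_DB_GLOBALLY_QUOTED
            pair "$f" "$s.vibur.cacheSize" APPSEC_DB_VIBUR_CACHE_SIZE
            pair "$f" "$s.db.vibur.minPool" APPSEC_DB_VIBUR_MIN_POOL
            pair "$f" "$s.db.vibur.maxPool" APPSEC_DB_VIBUR_MAX_POOL
            pair "$f" "$s.db.vibur.idleConnectionLimit" APPSEC_DB_VIBUR_IDLE_CONN_LIMIT
        done
    } | nest_yaml
}

# Embed a file under a quoted top-level key as a literal block scalar, matching
# the "threadfix.license": | example above. Handles files without a final newline.
embed_file() {   # $1 Helm key (e.g. threadfix.license), $2 path to the file
    printf '"%s": |\n' "$1"
    while IFS= read -r line || [ -n "$line" ]; do
        printf '  %s\n' "$line"
    done < "$2"
}

# Demonstration on a constructed .env and license file (all values are made up).
demo=$(mktemp -d)
cat > "$demo/.env" <<'EOF'
TFN_DB_USER=threadfix
TFN_DB_PASS="Pa ss#word"
APPSEC_DB_URL=jdbc:mysql://db.example.internal:3306/appsec?useSSL=true
APPSEC_DB_GLOBALLY_QUOTED=true
APPSEC_DB_VIBUR_MAX_POOL=40
SPRING_PROFILES_ACTIVE=production
EOF
printf 'clientId=00000000-0000-0000-0000-000000000000\nversion=ENTERPRISE\n' > "$demo/threadfix.license"
{ compose_env_to_values "$demo/.env"; embed_file threadfix.license "$demo/threadfix.license"; } > "$demo/migrated_values.yaml"
cat "$demo/migrated_values.yaml"
rm -rf "$demo"
```

The script emits every mapped variable it finds; since the guide says values left at their defaults can be ignored, drop such lines from .env (or from the output) before using it. Strings are always double-quoted because a bare JDBC URL or a password containing `#` or `: ` would otherwise be mis-parsed as YAML.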
Other Values
The following values have no Helm equivalent and must be created as Kubernetes Secrets and linked to the ThreadFix installation.
External AppSec database credentials:
APPSEC_DB_USER
APPSEC_DB_PASSWORD
TLS certificates:
ssl_cert
ssl_key
External AppSec Database Credentials Setup
If using an internal AppSec database, or sharing the same database credentials for AppSec and network, the AppSec database credential values can be ignored. Otherwise, follow the External Database setup to prepare the external database.
TLS Setup
On the Kubernetes instance, create a TLS Secret with the following command (replacing the <> placeholders with actual values):
kubectl create secret tls tf-tls --key <path_to_tls_key> --cert <path_to_tls_cert>
Then add the following to the Helm values YAML file from above:
kong:
  env:
    SSL_CERT: /etc/secrets/tf-tls/tls.crt
    SSL_CERT_KEY: /etc/secrets/tf-tls/tls.key
  secretVolumes:
    - tf-tls
Install ThreadFix with Helm
Make any other modifications to the Helm values file if needed.
Install Helm 3.5 or greater if not already installed, using one of the following:
Install from the script with:
curl https://raw.githubusercontent.com/helm/helm/master/scripts/get-helm-3 | sudo bash
Or follow the Helm installation instructions: https://helm.sh/docs/intro/install/
Add the ThreadFix Helm repository by running:
helm repo add denimgroup https://threadfix-downloads.s3-us-west-2.amazonaws.com/helm/
Update the repositories by running:
helm repo update
Create the db-only.yaml file with the following contents:
appsec:
  enabled: false
auth:
  enabled: false
crud:
  enabled: false
db:
  enabled: true
defect:
  enabled: false
importer:
  enabled: false
processor:
  enabled: false
provider:
  enabled: false
ui:
  enabled: false
websocket:
  enabled: false
kong:
  enabled: false
kafka:
  enabled: false
zk:
  enabled: false
Make the myValues directory if not present:
mkdir -p myValues
Generate a unique password for PostgreSQL:
PG_PASSWORD=$(openssl rand -base64 25)
Create a values file in the myValues directory that carries the PostgreSQL password:
echo "kong:
  postgresql:
    postgresqlPassword: $PG_PASSWORD
" > myValues/postgresql.yaml
Copy any Helm values files you created into the myValues directory.
Generate the Helm arguments for all of the user values files:
HELM_INSTALL_ARGS=$(for values_file in myValues/*.yaml; do echo -n "-f $values_file "; done)
Start the application in database-only mode with:
helm install tf denimgroup/threadfix -f db-only.yaml $HELM_INSTALL_ARGS
Wait until the database has started before proceeding. Check the status with kubectl get po -w and use Ctrl-C to exit the command.
Upload the exported database to Kubernetes with:
cat <db_dump_file> | kubectl exec -i $(kubectl get po -l app.kubernetes.io/name=db,app.kubernetes.io/part-of=threadfix -o jsonpath='{.items[0].metadata.name}') -- bash -c 'mysql -u$MYSQL_USER -p"$MYSQL_PASSWORD"'
Start the application with (replacing <helm_values_file> with the values file created earlier):
helm upgrade $HELM_INSTALL_ARGS --no-hooks tf denimgroup/threadfix
Follow the on-screen instructions to access the application. Use kubectl get po -w to watch the installation progress.
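The Kubernetes-side sequence is the same in the automated and manual paths (database-only install, wait for the db pod, stream the dump in, full upgrade), so here is one added shell example (not from the ThreadFix documentation) that wraps those steps in functions with the checks a practitioner wants before touching the cluster: the values directory must actually contain files (a bare glob in the for-loop above hands helm the literal string myValues/*.yaml when it is empty), the dump must be non-empty and start with a mysqldump header (the export command discards stderr, so a failed export silently leaves an empty file), and the pod wait is bounded by a timeout instead of being watched by hand. The release name tf, the chart name and the pod label selector are the ones used in the guide; the function names, DB_POD_SELECTOR and the db-only.yaml location in the current directory are assumptions of this example.

```shell
#!/bin/sh
# Added example, not part of the ThreadFix documentation: the Kubernetes-side
# install steps above (values-file arguments, database-only install, wait for the
# database pod, import of the dump, full upgrade) as checked shell functions.
# Assumptions: release name "tf", chart "denimgroup/threadfix" and the database
# pod labels are the ones used in the guide; db-only.yaml is in the current
# directory. Only run_migration calls helm and kubectl; the helpers are pure.

# Label selector for the ThreadFix database pod, as used in the guide.
DB_POD_SELECTOR='app.kubernetes.io/name=db,app.kubernetes.io/part-of=threadfix'

# Build the "-f file" list for every *.yaml in a values directory. A bare
# for-loop over a glob passes the literal "myValues/*.yaml" to helm when the
# directory is empty; this fails early instead.
helm_values_args() {
    args=
    n=0
    for f in "$1"/*.yaml; do
        [ -e "$f" ] || continue
        args="$args -f $f"
        n=$((n + 1))
    done
    [ "$n" -gt 0 ] || { echo "no values files in $1" >&2; return 1; }
    printf '%s' "${args# }"
}

# Sanity-check the dump before streaming it into the database pod. The export
# command above discards mysqldump's stderr, so a failed export leaves an empty
# file or an error line where the "-- MySQL dump" header should be.
check_dump() {
    [ -s "$1" ] || { echo "dump $1 is missing or empty" >&2; return 1; }
    head -n 5 "$1" | grep -q -e 'MySQL dump' -e 'MariaDB dump' || {
        echo "dump $1 does not start with a mysqldump header" >&2
        return 1
    }
}

# Name of the database pod (empty if none has been scheduled yet).
db_pod_name() {
    kubectl get po -l "$DB_POD_SELECTOR" -o jsonpath='{.items[0].metadata.name}' 2>/dev/null
}

# Full sequence: $1 values directory (myValues), $2 path to the SQL dump.
run_migration() {
    check_dump "$2" || return 1
    helm_args=$(helm_values_args "$1") || return 1
    # shellcheck disable=SC2086  # word splitting of the -f list is intended
    helm install tf denimgroup/threadfix -f db-only.yaml $helm_args || return 1
    # Block until the pod is Ready (bounded by the timeout) instead of watching
    # "kubectl get po -w" by hand.
    kubectl wait --for=condition=Ready pod -l "$DB_POD_SELECTOR" --timeout=300s || return 1
    pod=$(db_pod_name)
    [ -n "$pod" ] || { echo "database pod not found" >&2; return 1; }
    # kubectl exec returns mysql's exit status, so a failed import stops here
    # instead of being followed by an upgrade against a half-loaded database.
    kubectl exec -i "$pod" -- bash -c 'mysql -u"$MYSQL_USER" -p"$MYSQL_PASSWORD"' < "$2" || return 1
    helm upgrade $helm_args --no-hooks tf denimgroup/threadfix
}

# Usage (on the machine with kubectl and helm access):
#   run_migration myValues migrated_db.sql
```

Each step returns non-zero on failure, so the full upgrade never runs against a database that did not finish importing; the same checks apply whether the dump is the script-generated migrated_db.sql or a manual <db_dump_file>.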
www.threadfix.it | www.coalfire.com
Copyright © 2024 Coalfire. All rights reserved.
This Information Security Policy is CoalFire - Public: Distribution of this material is not limited.