📙 You will learn
How to install ThreadFix and its dependencies on an existing Kubernetes Cluster.Prerequisites
Audience: IT Professional
Difficulty: Intermediate
Time needed: Approximately 10 minutes
Tools required: N/A
Suitable for large scale deployments where resources can be added to handle greater throughput of scans and vulnerability data.
Minimum Requirements
Helm >= 3.2
kubectl
Running kubernetes cluster with the following:
Version >=1.16
>= 32 GB RAM available in cluster
>=8 GB RAM per node
> 4 core equivalents available in cluster
> 250 GB disk space available in default storage provider
For most cloud providers this will automatically be provisioned
A valid ThreadFix license
A kubernetes user with proper permissions
Recommended Pre-requisites
A valid TLS certificate for a ThreadFix installation in PEM format
Kubernetes cluster meeting the user’s installation capacity, note /wiki/spaces/T3UD2/pages/2497912598
Follow any applicable /wiki/spaces/T3UD2/pages/2497911489 prior to installation
Follow any applicable pre-install tasks prior to installation Add link to Pre-install instructions here/ What does this reference?
Installation
For the following instructions, add '-n ' to any kubectl or helm install if installing ThreadFix to separate namespace.
Create myValues directory (if it does not exist).
mkdir -p myValues
If any other steps from the “Preparation Guides” have been completeddone, ensure that their resulting values files reside in the
myValuesdirectory.Create a ThreadFix license configuration.
Locate the threadfix.license file.
Run the following command (replacing <threadfix.license-path> with the path to the license file):
kubectl create secret generic tf-license --from-file=threadfix.license=<threadfix.license-path>
Create a TLS certificate configuration (optional).
Convert the TLS certificate to base 64 encoded PEM if in a different format. For more information see the Adding a TLS Certificate (Kubernetes) guide
Run the following (replacing <tls-key> and <tls-cert> with their respective paths):
kubectl create secret tls tf-tls --key <tls-key> --cert <tls-cert>
Create TLS configuration values
echo "kong: env: SSL_CERT: /etc/secrets/tf-tls/tls.crt SSL_CERT_KEY: /etc/secrets/tf-tls/tls.key secretVolumes: - tf-tls" > myValues/tls.yaml
Add the ThreadFix Helm repository:
Add the ThreadFix Helm repository by running the following command
helm repo add denimgroup https://threadfix-downloads.s3-us-west-2.amazonaws.com/helm/
Update the repositories by running:
helm repo update
Generate a unique password for PostgreSQL
PG_PASSWORD=$(openssl rand -base64 25)
Create a myValues.yaml file
echo "kong: postgresql: postgresqlPassword: $PG_PASSWORD global: threadfix: licenseCMOverride: tf-license" > myValues/myValues.yamlGenerate a helm args for all of the values files
HELM_INSTALL_ARGS=$(for values_file in myValues/*.yaml; do echo -n "-f $values_file "; done)
Install ThreadFix with the following command:
helm install tf denimgroup/threadfix $HELM_INSTALL_ARGS
ThreadFix will automatically generate internal credentials. Save these in a secure location for recovery purposes.
Network Properties:
kubectl get secrets tf-network-props -o 'go-template={{index .data "network.properties"}}' | base64 -dDatabase password:
kubectl get secret tf-db -o jsonpath={.data.password} | base64 -dPostgres password:
kubectl get secret tf-postgresql -o jsonpath={.data.postgresql-password} | base64 -d
The Helm command will return instruction on how to retrieve the load balancer address for the ThreadFix installation. Follow the progress of the installation with the following.
kubectl get po -w
When all pods report the status Running or Completed, the installation is complete and ready to use.