As we reach the end of September 2024, ThreadFix version 3.x on-premises has officially reached its End-of-Life. Therefore, there is no longer support or updates for this version of the product. We have fully transitioned our product and development teams to focus on ThreadFix SaaS and on migrating all customers over from the on-premises versions. Our Customer Success and Support teams are here to help you in migrating to ThreadFix SaaS and maximizing the value you see from this improved offering from Coalfire. This is the next phase of ThreadFix and our team is looking forward to continuing to support you on this journey.


📙 You will learn

How to add custom root certificates to an AppSec Container.

Prerequisites

Audience: IT Professional
Difficulty: Intermediate
Time needed: Approximately 10 minutes
Tools required: kubectl, Helm

In the following instructions replace <certificate> with the name of the desired root certificate file.

Enter the following commands on a command line to perform the described action.

  1. Copy the root certificate to the server with kubectl access

  2. Add the Denim Group Helm repository if not present

    helm repo add denimgroup https://threadfix-downloads.s3-us-west-2.amazonaws.com/helm/
  3. Get the Helm release name for the ThreadFix instance.

    TF_RELEASE=$(helm ls | grep threadfix | awk '{print $1}')
  4. Get the current installed version of ThreadFix.

    TF_VERSION=$(helm ls --filter "$TF_RELEASE" | grep -o 'threadfix-[A-Za-z0-9.-]*' | sed 's|threadfix-||g')

  5. Store the appsec pod name in a shell variable for later use:

    TF_APPSEC_POD=$(kubectl get po -l app.kubernetes.io/name=appsec -o jsonpath='{ .items[].metadata.name }')

  6. Validate that the generated parameters are set.

    echo $TF_RELEASE
    echo $TF_VERSION
    echo $TF_APPSEC_POD
  7. Copy the certificate to the appsec pod:

    kubectl cp <certificate> $TF_APPSEC_POD:/<certificate>

  8. Add the certificate to the Java truststore:

    kubectl exec "$TF_APPSEC_POD" -- keytool -importcert -file /<certificate> -keystore /usr/local/openjdk-8/jre/lib/security/cacerts -storepass changeit -noprompt

  9. Copy the generated cacerts file to the user machine:

    kubectl cp $TF_APPSEC_POD:/usr/local/openjdk-8/jre/lib/security/cacerts cacerts

  10. Create a configmap with the copied cacerts file:

    kubectl create configmap tf-cacerts --from-file=cacerts=./cacerts

  11. Create myValues dir if not present

    mkdir -p myValues
  12. Create a file named 'root-ca.yaml':

    echo "appsec:
      extraVolumes:
        # The volume name must match the name used by the mount below.
        - name: cacerts
          configMap:
            defaultMode: 420
            name: tf-cacerts
      extraVolumeMounts:
        - mountPath: /usr/local/openjdk-8/jre/lib/security/cacerts
          name: cacerts
          readOnly: true
          subPath: cacerts" > myValues/root-ca.yaml

  13. Export current Helm values:

    helm get values $TF_RELEASE > currentValues.yaml

  14. Apply the new values with a Helm upgrade:

    helm upgrade $TF_RELEASE denimgroup/threadfix --version $TF_VERSION -f currentValues.yaml -f myValues/root-ca.yaml

  15. The appsec pod will automatically restart. The progress can be viewed with:

    kubectl get pods -w
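
Once the pod has restarted, the result can be checked by saving the truststore listing from the new pod (`keytool -list -keystore /usr/local/openjdk-8/jre/lib/security/cacerts -storepass changeit`, run through `kubectl exec` after repeating step 5, since the restarted pod may have a new name) and searching it for the certificate's fingerprint. The script below is an added example, not part of the original ThreadFix instructions; the function names, file names and sample data are assumptions constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: names and sample data are illustrative, not part of ThreadFix.

# Print the fingerprint of the first certificate in FILE (PEM or DER) using
# ALGO (sha1 or sha256), formatted the way keytool prints it: AA:BB:CC...
cert_fingerprint() {
  local file=$1 algo=$2
  if grep -q -- '-----BEGIN CERTIFICATE-----' "$file"; then
    # PEM: keep only the first certificate block, strip the armor, decode to DER.
    sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/{p;/-----END CERTIFICATE-----/q;}' "$file" |
      grep -v -- '-----' | tr -d ' \r\n' | base64 -d
  else
    cat "$file"   # no PEM armor: treat the file as raw DER
  fi | "${algo}sum" | cut -d' ' -f1 | tr 'a-f' 'A-F' | sed 's/../&:/g; s/:$//'
}

# Succeed if LISTING (saved output of keytool -list, with or without -v) contains
# the SHA-1 or SHA-256 fingerprint of CERT; the match ignores letter case.
truststore_has_cert() {
  local listing=$1 cert=$2 algo fp
  for algo in sha1 sha256; do
    fp=$(cert_fingerprint "$cert" "$algo")
    [ -n "$fp" ] && grep -qiF -- "$fp" "$listing" && return 0
  done
  return 1
}

# Demo on constructed data: the PEM body is the placeholder bytes "abc", not a
# real certificate, and the listing only mimics keytool's output shape.
demo() {
  local dir; dir=$(mktemp -d)
  printf '%s\n' '-----BEGIN CERTIFICATE-----' 'YWJj' \
    '-----END CERTIFICATE-----' > "$dir/root.pem"
  printf '%s\n' 'mykey, Oct 1, 2024, trustedCertEntry,' \
    'Certificate fingerprint (SHA1): A9:99:3E:36:47:06:81:6A:BA:3E:25:71:78:50:C2:6C:9C:D0:D8:9D' \
    > "$dir/listing.txt"
  if truststore_has_cert "$dir/listing.txt" "$dir/root.pem"; then
    echo "root certificate found in truststore listing"
  else
    echo "root certificate NOT found" >&2
  fi
  rm -rf "$dir"
}
demo
```

A miss after the upgrade usually means the configmap was built from a cacerts file copied before the import, or that the mount did not replace the file at the expected path.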
