Helmfile Installation with Local Registry Support

This guide details how to install AppScan 360° using Helmfile while leveraging a Local (Private) Registry. This approach is ideal for customers who need to mirror artifacts from the official HCL Harbor registry to their own environment for security, compliance, or offline (air-gapped) installations.

Key Features:

  • Artifact Sync: A script to copy Docker images and Helm charts from HCL Harbor to your private registry.

  • Customization: YAML-based configuration to override registry locations.

  • Automated Deployment: Single-command deployment using Helmfile.

System Requirements & Components

Before beginning the installation, ensure the following components are available.

1. Artifact Source (HCL Harbor)

The official HCL Harbor registry (hclcr.io) hosts the source files:

  • AppScan 360° Docker images.

  • Helm charts (packaged as .tgz releases).

2. Target Environment (Customer Registry)

You must have a private registry available (e.g., registry.customer.local/as360).

  • Requirement: The registry must be OCI-enabled.

  • Limitation: Pushing artifacts to the root of the registry is currently not supported.

3. Tooling

The following tools are provided in the installation bundle:

  • Helmfile: Orchestrates the deployment of components (ASCP, ASRA, DTCS, SCA).

  • copy-artifacts.sh: A script that reads from an artifactList file to copy images and charts from HCL Harbor to your local registry.

4. Credentials

Ensure you have authenticated access to both registries:

  • HCL Harbor: Read-only credentials.

  • Customer Registry: Read/Write credentials.

Installation Procedure

Step 1: Acquire the Installation Bundle

Download and extract the installation package provided by HCL. The directory structure will look like this:
AppScan-360-Helm-Files
├── Copy Artifacts
│   ├── artifactList.txt        # List of images/charts to sync
│   └── copy-artifacts.sh       # The synchronization script
├── Helm.d
│   ├── helmfile-ASCP.yaml.gotmpl
│   ├── helmfile-ASRA.yaml.gotmpl
│   ├── helmfile-SCA.yaml.gotmpl
│   ├── helmfile-DTCS.yaml.gotmpl
│   └── helmFileCustomization
│       └── singular-singular.clusterKit-Sample.yaml  # Main config file
├── helmfile.yaml.gotmpl
└── README.md

Step 2: Sync Artifacts to Local Registry

If you are using a private registry (offline/isolated mode), you must first copy the required files from HCL Harbor.

Run the synchronization script located in the Copy Artifacts folder:
./copy-artifacts.sh

Script Inputs:

  1. Destination Registry: Enter your registry URL and repository (e.g., registry.customer.local/as360).

  2. Artifact List: The script automatically reads the artifactList.txt file (containing [IMAGES] and [HELM] sections).

Success: This step ensures all Docker images and Helm charts are mirrored to your environment.

Step 3: Configure Registry Overrides

You must update the configuration file to tell Helmfile to look at your local registry instead of HCL Harbor.

  1. Open helmFileCustomization/singular-singular.clusterKit-Sample.yaml.

  2. Locate the Singular File section.

  3. Update the registry and repository fields with your local details.

Example Configuration:
helm:
  package:
    registry: 'registry.customer.local'
    context: 'as360/charts'
workload:
  affiliatedSidecarsProject: appscan360
  container:
    image:
      registry: 'registry.customer.local'
      repository: 'as360/images'
      pullPolicy: IfNotPresent

How this works:

  • Primary Logic: The system reads registry details from this customization file.

  • Fallback Logic: If these details are missing or the file is not configured, the system defaults to pulling directly from HCL Harbor (useful for existing customers migrating configurations).
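
Because missing overrides fall back to HCL Harbor, it is worth confirming that every rendered image reference really points at the local registry before deploying. The check below is an added example, not part of the HCL installation bundle. It assumes rendered image references begin with the configured registry and repository; the prefix registry.customer.local/as360 and the sample manifest are constructed for illustration.

```shell
#!/bin/sh
# Added example: find images in rendered manifests that bypass the local registry.

# Print every unique container image reference found in YAML read from stdin.
# Trailing comments and quotes are stripped; bare "image:" mapping keys are skipped.
list_images() {
  sed -n -E 's/^[[:space:]-]*image:[[:space:]]*//p' |
    sed -E 's/[[:space:]]+#.*$//' |
    tr -d "\"'" |
    sed '/^$/d' | sort -u
}

# Print the images on stdin that do not start with "<prefix>/".
# Matching on the trailing slash keeps look-alike hosts from passing.
images_outside_registry() {
  allowed="${1%/}/"
  list_images | while IFS= read -r ref; do
    case "$ref" in
      "$allowed"*) ;;
      *) printf '%s\n' "$ref" ;;
    esac
  done
}

# Return non-zero (and report on stderr) if any image would come from elsewhere.
check_no_fallback() {
  offenders=$(images_outside_registry "$1")
  if [ -n "$offenders" ]; then
    printf 'Images not served by %s:\n%s\n' "$1" "$offenders" >&2
    return 1
  fi
}

# Constructed sample of rendered output (image names are placeholders).
sample_manifest() {
  cat <<'EOF'
      initContainers:
        - name: init
          image: busybox:1.36
      containers:
        - image: "registry.customer.local/as360/images/example-api:1.0.0"
          imagePullPolicy: IfNotPresent
        - image: hclcr.io/example/example-sidecar:1.0.0
        - image: registry.customer.local.example.net/as360/images/example-api:1.0.0
EOF
}

sample_manifest | images_outside_registry registry.customer.local/as360
```

Against the real configuration, pipe the rendered output in instead of the sample: helmfile template | check_no_fallback registry.customer.local/as360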

Step 4: Run the Installation

Once the artifacts are synced and the configuration is updated, execute the deployment.

Run the following command from the root of the installation directory:

helmfile sync

What happens next?

Helmfile will read your customization file and deploy ASCP, ASRA, DTCS, and SCA using the images and charts from your specified local registry.

Include Software Composition Analysis (SCA)

Software Composition Analysis (SCA) is included when you install AppScan 360° with the includeSCA parameter.
Note: Software Composition Analysis (SCA) is not included in AppScan 360° by default; you must enable it.
To include SCA:
includeSCA=true helmfile sync
To disable SCA, you must uninstall AppScan 360° completely:
includeSCA=true helmfile destroy
To enable automatic updates of the Software Composition Analysis (SCA) vulnerability database, set the following environment variables that point to the HCL Harbor registry with the correct credentials.
export SCA_AUTOUPDATER_REGISTRY_USERNAME=<HCL_HARBOR_USERNAME>
export SCA_AUTOUPDATER_REGISTRY_PASSWORD=<HCL_HARBOR_PASSWORD>
Important: If you do not set up automatic updates, you must update the vulnerability database manually.

DAST Template Converter Service (DTCS)

By default, DTCS is installed along with the other AppScan 360° components.

If you do not want the DAST technology installed, you can skip this component with the following command.

To exclude the DAST Template Converter Service:
excludeDTCS=true helmfile sync
To disable DAST, you must uninstall AppScan 360° completely:
excludeDTCS=true helmfile destroy