Preparing the configuration file
After you have set up the AppScan 360° environment and before you install, prepare the configuration file singular-singular.clusterKit.properties or singular-singular.clusterKit.yaml. The AppScan 360° Central Platform, AppScan Remediation Advisor and Software Composition Analysis (SCA) installation files reference this file during installation. The file carries clear-text credentials (registry, database, LDAP, SMTP, proxy and OIDC secrets), so restrict its permissions to the installing user and keep it out of version control.
To prepare the configuration file:
- Create a new file in the text editor of your choice.
- Populate the file with the appropriate parameters as described in the table below.
- Name the file singular-singular.clusterKit.properties or singular-singular.clusterKit.yaml, according to your installation method, and save it to the folder where you have saved or intend to save the installation package. Note: the self-extracting installation file must be able to find this file during installation.
- If required, configure self-signed certificates.
Configuration notes
You can supply a server certificate as part of the customization file, to be used as the ingress certificate for the service entry point. If you do, supply it as a PEM structured certificate, as follows:
- the public key (certificate) from the *.crt or *.cer file
- the private key from the *.key file
Configuration parameters
Note: Enclose all parameter values in quotes.
| Parameter | Description | Example value |
|---|---|---|
| CK_DOCKER_REGISTRY_ADDRESS | Docker image registry address (FQDN), optionally with a colon-separated port. | pi-dpr-lin.appscan.com |
| CK_DOCKER_REGISTRY_USERNAME | Docker image registry user name. | |
| CK_DOCKER_REGISTRY_PASSWORD | Docker image registry password. | |
| CK_DOCKER_REGISTRY_CONTEXT | Docker registry context. Set it to an empty string to push to the root; remove it if not applicable. | |
| CK_DOCKER_REGISTRY_CONTEXT_4_ADDONS | Docker registry context for add-ons. Set it to an empty string to push to the root; remove it if not applicable. For consistency it can be set to the same value as CK_DOCKER_REGISTRY_CONTEXT. | |
| CK_HELM_REPOSITORY_CONTEXT | Helm repository context. Set it to an empty string to push to the root; remove it if not applicable. | |
| CK_HELM_REPOSITORY_CONTEXT_4_ADDONS | Helm repository context for add-ons. Set it to an empty string to push to the root; remove it if not applicable. For consistency it can be set to the same value as CK_HELM_REPOSITORY_CONTEXT. | |
| CK_CNI_NETWORK_DOMAIN_SUFFIX | The designated (main) domain name. | appscan.com |
| CK_CSI_STORAGE_CLASS_NAME | Kubernetes storage driver (CSI) class name. Note: the CSI driver must support the ReadWriteMany access mode. | longhorn |
| CK_CSI_STORAGE_SHARED_FILE_SYSTEM_VOLUME_NAME | Kubernetes predefined PV (Persistent Volume) to use with the auto-generated PVC (Persistent Volume Claim) for the shared file system. Note: optional; if left empty, the PV is generated automatically by the PVC. It is generally used when migrating from the Windows VM based version of AppScan 360° and the existing shared data must be kept. If the PV is not associated with any storage class, set CK_CSI_STORAGE_CLASS_NAME to a pseudo class (for example, 'manual') and define the PV's storage-class parameter the same way as the PVC. | |
| CK_CSI_STORAGE_SHARED_FILE_SYSTEM_REQUESTED_CAPACITY | Designated size of the Kubernetes shared storage; calculate it before installation. | 100Gi |
| CK_K8S_ASCP_NAMESPACE | Optional. Namespace for the platform components. | |
| CK_K8S_ASRA_NAMESPACE | Optional. Namespace for the ASRA components. | |
| NAMESPACE | General namespace override for the SCA installation. | |
| CK_INGRESS_CONTROLLER_CAPABILITIES_IS_HTTPS_BACKEND_PROTOCOL_SUPPORTED | Indicates whether the ingress controller is NGINX based, or whether SSL onload (HTTPS backend protocol) is supported by the ingress controller itself (not via an annotation). | false |
| CK_INGRESS_INTERNAL_CLASS | Ingress class name to use when deploying ingresses into the Kubernetes cluster. | nginx |
| CK_INGRESS_INTERNAL_HOST_DOMAIN | Domain used to build the host name when deploying ingresses into the Kubernetes cluster. Note: if left empty, it is taken from CK_CNI_NETWORK_DOMAIN_SUFFIX. | appscan.com |
| CK_INGRESS_INTERNAL_HOST_SUBDOMAIN | Subdomain used to build the host name when deploying ingresses into the Kubernetes cluster. | expo.ascp |
| CK_CUSTOMER_INGRESS_CERTIFICATE_ENABLED | Indicates whether the supplied certificate is used as the ingress certificate of the applicable external (out-of-cluster) microservices. Note: supply the server certificate as described under Configuration notes, as a PEM structured certificate (public key from the *.crt or *.cer file, private key from the *.key file). | false |
| CK_CUSTOMER_INGRESS_CERTIFICATE_SECRET_DATA_CA_CRT_AS_BASE64 | The certificate authority (CA) signing certificate of the supplied certificate that is used as the ingress certificate of the applicable external (out-of-cluster) microservices. | <BASE64_ENCODED_VALUE> |
| CK_CUSTOMER_INGRESS_CERTIFICATE_SECRET_DATA_TLS_CRT_AS_BASE64 | The public key (certificate) used as the ingress certificate of the applicable external (out-of-cluster) microservices. | <BASE64_ENCODED_VALUE> |
| CK_CUSTOMER_INGRESS_CERTIFICATE_SECRET_DATA_TLS_KEY_AS_BASE64 | The private key of the certificate used as the ingress certificate of the applicable external (out-of-cluster) microservices. | <BASE64_ENCODED_VALUE> |
| CK_CONFIGURATION_DISCLOSED_SITE_URL | AppScan 360° frontend URL. Note: do not end the URL with a forward slash (/). | https://expo.ascp.appscan.com |
| CK_CONFIGURATION_DISCLOSED_EXTERNAL_IDP_MODE | Defines the method for onboarding new users: AutoOnboard (any user with access to the server can log in to AppScan 360°), GroupsAccess (any user in an authorized group can log in), ManualOnboard (users must be invited using the Add Users button on the Access management > Users page). | AutoOnboard |
| CK_CONFIGURATION_DISCLOSED_LDAP_DOMAIN | LDAP server/service domain. Important: when upgrading from AppScan 360° 1.1.0 or earlier, the LDAP configuration cannot be carried over directly. Before installing, verify that all LDAP parameters meet the requirements of the current or upgraded AppScan 360° version. | appscan.il |
| CK_CONFIGURATION_DISCLOSED_LDAP_USERNAME | LDAP server/service user name used to establish the connection. Note: relevant when 'ManualOnboard' is selected for CK_CONFIGURATION_DISCLOSED_EXTERNAL_IDP_MODE. | <LDAP_USERNAME> |
| CK_CONFIGURATION_DISCLOSED_LDAP_AUTHORIZED_GROUPS | Comma-separated list of the LDAP groups that are authorized to access AppScan 360°. Note: relevant when 'GroupsAccess' is selected for CK_CONFIGURATION_DISCLOSED_EXTERNAL_IDP_MODE. | |
| CK_CONFIGURATION_DISCLOSED_LDAP_SSL | Indicates whether to establish a secured (SSL/TLS) connection to the LDAP server or service. | false |
| CK_CONFIGURATION_DISCLOSED_LDAP_TARGET_OU | Location of the users in AD (Active Directory) for LDAP queries; used to authenticate AD users when they log in to AppScan 360°. | CN=Users,DC=appscan,DC=com |
| CK_CONFIGURATION_DISCLOSED_MAIL_SMTP_HOST | SMTP mail server/service host name. | wfilsus.israel.ottawa.watchfire.com |
| CK_CONFIGURATION_DISCLOSED_MAIL_SMTP_PORT | SMTP mail server/service port. | 25 |
| CK_CONFIGURATION_DISCLOSED_MAIL_SMTP_USERNAME | SMTP mail server/service user name used to establish the connection. | <SMTP_USERNAME> |
| CK_CONFIGURATION_DISCLOSED_MAIL_SMTP_ENABLE_SSL | Indicates whether to establish a secured (SSL/TLS) connection to the SMTP mail server or service. | false |
| CK_CONFIGURATION_DISCLOSED_UPSTREAM_PROXY_HOST | Optional. Host name of the dedicated upstream proxy. | 10.255.255.255 |
| CK_CONFIGURATION_DISCLOSED_UPSTREAM_PROXY_PORT | Optional. Port of the dedicated upstream proxy. | 3762 |
| CK_CONFIGURATION_DISCLOSED_UPSTREAM_PROXY_USERNAME | Optional. User name for the dedicated upstream proxy. | ProxyUserName |
| CK_CONFIGURATION_CONFIDENTIAL_DEFAULT_CONNECTION | MSSQL data store (database) connection string used to establish the database connection. | <DB_CONNECT_STRING> |
| CK_CONFIGURATION_CONFIDENTIAL_LDAP_PASSWORD | LDAP server/service password used to establish the connection. Note: relevant when 'ManualOnboard' is selected for CK_CONFIGURATION_DISCLOSED_EXTERNAL_IDP_MODE. | <LDAP_PASSWORD> |
| CK_CONFIGURATION_CONFIDENTIAL_MAIL_SMTP_PASSWORD | SMTP mail server/service password used to establish the connection. | <SMTP_PASSWORD> |
| CK_CONFIGURATION_CONFIDENTIAL_UPSTREAM_PROXY_PASSWORD | Optional. Password for the dedicated upstream proxy. | <PROXY_PASSWORD> |
| CK_CONFIGURATION_DISCLOSED_OIDC_CLIENT_ID | Optional. OpenID Connect (OIDC) client ID used to establish the connection with the OIDC server. Note: if set, all other OIDC parameters must be set as well. | |
| CK_CONFIGURATION_DISCLOSED_OIDC_AUTHORITY | Optional. OIDC authority base URL used when making OpenID Connect (OIDC) calls. Note: if set, all other OIDC parameters must be set as well. | |
| CK_CONFIGURATION_CONFIDENTIAL_OIDC_CLIENT_SECRET | OpenID Connect (OIDC) client secret used to establish the connection with the OIDC server. | |
| CK_CUSTOMER_CA_CERTIFICATE_SECRET_DATA_FOR_OIDCS_AS_BASE64 | Base64-encoded CA certificate used for the OIDC configuration. | |
| CK_CONFIGURATION_DISCLOSED_EXTERNAL_DOMAINS | Comma-separated external domains that AppScan 360° is allowed to reach; required for communicating with the OIDC server. | |
| CK_CUSTOMER_CA_CERTIFICATE_SECRET_DATA_FOR_SMTPS_AS_BASE64 | Base64-encoded CA certificate associated with SMTP. | |
| CK_CUSTOMER_CA_CERTIFICATE_SECRET_DATA_FOR_LDAPS_AS_BASE64 | Base64-encoded CA certificate associated with LDAP. | |
| CK_CUSTOMER_CA_CERTIFICATES_ENABLED | Enables the certificate customization described in the CA certificate parameters above. | true |
| SCA_CSI_STORAGE_CLASS_NAME | K8S storage driver class name. | |
| SCA_CSI_STORAGE_SHARED_FILE_SYSTEM_REQUESTED_CAPACITY | Designated size of the K8S shared storage; calculate it before installation. | |
| SCA_CSI_STORAGE_ACCESS_MODE | K8S storage driver access mode. | |
| SCA_CSI_STORAGE_VOLUME_NAME | Optional. Predefined K8S persistent volume to use with the PVC. If left empty, it is generated automatically. | |
| SCA_CONNECTIONSTRINGSSCAENGINEDATABASE | SCA engine database connection string. Note: Microsoft SQL Server must be installed. If the connection string contains a comma, escape it with a backslash (\,). | |
| SCA_CONNECTIONSTRINGSSCAAGGREGATIONDB | Aggregation database connection string. | |
| SCA_AUTOUPDATER_REGISTRY_ADDRESS | Optional. Required only when the registry in use is not the HCL AutoUpdater registry. | hclcr.io |
| SCA_AUTOUPDATER_REGISTRY_PATH | Optional. Required only when the registry and path differ from the defaults. | |
| SCA_AUTOUPDATER_HELM_PATH | Optional. Required only when the Helm repository path differs from the default. | |
| SCA_AUTOUPDATER_REGISTRY_USERNAME | Optional. Registry user name for the SCA AutoUpdater. | |
| SCA_AUTOUPDATER_REGISTRY_PASSWORD | Optional. Registry password for the SCA AutoUpdater. | |
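Most of the rules the table states (every value quoted, no trailing slash on the site URL, true/false flags, OIDC parameters set all together or not at all, a supplied CA certificate requiring CK_CUSTOMER_CA_CERTIFICATES_ENABLED='true', base64 fields that actually decode to PEM) can be checked before the installer consumes the file. The following Python linter is an added example, not part of the AppScan 360° installation package; the sample properties text and the placeholder certificate it embeds are constructed for illustration.

```python
"""Lint a singular-singular.clusterKit.properties file against the rules stated in the
parameter table. Added example, not part of the AppScan 360° installation package."""
import base64
import re

ASSIGNMENT = re.compile(r"^([A-Z0-9_]+)=(.*)$")

BOOLEAN_KEYS = (
    "CK_INGRESS_CONTROLLER_CAPABILITIES_IS_HTTPS_BACKEND_PROTOCOL_SUPPORTED",
    "CK_CUSTOMER_INGRESS_CERTIFICATE_ENABLED",
    "CK_CUSTOMER_CA_CERTIFICATES_ENABLED",
    "CK_CONFIGURATION_DISCLOSED_LDAP_SSL",
    "CK_CONFIGURATION_DISCLOSED_MAIL_SMTP_ENABLE_SSL",
)
IDP_MODES = ("AutoOnboard", "GroupsAccess", "ManualOnboard")
OIDC_KEYS = (
    "CK_CONFIGURATION_DISCLOSED_OIDC_CLIENT_ID",
    "CK_CONFIGURATION_DISCLOSED_OIDC_AUTHORITY",
    "CK_CONFIGURATION_CONFIDENTIAL_OIDC_CLIENT_SECRET",
)
CA_KEYS = (
    "CK_CUSTOMER_CA_CERTIFICATE_SECRET_DATA_FOR_OIDCS_AS_BASE64",
    "CK_CUSTOMER_CA_CERTIFICATE_SECRET_DATA_FOR_SMTPS_AS_BASE64",
    "CK_CUSTOMER_CA_CERTIFICATE_SECRET_DATA_FOR_LDAPS_AS_BASE64",
)
# Ingress certificate fields and the PEM label each one must decode to.
INGRESS_KEYS = {
    "CK_CUSTOMER_INGRESS_CERTIFICATE_SECRET_DATA_CA_CRT_AS_BASE64": "CERTIFICATE",
    "CK_CUSTOMER_INGRESS_CERTIFICATE_SECRET_DATA_TLS_CRT_AS_BASE64": "CERTIFICATE",
    "CK_CUSTOMER_INGRESS_CERTIFICATE_SECRET_DATA_TLS_KEY_AS_BASE64": "PRIVATE KEY",
}


def parse_properties(text):
    """Return ({key: unquoted value}, [problems]); every value must be quoted."""
    params, problems = {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        match = ASSIGNMENT.match(line)
        if not match:
            problems.append(f"line {lineno}: not a KEY='value' assignment")
            continue
        key, value = match.groups()
        if len(value) < 2 or value[0] not in "'\"" or value[-1] != value[0]:
            problems.append(f"line {lineno}: value of {key} must be enclosed in quotes")
            continue
        params[key] = value[1:-1]
    return params, problems


def decoded_pem_label(value):
    """PEM label ('CERTIFICATE', 'RSA PRIVATE KEY', ...) of a base64 value, or None."""
    try:
        pem = base64.b64decode(value.strip(), validate=True).decode("ascii")
    except ValueError:  # binascii.Error and UnicodeDecodeError are both ValueErrors
        return None
    match = re.match(r"-----BEGIN ([A-Z ]+)-----", pem.lstrip())
    return match.group(1) if match else None


def check_params(params):
    """Cross-field rules from the table; returns a list of problem strings."""
    problems = []

    def get(key):
        return params.get(key, "").strip()

    if get("CK_CONFIGURATION_DISCLOSED_SITE_URL").endswith("/"):
        problems.append("CK_CONFIGURATION_DISCLOSED_SITE_URL must not end with '/'")
    for key in BOOLEAN_KEYS:
        if get(key) and get(key).lower() not in ("true", "false"):
            problems.append(f"{key} must be 'true' or 'false', got {get(key)!r}")
    mode = get("CK_CONFIGURATION_DISCLOSED_EXTERNAL_IDP_MODE")
    if mode and mode not in IDP_MODES:
        problems.append(f"CK_CONFIGURATION_DISCLOSED_EXTERNAL_IDP_MODE must be one of {IDP_MODES}")
    if mode == "GroupsAccess" and not get("CK_CONFIGURATION_DISCLOSED_LDAP_AUTHORIZED_GROUPS"):
        problems.append("GroupsAccess needs CK_CONFIGURATION_DISCLOSED_LDAP_AUTHORIZED_GROUPS")
    oidc_set = [key for key in OIDC_KEYS if get(key)]
    if oidc_set and len(oidc_set) != len(OIDC_KEYS):
        problems.append("OIDC parameters are all-or-nothing; set all of " + ", ".join(OIDC_KEYS))
    ca_given = [key for key in CA_KEYS if get(key)]
    for key in ca_given:
        if decoded_pem_label(get(key)) != "CERTIFICATE":
            problems.append(f"{key} does not decode to a PEM CERTIFICATE block")
    if ca_given and get("CK_CUSTOMER_CA_CERTIFICATES_ENABLED").lower() != "true":
        problems.append("a CA certificate is supplied but CK_CUSTOMER_CA_CERTIFICATES_ENABLED is not 'true'")
    if get("CK_CUSTOMER_INGRESS_CERTIFICATE_ENABLED").lower() == "true":
        for key, label in INGRESS_KEYS.items():
            found = decoded_pem_label(get(key))
            if found is None or not found.endswith(label):
                problems.append(f"{key} must decode to a PEM {label} block")
    return problems


def lint(text):
    params, problems = parse_properties(text)
    return problems + check_params(params)


# Constructed sample: a placeholder CA (not a real certificate) and five deliberate mistakes.
SAMPLE_CA_B64 = base64.b64encode(
    b"-----BEGIN CERTIFICATE-----\nY29uc3RydWN0ZWQgcGxhY2Vob2xkZXI=\n-----END CERTIFICATE-----\n"
).decode("ascii")
SAMPLE = f"""## Constructed sample, not a real deployment
CK_CONFIGURATION_DISCLOSED_SITE_URL='https://expo.ascp.appscan.com/'
CK_CONFIGURATION_DISCLOSED_LDAP_SSL='yes'
CK_CONFIGURATION_DISCLOSED_OIDC_CLIENT_ID='appscan360'
CK_CONFIGURATION_DISCLOSED_OIDC_AUTHORITY=''
CK_CONFIGURATION_CONFIDENTIAL_OIDC_CLIENT_SECRET=''
CK_CUSTOMER_CA_CERTIFICATE_SECRET_DATA_FOR_LDAPS_AS_BASE64='{SAMPLE_CA_B64}'
CK_CUSTOMER_CA_CERTIFICATES_ENABLED=''
CK_K8S_ASCP_NAMESPACE=appscan
"""
```

Running lint(SAMPLE) reports the unquoted namespace, the trailing slash, the non-boolean LDAP_SSL, the half-configured OIDC block and the CA certificate supplied without the enable flag. The ingress check only runs when CK_CUSTOMER_INGRESS_CERTIFICATE_ENABLED is 'true', which is why the blank ' ' placeholders in the example file further down pass.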
Configuring self-signed certificates
If your environment uses custom self-signed certificates for SSO (for example, Okta or Keycloak) or LDAP (for example, Active Directory or Domino LDAP), you must configure those certificates during installation. If you are using a certificate issued by a trusted root CA, these steps are not required. What you embed is the CA certificate that signed the SSO or LDAP server's certificate (the whole chain if an intermediate CA is involved), never the server's private key.
To configure self-signed certificates for a distributed installation:
- In the installation properties file (singular-singular.clusterKit.properties), specify the certificate as a base64 value:
  - For SSO authentication:
    CK_CUSTOMER_CA_CERTIFICATE_SECRET_DATA_FOR_OIDCS_AS_BASE64='<base64-value>'
    CK_CUSTOMER_CA_CERTIFICATES_ENABLED='true'
  - For LDAP authentication:
    CK_CUSTOMER_CA_CERTIFICATE_SECRET_DATA_FOR_LDAPS_AS_BASE64='<base64-value>'
    CK_CUSTOMER_CA_CERTIFICATES_ENABLED='true'
- If you are configuring SSO, specify the external domains so that AppScan 360° can connect to your Okta or Keycloak tenant. For example:
  CK_CONFIGURATION_DISCLOSED_EXTERNAL_DOMAINS='xxxxx.demo.com,XXXXX.abc.com'
To configure self-signed certificates for a Helm installation:
- Update the properties file (singular-singular.clusterKit.yaml) with the customer CA certificate settings:
  #
  # Settings that need to be customized by the customer are marked with 'CUSTOMIZE_ME' comments
  #
  global:
    customer:
      certificate:
        ca:
          # CUSTOMIZE_ME:
          # Indication whether to use customer given CA certificates, or not
          enabled: true
          secret:
            data:
              # CUSTOMIZE_ME:
              # The customer's supplied CA certificate used for signing LDAPs based service(s)
              caCrtForLDAPsAsBase64: ' '
              # CUSTOMIZE_ME:
              # The customer's supplied CA certificate used for signing SMTPs based service(s)
              caCrtForSMTPsAsBase64: ' '
              # CUSTOMIZE_ME:
              # The customer's supplied CA certificate used for signing OIDCs based service(s)
              caCrtForOIDCsAsBase64: ' '
- Specify the certificates in the file:
  - Set enabled to true.
  - For SSO, specify the certificate in caCrtForOIDCsAsBase64.
  - For LDAP, specify the certificate in caCrtForLDAPsAsBase64.
To configure self-signed certificates for a single VM installation:
- Place the self-signed certificates in the certificates folder (for SSO or LDAP, as applicable).
- In step 8f of the single VM installation customization procedure, specify the external domains so that AppScan 360° can connect to your SSO or LDAP provider.
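The base64 value the steps above ask for is the whole PEM file encoded on one line (what `base64 -w0 ca.crt` prints on Linux). The Python helper below, added here as an example and not part of the installer, does the same and additionally refuses input that carries a private key block and emits the matching properties lines (distributed installation) or the global.customer.certificate.ca fragment (Helm installation). The certificate text it embeds is a constructed placeholder, not a real certificate, and the domain login.example.com is an assumption.

```python
"""Produce the CK_CUSTOMER_CA_CERTIFICATE_*_AS_BASE64 values for the self-signed certificate
steps from PEM text, and emit the matching properties or singular-singular.clusterKit.yaml lines.
Added example, not part of the AppScan 360° installation package."""
import base64
import re

# One PEM block; the END label must match the BEGIN label (backreference \1).
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\r?\n.*?-----END \1-----", re.S)

# Properties field suffix and yaml key for each service the CA certificate is used for.
FIELDS = {
    "sso": ("OIDCS", "caCrtForOIDCsAsBase64"),
    "ldap": ("LDAPS", "caCrtForLDAPsAsBase64"),
    "smtp": ("SMTPS", "caCrtForSMTPsAsBase64"),
}


def certificate_chain(pem_text):
    """Return the CERTIFICATE blocks of pem_text, in file order.

    Anything that is not a certificate (typically a private key pasted by mistake) is
    rejected: the CA fields end up in cluster secrets and must never carry key material.
    """
    certs = []
    for match in PEM_BLOCK.finditer(pem_text):
        label = match.group(1)
        if label != "CERTIFICATE":
            raise ValueError(f"refusing to embed a '{label}' block in a CA certificate field")
        certs.append(match.group(0) + "\n")
    if not certs:
        raise ValueError("no PEM CERTIFICATE block found")
    return certs


def reject_reason(pem_text):
    """None if pem_text is acceptable CA input, otherwise why it is refused."""
    try:
        certificate_chain(pem_text)
        return None
    except ValueError as err:
        return str(err)


def to_base64(pem_text):
    """Single-line base64 of the whole certificate chain (the `base64 -w0 ca.crt` output)."""
    return base64.b64encode("".join(certificate_chain(pem_text)).encode("ascii")).decode("ascii")


def decode_value(value):
    """Inverse of to_base64, to inspect what the installer will receive."""
    return base64.b64decode(value).decode("ascii")


def properties_lines(service, pem_text, external_domains=()):
    """Lines for singular-singular.clusterKit.properties (distributed installation)."""
    suffix, _ = FIELDS[service]
    lines = [
        f"CK_CUSTOMER_CA_CERTIFICATE_SECRET_DATA_FOR_{suffix}_AS_BASE64='{to_base64(pem_text)}'",
        "CK_CUSTOMER_CA_CERTIFICATES_ENABLED='true'",
    ]
    if service == "sso":
        if not external_domains:
            raise ValueError("SSO needs the IdP domains in CK_CONFIGURATION_DISCLOSED_EXTERNAL_DOMAINS")
        lines.append(f"CK_CONFIGURATION_DISCLOSED_EXTERNAL_DOMAINS='{','.join(external_domains)}'")
    return lines


def yaml_lines(service, pem_text):
    """The global.customer.certificate.ca fragment for singular-singular.clusterKit.yaml (Helm)."""
    _, key = FIELDS[service]
    return [
        "global:",
        "  customer:",
        "    certificate:",
        "      ca:",
        "        enabled: true",
        "        secret:",
        "          data:",
        f"            {key}: '{to_base64(pem_text)}'",
    ]


# Constructed placeholders: the bodies are not real DER certificates or keys.
SAMPLE_CHAIN_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    "cGxhY2Vob2xkZXIgaW50ZXJtZWRpYXRlIENB\n"
    "-----END CERTIFICATE-----\n"
    "-----BEGIN CERTIFICATE-----\n"
    "cGxhY2Vob2xkZXIgcm9vdCBDQQ==\n"
    "-----END CERTIFICATE-----\n"
)
SAMPLE_KEY_PEM = (
    "-----BEGIN PRIVATE KEY-----\n"
    "cGxhY2Vob2xkZXIga2V5\n"
    "-----END PRIVATE KEY-----\n"
)

if __name__ == "__main__":
    for line in properties_lines("sso", SAMPLE_CHAIN_PEM, ["login.example.com"]):
        print(line)
    print(reject_reason(SAMPLE_CHAIN_PEM + SAMPLE_KEY_PEM))
```

Because the whole chain is encoded, an intermediate CA can be included ahead of the root in the same file; the installer receives exactly the PEM text that decode_value returns.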
Example singular-singular.clusterKit.properties
#
## Docker Registry info
#
CK_DOCKER_REGISTRY_ADDRESS='pi-dpr-lin.appscan.com'
CK_DOCKER_REGISTRY_USERNAME='user'
CK_DOCKER_REGISTRY_PASSWORD='password'
#
## Network info
#
CK_CNI_NETWORK_DOMAIN_SUFFIX='appscan.com'
#
## Storage info
#
CK_CSI_STORAGE_CLASS_NAME='longhorn'
CK_CSI_STORAGE_SHARED_FILE_SYSTEM_VOLUME_NAME=''
CK_CSI_STORAGE_SHARED_FILE_SYSTEM_REQUESTED_CAPACITY='100Gi'
#
## Ingress info
#
CK_INGRESS_CONTROLLER_CAPABILITIES_IS_HTTPS_BACKEND_PROTOCOL_SUPPORTED='false'
CK_INGRESS_INTERNAL_CLASS='nginx'
CK_INGRESS_INTERNAL_HOST_DOMAIN='appscan.com'
CK_INGRESS_INTERNAL_HOST_SUBDOMAIN='expo.ascp'
#
## Customer certificate info
#
CK_CUSTOMER_INGRESS_CERTIFICATE_ENABLED='false'
CK_CUSTOMER_INGRESS_CERTIFICATE_SECRET_DATA_CA_CRT_AS_BASE64=' '
CK_CUSTOMER_INGRESS_CERTIFICATE_SECRET_DATA_TLS_CRT_AS_BASE64=' '
CK_CUSTOMER_INGRESS_CERTIFICATE_SECRET_DATA_TLS_KEY_AS_BASE64=' '
#
## Configuration/Disclosed info
#
CK_CONFIGURATION_DISCLOSED_SITE_URL='https://expo.ascp.appscan.com'
CK_CONFIGURATION_DISCLOSED_UPSTREAM_PROXY_HOST=''
CK_CONFIGURATION_DISCLOSED_UPSTREAM_PROXY_PORT=''
CK_CONFIGURATION_DISCLOSED_UPSTREAM_PROXY_USERNAME=''
CK_CONFIGURATION_DISCLOSED_EXTERNAL_IDP_MODE='AutoOnboard'
CK_CONFIGURATION_DISCLOSED_LDAP_DOMAIN='appscan.com'
CK_CONFIGURATION_DISCLOSED_LDAP_USERNAME='labmgr'
CK_CONFIGURATION_DISCLOSED_LDAP_AUTHORIZED_GROUPS=''
CK_CONFIGURATION_DISCLOSED_LDAP_SSL='false'
CK_CONFIGURATION_DISCLOSED_LDAP_TARGET_OU='CN=Users,DC=appscan,DC=com'
CK_CONFIGURATION_DISCLOSED_MAIL_SMTP_HOST='wfilsus.israel.ottawa.watchfire.com'
CK_CONFIGURATION_DISCLOSED_MAIL_SMTP_PORT='25'
CK_CONFIGURATION_DISCLOSED_MAIL_SMTP_USERNAME='admin@abcd'
CK_CONFIGURATION_DISCLOSED_MAIL_SMTP_ENABLE_SSL='false'
#
## Configuration/Confidential info
#
CK_CONFIGURATION_CONFIDENTIAL_DEFAULT_CONNECTION='Data Source=mssql-service.expo.ascp.appscan.com;Initial Catalog=AppScanCloudDB;User ID=ABC;Password=1234;MultipleActiveResultSets=True;TrustServerCertificate=True'
CK_CONFIGURATION_CONFIDENTIAL_LDAP_PASSWORD='12345678Abcdefg'
CK_CONFIGURATION_CONFIDENTIAL_MAIL_SMTP_PASSWORD='ABC!@#123'
CK_CONFIGURATION_CONFIDENTIAL_UPSTREAM_PROXY_PASSWORD=''
#
## OIDC Configuration and Certificates
#
CK_CONFIGURATION_DISCLOSED_OIDC_CLIENT_ID=''
CK_CONFIGURATION_DISCLOSED_OIDC_AUTHORITY=''
CK_CONFIGURATION_CONFIDENTIAL_OIDC_CLIENT_SECRET=''
CK_CUSTOMER_CA_CERTIFICATE_SECRET_DATA_FOR_OIDCS_AS_BASE64=''
CK_CONFIGURATION_DISCLOSED_EXTERNAL_DOMAINS=''
CK_CUSTOMER_CA_CERTIFICATE_SECRET_DATA_FOR_SMTPS_AS_BASE64=''
CK_CUSTOMER_CA_CERTIFICATE_SECRET_DATA_FOR_LDAPS_AS_BASE64=''
CK_CUSTOMER_CA_CERTIFICATES_ENABLED=''
#
## SCA Configuration
#
SCA_CSI_STORAGE_CLASS_NAME=''
SCA_CSI_STORAGE_SHARED_FILE_SYSTEM_REQUESTED_CAPACITY=''
SCA_CSI_STORAGE_ACCESS_MODE=''
SCA_CSI_STORAGE_VOLUME_NAME=''
SCA_CONNECTIONSTRINGSSCAENGINEDATABASE=''
SCA_CONNECTIONSTRINGSSCAAGGREGATIONDB=''
#
## SCA Auto Updater Configuration
#
SCA_AUTOUPDATER_REGISTRY_ADDRESS=''
SCA_AUTOUPDATER_REGISTRY_PATH=''
SCA_AUTOUPDATER_HELM_PATH=''
SCA_AUTOUPDATER_REGISTRY_USERNAME=''
SCA_AUTOUPDATER_REGISTRY_PASSWORD=''
#
## Registry Contexts Customization
#
CK_DOCKER_REGISTRY_CONTEXT=''
CK_HELM_REPOSITORY_CONTEXT=''
CK_DOCKER_REGISTRY_CONTEXT_4_ADDONS=''
CK_HELM_REPOSITORY_CONTEXT_4_ADDONS=''
#
## Namespace Customization
#
CK_K8S_ASCP_NAMESPACE=''
CK_K8S_ASRA_NAMESPACE=''
NAMESPACE=''
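Two details of the connection strings above deserve a check before the file is used. The SCA parameters require commas to be escaped with a backslash, and the usual place a comma appears in an MSSQL connection string is the host,port form of Data Source; and the example's TrustServerCertificate=True turns off validation of the SQL Server certificate. The following Python helper is an added example, not part of the AppScan 360° package; the sample connection string is constructed, and the database name ScaEngineDB in it is an assumption.

```python
"""Prepare MSSQL connection strings for the SCA_CONNECTIONSTRINGS* parameters and flag
settings that weaken the database transport. Added example, not AppScan 360° installer code."""


def parse_connection_string(conn):
    """Split an ADO.NET style 'Key=Value;Key=Value' string into a dict with lower-case keys."""
    fields = {}
    for part in conn.split(";"):
        if part.strip():
            key, _, value = part.partition("=")
            fields[key.strip().lower()] = value.strip()
    return fields


def escape_commas(conn):
    """Escape every comma as '\\,' as the SCA parameters require; safe to run twice."""
    return conn.replace("\\,", ",").replace(",", "\\,")


def unescape_commas(value):
    """Reverse escape_commas, to recover what the SCA services will actually use."""
    return value.replace("\\,", ",")


def transport_warnings(conn):
    """Settings in the connection string that weaken TLS between the SCA engine and SQL Server."""
    fields = parse_connection_string(conn)
    warnings = []
    if fields.get("encrypt", "").lower() in ("false", "no"):
        warnings.append("Encrypt=False: credentials and scan data travel in clear text")
    if fields.get("trustservercertificate", "").lower() in ("true", "yes"):
        warnings.append("TrustServerCertificate=True: the SQL Server certificate is not validated, "
                        "so the session can be intercepted; trust the server's CA instead")
    return warnings


def properties_line(name, conn):
    """Quoted KEY='value' line for the properties file, with the comma escaping applied."""
    return f"{name}='{escape_commas(conn)}'"


# Constructed sample: host,port form of Data Source, so the comma must be escaped.
SAMPLE_ENGINE_DB = ("Data Source=mssql-service.expo.ascp.appscan.com,1433;Initial Catalog=ScaEngineDB;"
                    "User ID=sca;Password=<SCA_DB_PASSWORD>;Encrypt=True;TrustServerCertificate=True")

if __name__ == "__main__":
    print(properties_line("SCA_CONNECTIONSTRINGSSCAENGINEDATABASE", SAMPLE_ENGINE_DB))
    for warning in transport_warnings(SAMPLE_ENGINE_DB):
        print("warning:", warning)
```

The escape is idempotent, so re-running it over a file that was already prepared does not double the backslashes. For the yaml file the same escaped value goes into ConnectionStrings__ScaEngineDatabase and ConnectionStrings__ScaAggregationDB.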
Example singular-singular.clusterKit.yaml
# Default values for ascp-dart-prime.
# This is a YAML-formatted file.
# Declare variables to be passed into your templates.
#
# Settings that need to be customized by the customer are marked with 'CUSTOMIZE_ME' comments
#
global:
customer:
certificate:
ca:
# CUSTOMIZE_ME:
# Indication whether to use customer given CA certificates, or not
enabled: false
secret:
data:
# CUSTOMIZE_ME:
# The customer's supplied CA certificate used for signing LDAPs based service(s)
caCrtForLDAPsAsBase64: ''
# CUSTOMIZE_ME:
# The customer's supplied CA certificate used for signing SMTPs based service(s)
caCrtForSMTPsAsBase64: ''
# CUSTOMIZE_ME:
# The customer's supplied CA certificate used for signing OIDCs based service(s)
caCrtForOIDCsAsBase64: ''
ingress:
# CUSTOMIZE_ME:
# Indication whether to use a customer given certificate as the applicable external (out-of-cluster) micro services ingresses certificates, or not
enabled: false
secret:
data:
# CUSTOMIZE_ME:
# The customer's supplied certificate authority (CA) signing certificate of the certificate used as the applicable external (out-of-cluster) micro services ingresses certificates
caCrtAsBase64: ''
# CUSTOMIZE_ME:
# The customer's supplied public key of the certificate used as the applicable external (out-of-cluster) micro services ingresses certificates
tlsCrtAsBase64: ''
# CUSTOMIZE_ME:
# The customer's supplied private key of the certificate used as the applicable external (out-of-cluster) micro services ingresses certificates
tlsKeyAsBase64: ''
storage:
pvc:
linux:
enabled: true
# The customer's K8S storage driver access mode
# NOTE: Set on 'ReadWriteMany' and should not be changed
accessMode: ReadWriteMany
# CUSTOMIZE_ME:
# The customer's K8S storage driver class name
# NOTE: The CSI driver must support 'ReadWriteMany' access mode
# storageClassName: freenas-nfs-csi
storageClassName: longhorn
# CUSTOMIZE_ME:
# The customer's K8S predefined PV (Persistent Volume), to be used with the auto-generated PVC (Persistent Volume Claim) for the shared file system
# NOTES:
# 1. This field is optional, if left empty, the designated PV will be generated automatically by the PVC
# 2. This ability is generally used in case migrating from the Windows VM based version of AppScan 360°, and there is a need to keep the existing (shared) data
# 3. Note: In case the PV is NOT intended to be associated with any storage class, do the following:
# 3.1 The storage class name parameter (CK_CSI_STORAGE_CLASS_NAME) should be set to a pseudo one (e.g., 'manual')
# 3.2 The PV should be set in the same way (regarding its storage-class parameter) as the PVC
volumeName: null
# CUSTOMIZE_ME:
# The customer's K8S shared storage designated size, to be calculated before installation, following the calculation logic outlined in the formal documentation
requestedCapacity: 50Gi
accessMode: ReadWriteMany # SCA
requestedCapacity: 10Gi # SCA
storageClassName: manual # SCA
volumeName: '' # SCA
ca:
seed:
enabled: true
issuer:
name: appscan-seed-ca-clusterissuer
kind: ClusterIssuer
root:
secret:
data:
# Auto generated root CA certificate
tlsCrtAsBase64: null
# Auto generated root CA private key
tlsKeyAsBase64: null
certificate:
name: appscan-root-ca-cert
duration: 26280h0m0s # 3 years
renewBefore: 8760h0m0s # 1 year
ingress:
controller:
capabilities:
# CUSTOMIZE_ME:
# Indicates whether the Ingress Controller is based on NGINX, or the SSL onload (HTTPS backend protocol) is supported by the ingress controller (not via an annotation, but by the controller itself!), or not
isHttpsBackendProtocolSupported: true
internal:
# CUSTOMIZE_ME:
# The ingress class name to be used when deploying ingresses into the customer's K8S cluster
class: nginx
host:
# CUSTOMIZE_ME:
# The (main) domain to be used when deploying ingresses into the customer's K8S cluster (for building the host name)
# NOTE: If left empty, it will be taken from the 'global.network.domainSuffix' field
domain: appscan.com
# CUSTOMIZE_ME:
# The sub domain to be used when deploying ingresses into the customer's K8S cluster (for building the host name)
subDomain: as360
network:
# CUSTOMIZE_ME:
# The customer's designated (main) domain name
domainSuffix: appscan.com
configuration:
disclosed:
# CUSTOMIZE_ME:
# AS360 frontend URL (of the UI)
# NOTE: The URL must NOT have a trailing '/' at the end of the URL (A valid example: 'https://mydomain.server.com', an invalid example: 'https://mydomain.server.com/')
siteUrl: ''
# CUSTOMIZE_ME:
# The customer's LDAP server/service domain
# NOTES:
# 1. This setting should be configured through the UI, it is exposed here only to allow troubleshooting misconfigured settings that were set through the UI, and caused account lockout
# 2. Once set, it has precedence over the UI settings
# 3. This is a key setting, IFF set, it will override the UI related settings (alongside with all the other LDAP related settings below)
ldapDomain: ''
# CUSTOMIZE_ME:
# The customer's LDAP server/service user name (for establishing connection)
# NOTES:
# 1. This setting should be configured through the UI, it is exposed here only to allow troubleshooting misconfigured settings that were set through the UI, and caused account lockout
# 2. Once set, it has precedence over the UI settings
# 3. Relevant IFF 'ManualOnboard' is selected for the 'global.configuration.externalIDPMode' parameter
ldapUsername: ''
# CUSTOMIZE_ME:
# The customer's list of LDAP groups (comma-separated) that are authorized to access the AppScan 360°
# NOTES:
# 1. This setting should be configured through the UI, it is exposed here only to allow troubleshooting misconfigured settings that were set through the UI, and caused account lockout
# 2. Once set, it has precedence over the UI settings
# 3. Relevant IFF 'GroupsAccess' is selected for the 'global.configuration.externalIDPMode' parameter
ldapAuthorizedGroups: ''
# CUSTOMIZE_ME:
# Indicates whether to establish a secured (over SSL/TLS) connection towards the customer's LDAP server/service, or not
# NOTES:
# 1. This setting should be configured through the UI, it is exposed here only to allow troubleshooting misconfigured settings that were set through the UI, and caused account lockout
# 2. Once set, it has precedence over the UI settings
# 3. Valid values are 'True' or 'False'
ldapSsl: ''
# CUSTOMIZE_ME:
# The customer's designated location of the users in its AD (Active Directory) for LDAP queries, it is used to authenticate AD users during login to AppScan 360°
# NOTES:
# 1. This setting should be configured through the UI, it is exposed here only to allow troubleshooting misconfigured settings that were set through the UI, and caused account lockout
# 2. Once set, it has precedence over the UI settings
ldapTargetOU: ''
# CUSTOMIZE_ME:
# The customer's SMTP mail server/service host name
mailSmtpHost: ''
# CUSTOMIZE_ME:
# The customer's SMTP mail server/service port
mailSmtpPort: ''
# CUSTOMIZE_ME:
# The customer's SMTP mail server/service user name (for establishing connection)
mailSmtpUserName: ''
# CUSTOMIZE_ME:
# Indicates whether to establish a secured (over SSL/TLS) connection towards the customer's SMTP mail server/service, or not
# NOTE: Valid values are 'True' or 'False'
mailSmtpEnableSsl: ''
# CUSTOMIZE_ME:
# Define your method for onboarding new users:
# AutoOnboard: Any user with access to the server can log in to AppScan 360°.
# GroupsAccess: Any user in an authorized group (defined below) can log in to AppScan 360°.
# ManualOnboard: Users must be invited using the Add Users button on the Access management > Users page.
externalIDPMode: 'AutoOnboard'
# CUSTOMIZE_ME:
# The customer's comma delimited external domains to allow access to, particularly crucial for establishing communication with OpenID Connect (OIDC) servers
externalDomains: ''
# CUSTOMIZE_ME:
# Optional set of parameters, to be used IFF the customer has a dedicated upstream proxy (used to enable Internet access from within the customer's network),
# holding the customer's upstream proxy settings (for establishing connection), if applicable.
# NOTE: Currently there is NO support using a script to configure the upstream proxy settings
# The customer's upstream proxy host (an optional parameter, to be used IFF the customer has a dedicated upstream proxy)
upstreamProxyHost: ''
# CUSTOMIZE_ME:
# The customer's upstream proxy port (an optional parameter, to be used IFF the customer has a dedicated upstream proxy)
upstreamProxyPort: ''
# CUSTOMIZE_ME:
# The customer's upstream proxy username (an optional parameter, to be used IFF the customer has a dedicated upstream proxy)
upstreamProxyUsername: ''
# CUSTOMIZE_ME:
# The customer's designated K8S ASRA namespace to be used for AS360 installation
# NOTE: This field is optional, If left empty, a factory default will be used
k8sAsraNamespace: 'hcl-appscan-asra'
# CUSTOMIZE_ME:
# The customer's OpenIdConnect (OIDC) client ID (used to establish a connection with the OIDC server)
# NOTES:
# 1. This setting should be configured through the UI, it is exposed here only to allow troubleshooting misconfigured settings that were set through the UI, and caused account lockout
# 2. Once set, it has precedence over the UI settings
# 3. IFF set, ALL other OIDC related parameters must be set as well in order to actually override the UI related settings
oidcClientId: ''
# CUSTOMIZE_ME:
# The customer's OIDC authority base URL to use when making OpenIdConnect (OIDC) calls
# NOTES:
# 1. This setting should be configured through the UI, it is exposed here only to allow troubleshooting misconfigured settings that were set through the UI, and caused account lockout
# 2. Once set, it has precedence over the UI settings
# 3. IFF set, ALL other OIDC related parameters must be set as well in order to actually override the UI related settings
oidcAuthority: ''
confidential:
# CUSTOMIZE_ME:
# The customer's MSSQL data store (database) connection string (used to establish a connection with the database)
defaultConnection: ''
# CUSTOMIZE_ME:
# The customer's LDAP server/service password (for establishing connection)
# NOTES:
# 1. This setting should be configured through the UI, it is exposed here only to allow troubleshooting misconfigured settings that were set through the UI, and caused account lockout
# 2. Once set, it has precedence over the UI settings
# 3. Relevant IFF 'ManualOnboard' is selected for the 'global.configuration.externalIDPMode' parameter
ldapPassword: ''
# CUSTOMIZE_ME:
# The customer's SMTP mail server/service password (for establishing connection)
mailSmtpPassword: ''
# CUSTOMIZE_ME:
# The customer's upstream proxy password (for establishing connection), an optional parameter, to be used IFF the customer has a dedicated upstream proxy
upstreamProxyPassword: ''
# CUSTOMIZE_ME:
# The customer's OpenIdConnect (OIDC) client secret (used to establish a connection with the OIDC server)
# NOTES:
# 1. This setting should be configured through the UI, it is exposed here only to allow troubleshooting misconfigured settings that were set through the UI, and caused account lockout
# 2. Once set, it has precedence over the UI settings
# 3. IFF set, ALL other OIDC related parameters must be set as well in order to actually override the UI related settings
oidcClientSecret: ''
#
# Below entries are not required for ASOP/AS360
#
opsConsoleDPKey: ''
licenseApiKey: ''
githubClientSecret: ''
common:
ingress:
enabled: false
service:
enabled: false
helmHooks:
rbacBaseName: helm-hooks-rbac
ascp-user-portal-ui:
enabled: true
ascp-domain-challenger:
enabled: true
ascp-egress-gatekeeper:
enabled: true
ascp-mr-tasks-manager:
enabled: true
ascp-mr-user-api:
enabled: true
ascp-mr-scanners-api:
enabled: true
ascp-mr-presence-api:
enabled: true
ascp-mr-iast-api:
enabled: true
scaenginefetchcve:
common:
# CUSTOMIZE_ME:
# The customer's MSSQL data store (database) connection string (used to establish a connection with the database)
# If the connection string contains a comma, escape it with a backslash (\,)
scaservicesecrets:
ConnectionStrings__ScaAggregationDB: ''
scaenginescanmonitorapi:
common:
scaservicesecrets:
# CUSTOMIZE_ME:
# The customer's MSSQL data store (database) connection string (used to establish a connection with the database)
# If the connection string contains a comma, escape it with a backslash (\,).
ConnectionStrings__ScaEngineDatabase: ''