Deploying AP Java Container Using Static Method
The following steps describe how to deploy the Application Protector Java Container.
1. Run the following command to generate the client certificate used to authenticate with the KMS-Proxy service.

```bash
CreateCertificate_Linux_x64_<Version>.sh client --name <Directory> --dns <Release_Name>.<namespace>.svc
```

For example:

```bash
CreateCertificate_Linux_x64_<Version>.sh client --name kms-client --dns kms-proxy.<namespace>.svc
```
For more information about generating the client certificates, refer to the section Creating Certificates.
The following client certificates files are created in the kms-client folder:
- cert.pem
- cert.key
- CA.pem
- secret.txt
This certificate is used by the protector as a client certificate to authenticate the protector with the KMS-Proxy service.
Ensure that the namespace and release name that you specify in this command are the same names that you specify in step 5 while deploying the KMS-Proxy Helm chart.
2. Run the following command to generate the secret for the KMS-Proxy client certificate created in step 1.

```bash
kubectl -n <KMS-Proxy_Namespace> create secret generic service-certs \
  --from-file=CA.pem=<path-to-CA.pem> \
  --from-file=cert.key=<path-to-cert.key> \
  --from-file=cert.pem=<path-to-cert.pem> \
  --from-file=secret.txt=<path-to-secret.txt>
```
For more information about generating the client certificates, refer to the section Creating Certificates.
Specify this secret as the value of the kms/certificates parameter in the values.yaml file.
3. On the Linux instance, navigate to the location where you have extracted the Helm charts to deploy the Sample Application Protector Java Container.
The spring-apjava-devops > values.yaml file contains the default configuration values for deploying the Sample Application Protector Java Container on the Kubernetes cluster.
```yaml
## -- create image pull secrets and specify the name here.
## remove the [] after 'imagePullSecrets:' once you specify the secrets
imagePullSecrets: []
#  - name: regcred
nameOverride: ""
fullnameOverride: ""

# Sample protector image configuration
springappImage:
  # -- sample protector image registry address
  repository:
  # -- sample protector image tag name
  tag:
  # -- The pullPolicy for a container and the tag of the image affect
  # when the kubelet attempts to pull (download) the specified image.
  pullPolicy: IfNotPresent

# policy loader sidecar image configuration
policyLoaderImage:
  # -- policy loader sidecar container image registry address
  repository:
  # -- policy loader sidecar container image tag name
  tag:
  # -- The pullPolicy for a container and the tag of the image affect
  # when the kubelet attempts to pull (download) the specified image.
  pullPolicy: IfNotPresent

# specify CPU and memory requirements of the Sample springapp protector container
springappContainerResources:
  limits:
    cpu: 1500m
    memory: 3000Mi
  requests:
    cpu: 1200m
    memory: 1000Mi

# specify CPU and memory requirements of the policy loader container
policyLoaderResources:
  limits:
    cpu: 200m
    memory: 512Mi
  requests:
    cpu: 100m
    memory: 200Mi

...
...

# -- pod service account to be used.
# A k8s service account can be linked to a cloud identity to allow the pod to access
# cloud services like object storage solutions.
serviceAccount:
  # The name of the service account to use.
  name:

# Specify any additional annotation to be associated with the pod
podAnnotations:
  checksum/sdk-config: '{{ include (print $.Template.BasePath "/sdk-configmap.yaml") . | sha256sum }}'

# set the Pod's security context object.
podSecurityContext:
  runAsUser: 1000
  runAsGroup: 1000
  fsGroup: 1000

## set the Spring App Container's security context object
## leave the field empty if not applicable
springappContainerSecurityContext:
  capabilities:
    drop:
      - ALL
  allowPrivilegeEscalation: false
  privileged: false
  runAsNonRoot: true
  readOnlyRootFilesystem: true
  seccompProfile:
    type: RuntimeDefault

# -- set the policy loader sidecar Container's security context object
# leave the field empty if not applicable
policyLoaderContainerSecurityContext:
  capabilities:
    drop:
      - ALL
  readOnlyRootFilesystem: true
  runAsNonRoot: true
  allowPrivilegeEscalation: false
  privileged: false
  seccompProfile:
    type: RuntimeDefault

# protector configuration
protector:
  # Session information
  session:
    # Session timeout in minutes. Default is 15 minutes.
    sessiontimeout: 15
  # Policy information for the protector initialization
  # Note: Policy updates are controlled by the policy puller sidecar. The configuration
  # below tells the protector how often to refresh the policy once the sidecar has updated it.
  policy:
    # -- Cadence determines how often the protector reads the local filesystem
    # to fetch policy updates in the background. Default is 60 seconds.
    # So by default, every 60 seconds the protector tries to fetch the policy updates.
    # If the cadence is set to "0", then the protector will get the policy only
    # once, which is not recommended.
    cadence: 60
  # KMS proxy service configuration
  kms:
    # -- kms proxy service hostname.
    # The kms proxy service helps the protector decrypt the resilient policy package.
    host:
    # -- certificates to authenticate with the kms proxy service.
    # Specify the certificate secret name.
    # kubectl -n $NAMESPACE create secret generic pty-kms-proxy-tls \
    #   --from-file=cert.pem=./certs/cert.pem \
    #   --from-file=cert.key=./certs/cert.key \
    #   --from-file=CA.pem=./ca/CA.pem \
    #   --from-file=secret.txt=./certs/secret.txt
    certificates:
  # Logforwarder configuration
  logs:
    # -- specify how audits/logs are handled if the connection to fluent-bit is lost.
    #
    # drop  : Protector throws logs away if the connection to fluent-bit is lost
    # error : (default) Protector returns an error without protecting/unprotecting
    #         data if the connection to fluent-bit is lost
    mode: error
    # -- Host/IP of the Logforwarder service where audits/logs are forwarded by the
    # sample protector
    host:

# policy puller sidecar configuration
policyPuller:
  policy:
    # -- Control how often the sidecar application reads the configuration
    # file for policy update information.
    # The interval is reset when the previous pull operation has completed.
    # IMPORTANT: do not set interval to 0.
    interval: 30
    # -- If using a VolumeMount as the storage destination for the policy package,
    # specify the persistent volume claim name to be used to mount the volume.
    pvcName:
    # -- Path to the KMS-encrypted Resilient policy package. Specify a URL-encoded
    # path to the package file. Here are a few examples:
    # If stored in S3: s3://[s3 bucket name]/[to]/<[policy]>/<[package]>
    # If stored in GC: gc://<[path]>/<[to]>/<[policy]>/<[package]>
    # If stored in Azure blob: "https://<[account name]>.blob.core.windows.net/<[container name]>/<[path to file]>"
    # Important: updating it will not trigger a pod restart.
    path:
  logs:
    # -- control policy puller log level
    # logs are forwarded to stdout
    # Supported Values
    #   INFO - default
    #   DEBUG
    level: INFO

# -- specify the initial no. of sample protector Pod replicas
replicaCount: 1

# HPA configuration
autoScaling:
  # -- lower limit on the number of replicas to which the autoscaler
  # can scale down.
  minReplicas: 1
  # -- upper limit on the number of replicas to which
  # the autoscaler can scale up. It cannot be less than minReplicas.
  maxReplicas: 10
  # -- CPU utilization threshold which triggers the autoscaler
  targetCPU: 70

## specify the ports exposed in your springapp configurations where,
## name - distinguishes between different ports.
## port - the port on which you want to expose the service externally.
## targetPort - the port no. configured while creating the Tunnel.
springappService:
  # allows you to configure the service type: LoadBalancer or ClusterIP
  type: LoadBalancer
  # Specify service related annotations here
  annotations:
    ## AWS
    # service.beta.kubernetes.io/aws-load-balancer-internal: "true"
    ## AZURE
    # service.beta.kubernetes.io/azure-load-balancer-internal: "true"
    ## GCP
    # networking.gke.io/load-balancer-type: "Internal"
  name: "restapi"
  port: 8080
  targetPort: 8080
```
4. Modify the default values in the values.yaml file as required.

| Field | Description |
|---|---|
| springappImage | Specify the repository and tag details for the Application Protector Java Container image. |
| policyLoaderImage | Specify the repository and tag details for the Policy Loader image. |
| springappContainerResources | Specify the CPU and memory requirements for the Application Protector Java Container. |
| policyLoaderResources | Specify the CPU and memory requirements for the Policy Loader container. |
| serviceAccount/name | Specify the name of the service account that enables you to access the object storage solutions of the Cloud service. |
| podSecurityContext | Specify the privilege and access control settings for the pod. The default values are runAsUser: 1000, runAsGroup: 1000, and fsGroup: 1000. |
| springappContainerSecurityContext, policyLoaderContainerSecurityContext | Specify the privilege and access control settings for the Application Protector Java Container and the Policy Loader container, respectively. By default, both containers drop all capabilities, disallow privilege escalation, run as non-root with a read-only root filesystem, and use the RuntimeDefault seccomp profile. |
| protector/session/sessiontimeout | Specify the time during which a session object is valid. By default, the value is set to 15. The session timeout is measured in minutes. |
| protector/policy/cadence | Specify the time interval in seconds after which the protector retrieves the policy that has been updated by the Policy Loader container. By default, the value is set to 60. Ensure that the value is not set to 0; otherwise, the protector retrieves the policy only once. |
| protector/kms/host | Specify the host name of the KMS Proxy service that is used to decrypt the policy package. |
| protector/kms/certificates | Specify the name of the secret for the certificate that is used to authenticate with the KMS Proxy service, which you created in step 2. |
| protector/logs/mode | Specify how audits and logs are handled if the connection to the Log Forwarder is lost: drop discards the logs, and error returns an error without protecting or unprotecting the data. By default, the value is set to error. |
| protector/logs/host | Specify the service hostname of the Log Forwarder, where the logs are forwarded. The default value is `<Helm_Installation_Name>-<Helm_Chart_Name>`. For example, iaplog-logforwarder.iapjava.svc. |
| policyPuller/policy/interval | Specify the time interval in seconds after which the Policy Loader sidecar container retrieves the policy package from the specified path. By default, the value is set to 30. Ensure that the interval is not set to 0; otherwise, the Policy Loader container does not retrieve the updated policy package. |
| policyPuller/policy/path | Specify the path where the encrypted policy package has been uploaded. For example, if the package is stored in an AWS S3 bucket, specify the following path: s3://[s3 bucket name]/[to]/<[policy]>/<[package]>. If the package is stored in a local filesystem VolumeMount, specify the following path: [to]/<[policy]>/<[package]>. |
| policyPuller/logs/level | Specify the log level of the Policy Loader container. By default, the value is set to INFO. |
| replicaCount | Specify the initial number of Application Protector Java Container pod replicas. |
| autoScaling | Specify the configuration required for Horizontal Pod Autoscaling. |
| springappService/type | Specify the service type for the Application Protector Java Container. By default, this value is set to LoadBalancer. |
| springappService/annotations | Specify the annotations for the respective Cloud platforms if you want to use the internal load balancer. By default, this value is left blank. |
| springappService/name | Specify a name for the tunnel to distinguish between ports. By default, the value is set to restapi. |
| springappService/port | Specify the port number on which you want to expose the Kubernetes service externally. By default, the value is set to 8080. |
| springappService/targetPort | Specify the port on which the Sample application is running inside the Docker container. By default, the value is set to 8080. |
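Before running helm install, it is worth validating the edited values.yaml against the constraints that the file's own comments state: the cadence and pull interval must not be 0, the KMS proxy host and certificate secret must be set, and both containers should keep their non-root, capabilities-dropped security context. The following Python script is an added example and is not part of the Helm chart or of the product documentation; the registry address, hostnames, secret name and S3 path in SAMPLE_VALUES are constructed placeholders, and load_values_file assumes that PyYAML is installed.

```python
from typing import Any

LOG_MODES = {"drop", "error"}
SERVICE_TYPES = {"LoadBalancer", "ClusterIP"}
# Annotations from the chart's values.yaml that make the cloud load balancer internal.
INTERNAL_LB_ANNOTATIONS = {"service.beta.kubernetes.io/aws-load-balancer-internal",
                           "service.beta.kubernetes.io/azure-load-balancer-internal",
                           "networking.gke.io/load-balancer-type"}


def get(values: dict, path: str, default: Any = None) -> Any:
    """Look up a slash-separated key path such as 'protector/kms/host'; empty YAML values count as missing."""
    node: Any = values
    for key in path.split("/"):
        if not isinstance(node, dict) or key not in node:
            return default
        node = node[key]
    return default if node is None else node


def check_container_context(values: dict, key: str, findings: list) -> None:
    """Verify one container securityContext keeps the hardened defaults shown in values.yaml."""
    ctx = get(values, key, {}) or {}
    if "ALL" not in (get(ctx, "capabilities/drop", []) or []):
        findings.append(f"{key}: capabilities.drop must include ALL")
    for field, expected in (("allowPrivilegeEscalation", False), ("privileged", False),
                            ("runAsNonRoot", True), ("readOnlyRootFilesystem", True)):
        if ctx.get(field) is not expected:
            findings.append(f"{key}: {field} must be {expected}")
    if get(ctx, "seccompProfile/type") != "RuntimeDefault":
        findings.append(f"{key}: seccompProfile.type should be RuntimeDefault")


def check_values(values: dict) -> list:
    """Return human-readable findings; an empty list means the values pass every check."""
    findings: list = []
    for image in ("springappImage", "policyLoaderImage"):
        for field in ("repository", "tag"):
            if not get(values, f"{image}/{field}"):
                findings.append(f"{image}/{field}: image {field} is not set")
    for field in ("runAsUser", "runAsGroup", "fsGroup"):
        if not get(values, f"podSecurityContext/{field}"):  # 0 would mean root
            findings.append(f"podSecurityContext/{field}: must be a non-zero UID/GID")
    for key in ("springappContainerSecurityContext", "policyLoaderContainerSecurityContext"):
        check_container_context(values, key, findings)
    if get(values, "protector/policy/cadence", 60) == 0:
        findings.append("protector/policy/cadence: 0 fetches the policy only once (not recommended)")
    for key in ("protector/kms/host", "protector/kms/certificates",
                "protector/logs/host", "policyPuller/policy/path"):
        if not get(values, key):
            findings.append(f"{key}: required value is empty")
    mode = get(values, "protector/logs/mode", "error")
    if mode not in LOG_MODES:
        findings.append(f"protector/logs/mode: unsupported mode {mode!r}")
    elif mode == "drop":
        findings.append("protector/logs/mode: 'drop' discards audit logs while fluent-bit is unreachable")
    if get(values, "policyPuller/policy/interval", 30) == 0:
        findings.append("policyPuller/policy/interval: must not be 0")
    if get(values, "autoScaling/maxReplicas", 10) < get(values, "autoScaling/minReplicas", 1):
        findings.append("autoScaling/maxReplicas: cannot be less than minReplicas")
    svc_type = get(values, "springappService/type", "LoadBalancer")
    if svc_type not in SERVICE_TYPES:
        findings.append(f"springappService/type: unsupported type {svc_type!r}")
    elif svc_type == "LoadBalancer" and not (
            INTERNAL_LB_ANNOTATIONS & set(get(values, "springappService/annotations", {}) or {})):
        findings.append("springappService: LoadBalancer has no internal-LB annotation; expect a public endpoint")
    return findings


def load_values_file(path: str) -> dict:
    import yaml  # assumed installed; only this helper needs PyYAML
    with open(path, encoding="utf-8") as fh:
        return yaml.safe_load(fh) or {}


# Constructed sample: the chart defaults with the empty fields filled in with assumed values.
_HARDENED_CTX = {"capabilities": {"drop": ["ALL"]}, "allowPrivilegeEscalation": False, "privileged": False,
                 "runAsNonRoot": True, "readOnlyRootFilesystem": True, "seccompProfile": {"type": "RuntimeDefault"}}
SAMPLE_VALUES = {
    "springappImage": {"repository": "registry.example.internal/apjava", "tag": "1.0.0"},
    "policyLoaderImage": {"repository": "registry.example.internal/policy-loader", "tag": "1.0.0"},
    "podSecurityContext": {"runAsUser": 1000, "runAsGroup": 1000, "fsGroup": 1000},
    "springappContainerSecurityContext": _HARDENED_CTX,
    "policyLoaderContainerSecurityContext": _HARDENED_CTX,
    "protector": {"session": {"sessiontimeout": 15}, "policy": {"cadence": 60},
                  "kms": {"host": "kms-proxy.iap-java.svc", "certificates": "service-certs"},
                  "logs": {"mode": "error", "host": "iaplog-logforwarder.iapjava.svc"}},
    "policyPuller": {"policy": {"interval": 30, "path": "s3://example-bucket/policy/package"},
                     "logs": {"level": "INFO"}},
    "replicaCount": 1, "autoScaling": {"minReplicas": 1, "maxReplicas": 10, "targetCPU": 70},
    "springappService": {"type": "LoadBalancer", "name": "restapi", "port": 8080, "targetPort": 8080,
                         "annotations": {"service.beta.kubernetes.io/aws-load-balancer-internal": "true"}},
}

if __name__ == "__main__":
    import sys  # usage: python check_values.py [values.yaml]; without a path the sample is checked
    problems = check_values(load_values_file(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_VALUES)
    print("\n".join(problems) if problems else "values.yaml passes all preflight checks")
    sys.exit(1 if problems else 0)
```

The script exits non-zero when any finding is reported, so it can sit in front of the helm install step in a pipeline. The LoadBalancer check only warns: a public endpoint may be intended, but the warning makes the choice explicit before the service is created.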
5. Run the following command to deploy the Application Protector Java Container on the Kubernetes cluster.

```bash
helm install <Release_Name> --namespace <Namespace where you want to deploy the Application Java Container> <Location of the directory that contains the Helm charts>
```

For example:

```bash
helm install iap-java-devops --namespace iap-java <Custom_path>/spring-apjava-devops/
```

`<Custom_path>` is the directory where you have extracted the installation package.
6. Run the following command to check the status of the pods.

```bash
kubectl get pods -n <Namespace>
```

For example:

```bash
kubectl get pods -n iap-java
```

```text
NAME                                   READY   STATUS    RESTARTS   AGE
kms-10-v1-kms-proxy-7b97d5dff7-grqph   2/2     Running   0          11h
log1-logforwarder-f6gvj                1/1     Running   0          11h
log1-logforwarder-ls4hn                1/1     Running   0          11h
log1-logforwarder-phk4t                1/1     Running   0          11h
log1-logforwarder-z2mz7                1/1     Running   0          11h
iap-java-devops-5fd7d859b6-p9544       1/1     Running   0          11h
```
Alternatively, if you do not want to modify the values.yaml file, you can use set arguments to update the values during runtime.
For more information about deploying containers using set arguments, refer to the section Appendix - Deploying the Helm Charts by Using the Set Argument.
The test user can run the getVersion API to verify the version of the Application Protector Java Container.
7. Run the following command to obtain the service details.

```bash
kubectl get svc -n <Namespace>
```

For example:

```bash
kubectl get svc -n iap-java
```

```text
NAME              TYPE           CLUSTER-IP      EXTERNAL-IP                                            PORT(S)          AGE
logforwarder      ClusterIP      172.20.14.88    <none>                                                 15780/TCP        2m37s
rpproxy           ClusterIP      172.20.181.92   <none>                                                 25400/TCP        113s
iap-java-devops   LoadBalancer   172.20.60.61    internal-b70jkfs23423jg8.us-east-1.elb.amazonaws.com   8080:30746/TCP   24s
```
Use the DNS name of the load balancer that appears in the EXTERNAL-IP column while running the security operations.
For more information about running security operations, refer to the section Running Security Operations.
Run the following command to obtain the IP address of the Load Balancer.

```bash
ping <DNS of Load Balancer>
```

For example:

```bash
ping internal-b70jkfs23423jg8.us-east-1.elb.amazonaws.com
```

The following output appears and displays the IP address of the Load Balancer.

```text
PING internal-b70jkfs23423jg8.us-east-1.elb.amazonaws.com (10.49.5.152) 56(84) bytes of data.
64 bytes from ip-10-49-5-152.ec2.internal (10.49.5.152): icmp_seq=1 ttl=255 time=0.831 ms
64 bytes from ip-10-49-5-152.ec2.internal (10.49.5.152): icmp_seq=2 ttl=255 time=0.262 ms
```

Use this IP address while running the security operations.

Navigate to the Amazon EC2 Console and edit the inbound rules of the security group of the Load Balancer to ensure that it can receive requests on port 8080.
For more information about editing inbound rules for a security group, refer to the section Configure security group rules.