Deploying the AP Java Container with Dynamic Method

Describes how to deploy the Sample AP Java Container using the Dynamic deployment method.

The following steps describe how to deploy the Application Protector Java Container.

  1. Run the following command to generate the client certificate for connecting to the RPP.
CreateCertificate_Linux_x64_<Version>.sh client --name <Directory> --dns <Release_Name>.<namespace>.svc

For example:

CreateCertificate_Linux_x64_<Version>.sh client --name rpproxy-client --dns rpp.iap-java.svc

For more information about generating the client certificates, refer to the section Creating Certificates.

The following client certificate files are created in the rpproxy-client folder:

  • cert.pem
  • cert.key
  • CA.pem
  • secret.txt

This certificate is used by the protector as a client certificate to authenticate with the RPP when downloading policy packages.

Ensure that the namespace and release name that you specify in this command are the same names that you specify in step 7 while deploying the RPP Helm chart.

Note: This certificate is created only if you are not using the common certificate.

  2. Run the following command to generate the secret for the RPP client certificate that you created in step 1.

kubectl -n <RPP_Namespace> create secret generic rpp-client-certs --from-file=CA.pem=<path-to-CA.pem> --from-file=cert.key=<path-to-cert.key> --from-file=cert.pem=<path-to-cert.pem> --from-file=secret.txt=<path-to-secret.txt>

Specify this secret as the value of the protector/policy/certificates parameter in the values.yaml file.
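As an added pre-flight check (this script is not part of the product documentation), the following POSIX shell functions verify the certificate directory from step 1 before the secret in step 2 is created: all four files must exist and be non-empty, the private key and shared secret must be readable by the owner only, the certificate's DNS SAN must match the <Release_Name>.<namespace>.svc name given to CreateCertificate, and the exact kubectl command from step 2 is assembled from the directory. The function names are assumptions; the SAN check needs OpenSSL 1.1.1 or later.

```shell
#!/bin/sh
# Added example, not from the product documentation. Function names are
# assumptions; file names match what CreateCertificate produces.

# rpp_client_dir_ok DIR: return 0 when cert.pem, cert.key, CA.pem and
# secret.txt are present and non-empty, and the two sensitive files
# (private key and shared secret) are readable by the owner only.
rpp_client_dir_ok() {
    dir="$1"
    for f in cert.pem cert.key CA.pem secret.txt; do
        [ -s "$dir/$f" ] || { echo "missing or empty: $dir/$f" >&2; return 1; }
    done
    for f in cert.key secret.txt; do
        # GNU stat first; the fallback is the BSD/macOS spelling.
        mode=$(stat -c %a "$dir/$f" 2>/dev/null || stat -f %Lp "$dir/$f")
        case "$mode" in
            [4-7]00) ;;   # 400, 600 or 700: owner only
            *) echo "$dir/$f is group/world readable (mode $mode)" >&2; return 1 ;;
        esac
    done
    return 0
}

# rpp_client_san_ok DIR EXPECTED_DNS: return 0 when cert.pem carries the
# DNS SAN the protector presents to the RPP, e.g. rpp.iap-java.svc.
rpp_client_san_ok() {
    openssl x509 -in "$1/cert.pem" -noout -ext subjectAltName 2>/dev/null \
        | tr ',' '\n' | sed 's/^[[:space:]]*//' | grep -qxF "DNS:$2"
}

# rpp_client_secret_cmd NAMESPACE DIR: print the kubectl command from step 2
# for this directory. Run it only after the two checks above succeed.
rpp_client_secret_cmd() {
    printf 'kubectl -n %s create secret generic rpp-client-certs' "$1"
    for f in CA.pem cert.key cert.pem secret.txt; do
        printf ' --from-file=%s=%s/%s' "$f" "$2" "$f"
    done
    printf '\n'
}

# Usage: adjust the directory, SAN and namespace, then run with --run and
# paste the printed command.
if [ "${1:-}" = "--run" ]; then
    rpp_client_dir_ok rpproxy-client \
        && rpp_client_san_ok rpproxy-client rpp.iap-java.svc \
        && rpp_client_secret_cmd iap-java rpproxy-client
fi
```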

  3. On the Linux instance, navigate to the location where you have extracted the Helm charts to deploy the Application Protector Java Container.

    The spring-apjava-dynamic > values.yaml file contains the default configuration values for deploying the Application Protector Java Container on the Kubernetes cluster.

# -- create image pull secrets and specify the name here.
# remove the [] after 'imagePullSecrets:' once you specify the secrets
imagePullSecrets: []
# - name: regcred

nameOverride: ""
fullnameOverride: ""

# Sample springapp protector image configuration
springappImage:
  # -- sample springapp protector image registry address
  repository:
  # -- sample springapp protector image tag name
  tag:
  # -- The pullPolicy for a container and the tag of the image affect 
  # when the kubelet attempts to pull (download) the specified image.
  pullPolicy: IfNotPresent

# specify CPU and memory requirement of sample springapp protector container
springappContainerResources:
  limits:
    cpu: 1500m
    memory: 3000Mi
  requests:
    cpu: 1200m
    memory: 1000Mi

...

## -- pod service account to be used
## leave the field empty if not applicable
serviceAccount:
  # The name of the service account to use.
  name:

# Specify any additional annotation to be associated with pod
podAnnotations:
  checksum/sdk-config: '{{ include (print $.Template.BasePath "/sdk-configmap.yaml") . | sha256sum }}'

## set the Pod's security context object
## leave the field empty if not applicable
podSecurityContext:
  fsGroup: 1000

## set the Spring App Container's security context object
## leave the field empty if not applicable
springappContainerSecurityContext:
  capabilities:
    drop:
    - ALL
  allowPrivilegeEscalation: false
  privileged: false
  runAsNonRoot: true
  readOnlyRootFilesystem: true
  seccompProfile:
    type: RuntimeDefault

# protector configuration
protector:
  # Session information
  session:
    # Session timeout in minutes. Default is 15 minutes.
    sessiontimeout: 15
  # Policy information for the protector initialization
  policy:
    # Cadence determines how often the protector connects with ESA / proxy to 
    # fetch the policy updates in background. Default is 60 seconds. 
    # So by default, every 60 seconds protector tries to fetch the policy updates.
    # If the cadence is set to "0", then the protector will get the policy only 
    # once, which is not recommended.
    #
    # Default 60.
    cadence: 60

    # -- Host/IP to the service providing Resilient Packages either rpproxy 
    # service or ESA.
    host:

    # -- certificates used to communicate with service providing Resilient packages.
    # specify certificate secret name.
    # -- TLS certificate rp-proxy service.
    # kubectl -n $NAMESPACE create secret generic pty-rpp-tls \
    #   --from-file=cert.pem=./certs/cert.pem \
    #   --from-file=cert.key=./certs/cert.key \
    #   --from-file=CA.pem=./ca/CA.pem \
    #   --from-file=secret.txt=./certs/secret.txt
    certificates:

  # Logforwarder configuration
  logs:
    # -- In case that connection to fluent-bit is lost, set how audits/logs are handled
    # 
    # drop  : Protector throws logs away if connection to the fluentbit is lost.
    # error : (default) Protector returns error without protecting/unprotecting 
    #         data if connection to the fluentbit is lost.
    mode: error

    # -- Host/IP to fluent-bit where audits/logs will be forwarded from the protector
    #
    # Default localhost
    host:

# -- specify the initial no. of sample protector Pod replicas
replicaCount: 1

# HPA configuration
autoScaling:
  # -- lower limit on the number of replicas to which the autoscaler
  # can scale down to.
  minReplicas: 1
  # -- upper limit on the number of replicas to which
  # the autoscaler can scale up. It cannot be less than minReplicas.
  maxReplicas: 10
  # -- CPU utilization threshold which triggers the autoscaler
  targetCPU: 70

## specify the ports exposed in your springapp configuration, where:
## name - distinguishes between different ports.
## port - the port on which you want to expose the service externally.
## targetPort - the port number configured while creating the Tunnel.
springappService:

  # allows you to configure service type: LoadBalancer or ClusterIP
  type: LoadBalancer

  # Specify service related annotations here
  annotations:
    ##AWS
    #service.beta.kubernetes.io/aws-load-balancer-internal: "true"
    ##AZURE
    #service.beta.kubernetes.io/azure-load-balancer-internal: "true"
    ##GCP
    #networking.gke.io/load-balancer-type: "Internal"

  name: "restapi"
  port: 8080
  targetPort: 8080

  4. Modify the default values in the values.yaml file as required.

Field and description:

springappImage
    Specify the repository and tag details for the Sample Application Protector Java Container image.

springappContainerResources
    Specify the CPU and memory requirements for the Sample Application Protector Java Container.

serviceAccount/name
    Specify the name of the pod service account. Leave the field empty if it is not applicable.

podSecurityContext
    Specify the privilege and access control settings for the pod. The default values are set as follows:
      • fsGroup - 1000

springappContainerSecurityContext
    Specify the privilege and access control settings for the Sample Application Protector Java Container.

protector/session/sessiontimeout
    Specify the time, in minutes, during which a session object is valid. By default, the value is set to 15.

protector/policy/cadence
    Specify the time interval, in seconds, after which the protector connects with the RPProxy to retrieve the policy package. By default, the value is set to 60. Ensure that the value is not set to 0; otherwise, the protector retrieves the policy only once.

protector/policy/host
    Specify the host name or IP address of the RPProxy.

protector/policy/certificates
    Specify the name of the secret that you created in step 2 for the client certificate used to authenticate with the RPProxy when downloading the policy package.

protector/logs/mode
    Specify one of the following options for the case where the connection to the Log Forwarder is lost:
      • drop - The protector discards the logs.
      • error - The protector returns an error without protecting or unprotecting the data.
    By default, the value is set to error.

protector/logs/host
    Specify the service hostname of the Log Forwarder to which the logs are forwarded. The default value is <Helm_Installation_Name>-<Helm_Chart_Name>.<Namespace>.svc. For example, iaplog-logforwarder.iapjava.svc.

replicaCount
    Specify the initial number of Application Protector Java Container pod replicas.

autoScaling
    Specify the configuration required for Horizontal Pod Autoscaling.

springappService/type
    Specify the service type for the Sample Application Protector Java Container. By default, this value is set to LoadBalancer.

springappService/annotations
    Specify the annotations for the respective cloud platform if you want to use an internal load balancer. By default, this value is left blank.

springappService/name
    Specify a name for the tunnel to distinguish between ports. By default, the value is set to restapi.

springappService/port
    Specify the port number on which you want to expose the Kubernetes service externally. By default, the value is set to 8080.

springappService/targetPort
    Specify the port on which the Sample application is running inside the Docker container. By default, the value is set to 8080.

  5. Run the following command to deploy the Application Protector Java Container on the Kubernetes cluster.
helm install <Release_Name> --namespace <Namespace where you want to deploy the AP Java container> <Location of the directory that contains the Helm charts>

For example:

helm install iap-java-dynamic --namespace iap-java <Custom_path>/spring-apjava-dynamic/

<Custom_path> is the directory where you have extracted the installation package.

  6. Run the following command to check the status of the pods.
kubectl get pods -n <Namespace>

For example:

kubectl get pods -n iap-java
NAME                                         READY   STATUS    RESTARTS        AGE
iap-java-dynamic-7b97d5dff7-grqph            2/2     Running   0               11h
log1-logforwarder-f6gvj                      1/1     Running   0               11h
log1-logforwarder-ls4hn                      1/1     Running   0               11h
log1-logforwarder-phk4t                      1/1     Running   0               11h
log1-logforwarder-z2mz7                      1/1     Running   0               11h
rpp-rpproxy-5fd7d859b6-p9544                 1/1     Running   0               11h

  7. Run the following command to obtain the service details.
kubectl get svc -n <Namespace>

For example:

kubectl get svc -n iap-java
NAME               TYPE           CLUSTER-IP      EXTERNAL-IP                                           PORT(S)          AGE
logforwarder       ClusterIP      172.20.14.88    <none>                                                15780/TCP        2m37s
rpproxy            ClusterIP      172.20.181.92   <none>                                                25400/TCP        113s
iap-java-dynamic   LoadBalancer   172.20.60.61    internal-a70jkfsdf98908.us-east-1.elb.amazonaws.com   8080:30746/TCP   24s

Use the DNS name of the load balancer that appears in the EXTERNAL-IP column while running the security operations.

For more information about running security operations, refer to the section Running Security Operations.

  8. Run the following command to obtain the IP address of the Load Balancer.

    ping <DNS of Load Balancer>

    For example:

    ping internal-b70jkfs23423jg8.us-east-1.elb.amazonaws.com

    The following output displays the IP address of the Load Balancer.

    PING internal-b70jkfs23423jg8.us-east-1.elb.amazonaws.com (10.49.5.152) 56(84) bytes of data.
    64 bytes from ip-10-49-5-152.ec2.internal (10.49.5.152): icmp_seq=1 ttl=255 time=0.831 ms
    64 bytes from ip-10-49-5-152.ec2.internal (10.49.5.152): icmp_seq=2 ttl=255 time=0.262 ms

    Use this IP address while running the security operations.

  9. Navigate to the Amazon EC2 Console and edit the inbound rules of the Load Balancer security group so that it can receive requests on port 8080.

    For more information about editing inbound rules for a security group, refer to the section Configure security group rules.

Last modified: January 17, 2026