Resolve "Migrate Fortify to a new Passthrough pattern"
General MR
Summary
Passthrough Pattern and BB Common Implementation For Fortify
Relevant logs/screenshots
Linked Issue
Upgrade Notices
Fortify SSC Passthrough and bb-common Migration
This release migrates Fortify SSC to the passthrough chart pattern and integrates the bb-common library chart for Istio and NetworkPolicy management. These are two coordinated BigBang-wide initiatives affecting all packages.
What Changed
1. Passthrough Pattern
The upstream fortifydocker/helm-ssc chart is now included as an unmodified subchart (alias: upstream) instead of being forked via KPT. All upstream template files have been removed from the chart and are now provided by the subchart dependency.
2. bb-common Library Chart
Static Istio and NetworkPolicy templates under chart/templates/bigbang/ have been replaced with bb-common generated resources. The bb-common library chart centralizes generation of:
- NetworkPolicies (with smart naming from policy content)
- PeerAuthentication
- AuthorizationPolicies
- Sidecars
- ServiceEntries
- VirtualServices
Breaking Changes for Users with Custom Values
Values must shift under the upstream: key
Any values that configure the upstream Fortify SSC chart must now be nested under upstream:. BigBang-specific top-level keys (domain, istio, networkPolicies, bbtests, mysql, fortify_autoconfig, fortify_license) remain unchanged at the chart root.
addons:
fortify:
values:
+ upstream:
+ image:
+ tag: "25.4.0.0137"
+ resources:
+ limits:
+ cpu: 4
+ memory: 16Gi
- image:
- tag: "25.4.0.0137"
- resources:
- limits:
- cpu: 4
- memory: 16Gi
# These BigBang keys are NOT affected:
mysql:
enabled: true
networkPolicies:
enabled: true
fortify_autoconfig: |
...
Removed templates
The following static templates have been deleted and are now provided by either the upstream subchart or bb-common:
| Removed | Replaced By |
|---|---|
| templates/webapp.yaml | Upstream subchart |
| templates/service.yaml | Upstream subchart |
| templates/pvc.yaml | Upstream subchart |
| templates/secrets.yaml | templates/keystore-job.yaml |
| templates/script-configmap.yaml | templates/keystore-job.yaml |
| templates/tomcat-configmap.yaml | fortify_autoconfig values |
| templates/bigbang/istio/* | bb-common (templates/bigbang/istio.yaml) |
| templates/bigbang/virtualservice.yaml | bb-common (templates/bigbang/routes.yaml) |
| templates/bigbang/defaultPeerAuthentication.yaml | bb-common (templates/bigbang/istio.yaml) |
| templates/bigbang/networkpolicies/* (8 of 9) | bb-common (templates/bigbang/network-policies.yaml) |
| templates/bigbang/log4j2-configmap.yaml | fortify_autoconfig values |
| templates/bigbang/network-attachment-definition.yaml | Removed (unused) |
Keystore generation moved to a Job
The init container that generated the JKS keystore has been replaced with a Kubernetes Job (keystore-job.yaml) that runs as a pre-install/pre-upgrade hook. This creates the fortify-ssc-secret before the main deployment starts.
NetworkPolicy naming changes
bb-common generates NetworkPolicy names based on their content (e.g., allow-ingress-to-fortify-8080-from-ns-istio-gateway-pod-public-ingressgateway). If you reference Fortify NetworkPolicies by name in external tooling, those names will change.
No Changes Required For
- BigBang umbrella users who do not override Fortify upstream values (the chart defaults already have correct upstream: nesting)
- fortify_autoconfig, fortify_license, mysql, bbtests, istio, networkPolicies, domain values (these remain at chart root level)
- Cypress test configuration
- SSO/SAML configuration via BigBang
For additional information on the bb-common integration, refer to Streamlining Integration with bb-common.
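A pre-upgrade check for the values shift described under "Values must shift under the upstream: key", as an added example that is not part of this MR, the chart or bb-common: it moves every root key outside the BigBang-specific list under upstream: and reports any key that collides with a value already nested there. The function names and sample values are assumptions, and the input is the already-parsed content of addons.fortify.values.

```python
import copy

# Added example (hypothetical helpers, not chart code). Root keys the notice lists as unchanged:
BIGBANG_ROOT_KEYS = {
    "domain", "istio", "networkPolicies", "bbtests",
    "mysql", "fortify_autoconfig", "fortify_license",
}


def _merge(dst, src, path, conflicts):
    """Merge src into dst; a value already present in dst wins and is reported."""
    for key, val in src.items():
        here = f"{path}.{key}"
        if key not in dst:
            dst[key] = val
        elif isinstance(dst[key], dict) and isinstance(val, dict):
            _merge(dst[key], val, here, conflicts)
        elif dst[key] != val:
            conflicts.append(here)


def migrate_fortify_values(values):
    """Return (new_values, moved_keys, conflicts) for one Fortify values block."""
    new = copy.deepcopy(values)
    upstream = new.setdefault("upstream", {})
    moved, conflicts = [], []
    for key in sorted(k for k in values if k not in BIGBANG_ROOT_KEYS | {"upstream"}):
        val = new.pop(key)
        moved.append(key)
        if isinstance(val, dict) and isinstance(upstream.get(key), dict):
            _merge(upstream[key], val, f"upstream.{key}", conflicts)
        elif key in upstream and upstream[key] != val:
            conflicts.append(f"upstream.{key}")
        else:
            upstream[key] = val
    if not upstream:
        del new["upstream"]
    return new, moved, conflicts


# Constructed sample: pre-migration overrides plus one half-migrated key.
OLD = {
    "image": {"tag": "25.4.0.0137"},
    "resources": {"limits": {"cpu": 4, "memory": "16Gi"}},
    "upstream": {"resources": {"limits": {"cpu": 2}}},
    "mysql": {"enabled": True},
    "networkPolicies": {"enabled": True},
}
print(migrate_fortify_values(OLD)[1:])
```

A non-empty conflicts list means the same setting exists both at the root and under upstream: with different values; resolve it by hand before upgrading.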
Umbrella Branch
142-migrate-fortify-to-a-new-passthrough-pattern




