global:
  storageClass: glusterfs-storage
sde:
  superuserEmail: sde-superuser@example.com
  superuserPassword: thePasswordForTheDefaultWebSuperUser
  defaultFromEmail: "ACME Corp. <noreply@example.com>"
  serverEmail: host@example.com
  defaultOrg: default
  feedbackEmail: sde-feedback@example.com
  supportEmail: sde-admin@example.com
  systemAdminEmail: it-support@example.com
sc-mail:
  config:
    mailFrom: noreply@example.com
Advanced Configurations
Configuration defaults are defined in the default values file of the SD Elements Helm chart. See the Retrieve Default Helm Chart Values section for instructions on retrieving default values.
The following are examples of more advanced optional settings. Please review values.yaml in the SD Elements Helm Chart for the full list of options and comments. If in doubt, contact sdesupport@securitycompass.com.
| If you use advanced settings, put them in the values.custom.yaml file as you did with the settings used to deploy SD Elements. |
| Upgrading from any version earlier than 2023.2 requires these values to be adjusted in the custom values.yaml file: |
postgresql:
  primary:
    initdb:
      user: sde
  auth:
    username: sde
    password:  <replace with previous sc-database.clientPassword>
  # to enable metrics
  metrics:
    enabled: true
    serviceMonitor:
      enabled: true
rabbitmq:
  auth:
    erlangCookie: your-erlang-cookie
    password:  <replace with previous sc-broker.clientPassword>
  # to enable metrics
  metrics:
    enabled: true
    serviceMonitor:
      enabled: true
These changes are required due to our introduction of Bitnami managed charts: postgresql and rabbitmq, replacing the previous charts sc-database and sc-broker respectively.
CPU and memory pod requests and limits
To configure CPU and memory requests and limits for a pod, you can use the following example for a PostgreSQL resource:
postgresql:
    ...
    primary:
        resources:
            requests:
                cpu: 1
                memory: 2048Mi
            limits:
                cpu: 4
                memory: 8192Mi
The requests field defines the minimum amount of CPU and memory that the container requires. The limits field establishes the maximum resources that the container is allowed to consume.
Workers example
worker:
    wsgiProcesses: 6
    synchronous:
        lowPriority:
            resources:
                limits:
                    cpu: 6
        highPriority:
            resources:
                limits:
                    cpu: 6
New Image Registry for Older Versions
| This section is only compatible with SD Elements versions later than 2023.1. | 
To pull from the new image registry from an older version, the following configuration should be added to your existing configuration:
global:
  imageRegistry: repository.securitycompass.com/sde-docker-prod
  imageRegistryFormat: "%s/%s_%s/%s:%s"
  imageOrganization: prod
Pod replacement strategy
| This section is only compatible with SD Elements versions later than 2023.2. | 
Since version 2023.4, the deployment strategy used to replace old Pods with new ones has been updated to Recreate for the following components:
- Minio
It is possible to revert to the previous strategy by adding the following configuration to an overlay (e.g. values.custom.yaml).
minio:
  deploymentUpdate:
    type: RollingUpdate
Since version 2023.3, the deployment strategy used to replace old Pods with new ones has been updated to RollingUpdate for the following components:
- Web
- JITT
- Workers
- Reporting
It is possible to revert to the previous strategy by adding the following configuration to an overlay (e.g. values.custom.yaml).
web:
  updateStrategy:
    type: Recreate
sc-jitt:
  updateStrategy:
    type: Recreate
worker:
  updateStrategy:
    type: Recreate
reporting:
  updateStrategy:
    type: Recreate
Jobs
Asynchronous jobs are defined in values.yaml. You can remove default jobs and add new custom jobs.
The jobs must be included under the specifications section and in map format.
The following are examples of custom jobs added under specifications:
job:
  specifications:
    custom_job:
      schedule: "01 1 * * *"
      niceness: 15
      command: ["/bin/sde.sh"]
      args:
        - "--{argument} {value}"
      failedJobsHistoryLimit: 1
      successfulJobsHistoryLimit: 1
      concurrencyPolicy: Forbid
      restartPolicy: OnFailure
      volumeWritePermission: false
      env:
        - name: {ENV_VAR_NAME}
          value: {ENV_VAR_VALUE}
      resources:
        requests:
          cpu: 1
          memory: 1024Mi
        limits:
          cpu: 2
          memory: 2048Mi
Trend Reporting
SD Elements 2023.2 introduces a daily cronjob that takes snapshots and generates data for trend reporting. Set the following in values.custom.yaml to:
- Change the schedule
job:
  specifications:
    trend-reporting:
      schedule: "35 3 * * *"
- Disable the feature
trendReporting:
  enabled: false
Conjure Service
AI Navigator, deployed through the Conjure service, is available to self-hosted customers upon request. All SD Elements SaaS customers will have access to AI Navigator by default.
Contact your Customer Success team to request access. Once provided, follow the steps below to deploy and enable the Conjure service.
Prerequisites
- Access to the conjure service (see above)
- An OpenAI API key from your OpenAI account. See OpenAI documentation for instructions on creating and managing API keys.
- Connectivity to the OpenAI API
Deploy and Enable Conjure
- Update the custom values file
sc-conjure:
    enabled: true
    openApiKey: {OPENAI_API_KEY}
- Run helm upgrade to apply the changes.
- Verify that the {RELEASE_NAME}-conjure pod is in a Running status.
Custom Error Page Text
The header and body sections of SD Elements error pages can be overridden through configuration in the custom values file by setting the web.customError.error_{PAGE}_{ELEMENT} node. See the Chart Values reference for configurable pages and elements.
While the nodes are free form and accept any input, only the following is warrantied.
- Plain text
- <p>, <a>, <br>, <strong>, <i>, and <u> HTML tags
- Basic inline CSS styling (e.g., color property)
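Because the nodes accept any input, the values can be checked against the supported set before they are deployed. The following is an added example, not part of the SD Elements chart: the per-tag attribute policy, the http(s)-only link rule and the names ErrorTextChecker and check_custom_error are assumptions made for illustration.

```python
from html.parser import HTMLParser

# Tags and style properties the page lists as supported in custom error text.
ALLOWED_TAGS = {"p", "a", "br", "strong", "i", "u"}
ALLOWED_STYLE_PROPS = {"color"}
# Assumptions, not from the page: permitted attributes per tag, http(s)-only links.
ALLOWED_ATTRS = {"a": {"href", "style"}}
ALLOWED_HREF_PREFIXES = ("https://", "http://")


class ErrorTextChecker(HTMLParser):
    def __init__(self):
        super().__init__()
        self.problems = []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            self.problems.append(f"tag <{tag}> is not in the supported set")
            return
        for name, value in attrs:
            value = (value or "").strip()
            if name not in ALLOWED_ATTRS.get(tag, {"style"}):
                self.problems.append(f"attribute {name!r} on <{tag}> is not supported")
            elif name == "href" and not value.lower().startswith(ALLOWED_HREF_PREFIXES):
                self.problems.append(f"href {value!r} is not an http(s) URL")
            elif name == "style":
                for decl in filter(None, (d.strip() for d in value.split(";"))):
                    prop = decl.split(":", 1)[0].strip().lower()
                    if prop not in ALLOWED_STYLE_PROPS:
                        self.problems.append(f"style property {prop!r} is not supported")


def check_custom_error(custom_error):
    """Return {node: [problems]} for a web.customError mapping; {} means clean."""
    report = {}
    for node, text in custom_error.items():
        checker = ErrorTextChecker()
        checker.feed(text)
        checker.close()
        if checker.problems:
            report[node] = checker.problems
    return report


SAMPLE = {  # constructed: one value from the page, one constructed bad value
    "error_503_body": '<p>See the <a href="https://example.com">knowledge base</a> for more information</p>',
    "error_404_body": '<p onclick="x()">Not found<script>x()</script></p>',
}
print(check_custom_error(SAMPLE))
```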
Set Custom Error Page Text
Example 1: Replace the 503 page header with plain text
Set web.customError.error_503_header in the custom values file.
web:
  customError:
    error_503_header: "<p><strong>SD Elements is Unavailable</strong></p>"
Example 2: Include a hyperlink in the 503 page body
Add or modify web.customError.error_503_body in the custom values file to include an HTML anchor tag.
web:
  customError:
    error_503_body: "<p>See the <a href=\"https://example.com\">knowledge base</a> for more information</p>"
| HTML attributes such as href require a backslash character (\) to escape quotation marks |
Full sample
web:
  customError:
    error_403_header: "<p><strong>403 Forbidden</strong></p>"
    error_403_body: "<p>You do not have access to this resource.</p>"
    error_404_header: "<p><strong>404 Not Found</strong></p>"
    error_404_body: "<p>The server cannot find the requested resource.</p>"
    error_500_header: "<p><strong>500 Internal Server Error</strong></p>"
    error_500_body: "<p>Well, this is embarrassing. Something went wrong and we don't know how to handle it.</p><br><p>If this error persists, you can report it to site administrators</p>"
    error_503_header: "<p><strong>503 Service Unavailable</strong></p>"
    error_503_body: "<p>We're probably just performing some maintenance. Please try again shortly.</p><br><p>If this error persists, you can report it to site administrators</p>"
Update Custom Error Page Text
When updating custom error page text for an existing SD Elements instance, use helm upgrade to apply the changes, then restart the {RELEASE_NAME}-web deployment. See kubectl rollout restart for documentation on restarting Kubernetes deployments.
Set a Custom Domain Name
The sde.fqdn value configures the complete domain at which SD Elements will be accessed. sde.fqdn must be a valid fully-qualified domain name (e.g., example.com or sdelements.example.com) without a protocol or path to avoid configuration errors.
It configures multiple components to ensure consistent domain-related settings across the application:
- Nginx Ingress Hostname: Sets the hostname for the Nginx Ingress controller, directing external traffic to the correct endpoint.
- TLS Certificate Configuration: When cert-manager is enabled, sde.fqdn specifies the common name (CN) and DNS records for TLS certificates, ensuring secure communication.
- Fallback for Site Domain and Name: If sde.siteDomain or sde.siteName are not defined in values.yaml, sde.fqdn is used as the default value for both, ensuring consistent site identification.
- Email Configuration: Sets the SDE_SERVER_EMAIL environment variable to sdelements@${sde.fqdn} unless sde.serverEmail is explicitly defined, providing a default email address for server notifications.
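A pre-deployment check of sde.fqdn and the values derived from it, as an added example that is not the chart's own template logic. The function names, the result keys other than SDE_SERVER_EMAIL, and the label rules (letters, digits and hyphens, at least two labels) are assumptions made for illustration.

```python
import re

# One DNS label: 1-63 letters, digits or hyphens, no leading or trailing hyphen.
_LABEL = re.compile(r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)")


def validate_fqdn(value):
    """Return the reasons `value` is unusable as sde.fqdn (empty list if fine)."""
    errors = []
    if "://" in value:
        errors.append("contains a protocol")
    host = value.split("://", 1)[-1]
    if "/" in host:
        errors.append("contains a path")
        host = host.split("/", 1)[0]
    labels = host.split(".")
    if len(host) > 253 or len(labels) < 2 or not all(_LABEL.fullmatch(l) for l in labels):
        errors.append("not a valid fully-qualified domain name")
    return errors


def effective_domain_settings(sde, cert_manager_enabled=False):
    """Model the fallbacks described above for a dict holding the `sde` values."""
    fqdn = sde["fqdn"]
    errors = validate_fqdn(fqdn)
    if errors:
        raise ValueError(f"sde.fqdn {fqdn!r}: " + "; ".join(errors))
    settings = {
        "ingress_host": fqdn,
        "site_domain": sde.get("siteDomain") or fqdn,
        "site_name": sde.get("siteName") or fqdn,
        "SDE_SERVER_EMAIL": sde.get("serverEmail") or f"sdelements@{fqdn}",
    }
    if cert_manager_enabled:
        # The certificate's CN and DNS record both come from sde.fqdn.
        settings["tls_common_name"] = fqdn
        settings["tls_dns_names"] = [fqdn]
    return settings


# Constructed sample values: one override set, everything else falls back.
print(effective_domain_settings(
    {"fqdn": "sdelements.example.com", "siteName": "ACME SD Elements"},
    cert_manager_enabled=True,
))
```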
