{"id":19657826,"url":"https://github.com/gdatasoftwareag/vaas-helm","last_synced_at":"2026-02-27T14:25:07.707Z","repository":{"id":210064872,"uuid":"724058049","full_name":"GDATASoftwareAG/vaas-helm","owner":"GDATASoftwareAG","description":"Helm Chart for VaaS on-premise","archived":false,"fork":false,"pushed_at":"2026-02-23T14:18:33.000Z","size":268,"stargazers_count":2,"open_issues_count":4,"forks_count":1,"subscribers_count":5,"default_branch":"main","last_synced_at":"2026-02-23T22:29:20.498Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"Go Template","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/GDATASoftwareAG.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":".github/CODEOWNERS","security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2023-11-27T10:05:57.000Z","updated_at":"2026-02-23T14:15:55.000Z","dependencies_parsed_at":"2026-01-30T15:00:04.799Z","dependency_job_id":null,"html_url":"https://github.com/GDATASoftwareAG/vaas-helm","commit_stats":null,"previous_names":["gdatasoftwareag/vaas-helm"],"tags_count":64,"template":false,"template_full_name":null,"purl":"pkg:github/GDATASoftwareAG/vaas-helm","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/GDATASoftwareAG%2Fvaas-helm","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/GDATASoftwareAG%2Fvaas-helm/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/GDATASoftwareAG%2Fvaas-helm/releases","manifests_url":"https://repos.ecosyste.
ms/api/v1/hosts/GitHub/repositories/GDATASoftwareAG%2Fvaas-helm/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/GDATASoftwareAG","download_url":"https://codeload.github.com/GDATASoftwareAG/vaas-helm/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/GDATASoftwareAG%2Fvaas-helm/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":29899700,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-02-27T12:09:13.686Z","status":"ssl_error","status_checked_at":"2026-02-27T12:09:13.282Z","response_time":57,"last_error":"SSL_read: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-11-11T15:33:49.607Z","updated_at":"2026-02-27T14:25:07.701Z","avatar_url":"https://github.com/GDATASoftwareAG.png","language":"Go Template","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Verdict-as-a-Service\n## Verdict-as-a-Service Helm Chart\n\nVaas helm is a chart for deploying Verdict-as-a-Service on-premise.\n\n\u003c!-- tag::InstallVaaSHelm[] --\u003e\n\n### Install Verdict-as-a-Service via helm\n\n* Create a minimal values.yaml file. \n\nTo access the VaaS docker containers, you have to provide at least one imagePullSecret.\n\nTo set the image pull secret, you need to create a custom values.yaml file that includes the necessary configurations for image pull secrets. 
Here's how you can do it:\n\n  1. **Direct Image Pull Secrets**: If you have a direct image pull secret (a base64 encoded JSON containing Docker auth config), you can set it directly in the values.yaml file under any of these keys:\n    * `global.secret.dockerconfigjson`\n    * `global.secret.imagePullSecret`\n    * `imagePullSecret`\n\n```yaml\nglobal:\n  secret:\n    dockerconfigjson: \"BASE64_ENCODED_JSON_CONTAINING_DOCKER_AUTH_CONFIG\"\n    imagePullSecret: \"BASE64_ENCODED_JSON_CONTAINING_DOCKER_AUTH_CONFIG\"\nimagePullSecret: \"BASE64_ENCODED_JSON_CONTAINING_DOCKER_AUTH_CONFIG\"\n```\n\nYou can generate this value with a bash command like this:\n```bash\necho '{\n        \"auths\": {\n                \"ghcr.io\": {\n                        \"auth\": \"TO_BE_REPLACED\"\n                }\n        }\n}' | sed \"s/TO_BE_REPLACED/$(echo \"username:token\" | base64 -w 0 )/g\" | base64 -w 0\n```\n\nYou need to substitute the username and password with the credentials we provided to you.\n\n  2. **Global Image Pull Secrets**: You can specify a list of predeployed image pull secrets under the global.imagePullSecrets key. 
These are the names of Kubernetes secrets that contain the registry credentials.\n\n```yaml\nglobal:\n  imagePullSecrets:\n    - name: my-image-pull-secret\n    - name: my-other-image-pull-secret\n    ...\n```\n\n\n* Install Verdict-as-a-Service:\n\n```bash\nhelm install vaas oci://ghcr.io/gdatasoftwareag/charts/vaas -f values.yaml -n vaas --create-namespace\n```\n\n* Updating Verdict-as-a-Service\n\n```bash\nhelm upgrade vaas oci://ghcr.io/gdatasoftwareag/charts/vaas -f values.yaml -n vaas\n```\n\u003c!-- end::InstallVaaSHelm[] --\u003e\n\n\u003c!-- tag::HardwareRequirements[] --\u003e\n\n## Hardware Requirements\n\nVerdict-as-a-Service on premise requires the following:\n\n### Minimal requirements\n\n* **Kubernetes Version**: 1.27\n* Helm package manager\n* **Nodes**: 1 Linux x86-x64 node\n* **CPU cores**: 4\n* **Memory**: 3 GB\n* **Storage per node**: 2 GB, can be in memory (ephemeral)\n\n### Recommended requirements\n\n* **Kubernetes Version**: latest stable\n* Helm package manager\n* **Nodes**: 2 or more Linux x86-x64 nodes\n* **CPU cores**: (# of nodes) + (0.5 core * # parallel requests)\n* **Memory**: (# of cores GB) + (2 GB * # parallel requests)\n* **Storage per node**: (# of parallel requests) * (size of largest file to analyse)\n\n\u003c!-- end::HardwareRequirements[] --\u003e\n\n\u003c!-- tag::GettingStarted[] --\u003e\n\n## Getting started with Verdict-as-a-Service on-premise\n\nTested prerequisites:\n\n* Ubuntu 22.04\n* Minikube 1.32.0\n* Java 17\n* Vaas Java SDK 6.1.0\n\n\n### Deploy Verdict-as-a-Service in a Minikube test-environment\n\n* Start Minikube:\n\n```bash\nminikube start --cpus=\"6\" --memory=\"8g\" --addons ingress\n```\n\n* Check your Minikube IP: ```minikube ip```\n\n* Add Minikube IP to your /etc/hosts:\n\n```\n\u003cyour-minikube-ip\u003e vaas\n```\n\n* Run ```minikube dashboard```\n\n*  Deploy the VaaS helm chart: ```./helm.sh```\n\n* Check the \"Workload status\" in the Minikube dashboard and wait until it is green.\n\n\u003c!-- 
end::GettingStarted[] --\u003e\n\n\u003c!-- tag::UseVaaSJavaSDK[] --\u003e\n### Use Verdict-as-a-Service with the Java SDK\n\n* Make sure that Java 17 \u0026 Gradle are installed.\n\n* Set these environment variables for testing your local instance\n\n```bash\nexport CLIENT_ID=vaas # default client id for self-hosted vaas\nexport CLIENT_SECRET=$(kubectl get secret -n vaas vaas-client-secret -o jsonpath=\"{.data.secret}\" | base64 -d) # extracts the client secret from the k8s secret\nexport SCAN_PATH=./build.gradle # path to the file you want to scan\nexport VAAS_URL=http://vaas # URL of the VaaS instance you set earlier in your /etc/hosts\nexport TOKEN_URL=http://vaas/auth/protocol/openid-connect/token # URL of the token endpoint you set earlier in your /etc/hosts\n```\n\nAlternatively, if you are using an SDK version that still supports websockets, you have to set another host for the VAAS_URL:\n\n```bash\nexport VAAS_URL=ws://vaas/ws # URL of the VaaS instance you set earlier in your /etc/hosts\n```\n\n* Execute the FileScan example in the Java SDK example folder\n\n```bash\ngradle fileScan\n```\n\n\u003c!-- end::UseVaaSJavaSDK[] --\u003e\n\n## Configuring Verdict-as-a-Service\n\n\u003c!-- tag::CloudLookups[] --\u003e\n\n### Cloud lookups\n\nThe default configurations are set to provide the best verdict. If you need to run this Helm chart without sending the file hashes to our cloud, you can deactivate the cloud lookups with these options:\n\n```yaml\ncloud:\n  hashLookup:\n    enabled: false\n  allowlistLookup:\n    enabled: false\n```\n\nWith the `hashLookup`, VaaS uses the G DATA Cloud to obtain additional information about a file and thus improve the quality of the verdict. 
Without the hashLookup, this additional information is omitted and files that would ONLY be recognized via the cloud are therefore not recognized.\n\nThe `allowlistLookup` sends the file hash to the G DATA Cloud to check it against a list of files that we know for sure are not malicious, to prevent false positives. Some clean files are still detected by the scanners' signatures and the `allowlistLookup` will prevent these files from being detected as `malicious` or `pup`.\n\n\u003c!-- end::CloudLookups[] --\u003e\n\n\u003c!-- tag::FileSize[] --\u003e\n\n### File size limit\nThe current file size limit is set to 2G. If you want to adjust the file size for your use case, you have to set the deployment's body size limit in `vaas.gateway.ingress.annotations`:\n\n```yaml\ngateway:\n  ingress:\n    annotations:\n      nginx.ingress.kubernetes.io/proxy-body-size: \u003cyour maximum filesize\u003e\n```\n\n\u003c!-- end::FileSize[] --\u003e\n\n\u003c!-- tag::ConfigureMonitoring[] --\u003e\n\n### Configure monitoring with Sentry\n\nTo enable Sentry monitoring, you have to set at least your DSN in the `sentry` section of your `values` file as in the following example. 
\nASP.NET Core should be selected as the platform for creating a Sentry project.\n\n```yaml\nsentry:\n  dsn: \"\u003cyour sentry dsn\u003e\"\n```\n\nIf nothing is set except the DSN, the defaults lead to the following settings:\n\n- Environment: `Production`\n- MaxBreadcrumbs: `50`\n- MaxQueueItems: `50`\n- EnableTracing: `true`\n- TracesSampleRate: `0.5`\n\nThese values can be overwritten in the `values` file:\n  \n```yaml\nsentry:\n  dsn: \"\u003cyour sentry dsn\u003e\"\n  environment: \"\u003cyour environment\u003e\"\n  maxBreadcrumbs: \u003cyour maxBreadcrumbs\u003e\n  maxQueueItems: \u003cyour maxQueueItems\u003e\n  enableTracing: \u003cyour enableTracing\u003e\n  tracesSampleRate: \u003cyour tracesSampleRate\u003e\n```\n\nIn addition, Sentry will always behave as follows:\n\n- AttachStacktrace: `true`\n- ShutdownTimeout: `5s`\n- SendDefaultPii: `false`\n- MinimumBreadcrumbLevel: `Debug`\n- MinimumEventLevel: `Warning`\n\n\u003c!-- end::ConfigureMonitoring[] --\u003e\n\n### Other values\n\n\u003c!-- tag::OtherValues[] --\u003e\n\n| Parameter                                 | Description                                                                                           | Value                          |\n| ----------------------------------------- | ----------------------------------------------------------------------------------------------------- | ------------------------------ |\n| imagePullSecret                           | Image pull secret                                                                                     | \"e30K\"                         |\n| global.imagePullSecrets                   | List of image pull secrets                                                                            | []                             |\n| global.secret.dockerconfigjson            | Docker authentication configuration                                                                   | \"e30K\"                         |\n| 
global.secret.imagePullSecret             | Image pull secret                                                                                     | \"e30K\"                         |\n| cloud.hashLookup.enabled                  | Enable/Disable the cloud hash lookup                                                                  | true                           |\n| cloud.allowlistLookup.enabled             | Enable/Disable the cloud allowlist lookup                                                             | true                           |\n| gatewayApi.enabled                        | Enable/Disable Gateway API resources                                                                  | false                          |\n| gatewayApi.nameOverride                   | Overrides the Gateway API application name                                                            | \"\"                             |\n| gatewayApi.fullnameOverride               | Overrides the Gateway API full name                                                                   | \"gateway-api\"                  |\n| gatewayApi.gatewayClassName               | Gateway class name for Gateway API                                                                    | \"eg\"                           |\n| gatewayApi.annotations                    | Additional annotations for Gateway API                                                                | {}                             |\n| gatewayApi.infrastructure.annotations     | Infrastructure-specific annotations for Gateway API                                                   | {}                             |\n| gatewayApi.listeners.https.hostname       | Hostname for HTTPS listener                                                                           | \"\"                             |\n| gatewayApi.listeners.https.protocol       | Protocol for HTTPS listener                                                                           | 
HTTPS                          |\n| gatewayApi.listeners.https.port           | Port for HTTPS listener                                                                               | 443                            |\n| gatewayApi.listeners.https.tlsSecretName  | TLS secret name for HTTPS listener                                                                    | \"gateway-api-tls\"              |\n| gatewayApi.listeners.http.hostname        | Hostname for HTTP listener                                                                            | \"\"                             |\n| gatewayApi.listeners.http.protocol        | Protocol for HTTP listener                                                                            | HTTP                           |\n| gatewayApi.listeners.http.port            | Port for HTTP listener                                                                                | 80                             |\n| gateway.httpRoute.enabled                 | Enable/Disable HTTPRoute resource for Gateway API                                                     | false                          |\n| gateway.httpRoute.hostname                | Hostname for HTTPRoute                                                                                | \"\"                             |\n| gateway.ingress.enabled                   | Enable/Disable the Ingress resource (deprecated: use gatewayApi and httpRoute instead)                | true                           |\n| gateway.ingress.annotations               | Additional annotations for Ingress                                                                    | {}                             |\n| gateway.ingress.hosts                     | Hostnames and paths for Ingress                                                                       | []                             |\n| gateway.ingress.tls                       | TLS configuration for Ingress                                             
                            | []                             |\n| gateway.ingress.className                 | Class name for Ingress                                                                                | \"\"                             |\n| gateway.authentication.authority          | Authority for authentication                                                                          | \"\"                             |\n| gateway.nameOverride                      | Overrides the application name                                                                        | \"\"                             |\n| gateway.fullnameOverride                  | Overrides the full name                                                                               | \"\"                             |\n| gateway.networkPolicy.enabled             | Enable/Disable the default Network Policy                                                             | false                          |\n| gateway.networkPolicy.ingressNSMatchLabels    | Labels to match to allow traffic from other namespaces                                                | {}                             |\n| gateway.networkPolicy.ingressNSPodMatchLabels | Pod labels to match to allow traffic from other namespaces                                            | {}                             |\n| gateway.service.type                      | Type of Kubernetes service                                                                            | \"\"                             |\n| gateway.service.http.port                 | HTTP port for the service                                                                             | 8080                           |\n| gateway.service.ws.port                   | WebSocket port for the service                                                                        | 9090                           |\n| gateway.podDisruptionBudget.minAvailable  | Minimum available pods in case 
of disruption                                                          | 1                              |\n| gateway.replicaCount                      | Number of replicas                                                                                    | 1                              |\n| gateway.revisionHistoryLimit              | Number of revisions in history                                                                        | 1                              |\n| gateway.resources.limits.memory           | Maximum memory usage                                                                                  | 512Mi                          |\n| gateway.resources.requests.cpu            | Requested CPU performance                                                                             | 0.5                            |\n| gateway.resources.requests.memory         | Requested memory usage                                                                                | 256Mi                          |\n| gateway.containerSecurityContext.enabled  | Enable/Disable container security context                                                             | true                           |\n| gateway.podSecurityContext.enabled        | Enable/Disable pod security context                                                                   | true                           |\n| gateway.uploadUrl                         | URL for the upload service                                                                            | \"http://localhost:8080/upload\" |\n| gateway.podAnnotations                    | Annotations for pods                                                                                  | {}                             |\n| gateway.nodeSelector                      | Node labels for pod assignment                                                                        | {}                             |\n| gateway.affinity                          | 
Affinity settings for pods                                                                            | {}                             |\n| gateway.terminationGracePeriodSeconds     | Max time in seconds for scans to complete                                                             | 30                             |\n| gdscan.networkPolicy.enabled                  | Enable/Disable the default Network Policy                                                             | false                          |\n| gdscan.networkPolicy.ingressNSMatchLabels     | Labels to match to allow traffic from other namespaces                                                | {}                             |\n| gdscan.networkPolicy.ingressNSPodMatchLabels  | Pod labels to match to allow traffic from other namespaces                                            | {}                             |\n| gdscan.nodeSelector                       | gdscan node labels for pod assignment                                                                 | {}                             |\n| gdscan.replicaCount                       | Number of replicas for the gdscan deployment                                                          | 1                              |\n| gdscan.terminationGracePeriodSeconds      | Max time in seconds for scans to complete. 
Set to same value as gateway.terminationGracePeriodSeconds | 30                             |\n| mini-identity-provider.nodeSelector       | mini-identity-provider Node labels for pod assignment                                                 | {}                             |\n| mini-identity-provider.ingress.className  | Class name for Ingress                                                                                | \"\"                             |\n\n\u003c!-- end::OtherValues[] --\u003e\n\n\u003c!-- tag::ProductionEnviroment[] --\u003e\n\n## Production environment\n\nIn production you will have to configure a few values.\n\n\u003c!-- tag::ConfHostname[] --\u003e\n\n### Ingress\n\nThe default hostname is \"vaas\". To change it and provide a tls configuration, add this to your values.yaml:\n\n```yaml\nmini-identity-provider:\n  issuer: \"http://vaas/auth\"\n  ingress:\n    className: \"\"\n    hosts:\n    - host: vaas\n      paths:\n      - path: /auth(/|$)(.*)\n        pathType: ImplementationSpecific\n        service:\n          name: provider\n          port: 8080\n    tls: []\n\ngateway:\n  ingress:\n    className: \"\"\n    hosts:\n      - host: vaas\n        paths:\n          - path: /ws\n            pathType: ImplementationSpecific\n            service:\n              name: gateway\n              port: 9090\n      - host: vaas\n        paths:\n          - path: /\n            pathType: ImplementationSpecific\n            service:\n              name: gateway\n              port: 8080\n    tls: []\n  uploadUrl: \"http://vaas/upload\"\n```\n\nIf you want to use only the HTTP API, it is sufficient to set the port to 8080 for the standard route:\n```yaml\nmini-identity-provider:\n  issuer: \"http://vaas/auth\"\n  ingress:\n    className: \"\"\n    hosts:\n    - host: vaas\n      paths:\n      - path: /auth(/|$)(.*)\n        pathType: ImplementationSpecific\n        service:\n          name: provider\n          port: 8080\n    tls: []\n\ngateway:\n  
ingress:\n    className: \"\"\n    hosts:\n      - host: vaas\n        paths:\n          - path: /\n            pathType: ImplementationSpecific\n            service:\n              name: gateway\n              port: 8080\n    tls: []\n```\n\nTo see which of the SDKs support the HTTP API, check this [table](https://github.com/GDATASoftwareAG/vaas?tab=readme-ov-file#sdks).\n\nReplace \"vaas\" with your hostname in the following values:\n\n* mini-identity-provider.issuer\n* mini-identity-provider.ingress.hosts.0.host\n* gateway.ingress.0.host\n* gateway.ingress.1.host\n* gateway.uploadUrl\n\n\u003c!-- end::ConfHostname[] --\u003e\n\nIf you require a different ingressClassName than \"default\", set:\n\n* gateway.ingress.className\n* mini-identity-provider.ingress.className\n\n### Zero-trust network configurations\n\nIf you are using a zero-trust network configuration, network policies have to be enabled (default). The update\nCronJob requires access to the Kubernetes API. If the update fails with logs like:\n\n```\nE0603 09:35:50.444603       1 memcache.go:265] couldn't get current server API group list: Get \"https://10.96.0.1:443/api?timeout=32s\": dial tcp 10.96.0.1:443: i/o timeout\n```\n\nyou have to configure the k8sApiPort:\n\n```\ngdscan:\n  autoUpdate:\n    networkPolicy:\n      k8sApiPort: 6443\n```\n\n## Managing the secrets in the values.yaml\n\nBy default all secrets are generated by the helm chart. 
If you want to manage them yourself or you are using ArgoCD, you can\nspecify the secrets in the values.yaml.\n\n| Parameter                                     | Description                                                                                                                                                                    | Value  |\n| --------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | ------ |\n| mini-identity-provider.auth.existingSecret    | Use existing secret for auth details (auth.secret will be ignored and picked up from this secret). The secret has to contain the keys id and secret                            | \"\"     |\n| mini-identity-provider.auth.secret            | The client secret                                                                                                                                                              | \"\"     |\n| mini-identity-provider.auth.id                | The Client id                                                                                                                                                                  | \"vaas\" |\n| mini-identity-provider.signing.existingSecret | Use existing secret for signing details (signing.cert and signing.key will be ignored and picked up from this secret). 
The secret has to contain the keys tls.cert and tls.key | \"\"     |\n| mini-identity-provider.signing.crt            | The signing/encryption certificate in PEM format                                                                                                                               | \"\"     |\n| mini-identity-provider.signing.key            | The signing/encryption private key in PEM format                                                                                                                               | \"\"     |\n| gateway.uploadToken.existingSecret            | Use existing secret for signing the upload token                                                                                                                               | \"\"     |\n| gateway.uploadToken.key                       | The upload token signing key                                                                                                                                                   | \"\"     |\n\nProvide your own secret:\n\n* mini-identity-provider.auth.existingSecret   \n* mini-identity-provider.signing.existingSecret\n* gateway.uploadToken.existingSecret\n\nSpecify secret in the values.yaml:\n\n* mini-identity-provider.auth.secret           \n* mini-identity-provider.auth.id               \n* mini-identity-provider.signing.crt           \n* mini-identity-provider.signing.key\n* gateway.uploadToken.key\n\nYou can generate the certificate and private key with\n\n```bash\nopenssl genpkey -algorithm RSA -out private_key.pem -pkeyopt rsa_keygen_bits:2048\nopenssl req -new -x509 -key private_key.pem -out certificate.pem -days 3650 -subj \"/CN=Mini Identity Provider Server Signing Certificate\"\n```\n\nYou can generate the upload token signing key with\n\n```bash\ncat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 256 | head -n 1\n```\n\n\u003c!-- end::ProductionEnviroment[] 
--\u003e\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fgdatasoftwareag%2Fvaas-helm","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fgdatasoftwareag%2Fvaas-helm","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fgdatasoftwareag%2Fvaas-helm/lists"}