akin-ozer/aqua-helm

Helm Charts For Installing Aqua Security Components

Aqua Security Helm Charts

This topic contains Helm charts and instructions for the deployment and maintenance of Aqua Cloud Native Security (CSP).

CSP deployments include the following components:

• Server (Console, Database, and Gateway)
• Enforcer
• Scanner (optional)

Contents

• Aqua Security Helm Charts
  • Contents
  • Helm charts
• Deployment instructions
  • Add Aqua Helm repository
  • Container registry credentials
  • PostgreSQL database
  • Customize your configuration
    • Server
    • Enforcer
    • Scanner
  • Deploy the Helm charts
    • Server chart
    • Enforcer chart
    • Scanner chart (optional)
• Additional deployment items
  • High-volume scanner installation
  • Non-public cloud provider deployments (examples)
• Troubleshooting
• Support

Helm charts

This repository includes three charts that may be deployed separately:

• Server - deploys the Console, Database, and Gateway components; and (optionally) the Scanner component
• Enforcer - deploys the Enforcer daemonset
• Scanner - deploys the Scanner deployment

Deployment instructions

Follow the steps in this section.

Add Aqua Helm Repository

First, you need to add the Aqua Helm repository to your local Helm repos, instead of cloning this aqua-helm source code repository, by executing the following command:

helm repo add aqua-helm https://helm.aquasec.com

• Search for all components of the latest version in our Aqua Helm repository

helm search aqua-helm

for helm 3.x

helm search repo aqua-helm

Example output:

NAME                  CHART VERSION		    APP VERSION		      DESCRIPTION
aqua-helm/enforcer    4.6.0        			  4.6        				  A Helm chart for the Aqua Enforcer
aqua-helm/scanner 	  4.6.0        			  4.6        				  A Helm chart for the aqua scanner cli component
aqua-helm/server  	  4.6.0        			  4.6        				  A Helm chart for the Aqua Console Componants

• Search for all components of a specific version in our Aqua Helm repository

Example: for Version 4.6

helm search aqua-helm -v 4.6

for helm 3.x

helm search repo aqua-helm --version 4.6

• Search for all components:

for helm 3.x

helm search repo aqua-helm --versions

Container registry credentials

The Aqua Server (Console and Gateway) components are available in our private repository, which requires authentication. By default, the charts create a secret based on the values.yaml file.

1. Create a new namespace named "aqua":

kubectl create namespace aqua

2. Optional: Create the secret:

kubectl create secret docker-registry csp-registry-secret  --docker-server="registry.aquasec.com" --namespace aqua --docker-username="jg@example.com" --docker-password="Truckin" --docker-email="jg@example.com"

PostgreSQL database

Aqua Security recommends implementing a highly-available PostgreSQL database for production use of Aqua CSP.

By default, the console chart will install a PostgreSQL database and attach it to persistent storage; this is recommended only for POC usage and testing.

For production use, you can override this default behavior and specify an existing PostgreSQL database by setting the following variables in values.yaml:

db:
  external:
    enabled: true
    name: example-aquasec
    host: aquasec-db
    port: 5432
    user: aquasec-db-username
    password: verysecret

Customize your configuration

The following tables list the configurable parameters for the Server, Enforcer, and Scanner charts.

Change some or all of these parameters per the requirements of your deployment, if the default values are not appropriate.

Server

Parameter	Description	Default
imageCredentials.create	Set if to create new pull image secret	true
imageCredentials.name	Your Docker pull image secret name	csp-registry-secret
imageCredentials.username	Your Docker registry (DockerHub, etc.) username	N/A
imageCredentials.password	Your Docker registry (DockerHub, etc.) password	N/A
rbac.enabled	Create a service account and a ClusterRole	false
rbac.roleRef	Use an existing ClusterRole	``
admin.token	Use this Aqua license token	N/A
admin.password	Use this Aqua admin password	N/A
db.external.enabled	Use an external database (instead of deploying a Postgres container)	false
db.external.name	PostgreSQL DB name	N/A
db.external.host	PostgreSQL DB hostname	N/A
db.external.port	PostgreSQL DB port	N/A
db.external.user	PostgreSQL DB username	N/A
db.external.password	PostgreSQL DB password	N/A
db.image.repository	Default PostgreSQL Docker image repository	database
db.image.tag	Default PostgreSQL Docker image tag	4.6
db.service.type	Default PostgreSQL service type	ClusterIP
db.persistence.enabled	Enable a use of a PostgreSQL PVC	true
db.persistence.storageClass	PostgreSQL PVC StorageClass	default
db.persistence.size	PostgreSQL PVC volume size	30Gi
db.persistence.accessMode	PostgreSQL PVC volume AccessMode	ReadWriteOnce
db.resources	PostgreSQL pod resources	{}
web.service.type	Web service type	ClusterIP
web.ingress.enabled	Install ingress for the web component	false
web.image.repository	Default Web Docker image repository	server
web.image.tag	Default Web Docker image tag	4.6
web.ingress.annotations	Web ingress annotations	{}
web.ingress.hosts	Web ingress hosts definition	[]
web.ingress.tls	Web ingress TLS	[]
web.persistence.enabled	Enable persistent volume for fast scanning cache	true
web.persistence.storageClass	Define the storage class if you don't want to use the default storage class	``
web.persistence.size	Size of the persistent volume in Gi	4
web.persistence.accessMode	Access mode of the persistent volume	ReadWriteOnce
gate.service.type	Gateway service type	ClusterIP
gate.image.repository	Default Gateway Docker image repository	gate
gate.image.tag	Default Gateway Docker image tag	4.6
gate.publicIP	Default Gateway service public IP	``
scanner.enabled	Enable the Scanner component	false
scanner.replicaCount	Number of Scanner replicas to run	1
scanner.user	Username of the Scanner user assigned to the Scanner role	N/A
scanner.password	Password of the Scanner user	N/A

Enforcer

Parameter	Description	Default
imageCredentials.create	Set if to create new pull image secret	false
imageCredentials.name	Your Docker pull image secret name	aqua-image-pull-secret
imageCredentials.username	Your Docker registry (DockerHub, etc.) username	N/A
imageCredentials.password	Your Docker registry (DockerHub, etc.) password	N/A
enforcerToken	Aqua Enforcer token	N/A
server	Gateway host name	aqua-gateway
port	Gateway port	3622

Scanner

Parameter	Description	Default
rbac.enabled	Create a service account and a ClusterRole	false
rbac.roleRef	Use an existing ClusterRole	``
admin.token	Use this Aqua license token	N/A
admin.password	Use this Aqua admin password	N/A
docker.socket.path	Docker Socket Path	/var/run/docker.sock
serviceAccount	Service account to use	csp-sa
server.serviceName	Service name of the Aqua Server (console) UI	csp-console-svc
server.port	Service svc port	8080
docker.socket.path	Docker socket path	/var/run/docker.sock
docker.socket.path	Docker socket path	/var/run/docker.sock
enabled	Enable the Scanner component	false
replicaCount	Number of Scanner replicas to run	1
user	Username of the Scanner user assigned to the Scanner role	N/A
password	Password of the Scanner user	N/A

Deploy the Helm charts

First, clone the GitHub repository with the charts

git clone https://github.com/aquasecurity/aqua-helm.git
cd aqua-helm/

Optional: Update the Helm charts values.yaml files with your environment's custom values. This eliminates the need to pass the parameters to the helm command. Then run one of the commands below to install the relevant services.

Server chart

helm upgrade --install --namespace aqua csp ./server --set imageCredentials.username=<>,imageCredentials.password=<>,imageCredentials.email=<>

Enforcer chart

helm upgrade --install --namespace aqua csp-enforcer ./enforcer --set imageCredentials.username=<>,imageCredentials.password=<>,imageCredentials.email=<>,enforcerToken=<aquasec-token>

Scanner chart (optional)

helm upgrade --install --namespace aqua scanner ./scanner --set imageCredentials.username=<>,imageCredentials.password=<>,imageCredentials.email=<>

Additional deployment items

High-volume scanner installation

Aqua CSP can deploy a scanner pod that is external to the Aqua Server. This dedicated scanner pod allows the Server to run unprivileged, and provides a high-throughput scan queue anywhere you choose. To install the Scanner alongside the Server components, set the following variables in values.yaml:

scanner:
  enabled: true
scanner.replicas: "Set quantity"

Non-public cloud provider deployments (examples)

Creating an ingress to access the Aqua Server

Example: IBM Cloud Private includes a bundled ingress controller. A sample ingress yaml file is included in the repo.

kubectl apply -f ingress-example.yaml

Alternative ingress configuration

Example: The services charts are set to create `ClusterIP' ingress types. You may tune these as appropriate for your environment.

Troubleshooting

This section not all-inclusive. It describes common issues that Aqua Security has encountered during deployments.

(1) Error: UPGRADE/INSTALL FAILED, configmaps is forbidden.

Error: UPGRADE FAILED: configmaps is forbidden: User "system:serviceaccount:kube-system:default" cannot list configmaps in the namespace "kube-system"

Solution: Create a service account for Tiller to utilize.

kubectl create serviceaccount --namespace kube-system tiller
kubectl create clusterrolebinding tiller-cluster-rule --clusterrole=cluster-admin --serviceaccount=kube-system:tiller
kubectl patch deploy --namespace kube-system tiller-deploy -p '{"spec":{"template":{"spec":{"serviceAccount":"tiller"}}}}'
helm init --service-account tiller --upgrade

(2) Error: No persistent volumes available for this claim and no storage class is set.

Solution: Most managed Kubernetes deployments do NOT include all possible storage provider variations at setup time. Refer to the official Kubernetes guidance on storage classes for your platform. Three examples are shown below.

• Amazon EKS

  kind: StorageClass
  apiVersion: storage.k8s.io/v1
  metadata:
    name: aqua-console-db-data
  provisioner: kubernetes.io/aws-ebs
  parameters:
    type: gp2
  reclaimPolicy: Retain
  mountOptions:
    - debug
  volumeBindingMode: Immediate

• Azure AKS

  kind: StorageClass
  apiVersion: storage.k8s.io/v1
  metadata:
    name: slow
  provisioner: kubernetes.io/azure-disk
  parameters:
    storageaccounttype: Standard_LRS
    kind: Shared

• Google GKE

  kind: StorageClass
  apiVersion: storage.k8s.io/v1
  metadata:
    name: slow
  provisioner: kubernetes.io/gce-pd
  parameters:
    type: pd-standard
  replication-type: none

(3) Error: When executing kubectl get events -n aqua you might encounter one of the following errors: no persistent volumes available for this claim and no storage class is set or PersistentVolumeClaim is not bound.

Solution: If you encounter this error, you need to create a persistent volume prior to chart installation with a generic or existing storage class, specifying db.persistence.storageClass in the values.yaml file. A sample file using aqua-storage is included in the repo.

kubectl apply -f pv-example.yaml

Support

If you encounter any problems, or would like to give us feedback, we encourage you to raise issues here on GitHub. Please contact us at https://github.com/aquasecurity.