This topic contains Helm charts and instructions for the deployment and maintenance of Aqua Cloud Native Security (CSP).
CSP deployments include the following components:
- Server (Console, Database, and Gateway)
- Enforcer
- KubeEnforcer
- Scanner
This repository includes three charts that may be deployed separately:
- Server - deploys the Console, Database, and Gateway components; and (optionally) the Scanner component
- Enforcer - deploys the Enforcer daemonset
- Scanner - deploys the Scanner deployment
- KubeEnforcer - deploys the KubeEnforcer deployment
Follow the steps in this section.
First, you need to add the Aqua Helm repository to your local Helm repos, instead of cloning this aqua-helm source code repository, by executing the following command:
$ helm repo add aqua-helm https://helm.aquasec.com
- Search for all components of the latest version in our Aqua Helm repository
$ helm search aqua-helm
# Examples
$ helm search aqua-helm --versions
$ helm search aqua-helm --version 4.6.0
for helm 3.x
$ helm search repo aqua-helm
Example output:
NAME CHART VERSION APP VERSION DESCRIPTION
aqua-helm/enforcer 5.0.0 5.0 A Helm chart for the Aqua Enforcer
aqua-helm/scanner 5.0.0 5.0 A Helm chart for the Aqua Scanner CLI component
aqua-helm/server 5.0.0 5.0 A Helm chart for the Aqua Console components
aqua-helm/kube-enforcer 5.0.0 5.0 A Helm chart for the Aqua KubeEnforcer
- Search for all components of a specific version in our Aqua Helm repository
Example: for Version 5.0
$ helm search aqua-helm -v 5.0
for helm 3.x
$ helm search repo aqua-helm --version 5.0
- Search for all components:
for helm 3.x
$ helm search repo aqua-helm --versions
Aqua Security recommends implementing a highly-available PostgreSQL database for production use of Aqua CSP.
By default, the console chart will install a PostgreSQL database and attach it to persistent storage; this is recommended only for POC usage and testing.
For production use, you can override this default behavior and specify an existing PostgreSQL database by setting the following variables in values.yaml:
db:
external:
enabled: true
name: example-aquasec
host: aquasec-db
port: 5432
user: aquasec-db-username
password: verysecret
In each charts and components we create an option to define more environment variables to each componenet with 2 ways:
extraEnvironmentVars
: is a list of extra enviroment variables to set with name and value parameters.extraSecretEnvironmentVars
: is a list of extra enviroment variables to set, these variables take value from existing Secret objects.
First, clone the GitHub repository with the charts
$ git clone https://github.com/aquasecurity/aqua-helm.git -b <BRANCH_NAME>
$ cd aqua-helm/
Optional: Update the Helm charts values.yaml files with your environment's custom values. This eliminates the need to pass the parameters to the helm command. Then run one of the commands below to install the relevant services.
before start deploying helm charts, plese verify you create aqua
namespace.
$ kubectl create namespace aqua
$ helm upgrade --install --namespace aqua aqua ./server --set imageCredentials.username=<>,imageCredentials.password=<>,imageCredentials.email=<>
$ helm upgrade --install --namespace aqua aqua-enforcer ./enforcer --set imageCredentials.username=<>,imageCredentials.password=<>,imageCredentials.email=<>,enforcerToken=<aquasec-token>
$ helm upgrade --install --namespace aqua kube-enforcer ./kube-enforcer --set imageCredentials.username=<registry-username>,imageCredentials.password=<registry-password>,certsSecret.serverCertificate="$(cat server.crt)",certsSecret.serverKey="$(cat server.key)",validatingWebhook.caBundle="$(cat ca.crt)"
$ helm upgrade --install --namespace aqua scanner ./scanner --set imageCredentials.username=<>,imageCredentials.password=<>,imageCredentials.email=<>
This section not all-inclusive. It describes common issues that Aqua Security has encountered during deployments.
(1) Error: UPGRADE/INSTALL FAILED, configmaps is forbidden.
Error: UPGRADE FAILED: configmaps is forbidden: User "system:serviceaccount:kube-system:default" cannot list configmaps in the namespace "kube-system"
Solution: Create a service account for Tiller to utilize.
kubectl create serviceaccount --namespace kube-system tiller
kubectl create clusterrolebinding tiller-cluster-rule --clusterrole=cluster-admin --serviceaccount=kube-system:tiller
kubectl patch deploy --namespace kube-system tiller-deploy -p '{"spec":{"template":{"spec":{"serviceAccount":"tiller"}}}}'
helm init --service-account tiller --upgrade
(2) Error: No persistent volumes available for this claim and no storage class is set.
Solution: Most managed Kubernetes deployments do NOT include all possible storage provider variations at setup time. Refer to the official Kubernetes guidance on storage classes for your platform. Three examples are shown below.
for more information go to storage docs, Link
(3) Error: When executing kubectl get events -n aqua
you might encounter one of the following errors:
no persistent volumes available for this claim and no storage class is set or PersistentVolumeClaim is not bound.
Solution: If you encounter this error, you need to create a persistent volume prior to chart installation with a generic or existing storage class, specifying db.persistence.storageClass
in the values.yaml file. A sample file using aqua-storage
is included in the repo.
$ kubectl apply -f pv-example.yaml
If you encounter any problems or would like to give us feedback on deployments, we encourage you to raise issues here on GitHub.