This topic contains Helm charts and instructions for the deployment and maintenance of Aqua Cloud Native Security (CSP).
CSP deployments include the following components:
- Server (Console, Database, and Gateway)
- Enforcer
- Scanner (optional)
- Aqua Security Helm Charts
- Deployment instructions
- Additional deployment items
- Troubleshooting
- Support
This repository includes three charts that may be deployed separately:
- Server - deploys the Console, Database, and Gateway components; and (optionally) the Scanner component
- Enforcer - deploys the Enforcer daemonset
- Scanner - deploys the Scanner deployment
Follow the steps in this section.
First, you need to add the Aqua Helm repository to your local Helm repos, instead of cloning this aqua-helm source code repository, by executing the following command:
helm repo add aqua-helm https://helm.aquasec.com
- Search for all components of the latest version in our Aqua Helm repository
helm search aqua-helm
for helm 3.x
helm search repo aqua-helm
Example output:
NAME CHART VERSION APP VERSION DESCRIPTION
aqua-helm/enforcer 4.6.0 4.6 A Helm chart for the Aqua Enforcer
aqua-helm/scanner 4.6.0 4.6 A Helm chart for the aqua scanner cli component
aqua-helm/server 4.6.0 4.6 A Helm chart for the Aqua Console Componants
- Search for all components of a specific version in our Aqua Helm repository
Example: for Version 4.6
helm search aqua-helm -v 4.6
for helm 3.x
helm search repo aqua-helm --version 4.6
- Search for all components:
for helm 3.x
helm search repo aqua-helm --versions
The Aqua Server (Console and Gateway) components are available in our private repository, which requires authentication. By default, the charts create a secret based on the values.yaml file.
- Create a new namespace named "aqua":
kubectl create namespace aqua
- Optional: Create the secret:
kubectl create secret docker-registry csp-registry-secret --docker-server="registry.aquasec.com" --namespace aqua --docker-username="jg@example.com" --docker-password="Truckin" --docker-email="jg@example.com"
Aqua Security recommends implementing a highly-available PostgreSQL database for production use of Aqua CSP.
By default, the console chart will install a PostgreSQL database and attach it to persistent storage; this is recommended only for POC usage and testing.
For production use, you can override this default behavior and specify an existing PostgreSQL database by setting the following variables in values.yaml:
db:
external:
enabled: true
name: example-aquasec
host: aquasec-db
port: 5432
user: aquasec-db-username
password: verysecret
The following tables list the configurable parameters for the Server, Enforcer, and Scanner charts.
Change some or all of these parameters per the requirements of your deployment, if the default values are not appropriate.
Parameter | Description | Default |
---|---|---|
imageCredentials.create |
Set if to create new pull image secret | true |
imageCredentials.name |
Your Docker pull image secret name | csp-registry-secret |
imageCredentials.username |
Your Docker registry (DockerHub, etc.) username | N/A |
imageCredentials.password |
Your Docker registry (DockerHub, etc.) password | N/A |
rbac.enabled |
Create a service account and a ClusterRole | false |
rbac.roleRef |
Use an existing ClusterRole | `` |
admin.token |
Use this Aqua license token | N/A |
admin.password |
Use this Aqua admin password | N/A |
db.external.enabled |
Use an external database (instead of deploying a Postgres container) | false |
db.external.name |
PostgreSQL DB name | N/A |
db.external.host |
PostgreSQL DB hostname | N/A |
db.external.port |
PostgreSQL DB port | N/A |
db.external.user |
PostgreSQL DB username | N/A |
db.external.password |
PostgreSQL DB password | N/A |
db.image.repository |
Default PostgreSQL Docker image repository | database |
db.image.tag |
Default PostgreSQL Docker image tag | 4.6 |
db.service.type |
Default PostgreSQL service type | ClusterIP |
db.persistence.enabled |
Enable a use of a PostgreSQL PVC | true |
db.persistence.storageClass |
PostgreSQL PVC StorageClass | default |
db.persistence.size |
PostgreSQL PVC volume size | 30Gi |
db.persistence.accessMode |
PostgreSQL PVC volume AccessMode | ReadWriteOnce |
db.resources |
PostgreSQL pod resources | {} |
web.service.type |
Web service type | ClusterIP |
web.ingress.enabled |
Install ingress for the web component | false |
web.image.repository |
Default Web Docker image repository | server |
web.image.tag |
Default Web Docker image tag | 4.6 |
web.ingress.annotations |
Web ingress annotations | {} |
web.ingress.hosts |
Web ingress hosts definition | [] |
web.ingress.tls |
Web ingress TLS | [] |
web.persistence.enabled |
Enable persistent volume for fast scanning cache | true |
web.persistence.storageClass |
Define the storage class if you don't want to use the default storage class | `` |
web.persistence.size |
Size of the persistent volume in Gi | 4 |
web.persistence.accessMode |
Access mode of the persistent volume | ReadWriteOnce |
gate.service.type |
Gateway service type | ClusterIP |
gate.image.repository |
Default Gateway Docker image repository | gate |
gate.image.tag |
Default Gateway Docker image tag | 4.6 |
gate.publicIP |
Default Gateway service public IP | `` |
scanner.enabled |
Enable the Scanner component | false |
scanner.replicaCount |
Number of Scanner replicas to run | 1 |
scanner.user |
Username of the Scanner user assigned to the Scanner role | N/A |
scanner.password |
Password of the Scanner user | N/A |
Parameter | Description | Default |
---|---|---|
imageCredentials.create |
Set if to create new pull image secret | false |
imageCredentials.name |
Your Docker pull image secret name | aqua-image-pull-secret |
imageCredentials.username |
Your Docker registry (DockerHub, etc.) username | N/A |
imageCredentials.password |
Your Docker registry (DockerHub, etc.) password | N/A |
enforcerToken |
Aqua Enforcer token | N/A |
server |
Gateway host name | aqua-gateway |
port |
Gateway port | 3622 |
Parameter | Description | Default |
---|---|---|
rbac.enabled |
Create a service account and a ClusterRole | false |
rbac.roleRef |
Use an existing ClusterRole | `` |
admin.token |
Use this Aqua license token | N/A |
admin.password |
Use this Aqua admin password | N/A |
docker.socket.path |
Docker Socket Path | /var/run/docker.sock |
serviceAccount |
Service account to use | csp-sa |
server.serviceName |
Service name of the Aqua Server (console) UI | csp-consul-svc |
server.port |
Service svc port | 8080 |
docker.socket.path |
Docker socket path | /var/run/docker.sock |
docker.socket.path |
Docker socket path | /var/run/docker.sock |
enabled |
Enable the Scanner component | false |
replicaCount |
Number of Scanner replicas to run | 1 |
user |
Username of the Scanner user assigned to the Scanner role | N/A |
password |
Password of the Scanner user | N/A |
First, clone the GitHub repository with the charts
git clone https://github.com/aquasecurity/aqua-helm.git
cd aqua-helm/
Optional: Update the Helm charts values.yaml files with your environment's custom values. This eliminates the need to pass the parameters to the helm command. Then run one of the commands below to install the relevant services.
helm upgrade --install --namespace aqua csp ./server --set imageCredentials.username=<>,imageCredentials.password=<>,imageCredentials.email=<>
helm upgrade --install --namespace aqua csp-enforcer ./enforcer --set imageCredentials.username=<>,imageCredentials.password=<>,imageCredentials.email=<>,enforcerToken=<aquasec-token>
helm upgrade --install --namespace aqua scanner ./scanner --set imageCredentials.username=<>,imageCredentials.password=<>,imageCredentials.email=<>
Aqua CSP can deploy a scanner pod that is external to the Aqua Server. This dedicated scanner pod allows the Server to run unprivileged, and provides a high-throughput scan queue anywhere you choose. To install the Scanner alongside the Server components, set the following variables in values.yaml:
scanner:
enabled: true
scanner.replicas: "Set quantity"
Creating an ingress to access the Aqua Server
Example: IBM Cloud Private includes a bundled ingress controller. A sample ingress yaml file is included in the repo.
kubectl apply -f ingress-example.yaml
Alternative ingress configuration
Example: The services charts are set to create `ClusterIP' ingress types. You may tune these as appropriate for your environment.
This section not all-inclusive. It describes common issues that Aqua Security has encountered during deployments.
(1) Error: UPGRADE/INSTALL FAILED, configmaps is forbidden.
Error: UPGRADE FAILED: configmaps is forbidden: User "system:serviceaccount:kube-system:default" cannot list configmaps in the namespace "kube-system"
Solution: Create a service account for Tiller to utilize.
kubectl create serviceaccount --namespace kube-system tiller
kubectl create clusterrolebinding tiller-cluster-rule --clusterrole=cluster-admin --serviceaccount=kube-system:tiller
kubectl patch deploy --namespace kube-system tiller-deploy -p '{"spec":{"template":{"spec":{"serviceAccount":"tiller"}}}}'
helm init --service-account tiller --upgrade
(2) Error: No persistent volumes available for this claim and no storage class is set.
Solution: Most managed Kubernetes deployments do NOT include all possible storage provider variations at setup time. Refer to the official Kubernetes guidance on storage classes for your platform. Three examples are shown below.
-
Amazon EKS
kind: StorageClass apiVersion: storage.k8s.io/v1 metadata: name: aqua-console-db-data provisioner: kubernetes.io/aws-ebs parameters: type: gp2 reclaimPolicy: Retain mountOptions: - debug volumeBindingMode: Immediate
-
Azure AKS
kind: StorageClass apiVersion: storage.k8s.io/v1 metadata: name: slow provisioner: kubernetes.io/azure-disk parameters: storageaccounttype: Standard_LRS kind: Shared
-
Google GKE
kind: StorageClass apiVersion: storage.k8s.io/v1 metadata: name: slow provisioner: kubernetes.io/gce-pd parameters: type: pd-standard replication-type: none
(3) Error: When executing kubectl get events -n aqua
you might encounter one of the following errors:
no persistent volumes available for this claim and no storage class is set or PersistentVolumeClaim is not bound.
Solution: If you encounter this error, you need to create a persistent volume prior to chart installation with a generic or existing storage class, specifying db.persistence.storageClass
in the values.yaml file. A sample file using aqua-storage
is included in the repo.
kubectl apply -f pv-example.yaml
If you encounter any problems, or would like to give us feedback, we encourage you to raise issues here on GitHub. Please contact us at https://github.com/aquasecurity.