Aqua Security Helm Charts
This topic contains Helm charts and instructions for the deployment and maintenance of Aqua Cloud Native Security (CSP).
CSP deployments include the following components:
- Server (Console, Database, and Gateway)
- Enforcer
- Scanner (optional)
Contents
- Aqua Security Helm Charts
- Deployment instructions
- Additional deployment items
- Troubleshooting
- Support
Helm charts
This repository includes three charts that may be deployed separately:
- Server - deploys the Console, Database, and Gateway components; and (optionally) the Scanner component
- Enforcer - deploys the Enforcer daemonset
- Scanner - deploys the Scanner deployment
Deployment instructions
Follow the steps in this section.
Add Aqua Helm Repository
First, you need to add the Aqua Helm repository to your local Helm repos, instead of cloning this aqua-helm source code repository, by executing the following command:
helm repo add aqua-helm https://helm.aquasec.com
- Search for all components of the latest version in our Aqua Helm repository
helm search aqua-helm
for helm 3.x
helm search repo aqua-helm
Example output:
NAME CHART VERSION APP VERSION DESCRIPTION
aqua-helm/enforcer 4.6.0 4.6 A Helm chart for the Aqua Enforcer
aqua-helm/scanner 4.6.0 4.6 A Helm chart for the aqua scanner cli component
aqua-helm/server 4.6.0 4.6 A Helm chart for the Aqua Console Componants
- Search for all components of a specific version in our Aqua Helm repository
Example: for Version 4.6
helm search aqua-helm -v 4.6
for helm 3.x
helm search repo aqua-helm --version 4.6
- Search for all components:
for helm 3.x
helm search repo aqua-helm --versions
Container registry credentials
The Aqua Server (Console and Gateway) components are available in our private repository, which requires authentication. By default, the charts create a secret based on the values.yaml file.
- Create a new namespace named "aqua":
kubectl create namespace aqua
- Optional: Create the secret:
kubectl create secret docker-registry csp-registry-secret --docker-server="registry.aquasec.com" --namespace aqua --docker-username="[email protected]" --docker-password="Truckin" --docker-email="[email protected]"
PostgreSQL database
Aqua Security recommends implementing a highly-available PostgreSQL database for production use of Aqua CSP.
By default, the console chart will install a PostgreSQL database and attach it to persistent storage; this is recommended only for POC usage and testing.
For production use, you can override this default behavior and specify an existing PostgreSQL database by setting the following variables in values.yaml:
db:
external:
enabled: true
name: example-aquasec
host: aquasec-db
port: 5432
user: aquasec-db-username
password: verysecret
Customize your configuration
The following tables list the configurable parameters for the Server, Enforcer, and Scanner charts.
Change some or all of these parameters per the requirements of your deployment, if the default values are not appropriate.
Server
Parameter | Description | Default |
---|---|---|
imageCredentials.create |
Set if to create new pull image secret | true |
imageCredentials.name |
Your Docker pull image secret name | csp-registry-secret |
imageCredentials.username |
Your Docker registry (DockerHub, etc.) username | N/A |
imageCredentials.password |
Your Docker registry (DockerHub, etc.) password | N/A |
rbac.enabled |
Create a service account and a ClusterRole | false |
rbac.roleRef |
Use an existing ClusterRole | `` |
admin.token |
Use this Aqua license token | N/A |
admin.password |
Use this Aqua admin password | N/A |
activeactive |
change to true to enable active active mode | false |
db.external.enabled |
Use an external database (instead of deploying a Postgres container) | false |
db.external.name |
PostgreSQL DB name | N/A |
db.external.host |
PostgreSQL DB hostname | N/A |
db.external.port |
PostgreSQL DB port | N/A |
db.external.user |
PostgreSQL DB username | N/A |
db.external.password |
PostgreSQL DB password | N/A |
db.image.repository |
Default PostgreSQL Docker image repository | database |
db.image.tag |
Default PostgreSQL Docker image tag | 4.6 |
db.service.type |
Default PostgreSQL service type | ClusterIP |
db.persistence.enabled |
Enable a use of a PostgreSQL PVC | true |
db.persistence.storageClass |
PostgreSQL PVC StorageClass | default |
db.persistence.size |
PostgreSQL PVC volume size | 30Gi |
db.persistence.accessMode |
PostgreSQL PVC volume AccessMode | ReadWriteOnce |
db.resources |
PostgreSQL pod resources | {} |
web.service.type |
Web service type | ClusterIP |
web.ingress.enabled |
Install ingress for the web component | false |
web.image.repository |
Default Web Docker image repository | server |
web.image.tag |
Default Web Docker image tag | 4.6 |
web.ingress.annotations |
Web ingress annotations | {} |
web.ingress.hosts |
Web ingress hosts definition | [] |
web.ingress.tls |
Web ingress TLS | [] |
web.persistence.enabled |
Enable persistent volume for fast scanning cache | true |
web.persistence.storageClass |
Define the storage class if you don't want to use the default storage class | `` |
web.persistence.size |
Size of the persistent volume in Gi | 4 |
web.persistence.accessMode |
Access mode of the persistent volume | ReadWriteOnce |
gate.service.type |
Gateway service type | ClusterIP |
gate.image.repository |
Default Gateway Docker image repository | gate |
gate.image.tag |
Default Gateway Docker image tag | 4.6 |
gate.publicIP |
Default Gateway service public IP | `` |
scanner.enabled |
Enable the Scanner component | false |
scanner.replicaCount |
Number of Scanner replicas to run | 1 |
scanner.user |
Username of the Scanner user assigned to the Scanner role | N/A |
scanner.password |
Password of the Scanner user | N/A |
Enforcer
Parameter | Description | Default |
---|---|---|
imageCredentials.create |
Set if to create new pull image secret | false |
imageCredentials.name |
Your Docker pull image secret name | aqua-image-pull-secret |
imageCredentials.username |
Your Docker registry (DockerHub, etc.) username | N/A |
imageCredentials.password |
Your Docker registry (DockerHub, etc.) password | N/A |
enforcerToken |
Aqua Enforcer token | N/A |
server |
Gateway host name | aqua-gateway |
port |
Gateway port | 3622 |
Scanner
Parameter | Description | Default |
---|---|---|
rbac.enabled |
Create a service account and a ClusterRole | false |
rbac.roleRef |
Use an existing ClusterRole | `` |
admin.token |
Use this Aqua license token | N/A |
admin.password |
Use this Aqua admin password | N/A |
docker.socket.path |
Docker Socket Path | /var/run/docker.sock |
serviceAccount |
Service account to use | csp-sa |
server.serviceName |
Service name of the Aqua Server (console) UI | csp-consul-svc |
server.port |
Service svc port | 8080 |
docker.socket.path |
Docker socket path | /var/run/docker.sock |
docker.socket.path |
Docker socket path | /var/run/docker.sock |
enabled |
Enable the Scanner component | false |
replicaCount |
Number of Scanner replicas to run | 1 |
user |
Username of the Scanner user assigned to the Scanner role | N/A |
password |
Password of the Scanner user | N/A |
Deploy the Helm charts
First, clone the GitHub repository with the charts
git clone https://github.com/aquasecurity/aqua-helm.git
cd aqua-helm/
Optional: Update the Helm charts values.yaml files with your environment's custom values. This eliminates the need to pass the parameters to the helm command. Then run one of the commands below to install the relevant services.
Server chart
helm upgrade --install --namespace aqua csp ./server --set imageCredentials.username=<>,imageCredentials.password=<>,imageCredentials.email=<>
Enforcer chart
helm upgrade --install --namespace aqua csp-enforcer ./enforcer --set imageCredentials.username=<>,imageCredentials.password=<>,imageCredentials.email=<>,enforcerToken=<aquasec-token>
Scanner chart (optional)
helm upgrade --install --namespace aqua scanner ./scanner --set imageCredentials.username=<>,imageCredentials.password=<>,imageCredentials.email=<>
Additional deployment items
High-volume scanner installation
Aqua CSP can deploy a scanner pod that is external to the Aqua Server. This dedicated scanner pod allows the Server to run unprivileged, and provides a high-throughput scan queue anywhere you choose. To install the Scanner alongside the Server components, set the following variables in values.yaml:
scanner:
enabled: true
scanner.replicas: "Set quantity"
Non-public cloud provider deployments (examples)
Creating an ingress to access the Aqua Server
Example: IBM Cloud Private includes a bundled ingress controller. A sample ingress yaml file is included in the repo.
kubectl apply -f ingress-example.yaml
Alternative ingress configuration
Example: The services charts are set to create `ClusterIP' ingress types. You may tune these as appropriate for your environment.
Troubleshooting
This section not all-inclusive. It describes common issues that Aqua Security has encountered during deployments.
(1) Error: UPGRADE/INSTALL FAILED, configmaps is forbidden.
Error: UPGRADE FAILED: configmaps is forbidden: User "system:serviceaccount:kube-system:default" cannot list configmaps in the namespace "kube-system"
Solution: Create a service account for Tiller to utilize.
kubectl create serviceaccount --namespace kube-system tiller
kubectl create clusterrolebinding tiller-cluster-rule --clusterrole=cluster-admin --serviceaccount=kube-system:tiller
kubectl patch deploy --namespace kube-system tiller-deploy -p '{"spec":{"template":{"spec":{"serviceAccount":"tiller"}}}}'
helm init --service-account tiller --upgrade
(2) Error: No persistent volumes available for this claim and no storage class is set.
Solution: Most managed Kubernetes deployments do NOT include all possible storage provider variations at setup time. Refer to the official Kubernetes guidance on storage classes for your platform. Three examples are shown below.
-
Amazon EKS
kind: StorageClass apiVersion: storage.k8s.io/v1 metadata: name: aqua-console-db-data provisioner: kubernetes.io/aws-ebs parameters: type: gp2 reclaimPolicy: Retain mountOptions: - debug volumeBindingMode: Immediate
-
Azure AKS
kind: StorageClass apiVersion: storage.k8s.io/v1 metadata: name: slow provisioner: kubernetes.io/azure-disk parameters: storageaccounttype: Standard_LRS kind: Shared
-
Google GKE
kind: StorageClass apiVersion: storage.k8s.io/v1 metadata: name: slow provisioner: kubernetes.io/gce-pd parameters: type: pd-standard replication-type: none
(3) Error: When executing kubectl get events -n aqua
you might encounter one of the following errors:
no persistent volumes available for this claim and no storage class is set or PersistentVolumeClaim is not bound.
Solution: If you encounter this error, you need to create a persistent volume prior to chart installation with a generic or existing storage class, specifying db.persistence.storageClass
in the values.yaml file. A sample file using aqua-storage
is included in the repo.
kubectl apply -f pv-example.yaml
Support
If you encounter any problems, or would like to give us feedback, we encourage you to raise issues here on GitHub. Please contact us at https://github.com/aquasecurity.