Aqua Security Helm Charts

This topic contains Helm charts and instructions for the deployment and maintenance of Aqua Cloud Native Security (CSP).

CSP deployments include the following components:

• Server (Console, Database, and Gateway)
• Enforcer
• Scanner (optional)

Contents

• Aqua Security Helm Charts
  • Contents
  • Helm charts
• Deployment instructions
  • Add Aqua Helm repository
  • Container registry credentials
  • PostgreSQL database
  • Customize your configuration
    • Server
    • Enforcer
    • Scanner
  • Deploy the Helm charts
    • Server chart
    • Enforcer chart
    • Scanner chart (optional)
• Additional deployment items
  • High-volume scanner installation
  • Non-public cloud provider deployments (examples)
• Troubleshooting
• Support

Helm charts

This repository includes three charts that may be deployed separately:

• Server - deploys the Console, Database, and Gateway components; and (optionally) the Scanner component
• Enforcer - deploys the Enforcer daemonset
• Scanner - deploys the Scanner deployment

Deployment instructions

Follow the steps in this section.

Add Aqua Helm Repository

First, you need to add the Aqua Helm repository to your local Helm repos, instead of cloning this aqua-helm source code repository, by executing the following command:

helm repo add aqua-helm https://helm.aquasec.com

• Search for all components of the latest version in our Aqua Helm repository

helm search aqua-helm

for helm 3.x

helm search repo aqua-helm

Example output:

NAME                  CHART VERSION		    APP VERSION		      DESCRIPTION
aqua-helm/enforcer    4.6.0        			  4.6        				  A Helm chart for the Aqua Enforcer
aqua-helm/scanner 	  4.6.0        			  4.6        				  A Helm chart for the aqua scanner cli component
aqua-helm/server  	  4.6.0        			  4.6        				  A Helm chart for the Aqua Console Componants

• Search for all components of a specific version in our Aqua Helm repository

Example: for Version 4.6

helm search aqua-helm -v 4.6

for helm 3.x

helm search repo aqua-helm --version 4.6

• Search for all components:

for helm 3.x

helm search repo aqua-helm --versions

Container registry credentials

The Aqua Server (Console and Gateway) components are available in our private repository, which requires authentication. By default, the charts create a secret based on the values.yaml file.

1. Create a new namespace named "aqua":

kubectl create namespace aqua

2. Optional: Create the secret:

kubectl create secret docker-registry csp-registry-secret  --docker-server="registry.aquasec.com" --namespace aqua --docker-username="[email protected]" --docker-password="Truckin" --docker-email="[email protected]"

PostgreSQL database

Aqua Security recommends implementing a highly-available PostgreSQL database for production use of Aqua CSP.

By default, the console chart will install a PostgreSQL database and attach it to persistent storage; this is recommended only for POC usage and testing.

For production use, you can override this default behavior and specify an existing PostgreSQL database by setting the following variables in values.yaml:

db:
  external:
    enabled: true
    name: example-aquasec
    host: aquasec-db
    port: 5432
    user: aquasec-db-username
    password: verysecret

Customize your configuration

The following tables list the configurable parameters for the Server, Enforcer, and Scanner charts.

Change some or all of these parameters per the requirements of your deployment, if the default values are not appropriate.

Server

Enforcer

Scanner

Deploy the Helm charts

First, clone the GitHub repository with the charts

git clone https://github.com/aquasecurity/aqua-helm.git
cd aqua-helm/

Optional: Update the Helm charts values.yaml files with your environment's custom values. This eliminates the need to pass the parameters to the helm command. Then run one of the commands below to install the relevant services.

Server chart

helm upgrade --install --namespace aqua csp ./server --set imageCredentials.username=<>,imageCredentials.password=<>,imageCredentials.email=<>

Enforcer chart

helm upgrade --install --namespace aqua csp-enforcer ./enforcer --set imageCredentials.username=<>,imageCredentials.password=<>,imageCredentials.email=<>,enforcerToken=<aquasec-token>

Scanner chart (optional)

helm upgrade --install --namespace aqua scanner ./scanner --set imageCredentials.username=<>,imageCredentials.password=<>,imageCredentials.email=<>

Additional deployment items

High-volume scanner installation

Aqua CSP can deploy a scanner pod that is external to the Aqua Server. This dedicated scanner pod allows the Server to run unprivileged, and provides a high-throughput scan queue anywhere you choose. To install the Scanner alongside the Server components, set the following variables in values.yaml:

scanner:
  enabled: true
scanner.replicas: "Set quantity"

Non-public cloud provider deployments (examples)

Creating an ingress to access the Aqua Server

Example: IBM Cloud Private includes a bundled ingress controller. A sample ingress yaml file is included in the repo.

kubectl apply -f ingress-example.yaml

Alternative ingress configuration

Example: The services charts are set to create `ClusterIP' ingress types. You may tune these as appropriate for your environment.

Troubleshooting

This section not all-inclusive. It describes common issues that Aqua Security has encountered during deployments.

(1) Error: UPGRADE/INSTALL FAILED, configmaps is forbidden.

Error: UPGRADE FAILED: configmaps is forbidden: User "system:serviceaccount:kube-system:default" cannot list configmaps in the namespace "kube-system"

Solution: Create a service account for Tiller to utilize.

kubectl create serviceaccount --namespace kube-system tiller
kubectl create clusterrolebinding tiller-cluster-rule --clusterrole=cluster-admin --serviceaccount=kube-system:tiller
kubectl patch deploy --namespace kube-system tiller-deploy -p '{"spec":{"template":{"spec":{"serviceAccount":"tiller"}}}}'
helm init --service-account tiller --upgrade

(2) Error: No persistent volumes available for this claim and no storage class is set.

Solution: Most managed Kubernetes deployments do NOT include all possible storage provider variations at setup time. Refer to the official Kubernetes guidance on storage classes for your platform. Three examples are shown below.

• Amazon EKS

  kind: StorageClass
  apiVersion: storage.k8s.io/v1
  metadata:
    name: aqua-console-db-data
  provisioner: kubernetes.io/aws-ebs
  parameters:
    type: gp2
  reclaimPolicy: Retain
  mountOptions:
    - debug
  volumeBindingMode: Immediate

• Azure AKS

  kind: StorageClass
  apiVersion: storage.k8s.io/v1
  metadata:
    name: slow
  provisioner: kubernetes.io/azure-disk
  parameters:
    storageaccounttype: Standard_LRS
    kind: Shared

• Google GKE

  kind: StorageClass
  apiVersion: storage.k8s.io/v1
  metadata:
    name: slow
  provisioner: kubernetes.io/gce-pd
  parameters:
    type: pd-standard
  replication-type: none

(3) Error: When executing kubectl get events -n aqua you might encounter one of the following errors: no persistent volumes available for this claim and no storage class is set or PersistentVolumeClaim is not bound.

Solution: If you encounter this error, you need to create a persistent volume prior to chart installation with a generic or existing storage class, specifying db.persistence.storageClass in the values.yaml file. A sample file using aqua-storage is included in the repo.

kubectl apply -f pv-example.yaml

Support

If you encounter any problems, or would like to give us feedback, we encourage you to raise issues here on GitHub. Please contact us at https://github.com/aquasecurity.