Merge pull request #259 from KoppulaRajender/6.0
6.0 | correcting readme | fixing ke secrets bug
rshmiel authored May 4, 2021
2 parents a2b4bbe + 98b8bbb commit b582902
Showing 11 changed files with 122 additions and 63 deletions.
15 changes: 13 additions & 2 deletions enforcer/README.md
Expand Up @@ -24,13 +24,23 @@ These are Helm charts for installation and maintenance of Aqua Container Securit
## Installing the Chart
Follow the steps in this section for production grade deployments. You can either clone aqua-helm git repo or you can add our helm private repository ([https://helm.aquasec.com](https://helm.aquasec.com))

### Installing Aqua Enforcer from Github Repo

* Clone the GitHub repository with the charts

```bash
git clone https://github.com/aquasecurity/aqua-helm.git
git clone -b 6.0 https://github.com/aquasecurity/aqua-helm.git
cd aqua-helm/
```

* Install Aqua Enforcer

```bash
helm upgrade --install --namespace aqua aqua-enforcer ./enforcer --set imageCredentials.username=<>,imageCredentials.password=<>,enforcerToken=<aquasec-token>
```

### Installing Aqua Enforcer from Helm Private Repository

* Add Aqua Helm Repository
```bash
$ helm repo add aqua-helm https://helm.aquasec.com
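Review bot: the new GitHub-repo install command passes `imageCredentials.password=<>` and `enforcerToken=<aquasec-token>` inline via `--set`, which puts both secrets into shell history and `ps` output; suggest showing a values file (`--values`) or `--set-file` for the registry password and the enforcer token and keeping inline `--set` for non-secret settings. Also, "Github Repo" in the new heading should be "GitHub Repo".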
Expand All @@ -39,9 +49,10 @@ $ helm repo add aqua-helm https://helm.aquasec.com
* Install Aqua Enforcer

```bash
helm upgrade --install --namespace aqua aqua-enforcer ./enforcer --set imageCredentials.username=<>,imageCredentials.password=<>,enforcerToken=<aquasec-token>
helm upgrade --install --namespace aqua aqua-enforcer aqua-helm/enforcer --set imageCredentials.username=<>,imageCredentials.password=<>,enforcerToken=<aquasec-token> --version <>
```


## Advanced Configuration

In order to support L7 / gRPC communication between enforcer and envoy it is recommended to follow the detailed steps to enable and deploy a enforcer.
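Review bot: `--version <>` is appended to the Helm-repo install command without saying what belongs there; since the section pins branch `6.0`, state the matching chart version or tell readers to list them with `helm search repo aqua-helm/enforcer --versions`. The unchanged sentence "enable and deploy a enforcer" should read "an enforcer".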
68 changes: 50 additions & 18 deletions kube-enforcer/README.md
Expand Up @@ -71,10 +71,12 @@ Optionally, you can provide these certificates in base64 encoded format as flags

## Deploying the HELM chart

### Installing Aqua Kube-Enforcer from Github Repo

1. Clone the GitHub repository with the charts:

```bash
git clone https://github.com/aquasecurity/kube-enforcer-helm.git
git clone -b 6.0 https://github.com/aquasecurity/kube-enforcer-helm.git
```

2. (Optional) Update the Helm charts `values.yaml` file with your environment's custom values, registry secret, Aqua Server (console) credentials, and TLS certificates. This eliminates the need to pass the parameters to the HELM command. Then run one of the following commands to deploy the relevant services.
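Review bot: this clone command points at `kube-enforcer-helm.git` while every other README in this PR clones `aqua-helm.git` and this file itself lives under `kube-enforcer/` in that repository; confirm which repository readers should clone, and add a `cd` step (the other READMEs have one) so that the `./kube-enforcer` path used by the install command below resolves from the checkout. "Github Repo" should be "GitHub Repo".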
Expand All @@ -96,7 +98,37 @@ Optionally, you can provide these certificates in base64 encoded format as flags
Next, run the following command:
```shell
helm upgrade --install --namespace aqua kube-enforcer ./kube-enforcer --set evs.gatewayAddress="<Aqua_Remote_Gateway_IP/URL>",imageCredentials.username=<registry-username>,imageCredentials.password=<registry-password>
helm upgrade --install --namespace aqua kube-enforcer ./kube-enforcer --set envs.gatewayAddress="<Aqua_Remote_Gateway_IP/URL>",imageCredentials.username=<registry-username>,imageCredentials.password=<registry-password>
```
### Installing Aqua Kube-Enforcer from Helm Private Repository
1. Add Aqua Helm Repository
```bash
$ helm repo add aqua-helm https://helm.aquasec.com
```
2. (Optional) Update the Helm charts `values.yaml` file with your environment's custom values, registry secret, Aqua Server (console) credentials, and TLS certificates. This eliminates the need to pass the parameters to the HELM command. Then run one of the following commands to deploy the relevant services.

3. Choose **either** 3a **or** 3b:

3a. To deploy the KubeEnforcer on the same cluster as the Aqua Server (console), run this command on that cluster:

```shell
helm upgrade --install --namespace aqua kube-enforcer aqua-helm/kube-enforcer
```

3b. Multi-cluster: To deploy the KubeEnforcer in a different cluster:

First, create a namespace on that cluster named `aqua`:
```bash
kubectl create namespace aqua
```
Next, copy the values.yaml content from [Values.yaml](./values.yaml) and make the respective changes then run the following command:

```shell
helm upgrade --install --namespace aqua kube-enforcer aqua-helm/kube-enforcer --values values.yaml --version <>
```

Optional flags:
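Review bot: the `evs.gatewayAddress` to `envs.gatewayAddress` correction is the substantive fix in this hunk and deserves a mention in the commit message: Helm does not reject unknown `--set` keys, so the misspelled key was silently ignored and the KubeEnforcer kept the default `aqua-gateway-svc:8443`, which only resolves on the same cluster as the Server. Two smaller points: the 3a command omits `--version <>` while 3b includes it, and the new heading's "Github" should be "GitHub".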
Expand All @@ -118,22 +150,22 @@ To perform kube-bench scans in the cluster, the KubeEnforcer needs:
## Configurable parameters
| Parameter | Description | Default | Mandatory |
| --------------------------------- | --------------------------------------------------------------------------- | ----------------------- | ----------------------- |
| `imageCredentials.create` | Set to create new pull image secret | `true` | `YES - New cluster` |
| `imageCredentials.name` | Your Docker pull image secret name | `aqua-registry-secret` | `YES - New cluster` |
| `imageCredentials.username` | Your Docker registry (DockerHub, etc.) username | `N/A` | `YES - New cluster` |
| `imageCredentials.password` | Your Docker registry (DockerHub, etc.) password | `N/A` | `YES - New cluster` |
| `aquaSecret.kubeEnforcerToken` | Aqua KubeEnforcer token | `N/A` | `YES` |
| `certsSecret.serverCertificate` | Certificate for TLS authentication with the Kubernetes api-server | `N/A` | `YES` |
| `certsSecret.serverKey` | Certificate key for TLS authentication with the Kubernetes api-server | `N/A` | `YES` |
| `webhooks.caBundle` | Root certificate for TLS authentication with the Kubernetes api-server | `N/A` | `YES` |
| `envs.gatewayAddress` | Gateway host address | `aqua-gateway-svc:8443` | `YES` |
| `existing_secret.enable` | To use existing secret for KE certs | `false` | `NO` |
| `existing_secret.secretName` | existing secret name for KE certs | `N/A` | `NO` |
| `kubeEnforcerAdvance.enable` | Advance Kube Enforcer Deployment | `false` | `NO` |
| `clusterName` | Cluster name of the advance KE deployment | `k8s` | `NO` |
| `clusterID` | Cluster name of the advance KE deployment | `N/A` | `NO` |
| Parameter | Description | Default | Mandatory |
| --------------------------------- | --------------------------------------------------------------------------- | ------------------------- | ----------------------- |
| `imageCredentials.create` | Set to create new pull image secret | `true` | `YES - New cluster` |
| `imageCredentials.name` | Your Docker pull image secret name | `aqua-registry-secret` | `YES - New cluster` |
| `imageCredentials.username` | Your Docker registry (DockerHub, etc.) username | `N/A` | `YES - New cluster` |
| `imageCredentials.password` | Your Docker registry (DockerHub, etc.) password | `N/A` | `YES - New cluster` |
| `aquaSecret.kubeEnforcerToken` | Aqua KubeEnforcer token | `N/A` | `YES` |
| `certsSecret.create` | Set to create new secret for KE certs | `true` | `YES` |
| `certsSecret.name` | Secret name for KE certs | `aqua-kube-enforcer-certs`| `YES` |
| `certsSecret.serverCertificate` | Certificate for TLS authentication with the Kubernetes api-server | `N/A` | `YES` |
| `certsSecret.serverKey` | Certificate key for TLS authentication with the Kubernetes api-server | `N/A` | `YES` |
| `webhooks.caBundle` | Root certificate for TLS authentication with the Kubernetes api-server | `N/A` | `YES` |
| `envs.gatewayAddress` | Gateway host address | `aqua-gateway-svc:8443` | `YES` |
| `kubeEnforcerAdvance.enable` | Advance Kube Enforcer Deployment | `false` | `NO` |
| `kubeEnforcerAdvance.clusterName` | Cluster name of the advance KE deployment | `k8s` | `NO` |
| `kubeEnforcerAdvance.clusterID` | Cluster name of the advance KE deployment | `N/A` | `NO` |
## Issues and feedback
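Review bot: in the rebuilt table `kubeEnforcerAdvance.clusterID` keeps the description "Cluster name of the advance KE deployment", copied from `clusterName`; it should read "Cluster ID". `certsSecret.serverCertificate` and `certsSecret.serverKey` remain Mandatory `YES`, but with `certsSecret.create=false` the Secret template that reads them is skipped, so mark them as required only when `certsSecret.create` is `true`. Dropping the `existing_secret.*` rows is a breaking change for anyone carrying those keys in a values file; a one-line migration note (`existing_secret.secretName` becomes `certsSecret.name` with `certsSecret.create: false`) would prevent silent regressions to a chart-created secret.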
4 changes: 2 additions & 2 deletions kube-enforcer/templates/_helpers.tpl
Expand Up @@ -47,6 +47,6 @@ Create chart name and version as used by the chart label.
{{- printf "%s" (required "A valid .Values.webhooks.caBundle entry required" .Values.webhooks.caBundle) | replace "\n" "" }}
{{- end }}

{{- define "existing_secret" }}
{{- printf "%s" (required "A valid .Values.existing_secret.secretName required" .Values.existing_secret.secretName ) }}
{{- define "certsSecret_name" }}
{{- printf "%s" (required "A valid .Values.certsSecret.name required" .Values.certsSecret.name ) }}
{{- end }}
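Review bot: the renamed helper only wraps `required`, so its whole effect is to abort rendering with that message when `.Values.certsSecret.name` is empty; consider calling it wherever the name is consumed (the Secret's `metadata.name` and the deployment's `secretName`) rather than from a guard block, so no template path can read `.Values.certsSecret.name` directly and bypass the check. Minor: the space before the closing parenthesis in `.Values.certsSecret.name )` is inconsistent with the `webhooks.caBundle` helper above it.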
7 changes: 4 additions & 3 deletions kube-enforcer/templates/kube-enforcer-certs.yaml
@@ -1,4 +1,7 @@
{{- if not .Values.existing_secret.enable }}
{{- if not .Values.certsSecret.name}}
{{ template "certsSecret_name" . }}
{{- end }}
{{- if .Values.certsSecret.create }}
apiVersion: v1
kind: Secret
metadata:
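Review bot: the `{{- if not .Values.certsSecret.name}}` guard exists only because `{{ template "certsSecret_name" . }}` would otherwise print the name into the YAML stream; a form that keeps the `required` check and emits nothing, such as `{{- $_ := required "A valid .Values.certsSecret.name required" .Values.certsSecret.name }}` at the top of the file or using the helper for the Secret's `metadata.name`, avoids the conditional entirely. Also add a space before `}}` on that line to match the other actions in this template.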
Expand All @@ -7,6 +10,4 @@ metadata:
data:
server.crt: {{ template "serverCertificate" . }} # place server cert
server.key: {{ template "serverKey" . }} # place server key
{{- else if not .Values.existing_secret.secretName }}
{{ template "existing_secret" . }}
{{- end }}
4 changes: 0 additions & 4 deletions kube-enforcer/templates/kube-enforcer-deployment.yaml
Expand Up @@ -116,11 +116,7 @@ spec:
volumes:
- name: "certs"
secret:
{{- if .Values.existing_secret.enable }}
secretName: {{ .Values.existing_secret.secretName }}
{{- else }}
secretName: {{ .Values.certsSecret.name }}
{{- end }}
{{- if .Values.kubeEnforcerAdvance.enable }}
- name: "envoy-config"
configMap:
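Review bot: `secretName: {{ .Values.certsSecret.name }}` now renders unconditionally, so an empty value yields `secretName:` with nothing after it and the failure surfaces later, at API validation or pod volume mount, with a far less direct message than the `required` helper produces. Use the new helper here (`secretName: {{ template "certsSecret_name" . }}`) so the check fires exactly where the value is consumed.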
9 changes: 3 additions & 6 deletions kube-enforcer/values.yaml
Expand Up @@ -27,13 +27,10 @@ namespace: "aqua"

logLevel: ""

#enable to true if you want to use existing secret for the cluster
existing_secret:
enable: false
secretName: ""

# Set create to false if you want to use an existing secret for the kube-enforcer certs
certsSecret:
name: aqua-kube-enforcer-certs
create: true
name: aqua-kube-enforcer-certs # If you're using existing certs change the name to existing secret name
serverCertificate: ""
serverKey: ""

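Review bot: the comment on `name` tells readers to point it at an existing secret but not to also set `create: false`; with `create: true` and the name of a pre-existing, unmanaged Secret, `helm install` (or an upgrade that newly adds the Secret to the release) fails with a resource-already-exists error. Suggest a comment such as `# to reuse a secret: set create: false and name: <existing-secret-name>`, and state in the README that the existing secret must carry the `server.crt` and `server.key` keys the deployment mounts.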
18 changes: 15 additions & 3 deletions scanner/README.md
Expand Up @@ -24,24 +24,36 @@ These are Helm charts for installation and maintenance of Aqua Container Securit
## Installing the Chart
Follow the steps in this section for production grade deployments. You can either clone aqua-helm git repo or you can add our helm private repository ([https://helm.aquasec.com](https://helm.aquasec.com))

### Installing Aqua Scanner from Github Repo

* Clone the GitHub repository with the charts

```bash
git clone https://github.com/aquasecurity/aqua-helm.git
git clone -b 6.0 https://github.com/aquasecurity/aqua-helm.git
cd aqua-helm/
```


* Install Aqua

```bash
helm upgrade --install --namespace aqua scanner ./scanner --set imageCredentials.username=<>,imageCredentials.password=<>
```

### Installing Aqua Scanner from Helm Private Repository

* Add Aqua Helm Repository
```bash
$ helm repo add aqua-helm https://helm.aquasec.com
```

* Install Aqua Scanner
* Install Aqua

```bash
helm upgrade --install --namespace aqua scanner ./scanner --set imageCredentials.username=<>,imageCredentials.password=<>,user=<>,password=<>
helm upgrade --install --namespace aqua scanner aqua-helm/scanner --set imageCredentials.username=<>,imageCredentials.password=<> --version <>
```


Before installing scanner chart the recommendation is to create user with scanning permissions, [Link to documentations](https://docs.aquasec.com/docs/add-scanners#section-add-a-scanner-user)

## Configurable Variables
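Review bot: the rewritten Helm-repo install command drops the `user=<>,password=<>` settings the previous line passed, while the unchanged sentence below still tells readers to create a scanner user first; either keep those `--set` keys in the example or say where the scanner user's credentials are supplied (for example a values file), otherwise the link between the user just created and the chart parameters is lost. The bullet also regresses from "Install Aqua Scanner" to the less specific "Install Aqua", and "Github Repo" in the new heading should be "GitHub Repo".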
16 changes: 14 additions & 2 deletions server/README.md
Expand Up @@ -37,13 +37,24 @@ db:
## Installing the Chart
Follow the steps in this section for production grade deployments. You can either clone aqua-helm git repo or you can add our helm private repository ([https://helm.aquasec.com](https://helm.aquasec.com))
### Installing Aqua Web from Github Repo
* Clone the GitHub repository with the charts
```bash
git clone https://github.com/aquasecurity/aqua-helm.git
git clone -b 6.0 https://github.com/aquasecurity/aqua-helm.git
cd aqua-helm/
```


* Install Aqua

```bash
helm upgrade --install --namespace aqua aqua ./server --set imageCredentials.username=<>,imageCredentials.password=<>,platform=<>
```

### Installing Aqua Web from Helm Private Repository

* Add Aqua Helm Repository
```bash
$ helm repo add aqua-helm https://helm.aquasec.com
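Review bot: `platform=<>` is required by the install command but nothing in this hunk lists the accepted values; name them here or point to the Configurable Variables table. The new `### Installing Aqua Web from Github Repo` heading and the `* Clone` bullet follow the preceding paragraph with no blank lines, unlike the other READMEs in this PR, and "Github" should be "GitHub".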
Expand All @@ -52,8 +63,9 @@ $ helm repo add aqua-helm https://helm.aquasec.com
* Install Aqua

```bash
helm upgrade --install --namespace aqua aqua ./server --set imageCredentials.username=<>,imageCredentials.password=<>,platform=<>
helm upgrade --install --namespace aqua aqua aqua-helm/server --set imageCredentials.username=<>,imageCredentials.password=<>,platform=<> --version <>
```

## Advanced Configuration

1. Envoy
3 changes: 1 addition & 2 deletions server/templates/gate-service.yaml
@@ -1,5 +1,4 @@
---

apiVersion: v1
kind: Service
metadata:
Expand Down Expand Up @@ -28,4 +27,4 @@ spec:
{{- if $port.protocol }}
protocol: {{ $port.protocol }}
{{- end }}
{{- end }}
{{- end }}
2 changes: 1 addition & 1 deletion server/values.yaml
Expand Up @@ -135,7 +135,7 @@ gate:
tag: "6.0"
pullPolicy: IfNotPresent
service:
type: ClusterIP
type: ClusterIP #for OCP/OSD environments Can enable gateway to external by changing type to "LoadBalancer"
annotations: {}
ports:
- name: aqua-gate
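Review bot: the new comment recommends switching the gate Service to `LoadBalancer` on OCP/OSD but says nothing about restricting who can reach it; a LoadBalancer publishes the gate port to whatever network the provider's load balancer faces. Pair the comment with a pointer to the standard Kubernetes `loadBalancerSourceRanges` field (if the service template is extended to set it) and to the `annotations` map directly below for provider-specific internal-LB settings. The comment text itself should read "can enable", lowercase, mid-sentence.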
39 changes: 19 additions & 20 deletions tenant-manager/README.md
Expand Up @@ -36,34 +36,33 @@ db:
user: aquasec-db-username
password: verysecret
```
## Installing the Chart
Follow the steps in this section for production-grade deployments. You can either clone the aqua-helm GitHub repo or you can add our private Helm repository ([https://helm.aquasec.com](https://helm.aquasec.com)).
### Installing Aqua Tenant Manager from Github Repo
* Using the GitHub repo
* Clone the GitHub repository with the charts:
a. Clone the GitHub repository with the charts:
```bash
git clone -b 6.0 https://github.com/aquasecurity/aqua-helm.git
cd aqua-helm/
```

```bash
git clone https://github.com/aquasecurity/aqua-helm.git
cd aqua-helm/
```
b. Deploy the Aqua Tenant Manager
* Deploy the Aqua Tenant Manager

```bash
helm upgrade --install --namespace aqua aqua ./tenant-manger --set imageCredentials.username=<>,imageCredentials.password=<>,platform=<>
```
```bash
helm upgrade --install --namespace aqua tenant-manager ./tenant-manger --set imageCredentials.username=<>,imageCredentials.password=<>,platform=<>
```

* Using the Helm Repo
### Installing Aqua Tenant Manager from Helm Private Repository

a. Add the Aqua Helm repository
* Add the Aqua Helm repository

```bash
$ helm repo add aqua-helm https://helm.aquasec.com
```
b. Deploy the Aqua Tenant Manager
```bash
$ helm repo add aqua-helm https://helm.aquasec.com
```
* Deploy the Aqua Tenant Manager

```bash
helm upgrade --install --namespace aqua <release_name> aqua-helm/tenant-manager --set imageCredentials.username=<>,imageCredentials.password=<>,platform=<>
```bash
helm upgrade --install --namespace aqua tenant-manager aqua-helm/tenant-manager --set imageCredentials.username=<>,imageCredentials.password=<>,platform=<> --version <>
```

## Database
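Review bot: the new GitHub-repo install line still references `./tenant-manger` (missing the "a"), the same path typo the removed line carried; this README lives under `tenant-manager/`, so `helm` reports the chart path as not found. Change it to `./tenant-manager`. Renaming the release from `aqua` (and from `<release_name>`) to `tenant-manager` is fine, but the list layout (code fences directly under `* ` bullets with uneven blank lines) should match the enforcer and scanner READMEs updated in this same PR.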
