diff --git a/enforcer/README.md b/enforcer/README.md index 3d0b2dab..4f08f92a 100644 --- a/enforcer/README.md +++ b/enforcer/README.md @@ -24,13 +24,23 @@ These are Helm charts for installation and maintenance of Aqua Container Securit ## Installing the Chart Follow the steps in this section for production grade deployments. You can either clone aqua-helm git repo or you can add our helm private repository ([https://helm.aquasec.com](https://helm.aquasec.com)) +### Installing Aqua Enforcer from Github Repo + * Clone the GitHub repository with the charts ```bash -git clone https://github.com/aquasecurity/aqua-helm.git +git clone -b 6.0 https://github.com/aquasecurity/aqua-helm.git cd aqua-helm/ ``` +* Install Aqua Enforcer + +```bash +helm upgrade --install --namespace aqua aqua-enforcer ./enforcer --set imageCredentials.username=<>,imageCredentials.password=<>,enforcerToken= +``` + +### Installing Aqua Enforcer from Helm Private Repository + * Add Aqua Helm Repository ```bash $ helm repo add aqua-helm https://helm.aquasec.com @@ -39,9 +49,10 @@ $ helm repo add aqua-helm https://helm.aquasec.com * Install Aqua Enforcer ```bash -helm upgrade --install --namespace aqua aqua-enforcer ./enforcer --set imageCredentials.username=<>,imageCredentials.password=<>,enforcerToken= +helm upgrade --install --namespace aqua aqua-enforcer aqua-helm/enforcer --set imageCredentials.username=<>,imageCredentials.password=<>,enforcerToken= --version <> ``` + ## Advanced Configuration In order to support L7 / gRPC communication between enforcer and envoy it is recommended to follow the detailed steps to enable and deploy a enforcer. diff --git a/kube-enforcer/README.md b/kube-enforcer/README.md index aba3c79a..ac8c46a5 100644 --- a/kube-enforcer/README.md +++ b/kube-enforcer/README.md 
@@ -71,10 +71,12 @@ Optionally, you can provide these certificates in base64 encoded format as flags ## Deploying the HELM chart +### Installing Aqua Kube-Enforcer from Github Repo + 1. Clone the GitHub repository with the charts: ```bash - git clone https://github.com/aquasecurity/kube-enforcer-helm.git + git clone -b 6.0 https://github.com/aquasecurity/kube-enforcer-helm.git ``` 2. (Optional) Update the Helm charts `values.yaml` file with your environment's custom values, registry secret, Aqua Server (console) credentials, and TLS certificates. This eliminates the need to pass the parameters to the HELM command. Then run one of the following commands to deploy the relevant services. 
@@ -96,7 +98,37 @@ Optionally, you can provide these certificates in base64 encoded format as flags Next, run the following command: ```shell - helm upgrade --install --namespace aqua kube-enforcer ./kube-enforcer --set evs.gatewayAddress="",imageCredentials.username=,imageCredentials.password= + helm upgrade --install --namespace aqua kube-enforcer ./kube-enforcer --set envs.gatewayAddress="",imageCredentials.username=,imageCredentials.password= + ``` + +### Installing Aqua Kube-Enforcer from Helm Private Repository + +1. Add Aqua Helm Repository + + ```bash + $ helm repo add aqua-helm https://helm.aquasec.com + ``` + +2. (Optional) Update the Helm charts `values.yaml` file with your environment's custom values, registry secret, Aqua Server (console) credentials, and TLS certificates. This eliminates the need to pass the parameters to the HELM command. Then run one of the following commands to deploy the relevant services. + +3. Choose **either** 3a **or** 3b: + + 3a. To deploy the KubeEnforcer on the same cluster as the Aqua Server (console), run this command on that cluster: + + ```shell + helm upgrade --install --namespace aqua kube-enforcer aqua-helm/kube-enforcer + ``` + + 3b. Multi-cluster: To deploy the KubeEnforcer in a different cluster: + + First, create a namespace on that cluster named `aqua`: + ```bash + kubectl create namespace aqua + ``` + Next, copy the values.yaml content from [Values.yaml](./values.yaml) and make the respective changes then run the following command: + + ```shell + helm upgrade --install --namespace aqua kube-enforcer aqua-helm/kube-enforcer --values values.yaml --version <> ``` Optional flags: 
@@ -118,22 +150,22 @@ To perform kube-bench scans in the cluster, the KubeEnforcer needs: ## Configurable parameters -| Parameter | Description | Default | Mandatory | -| --------------------------------- | --------------------------------------------------------------------------- | ----------------------- | ----------------------- | -| `imageCredentials.create` | Set to create new pull image secret | `true` | `YES - New cluster` | -| `imageCredentials.name` | Your Docker pull image secret name | `aqua-registry-secret` | `YES - New cluster` | -| `imageCredentials.username` | Your Docker registry (DockerHub, etc.) username | `N/A` | `YES - New cluster` | -| `imageCredentials.password` | Your Docker registry (DockerHub, etc.) password | `N/A` | `YES - New cluster` | -| `aquaSecret.kubeEnforcerToken` | Aqua KubeEnforcer token | `N/A` | `YES` | -| `certsSecret.serverCertificate` | Certificate for TLS authentication with the Kubernetes api-server | `N/A` | `YES` | -| `certsSecret.serverKey` | Certificate key for TLS authentication with the Kubernetes api-server | `N/A` | `YES` | -| `webhooks.caBundle` | Root certificate for TLS authentication with the Kubernetes api-server | `N/A` | `YES` | -| `envs.gatewayAddress` | Gateway host address | `aqua-gateway-svc:8443` | `YES` | -| `existing_secret.enable` | To use existing secret for KE certs | `false` | `NO` | -| `existing_secret.secretName` | existing secret name for KE certs | `N/A` | `NO` | -| `kubeEnforcerAdvance.enable` | Advance Kube Enforcer Deployment | `false` | `NO` | -| `clusterName` | Cluster name of the advance KE deployment | `k8s` | `NO` | -| `clusterID` | Cluster name of the advance KE deployment | `N/A` | `NO` | +| Parameter | Description | Default | Mandatory | +| --------------------------------- | --------------------------------------------------------------------------- | ------------------------- | ----------------------- | +| `imageCredentials.create` | Set to create new pull image secret | `true` | 
`YES - New cluster` | +| `imageCredentials.name` | Your Docker pull image secret name | `aqua-registry-secret` | `YES - New cluster` | +| `imageCredentials.username` | Your Docker registry (DockerHub, etc.) username | `N/A` | `YES - New cluster` | +| `imageCredentials.password` | Your Docker registry (DockerHub, etc.) password | `N/A` | `YES - New cluster` | +| `aquaSecret.kubeEnforcerToken` | Aqua KubeEnforcer token | `N/A` | `YES` | +| `certsSecret.create` | Set to create new secret for KE certs | `true` | `YES` | +| `certsSecret.name` | Secret name for KE certs | `aqua-kube-enforcer-certs`| `YES` | +| `certsSecret.serverCertificate` | Certificate for TLS authentication with the Kubernetes api-server | `N/A` | `YES` | +| `certsSecret.serverKey` | Certificate key for TLS authentication with the Kubernetes api-server | `N/A` | `YES` | +| `webhooks.caBundle` | Root certificate for TLS authentication with the Kubernetes api-server | `N/A` | `YES` | +| `envs.gatewayAddress` | Gateway host address | `aqua-gateway-svc:8443` | `YES` | +| `kubeEnforcerAdvance.enable` | Advance Kube Enforcer Deployment | `false` | `NO` | +| `kubeEnforcerAdvance.clusterName` | Cluster name of the advance KE deployment | `k8s` | `NO` | +| `kubeEnforcerAdvance.clusterID` | Cluster name of the advance KE deployment | `N/A` | `NO` | ## Issues and feedback diff --git a/kube-enforcer/templates/_helpers.tpl b/kube-enforcer/templates/_helpers.tpl index d145a698..0a233a20 100644 --- a/kube-enforcer/templates/_helpers.tpl +++ b/kube-enforcer/templates/_helpers.tpl 
@@ -47,6 +47,6 @@ Create chart name and version as used by the chart label. {{- printf "%s" (required "A valid .Values.webhooks.caBundle entry required" .Values.webhooks.caBundle) | replace "\n" "" }} {{- end }} -{{- define "existing_secret" }} -{{- printf "%s" (required "A valid .Values.existing_secret.secretName required" .Values.existing_secret.secretName ) }} +{{- define "certsSecret_name" }} +{{- printf "%s" (required "A valid .Values.certsSecret.name required" .Values.certsSecret.name ) }} {{- end }} diff --git a/kube-enforcer/templates/kube-enforcer-certs.yaml b/kube-enforcer/templates/kube-enforcer-certs.yaml index 43d4cc76..2d8b6831 100644 --- a/kube-enforcer/templates/kube-enforcer-certs.yaml +++ b/kube-enforcer/templates/kube-enforcer-certs.yaml @@ -1,4 +1,7 @@ -{{- if not .Values.existing_secret.enable }} +{{- if not .Values.certsSecret.name}} +{{ template "certsSecret_name" . }} +{{- end }} +{{- if .Values.certsSecret.create }} apiVersion: v1 kind: Secret metadata: @@ -7,6 +10,4 @@ metadata: data: server.crt: {{ template "serverCertificate" . }} # place server cert server.key: {{ template "serverKey" . }} # place server key -{{- else if not .Values.existing_secret.secretName }} -{{ template "existing_secret" . }} {{- end }} diff --git a/kube-enforcer/templates/kube-enforcer-deployment.yaml b/kube-enforcer/templates/kube-enforcer-deployment.yaml index 6ad0b7fc..66634559 100644 --- a/kube-enforcer/templates/kube-enforcer-deployment.yaml +++ b/kube-enforcer/templates/kube-enforcer-deployment.yaml @@ -116,11 +116,7 @@ spec: volumes: - name: "certs" secret: -{{- if .Values.existing_secret.enable }} - secretName: {{ .Values.existing_secret.secretName }} -{{- else }} secretName: {{ .Values.certsSecret.name }} -{{- end }} {{- if .Values.kubeEnforcerAdvance.enable }} - name: "envoy-config" configMap: diff --git a/kube-enforcer/values.yaml b/kube-enforcer/values.yaml index d9fb5271..b2b3b6fd 100644 --- a/kube-enforcer/values.yaml +++ b/kube-enforcer/values.yaml 
@@ -27,13 +27,10 @@ namespace: "aqua" logLevel: "" -#enable to true if you want to use existing secret for the cluster -existing_secret: - enable: false - secretName: "" - +# Set create to false if you want to use an existing secret for the kube-enforcer certs certsSecret: - name: aqua-kube-enforcer-certs + create: true + name: aqua-kube-enforcer-certs # If you're using existing certs change the name to existing secret name serverCertificate: "" serverKey: "" diff --git a/scanner/README.md b/scanner/README.md index 3afaae3c..cc7258a2 100644 --- a/scanner/README.md +++ b/scanner/README.md 
@@ -24,24 +24,36 @@ These are Helm charts for installation and maintenance of Aqua Container Securit ## Installing the Chart Follow the steps in this section for production grade deployments. You can either clone aqua-helm git repo or you can add our helm private repository ([https://helm.aquasec.com](https://helm.aquasec.com)) +### Installing Aqua Scanner from Github Repo + * Clone the GitHub repository with the charts ```bash -git clone https://github.com/aquasecurity/aqua-helm.git +git clone -b 6.0 https://github.com/aquasecurity/aqua-helm.git cd aqua-helm/ ``` + +* Install Aqua + +```bash +helm upgrade --install --namespace aqua scanner ./scanner --set imageCredentials.username=<>,imageCredentials.password=<> +``` + +### Installing Aqua Scanner from Helm Private Repository + * Add Aqua Helm Repository ```bash $ helm repo add aqua-helm https://helm.aquasec.com ``` -* Install Aqua Scanner +* Install Aqua ```bash -helm upgrade --install --namespace aqua scanner ./scanner --set imageCredentials.username=<>,imageCredentials.password=<>,user=<>,password=<> +helm upgrade --install --namespace aqua scanner aqua-helm/scanner --set imageCredentials.username=<>,imageCredentials.password=<> --version <> ``` + Before installing scanner chart the recommendation is to create user with scanning permissions, [Link to documentations](https://docs.aquasec.com/docs/add-scanners#section-add-a-scanner-user) ## Configurable Variables diff --git a/server/README.md b/server/README.md index 20286ff9..2f4aae51 100644 --- a/server/README.md +++ b/server/README.md 
@@ -37,13 +37,24 @@ db: ## Installing the Chart Follow the steps in this section for production grade deployments. You can either clone aqua-helm git repo or you can add our helm private repository ([https://helm.aquasec.com](https://helm.aquasec.com)) +### Installing Aqua Web from Github Repo + * Clone the GitHub repository with the charts ```bash -git clone https://github.com/aquasecurity/aqua-helm.git +git clone -b 6.0 https://github.com/aquasecurity/aqua-helm.git cd aqua-helm/ ``` + +* Install Aqua + +```bash +helm upgrade --install --namespace aqua aqua ./server --set imageCredentials.username=<>,imageCredentials.password=<>,platform=<> +``` + +### Installing Aqua Web from Helm Private Repository + * Add Aqua Helm Repository ```bash $ helm repo add aqua-helm https://helm.aquasec.com @@ -52,8 +63,9 @@ $ helm repo add aqua-helm https://helm.aquasec.com * Install Aqua ```bash -helm upgrade --install --namespace aqua aqua ./server --set imageCredentials.username=<>,imageCredentials.password=<>,platform=<> +helm upgrade --install --namespace aqua aqua aqua-helm/server --set imageCredentials.username=<>,imageCredentials.password=<>,platform=<> --version <> ``` + ## Advanced Configuration 1. Envoy diff --git a/server/templates/gate-service.yaml b/server/templates/gate-service.yaml index d96815ec..f604e377 100644 --- a/server/templates/gate-service.yaml +++ b/server/templates/gate-service.yaml @@ -1,5 +1,4 @@ --- - apiVersion: v1 kind: Service metadata: @@ -28,4 +27,4 @@ spec: {{- if $port.protocol }} protocol: {{ $port.protocol }} {{- end }} - {{- end }} \ No newline at end of file + {{- end }} diff --git a/server/values.yaml b/server/values.yaml index 0608dad1..516f1a53 100644 --- a/server/values.yaml +++ b/server/values.yaml @@ -135,7 +135,7 @@ gate: tag: "6.0" pullPolicy: IfNotPresent service: - type: ClusterIP + type: ClusterIP #for OCP/OSD environments Can enable gateway to external by changing type to "LoadBalancer" annotations: {} ports: - name: aqua-gate 
diff --git a/tenant-manager/README.md b/tenant-manager/README.md index 83868b97..7b9387aa 100644 --- a/tenant-manager/README.md +++ b/tenant-manager/README.md @@ -36,34 +36,33 @@ db: user: aquasec-db-username password: verysecret ``` -## Installing the Chart -Follow the steps in this section for production-grade deployments. You can either clone the aqua-helm GitHub repo or you can add our private Helm repository ([https://helm.aquasec.com](https://helm.aquasec.com)). +### Installing Aqua Tenant Manager from Github Repo -* Using the GitHub repo +* Clone the GitHub repository with the charts: - a. Clone the GitHub repository with the charts: +```bash +git clone -b 6.0 https://github.com/aquasecurity/aqua-helm.git +cd aqua-helm/ +``` - ```bash - git clone https://github.com/aquasecurity/aqua-helm.git - cd aqua-helm/ - ``` - b. Deploy the Aqua Tenant Manager +* Deploy the Aqua Tenant Manager - ```bash - helm upgrade --install --namespace aqua aqua ./tenant-manger --set imageCredentials.username=<>,imageCredentials.password=<>,platform=<> - ``` +```bash +helm upgrade --install --namespace aqua tenant-manager ./tenant-manger --set imageCredentials.username=<>,imageCredentials.password=<>,platform=<> +``` -* Using the Helm Repo +### Installing Aqua Tenant Manager from Helm Private Repository - a. Add the Aqua Helm repository +* Add the Aqua Helm repository - ```bash - $ helm repo add aqua-helm https://helm.aquasec.com - ``` - b. Deploy the Aqua Tenant Manager +```bash +$ helm repo add aqua-helm https://helm.aquasec.com +``` +* Deploy the Aqua Tenant Manager - ```bash - helm upgrade --install --namespace aqua aqua-helm/tenant-manager --set imageCredentials.username=<>,imageCredentials.password=<>,platform=<> +```bash + helm upgrade --install --namespace aqua tenant-manager aqua-helm/tenant-manager --set imageCredentials.username=<>,imageCredentials.password=<>,platform=<> --version <> +``` ## Database
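Review bot: In enforcer/README.md hunk @@ -24,13, the new "Install Aqua Enforcer" command leaves `enforcerToken=` with no value and no placeholder while every other parameter uses `<>`; write it as `enforcerToken=<>` so readers do not copy an empty token into the release. The `### Installing Aqua Enforcer from Github Repo` heading should also read "GitHub" to match the "Clone the GitHub repository" bullet right below it (the same heading spelling recurs in the kube-enforcer, scanner, server and tenant-manager hunks).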
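Review bot: In enforcer/README.md hunk @@ -39,9, `--version <>` gives no hint which chart version goes with the `6.0` branch pinned in the clone step; either name the matching chart version in the text or tell the reader to list available versions with `helm search repo aqua-helm/enforcer --versions` before filling in the placeholder.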
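Review bot: In kube-enforcer/README.md hunk @@ -96,7, step 3a (`helm upgrade --install --namespace aqua kube-enforcer aqua-helm/kube-enforcer`) has no `--version <>` while step 3b and the other charts' Helm-repo commands do; add it so both paths pin the same chart version. The `[Values.yaml](./values.yaml)` link in 3b points into the git checkout, which a reader following the Helm-repo path never cloned; suggest `helm show values aqua-helm/kube-enforcer > values.yaml` instead. The `evs.gatewayAddress` to `envs.gatewayAddress` fix is correct and now matches the parameter table.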
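Review bot: In the kube-enforcer/README.md parameter table hunk @@ -118,22, the description of `kubeEnforcerAdvance.clusterID` ("Cluster name of the advance KE deployment") is a copy of the `clusterName` row; it should describe the cluster ID, and "Advance" should read "Advanced" in both rows. `certsSecret.create` is marked `YES` mandatory although it defaults to `true`, and `certsSecret.serverCertificate` / `certsSecret.serverKey` stay `YES` even though the values.yaml hunk says they are bypassed when `create` is `false`; a qualifier such as `YES - when certsSecret.create is true` would be accurate. The rename of `clusterName` / `clusterID` to `kubeEnforcerAdvance.clusterName` / `kubeEnforcerAdvance.clusterID` has no matching template or values.yaml change in this patch, so please confirm the templates actually read the nested keys.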
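Review bot: In kube-enforcer/templates/_helpers.tpl hunk @@ -47,6, `certsSecret_name` mixes snake_case into a file whose other helpers (`serverCertificate`, `serverKey`) are camelCase; `certsSecretName` would be consistent. Since the helper's only job is the `required` check, consider whether a helper is needed at all (see the comment on kube-enforcer-certs.yaml).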
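Review bot: In kube-enforcer/templates/kube-enforcer-certs.yaml hunk @@ -1,4, the `{{- if not .Values.certsSecret.name}}` / `{{ template "certsSecret_name" . }}` pair is an indirect way to fail on an empty name: the template's `required` already aborts when the value is empty, so the guard exists only to suppress output when it is set. A single line such as `{{- $_ := required "A valid .Values.certsSecret.name required" .Values.certsSecret.name }}` does the same without the helper; also note the missing space before `}}` in `.name}}`. Separately, when `certsSecret.create` is `false` nothing checks that the referenced secret exists, so a typo in `certsSecret.name` only surfaces as a pod stuck mounting the `certs` volume; worth a sentence in the README or values.yaml comment.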
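Review bot: In kube-enforcer/values.yaml hunk @@ -27,13, the comment on `name:` is now the only documentation of the existing-secret path; extend it to say that such a secret must contain the `server.crt` and `server.key` keys the generated Secret uses (visible in the kube-enforcer-certs.yaml hunk) and that `serverCertificate` / `serverKey` are ignored when `create: false`. Otherwise a user who supplies a secret with differently named keys gets a running pod with an empty certs mount.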
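Review bot: In scanner/README.md hunk @@ -24,24, `user=<>,password=<>` is dropped from the install command, yet the following sentence still tells the reader to create a user with scanning permissions; say where those credentials are now supplied (for example which `values.yaml` keys), otherwise the instruction is left dangling. The bullet rename from "Install Aqua Scanner" to "Install Aqua" loses precision in a README that is about the scanner; keep the original wording. The "Before installing scanner chart..." recommendation should also move above the install commands, since it describes a prerequisite.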
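Review bot: In server/values.yaml hunk @@ -135,7, the new comment on `type: ClusterIP` needs rewording ("for OCP/OSD environments Can enable gateway to external by changing type to "LoadBalancer"") and should state the consequence: switching to `LoadBalancer` exposes the `aqua-gate` port listed under `ports:` outside the cluster. Suggest: `# ClusterIP by default; set to "LoadBalancer" only if remote enforcers must reach the gateway from outside the cluster, and restrict sources with loadBalancerSourceRanges`.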
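Review bot: In tenant-manager/README.md hunk @@ -36,34, the `## Installing the Chart` heading and its intro paragraph are deleted, so the two new `###` subsections now fall under the preceding database section; the enforcer, scanner and server hunks keep their H2 and only add H3s beneath it, and this README should do the same. The `./tenant-manger` path typo is carried into the new `+` line; it should be `./tenant-manager`. The final fenced command also has a leading space inside the fence that the other blocks do not, which renders as an indented line.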