adding aqua home volume

README.md

@@ -27,7 +27,7 @@ This repository includes the following charts; they can be deployed separately:
 
 | Chart                               | Description                                                                                                                                                   | Latest Chart Version |
 |-------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------|----------------------|
-| [Server](server/)                   | Deploys the Console, Database, and Gateway components; optionally deploys Envoy component                                                                     | 2022.4.26            |
+| [Server](server/)                   | Deploys the Console, Database, and Gateway components; optionally deploys Envoy component                                                                     | 2022.4.27            |
 | [Enforcer](enforcer/)               | Deploys the Aqua Enforcer daemonset                                                                                                                           | 2022.4.21            |
 | [Scanner](scanner/)                 | Deploys the Aqua Scanner deployment                                                                                                                           | 2022.4.8             |
 | [KubeEnforcer](kube-enforcer/)      | Deploys Aqua KubeEnforcer                                                                                                                                     | 2022.4.47            |
@@ -82,9 +82,9 @@ aqua-helm/cloud-connector       2022.4.4        2022.4          A Helm chart for
 aqua-helm/cyber-center          2022.4.6        2022.4          A Helm chart for Aqua CyberCenter
 aqua-helm/enforcer              2022.4.23       2022.4          A Helm chart for the Aqua Enforcer
 aqua-helm/kube-enforcer         2022.4.48       2022.4          A Helm chart for the Aqua KubeEnforcer Starboard
-aqua-helm/gateway               2022.4.14       2022.4          A Helm chart for the Aqua Gateway
+aqua-helm/gateway               2022.4.15       2022.4          A Helm chart for the Aqua Gateway
 aqua-helm/scanner               2022.4.8        2022.4          A Helm chart for the Aqua Scanner CLI component
-aqua-helm/server                2022.4.26       2022.4          A Helm chart for the Aqua Console components
+aqua-helm/server                2022.4.27       2022.4          A Helm chart for the Aqua Console components
 aqua-helm/tenant-manager        2022.4.1        2022.4          A Helm chart for the Aqua Tenant Manager
 ```
 

gateway/CHANGELOG.md

@@ -1,10 +1,16 @@
 # Changelog
 All notable changes to this project will be documented in this file.
 
+## 2022.4.15 (Oct 8th, 2024)
+* add configurable allowPrivilegeEscalation, allowPrivilegedContainer, readOnlyRootFilesystem
+* defaults stayed the same
+
+## 2022.4.14 (Mar 20th, 2024)
+* Added extra volume mounts
+
 ## 2022.4.13 (Dec 26th, 2023)
 * Added the ability to specify the API version for the PodDisruptionBudget
 
-
 ## 2022.4.12 (Apr 10th, 2023)
 * Change standard name for gateway serviceaccount - PR[#725](https://github.com/aquasecurity/aqua-helm/pull/725)
 

gateway/Chart.yaml

@@ -2,7 +2,7 @@ apiVersion: v1
 appVersion: "2022.4"
 description: A Helm chart for the Aqua Gateway
 name: gateway
-version: "2022.4.14"
+version: "2022.4.15"
 icon: https://avatars3.githubusercontent.com/u/12783832?s=200&v=4
 home: https://www.aquasec.com/
 maintainers:

gateway/templates/gate-deployment.yaml

@@ -123,6 +123,11 @@ spec:
 {{ toYaml . | indent 10 }}
 {{- end }}
         volumeMounts:
+        {{- if .Values.rbac.readOnlyRootFilesystem }}
+        - name: aqua-home
+          mountPath: /home/aqua/data/
+          readOnly: false
+        {{- end }}
 {{- with .Values.extraVolumeMounts }}
   {{- toYaml . | nindent 10 }}
 {{- end }}
@@ -151,6 +156,11 @@ spec:
 {{ toYaml .Values.tolerations | indent 6 }}
       {{- end }}
       volumes:
+      {{- if .Values.rbac.readOnlyRootFilesystem }}
+      - name: aqua-home
+        emptyDir: {}
+      {{- end }}
+
 {{- with .Values.extraVolumes }}
   {{- toYaml . | nindent 6 }}
 {{- end }}

gateway/values.yaml

@@ -8,6 +8,10 @@ imageCredentials:
   password: ""
 
 rbac:
+  enabled: false
+  allowPrivilegeEscalation: false
+  allowPrivilegedContainer: false
+  readOnlyRootFilesystem: true # Use volume mount to set R/O filesystem
   create: false # Enable to create RBAC for gateway chart, when deploying Gateway only
 
 clusterRole:

server/CHANGELOG.md

@@ -1,6 +1,11 @@
 # Changelog
 All notable changes to this project will be documented in this file.
 
+## 2022.4.27 (Oct 8st, 2024)
+* add configurable allowPrivilegeEscalation, allowPrivilegedContainer, readOnlyRootFilesystem
+* defaults stayed the same
+* Changed gateway chart version
+
 ## 2022.4.26 (Jul 29th, 2024)
 * Fix 'volumes' & 'volumeMounts' indentation in job-check-db-upgrade job (SLK-83783)
 * Add AQUA_PUBSUB_DBPASSWORD env variable in job-check-db-upgrade job (SLK-84299)

server/Chart.yaml

@@ -2,10 +2,10 @@ apiVersion: v2
 appVersion: "2022.4"
 description: A Helm chart for the Aqua Console components
 name: server
-version: "2022.4.26"
+version: "2022.4.27"
 dependencies:
   - name: gateway
-    version: "2022.4.13"
+    version: "2022.4.14"
     repository: "https://helm.aquasec.com"
     condition: gateway.enabled
 icon: https://avatars3.githubusercontent.com/u/12783832?s=200&v=4

server/templates/openshift-scc.yaml

@@ -19,8 +19,8 @@ allowHostIPC: false
 allowHostNetwork: false
 allowHostPID: false
 allowHostPorts: false
-allowPrivilegeEscalation: false
-allowPrivilegedContainer: false
+allowPrivilegeEscalation: {{ .Values.gateway.rbac.allowPrivilegeEscalation | default false }}
+allowPrivilegedContainer: {{ .Values.gateway.rbac.allowPrivilegedContainer | default false }}
 apiVersion: security.openshift.io/v1
 defaultAddCapabilities: null
 fsGroup:
@@ -36,7 +36,7 @@ metadata:
     release.openshift.io/create-only: "true"
   name: {{ .Release.Name }}-scc
 priority: null
-readOnlyRootFilesystem: false
+readOnlyRootFilesystem: {{ .Values.gateway.rbac.readOnlyRootFilesystem | default false }}
 requiredDropCapabilities: null
 runAsUser:
   type: MustRunAsNonRoot

server/templates/web-deployment.yaml

@@ -171,6 +171,11 @@ spec:
           mountPath: /etc/ext_db_certs/
           readOnly: true
         {{- end }}
+        {{- if .Values.gateway.rbac.readOnlyRootFilesystem }}
+        - name: aqua-home
+          mountPath: /home/aqua/data
+          readOnly: false
+        {{- end }}
         {{- include "server.additionalCertVolumeMounts" .Values | nindent 8 }}
         resources:
 {{ toYaml .Values.web.resources | indent 12 }}
@@ -202,6 +207,10 @@ spec:
         hostPath:
           path: {{ .Values.dockerSock.path }}
       {{- end }}
+      {{- if .Values.gateway.rbac.readOnlyRootFilesystem }}
+      - name: aqua-home
+        emptyDir: {}
+      {{- end }}
       {{- if .Values.web.TLS.enabled }}
       - name: certs
         secret:

server/values.yaml

@@ -39,7 +39,6 @@ activeactive: ""
 vaultSecret:
   enabled: false          # Enable to true once you have secrets in vault and annotations are enabled to load admin and db passwords from vault
   vaultFilepath: ""       # Change the path to "/vault/secrets/<filename>" as per the setup
-
 # Add hashicorp Vault annotations to enable sidecar/init-container vault agent to load admin and db passwords
 # example annotations for self-hosted vault server:
 vaultAnnotations:
@@ -225,6 +224,9 @@ gateway:
     registry: "registry.aquasec.com"
   rbac:
     enabled: false
+    allowPrivilegeEscalation: false
+    allowPrivilegedContainer: false
+    readOnlyRootFilesystem: true # Use volume mount to set R/O filesystem
   clusterRole:
     roleRef: ""
   platform: