Update Helm to 4.0 and to support pks and unprivileged and more
nissim committed Feb 21, 2019
1 parent 34ea9a2 commit 130f39a
Showing 18 changed files with 343 additions and 63 deletions.
72 changes: 52 additions & 20 deletions README.md
Original file line number Diff line number Diff line change
@@ -4,12 +4,34 @@

These are Helm charts for installation and maintenance of Aqua Container Security Platform Console, Database, Gateway, Scanner, and Enforcer components.

## Contents

- [Aqua Security Helm Charts](#aqua-security-helm-charts)
- [Contents](#contents)
- [Chart Details](#chart-details)
- [Prerequisites](#prerequisites)
- [Container Registry Credentials](#container-registry-credentials)
- [PostgreSQL database](#postgresql-database)
- [High-Volume Scanner Installation](#high-volume-scanner-installation)
- [Helm Customizations / Troubleshooting](#helm-customizations--troubleshooting)
- [Non-public cloud provider deployments](#non-public-cloud-provider-deployments)
- [Installing the Charts](#installing-the-charts)
- [Server (console)](#server-console)
- [Enforcer](#enforcer)
- [Scanner](#scanner)
- [Configurable Variables](#configurable-variables)
- [Console](#console)
- [Enforcer](#enforcer-1)
- [Scanner](#scanner-1)
- [Issues and feedback](#issues-and-feedback)

## Chart Details

This repository includes two charts that may be deployed separately:

* [**Server**](server/) - deploys the Console, Gateway, and Database components, and optionally the Scanner component
* [**Enforcer**](enforcer/) - deploys the Enforcer daemonset
* [**Scanner**](scanner/) - deploys the aqua scanner cli deployment

## Prerequisites

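Review bot: the sentence "This repository includes two charts that may be deployed separately:" is now wrong, since the list below it has three entries (Server, Enforcer, Scanner); change "two" to "three". While here, the Scanner bullet reads "deploys the aqua scanner cli deployment"; "deploys the Scanner-CLI component as a Deployment" matches the wording used for the other two bullets and for `scanner.enabled` in the Console table.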
@@ -23,7 +45,7 @@ First, create a new namespace named "aqua":
kubectl create namespace aqua
```

Next, create the secret:
Next, **(Optional)** create the secret:

```bash
kubectl create secret docker-registry csp-registry-secret --docker-server="registry.aquasec.com" --namespace aqua --docker-username="[email protected]" --docker-password="Truckin" --docker-email="[email protected]"
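Review bot: marking the secret step as (Optional) without saying when it can be skipped leaves the reader guessing; state that the manual `kubectl create secret` is only needed when `imageCredentials.create` is `false` and the chart is expected to find an existing secret named by `imageCredentials.name` (default `csp-registry-secret`), and that with `imageCredentials.create=true` the chart creates the pull secret itself from `imageCredentials.username`/`password`/`email`. The example command also carries a password literal ("Truckin"); replace it with an obvious placeholder such as `<registry-password>` so readers do not copy a value that looks real into their shell history.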
@@ -159,6 +181,12 @@ helm upgrade --install --namespace aqua csp ./server --set imageCredentials.user
helm upgrade --install --namespace aqua csp-enforcer ./enforcer --set imageCredentials.username=<>,imageCredentials.password=<>,imageCredentials.email=<>,enforcerToken=<aquasec-token>
```

### Scanner

```bash
helm upgrade --install --namespace aqua scanner ./scanner --set imageCredentials.username=<>,imageCredentials.password=<>,imageCredentials.email=<>
```

## Configurable Variables

The following table lists the configurable parameters of the Console and Enforcer charts with their default values.
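Review bot: the new Scanner install command fails as written, because scanner-deployment.yaml wraps `.Values.user` and `.Values.password` in `required` and this command sets neither; add `--set user=<scanner-user>,password=<scanner-password>`. Also, scanner/values.yaml defaults `imageCredentials.create` to `false`, so the `imageCredentials.username/password/email` settings passed here have no effect unless `imageCredentials.create=true` is set as well; either add that or drop the unused settings from the example. The intro sentence below ("parameters of the Console and Enforcer charts") should also mention the Scanner chart now that it has its own section.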
@@ -169,21 +197,21 @@ The following table lists the configurable parameters of the Console and Enforce
| --------------------------------- | ------------------------------------ | ---------------------------------------------------------------------------- |
| `imageCredentials.create` | Set if to create new pull image secret | `true` |
| `imageCredentials.name` | Your Docker pull image secret name | `csp-registry-secret` |
| `imageCredentials.username` | Your Docker registry (DockerHub, etc.) username | N/A |
| `imageCredentials.password` | Your Docker registry (DockerHub, etc.) password | N/A |
| `imageCredentials.email` | Your Docker registry (DockerHub, etc.) email | N/A |
| `imageCredentials.username` | Your Docker registry (DockerHub, etc.) username | `N/A` |
| `imageCredentials.password` | Your Docker registry (DockerHub, etc.) password | `N/A` |
| `imageCredentials.email` | Your Docker registry (DockerHub, etc.) email | `N/A` |
| `rbac.enabled` | Create a service account and a ClusterRole | `false` |
| `rbac.roleRef` | Use an existing ClusterRole | `` |
| `admin.token` | Use this Aqua license token | N/A |
| `admin.password` | Use this Aqua admin password | N/A |
| `admin.token` | Use this Aqua license token | `N/A` |
| `admin.password` | Use this Aqua admin password | `N/A` |
| `db.external.enabled` | Avoid installing a Postgres container and use an external database instead | `false` |
| `db.external.name` | PostgreSQL DB name | N/A |
| `db.external.host` | PostgreSQL DB hostname | N/A |
| `db.external.port` | PostgreSQL DB port | N/A |
| `db.external.user` | PostgreSQL DB username | N/A |
| `db.external.password` | PostgreSQL DB password | N/A |
| `db.external.name` | PostgreSQL DB name | ``N/A`` |
| `db.external.host` | PostgreSQL DB hostname | ``N/A`` |
| `db.external.port` | PostgreSQL DB port | `N/A` |
| `db.external.user` | PostgreSQL DB username | `N/A` |
| `db.external.password` | PostgreSQL DB password | `N/A` |
| `db.image.repository` | Default PostgreSQL Docker image repository | `database` |
| `db.image.tag` | Default PostgreSQL Docker image tag | `3.5` |
| `db.image.tag` | Default PostgreSQL Docker image tag | `4.0` |
| `db.service.type` | Default PostgreSQL service type | `ClusterIP` |
| `db.persistence.enabled` | Enable a use of a PostgreSQL PVC | `true` |
| `db.persistence.storageClass` | PostgreSQL PVC StorageClass | `default` |
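Review bot: the N/A cells are formatted inconsistently: `db.external.name` and `db.external.host` use double backticks (``N/A``) while every other row uses a single pair; use one style. Since `N/A` here means "no default, must be supplied", consider writing the Default column as `(required)` for `admin.token`, `admin.password` and the `db.external.*` connection values so the reader knows the install will not proceed without them.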
@@ -193,18 +221,18 @@ The following table lists the configurable parameters of the Console and Enforce
| `web.service.type` | Web service type | `ClusterIP` |
| `web.ingress.enabled` | Install ingress for the web component | `false` |
| `web.image.repository` | Default Web Docker image repository | `server` |
| `web.image.tag` | Default Web Docker image tag | `3.5` |
| `web.image.tag` | Default Web Docker image tag | `4.0` |
| `web.ingress.annotations` | Web ingress annotations | `{}` |
| `web.ingress.hosts` | Web ingress hosts definition | `[]` |
| `web.ingress.tls` | Web ingress tls | `[]` |
| `gate.service.type` | Gate service type | `ClusterIP` |
| `gate.image.repository` | Default Gate Docker image repository | `gate` |
| `gate.image.tag` | Default Gate Docker image tag | `3.5` |
| `gate.image.tag` | Default Gate Docker image tag | `4.0` |
| `gate.publicIP` | Default Gate service public IP | `` |
| `scanner.enabled` | Enable the Scanner-CLI component | `false` |
| `scanner.replicas` | Number of Scanner-CLI replicas to run | `1` |
| `scanner.user` | Username for the scanner user assigned to the Scanner role | N/A |
| `scanner.password` | Password for scanner user | N/A |
| `scanner.user` | Username for the scanner user assigned to the Scanner role | `N/A` |
| `scanner.password` | Password for scanner user | `N/A` |


### Enforcer
@@ -213,13 +241,17 @@ The following table lists the configurable parameters of the Console and Enforce
| --------------------------------- | ------------------------------------ | ---------------------------------------------------------------------------- |
| `imageCredentials.create` | Set if to create new pull image secret | `false` |
| `imageCredentials.name` | Your Docker pull image secret name | `aqua-image-pull-secret` |
| `imageCredentials.username` | Your Docker registry (DockerHub, etc.) username | N/A |
| `imageCredentials.password` | Your Docker registry (DockerHub, etc.) password | N/A |
| `imageCredentials.email` | Your Docker registry (DockerHub, etc.) email | N/A |
| `enforcerToken` | Aqua Enforcer token | N/A |
| `imageCredentials.username` | Your Docker registry (DockerHub, etc.) username | `N/A` |
| `imageCredentials.password` | Your Docker registry (DockerHub, etc.) password | `N/A` |
| `imageCredentials.email` | Your Docker registry (DockerHub, etc.) email | `N/A` |
| `enforcerToken` | Aqua Enforcer token | `N/A` |
| `server` | Gateway host name | `aqua-gateway` |
| `port` | Gateway port | `3622` |


### Scanner


## Issues and feedback

If you encounter any problems or would like to give us feedback on deployments, we encourage you to raise issues here on GitHub.
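Review bot: the new `### Scanner` section under Configurable Variables is empty. Document the values the scanner chart actually reads from scanner/values.yaml: `user` and `password` (both `required` by the template), `serviceAccount`, `server.serviceName`, `server.port`, `docker.socket.path` (with the PKS path given in the values comment), `image.repository`/`image.tag`/`image.pullPolicy`, `replicaCount`, `nodeSelector`, `tolerations` and `affinity`. The Enforcer table is also missing the two values this commit adds to enforcer/values.yaml, `privileged` (default `true`) and `tolerations` (default `[]`); without a row for `privileged`, a user who wants the unprivileged mode this commit introduces has no way to find the switch.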
27 changes: 27 additions & 0 deletions enforcer/templates/enforcer-daemonset.yaml
@@ -11,6 +11,10 @@ metadata:
spec:
template:
metadata:
annotations:
{{- if and (.Values.tolerations) (semverCompare "<1.6-0" .Capabilities.KubeVersion.GitVersion) }}
scheduler.alpha.kubernetes.io/tolerations: '{{ toJson .Values.tolerations }}'
{{- end }}
labels:
app: {{ .Release.Name }}-ds
name: {{ .Release.Name }}-ds
@@ -21,8 +25,27 @@ spec:
- name: enforcer
image: "{{ .Values.imageCredentials.repositoryUriPrefix }}/{{ .Values.image.repository }}:{{ .Values.image.tag }}"
imagePullPolicy: "{{ .Values.image.pullPolicy }}"
{{- if .Values.privileged }}
securityContext:
privileged: true
{{- else }}
securityContext:
privileged: false
capabilities:
add:
- SYS_ADMIN
- NET_ADMIN
- NET_RAW
- SYS_PTRACE
- KILL
- MKNOD
- SETGID
- SETUID
- SYS_MODULE
- AUDIT_CONTROL
- SYSLOG
- SYS_CHROOT
{{- end }}
env:
- name: AQUA_TOKEN
valueFrom:
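Review bot: the `else` branch is the "unprivileged" mode, but the capability list it adds (`SYS_ADMIN`, `SYS_MODULE`, `SYS_PTRACE`, `MKNOD`, `SYS_CHROOT` among others) still lets the container load kernel modules and trace host processes, so the reduction relative to `privileged: true` is small and the README should say so rather than present it as a hardened mode. Suggest adding `drop: [ALL]` before the `add:` list so the container does not also keep the runtime's default capability set on top of the ones listed, a comment per capability saying which enforcer function needs it, and factoring the duplicated `securityContext:` key out of the two branches so only the `privileged` flag and the `capabilities` block vary:

    securityContext:
      privileged: {{ .Values.privileged }}
      {{- if not .Values.privileged }}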
@@ -91,3 +114,7 @@ spec:
nodeSelector:
{{ toYaml .Values.nodeSelector | indent 8 }}
{{- end }}
{{- if and (.Values.tolerations) (semverCompare "^1.6-0" .Capabilities.KubeVersion.GitVersion) }}
tolerations:
{{ toYaml .Values.tolerations | indent 6 }}
{{- end }}
2 changes: 1 addition & 1 deletion enforcer/templates/rbac.yaml
@@ -11,7 +11,7 @@ metadata:
release: "{{ .Release.Name }}"
heritage: "{{ .Release.Service }}"
spec:
privileged: true
privileged: {{ .Values.privileged }}
hostPID: true
allowedCapabilities:
- '*'
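Review bot: making `privileged` follow `.Values.privileged` does not tighten the PodSecurityPolicy when the value is `false`, because `hostPID: true` and `allowedCapabilities: ['*']` immediately below stay unconditional, so pods bound to this policy can still request any capability. If the unprivileged mode is meant to limit what enforcer pods may ask for, list only the capabilities the daemonset adds in `allowedCapabilities` (or template both from one shared list in values.yaml) so the policy and the pod spec agree, and decide whether `hostPID` is needed in that mode.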
6 changes: 4 additions & 2 deletions enforcer/values.yaml
@@ -5,9 +5,10 @@ imageCredentials:
registry: "registry.aquasec.com" #REQUIRED only if create is true, for dockerhub - "index.docker.io/v1/"
username: ""
password: ""
email:
email: "[email protected]"

enforcerToken: ""
privileged: true

rbac:
enabled: false
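Review bot: `privileged: true` is introduced here with no comment and no README entry; add a comment describing the two modes (full privilege versus the capability list in enforcer-daemonset.yaml) and a row in the Enforcer table so the value is discoverable. The `email` default also changed from empty to a fixed address; if that is a placeholder, mark it as one in a trailing comment the way the `registry` line does.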
@@ -19,12 +20,13 @@ gate:

image:
repository: enforcer
tag: 3.5
tag: 4.0
pullPolicy: IfNotPresent

livenessProbe: {}
readinessProbe: {}
nodeSelector: {}
tolerations: []

resources:
requests:
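Review bot: `tolerations: []` is new here but missing from the Enforcer table in README.md; add it with a note that the template emits it as a pod-spec `tolerations` list on Kubernetes 1.6 and later and as the `scheduler.alpha.kubernetes.io/tolerations` annotation on older clusters.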
21 changes: 21 additions & 0 deletions scanner/.helmignore
@@ -0,0 +1,21 @@
# Patterns to ignore when building packages.
# This supports shell glob matching, relative path matching, and
# negation (prefixed with !). Only one pattern per line.
.DS_Store
# Common VCS dirs
.git/
.gitignore
.bzr/
.bzrignore
.hg/
.hgignore
.svn/
# Common backup files
*.swp
*.bak
*.tmp
*~
# Various IDEs
.project
.idea/
*.tmproj
5 changes: 5 additions & 0 deletions scanner/Chart.yaml
@@ -0,0 +1,5 @@
apiVersion: v1
appVersion: "1.0"
description: A Helm chart for the aqua scanner cli component
name: scanner
version: 0.1.0
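Review bot: `appVersion: "1.0"` does not match the application this chart deploys; scanner/values.yaml defaults `image.tag` to `4.0`. Set `appVersion` to the Aqua release the chart ships (4.0) so `helm ls` and chart listings report the right version, and keep it in step with the enforcer and server tags when they move.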
32 changes: 32 additions & 0 deletions scanner/templates/_helpers.tpl
@@ -0,0 +1,32 @@
{{/* vim: set filetype=mustache: */}}
{{/*
Expand the name of the chart.
*/}}
{{- define "scanner.name" -}}
{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
{{- end -}}

{{/*
Create a default fully qualified app name.
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
If release name contains chart name it will be used as a full name.
*/}}
{{- define "scanner.fullname" -}}
{{- if .Values.fullnameOverride -}}
{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
{{- else -}}
{{- $name := default .Chart.Name .Values.nameOverride -}}
{{- if contains $name .Release.Name -}}
{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
{{- else -}}
{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{- end -}}
{{- end -}}

{{/*
Create chart name and version as used by the chart label.
*/}}
{{- define "scanner.chart" -}}
{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
{{- end -}}
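Review bot: the `scanner.name`, `scanner.fullname` and `scanner.chart` helpers defined here are not used anywhere: scanner-deployment.yaml names everything `{{ .Release.Name }}-scanner` and builds the `chart` label inline. Either switch the deployment to the helpers (`name: {{ include "scanner.fullname" . }}`, `chart: {{ include "scanner.chart" . }}`) so that `nameOverride`/`fullnameOverride` work as the comments promise, or drop this file.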
67 changes: 67 additions & 0 deletions scanner/templates/scanner-deployment.yaml
@@ -0,0 +1,67 @@
---
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
name: {{ .Release.Name }}-scanner
labels:
app: {{ .Release.Name }}-scanner
chart: "{{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}"
release: "{{ .Release.Name }}"
heritage: "{{ .Release.Service }}"
spec:
replicas: {{ .Values.replicaCount }}
template:
metadata:
annotations:
{{- if and (.Values.tolerations) (semverCompare "<1.6-0" .Capabilities.KubeVersion.GitVersion) }}
scheduler.alpha.kubernetes.io/tolerations: '{{ toJson .Values.tolerations }}'
{{- end }}
labels:
app: {{ .Release.Name }}-scanner
name: {{ .Release.Name }}-scanner
spec:
serviceAccount: {{ .Values.serviceAccount }}
containers:
- name: scanner
image: "{{ .Values.imageCredentials.repositoryUriPrefix }}/{{ .Values.image.repository }}:{{ .Values.image.tag }}"
imagePullPolicy: "{{ .Values.image.pullPolicy }}"
args:
- "daemon"
- "--user"
- "{{ required "Please specify a username associated with the Scanner role!" .Values.user }}"
- "--password"
- "{{ required "Please specify a password for a user associated with the Scanner role!" .Values.password }}"
- "--host"
- "http://{{ .Values.server.serviceName }}:{{ .Values.server.port }}"
volumeMounts:
- mountPath: /var/run/docker.sock
name: docker-socket-mount
ports:
- containerPort: 8080
protocol: TCP
{{- with .Values.livenessProbe }}
livenessProbe:
{{ toYaml . | indent 10 }}
{{- end }}
{{- with .Values.readinessProbe }}
readinessProbe:
{{ toYaml . | indent 10 }}
{{- end }}
resources:
{{ toYaml .Values.resources | indent 12 }}
{{- with .Values.nodeSelector }}
nodeSelector:
{{ toYaml . | indent 8 }}
{{- end }}
{{- with .Values.affinity }}
affinity:
{{ toYaml . | indent 8 }}
{{- end }}
{{- if and (.Values.tolerations) (semverCompare "^1.6-0" .Capabilities.KubeVersion.GitVersion) }}
tolerations:
{{ toYaml .Values.tolerations | indent 6 }}
{{- end }}
volumes:
- name: docker-socket-mount
hostPath:
path: {{ .Values.docker.socket.path }}
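Review bot: the scanner credentials are passed as plain container arguments (`--user`, `--password`), so they are readable by anyone who can `kubectl get pod -o yaml` or `describe` the pod, show up in the process list on the node, and are stored in the Helm release values and API audit logs. Put them in a Secret and inject them with `env[].valueFrom.secretKeyRef` (the enforcer daemonset already takes `AQUA_TOKEN` from a `valueFrom`), then have the scanner read them from the environment. Other points for this file: the `hostPath` mount of the Docker socket gives the pod control of the node's Docker daemon, which belongs in the README next to the PKS socket path; `--host` talks to the console over plain `http://`; `apiVersion: extensions/v1beta1` for a Deployment is deprecated in favour of `apps/v1`; and `serviceAccount` is the legacy spelling of `serviceAccountName`.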
43 changes: 43 additions & 0 deletions scanner/values.yaml
@@ -0,0 +1,43 @@
imageCredentials:
create: false
name: csp-registry-secret # When create is false please specify
repositoryUriPrefix: "registry.aquasec.com" # for dockerhub - "docker.io"
registry: "registry.aquasec.com" #REQUIRED only if create is true, for dockerhub - "index.docker.io/v1/"
username: ""
password: ""
email: "[email protected]"

docker:
socket:
path: /var/run/docker.sock # pks - /var/vcap/data/sys/run/docker/docker.sock

enabled: false
serviceAccount: aqua-sa
server:
serviceName: aqua-console-svc
port: 8080

image:
repository: scanner
tag: 4.0
pullPolicy: IfNotPresent

user:
password:
replicaCount: 1
livenessProbe: {}
readinessProbe: {}
resources: {}
# We usually recommend not to specify default resources and to leave this as a conscious
# choice for the user. This also increases chances charts run on environments with little
# resources, such as Minikube. If you do want to specify resources, uncomment the following
# lines, adjust them as necessary, and remove the curly braces after 'resources:'.
# limits:
# cpu: 100m
# memory: 128Mi
# requests:
# cpu: 100m
# memory: 128Mi
nodeSelector: {}
tolerations: []
affinity: {}
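Review bot: `enabled: false` is not referenced by any template in this chart (scanner-deployment.yaml renders unconditionally), so installing the chart always creates the deployment and the flag is misleading; either gate the template on `.Values.enabled` or remove the value (the Server chart already has its own `scanner.enabled`). `user` and `password` are left empty here while the template marks them `required`; say so in a comment next to them and in the README. `serviceAccount: aqua-sa` assumes that account already exists, since nothing in this chart creates it; that assumption also belongs in the README.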

0 comments on commit 130f39a