Helm chart for installation and maintenance of Aqua Container Security Platform Gateway component to support multi-cluster use-case.
Follow the steps in this section for production grade deployments. You can either clone aqua-helm git repo or you can add our helm private repository (https://helm.aquasec.com)
- Clone the GitHub repository with the charts
$ git clone -b 6.2 https://github.com/aquasecurity/aqua-helm.git $ cd aqua-helm/
1. db.external.name - External database name
2. db.external.host - External database public IP or endpoint URL
3. db.external.port - External database port
4. db.external.user - External database username
5. db.external.password - External database password
6. db.external.auditName - External audit database name
7. db.external.auditHost - External audit database public IP or endpoint URL
8. db.external.auditPort - External audit database port
9. db.external.auditUser - External audit database username
10. db.external.auditPassword - External audit database password
11. console.publicIP - Aqua CSP console public IP or endpoint URL
12. console.publicPort - Aqua CSP console public port
// To load DB passswords from secrets:
// change passwordFromSecret.enable to true
// for loading DB password from secret edit passwordFromSecret.dbPasswordName passwordFromSecret.dbPasswordName with secret name and secret key
// for loading Audit-DB password from secret edit passwordFromSecret.dbAuditPasswordName passwordFromSecret.dbAuditPasswordName with secret name and secret key
// for loading PubSub DB password from secret edit passwordFromSecret.dbPubsubPasswordName passwordFromSecret.dbPubsubPasswordName with secret name and secret key-
Create
aquanamespace if gateway is being deployed to a new cluster.$ kubectl create namespace aqua
-
Install Aqua
$ helm upgrade --install --namespace aqua gateway ./gateway --set imageCredentials.username=<>,imageCredentials.password=<>,platform=<>
-
Add Aqua Helm Repository
$ helm repo add aqua-helm https://helm.aquasec.com
-
Check for available chart versions either from Changelog or by running the below command
$ helm search repo aqua-helm/gateway --versions
-
Create
aquanamespace if gateway is being deployed to a new cluster.$ kubectl create namespace aqua
-
copy the values.yaml content from Values.yaml to a file and make the respective changes values then run the following command:
$ helm upgrade --install --namespace aqua gateway aqua-helm/gateway --values values.yaml --version <>
| Parameter | Description | Default | Mandatory |
|---|---|---|---|
imageCredentials.create |
Set if to create new pull image secret | true |
YES |
imageCredentials.name |
Your Docker pull image secret name | aqua-registry-secret |
YES |
imageCredentials.repositoryUriPrefix |
repository uri prefix for dockerhub set docker.io |
registry.aquasec.com |
YES |
imageCredentials.registry |
set the registry url for dockerhub set index.docker.io/v1/ |
registry.aquasec.com |
YES |
imageCredentials.username |
Your Docker registry (DockerHub, etc.) username | aqua-registry-secret |
YES |
imageCredentials.password |
Your Docker registry (DockerHub, etc.) password | unset |
YES |
rbac.enabled |
if to create rbac configuration for aqua | true |
YES |
rbac.privileged |
determines if any container in a pod can enable privileged mode. | true |
YES |
rbac.roleRef |
name of rbac role to set in not create by helm | unset |
NO |
console.publicIP |
Address of the server | unset |
YES |
console.publicPort |
Server endpoint Port value | unset |
YES |
serviceAccount.name |
nams of the ServiceAccount | aqua-sa |
YES |
db.external.enabled |
Avoid installing a Postgres container and use an external database instead | false |
YES |
db.external.name |
PostgreSQL DB name | unset |
YESif db.external.enabled is set to true |
db.external.host |
PostgreSQL DB hostname | unset |
YESif db.external.enabled is set to true |
db.external.port |
PostgreSQL DB port | unset |
YESif db.external.enabled is set to true |
db.external.user |
PostgreSQL DB username | unset |
YESif db.external.enabled is set to true |
db.external.password |
PostgreSQL DB password | unset |
YESif db.external.enabled is set to true |
db.external.auditName |
PostgreSQL DB audit name | unset |
NO |
db.external.auditHost |
PostgreSQL DB audit hostname | unset |
NO |
db.external.auditPort |
PostgreSQL DB audit port | unset |
NO |
db.external.auditUser |
PostgreSQL DB audit username | unset |
NO |
db.external.auditPassword |
PostgreSQL DB audit password | unset |
NO |
db.external.pubsubName |
PostgreSQL DB pubsub name | unset |
NO |
db.external.pubsubHost |
PostgreSQL DB pubsub hostname | unset |
NO |
db.external.pubsubPort |
PostgreSQL DB pubsub port | unset |
NO |
db.external.pubsubUser |
PostgreSQL DB pubsub username | unset |
NO |
db.external.pubsubPassword |
PostgreSQL DB pubsub password | unset |
NO |
db.passwordFromSecret.enabled |
Enable to load DB passwords from Secrets | false |
YES |
db.passwordFromSecret.dbPasswordName |
password secret name | null |
NO |
db.passwordFromSecret.dbPasswordKey |
password secret key | null |
NO |
db.passwordFromSecret.dbAuditPasswordName |
Audit password secret name | null |
NO |
db.passwordFromSecret.dbAuditPasswordKey |
Audit password secret key | null |
NO |
db.passwordFromSecret.dbPubsubPasswordName |
Pubsub password secret name | null |
NO |
db.passwordFromSecret.dbPubsubPasswordKey |
Pubsub password secret key | null |
NO |
db.ssl |
If require an SSL-encrypted connection to the Postgres configuration database. | false |
NO |
db.auditssl |
If require an SSL-encrypted connection to the Postgres configuration audit database. | false |
NO |
db.pubsubssl |
If require an SSL-encrypted connection to the Postgres configuration pubsub database. | false |
NO |
gate.image.repository |
the docker image name to use | gateway |
NO |
gate.image.tag |
The image tag to use. | 6.2 |
NO |
gate.image.pullPolicy |
The kubernetes image pull policy. | IfNotPresent |
NO |
gate.service.type |
k8s service type | ClusterIP |
NO |
gate.service.loadbalancerIP |
can specify loadBalancerIP address for aqua-gateway in AKS platform | null |
NO |
gate.service.annotations |
service annotations | {} |
NO |
gate.service.ports |
array of ports settings | array |
NO |
gate.publicIP |
gateway public ip | aqua-gateway |
NO |
gate.replicaCount |
replica count | 1 |
NO |
gate.resources |
Resource requests and limits | {} |
NO |
gate.nodeSelector |
Kubernetes node selector | {} |
NO |
gate.tolerations |
Kubernetes node tolerations | [] |
NO |
gate.affinity |
Kubernetes node affinity | {} |
NO |
gate.podAnnotations |
Kubernetes pod annotations | {} |
NO |
gate.securityContext |
Set of security context for the container | nil |
NO |
gate.TLS.enabled |
If require secure channel communication | false |
NO |
gate.TLS.secretName |
certificates secret name | nil |
YES if gate.TLS.enabled is set to true |
gate.TLS.publicKey_fileName |
filename of the public key eg: aqua_gateway.crt | nil |
YES if gate.TLS.enabled is set to true |
gate.TLS.privateKey_fileName |
filename of the private key eg: aqua_gateway.key | nil |
YES if gate.TLS.enabled is set to true |
gate.TLS.rootCA_fileName |
filename of the rootCA, if using self-signed certificates eg: rootCA.crt | nil |
NO if gate.TLS.enabled is set to true and using self-signed certificates for TLS/mTLS |
gate.TLS.aqua_verify_enforcer |
change it to "1" or "0" for enabling/disabling mTLS between enforcer and gateway/envoy | 0 |
YES if gate.TLS.enabled is set to true |
gate.extraEnvironmentVars |
is a list of extra environment variables to set in the gateway deployments. | {} |
NO |
gate.extraSecretEnvironmentVars |
is a list of extra environment variables to set in the gateway deployments, these variables take value from existing Secret objects. | [] |
NO |