Overview

This page contains instructions for deploying Aqua Enterprise in a Kubernetes cluster, using the Helm package manager.

Refer to the Aqua Enterprise product documentation for the broader context: Kubernetes with Helm Charts.

Overview
- Contents
- Helm charts
Deployment instructions
- (Optional) Add the Aqua Helm repository
  - For Helm 2.x
  - For Helm 3.x
- Deploy the Helm charts
  - Error 2
  - Error 3
Quick-start deployment (not for production purposes)
Issues and feedback

Helm charts

This repository includes the following charts; they can be deployed separately:

Chart	Description	Latest Chart Version
Server	Deploys the Console, Database, and Gateway components; optionally deploys Envoy component	2022.4.24
Enforcer	Deploys the Aqua Enforcer daemonset	2022.4.21
Scanner	Deploys the Aqua Scanner deployment	2022.4.7
KubeEnforcer	Deploys Aqua KubeEnforcer	2022.4.46
Gateway	Deploys the Aqua Standalone Gateway	2022.4.14
Tenant-Manager	Deploys the Aqua Tenant Manager	2022.4.0
Cyber Center	Deploys Aqua CyberCenter offline for air-gap environment	2022.4.5
Cloud Connector	Deploys the Aqua Cloud Connector	2022.4.5
QuickStart	Not for production use (see below). Deploys the Console, Database, Gateway and KubeEnforcer components	2022.4.1
Codesec-Agent	Argon Broker Deployment	1.2.7

Deployment instructions

Aqua Enterprise deployments include the following components:

Server (Console, Database, and Gateway)
Enforcer
KubeEnforcer
Scanner (Optional)

Follow the steps in this section for production-grade deployments. You can either clone the aqua-helm git repo or you can add our Helm private repository (https://helm.aquasec.com).

(Optional) Add the Aqua Helm repository

Add the Aqua Helm repository to your local Helm repos by executing the following command:
```
helm repo add aqua-helm https://helm.aquasec.com
helm repo update
```
Search for all components of the latest version in our Aqua Helm repository

For Helm 2.x

helm search aqua-helm
# Examples
helm search aqua-helm --versions
helm search aqua-helm --version 2022.4

For Helm 3.x

helm search repo aqua-helm
# Examples
helm search repo aqua-helm --versions
helm search repo aqua-helm --version 2022.4

Example output:

NAME                            CHART VERSION   APP VERSION     DESCRIPTION
aqua-helm/codesec-agent         1.2.7           2022.4          A Helm chart for the Argon Broker Deployment
aqua-helm/cloud-connector       2022.4.4        2022.4          A Helm chart for Aqua Cloud-Connector
aqua-helm/cyber-center          2022.4.5        2022.4          A Helm chart for Aqua CyberCenter
aqua-helm/enforcer              2022.4.21       2022.4          A Helm chart for the Aqua Enforcer
aqua-helm/kube-enforcer         2022.4.46       2022.4          A Helm chart for the Aqua KubeEnforcer Starboard
aqua-helm/gateway               2022.4.14       2022.4          A Helm chart for the Aqua Gateway
aqua-helm/scanner               2022.4.7        2022.4          A Helm chart for the Aqua Scanner CLI component
aqua-helm/server                2022.4.24       2022.4          A Helm chart for the Aqua Console components
aqua-helm/tenant-manager        2022.4.1        2022.4          A Helm chart for the Aqua Tenant Manager

Deploy the Helm charts

Add Aqua Helm Repository

helm repo add aqua-helm https://helm.aquasec.com
helm repo update

Check for available chart versions either from Changelog or by running the below command.

helm search repo aqua-helm/enforcer --versions

Create the aqua namespace.

kubectl create namespace aqua

Create aqua-registry secret

kubectl create secret docker-registry aqua-registry-secret \
--docker-server=registry.aquasec.com \
--docker-username=$YOUR_REGISTRY_USER \
--docker-password=$YOUR_REGISTRY_PASSWORD \
-n aqua

Deploy the Server chart.

helm upgrade --install --namespace aqua aqua aqua-helm/server --version $VERSION \
--set imageCredentials.create=false \
--set global.platform=$PLATFORM

Deploy the Enforcer chart.

helm upgrade --install --namespace aqua aqua-enforcer aqua-helm/enforcer --version $VERSION \
--set imageCredentials.create=false \
--set global.platform=$PLATFORM

Deploy the KubeEnforcer chart.

helm upgrade --install --namespace aqua kube-enforcer aqua-helm/kube-enforcer --version $VERSION \
--set global.platform=$PLATFORM \
--set certsSecret.autoGenerate=true

(Optional) Deploy the Scanner chart.

helm upgrade --install --namespace aqua scanner aqua-helm/scanner --version $VERSION \
--set user=$AQUA_CONSOLE_USERNAME \
--set password=$AQUA_CONSOLE_PASSWORD

Gateway is Deployed by default with Server chart, advanced Gateway Deployment options can be found Here.

(Optional) Deploy the TenantManager chart.

helm upgrade --install --namespace aqua tenant-manager aqua-helm/tenant-manager --version $VERSION \
--set platform=$PLATFORM

(Optional) Deploy the Cyber-Center chart.

helm upgrade --install --namespace aqua aqua-cyber-center aqua-helm/cyber-center --version $VERSION \
--set imageCredentials.create=false

(Optional) Deploy the Cloud-Connector chart.

helm upgrade --install --namespace aqua aqua-cloud-connector aqua-helm/cloud-connector --version $VERSION \
--set userCreds.username=$AQUA_CONSOLE_USERNAME \
--set userCreds.password=$AQUA_CONSOLE_PASSWORD \
--set authType.tokenAuth=false \
--set authType.userCreds=true

Access the Aqua UI in browser with {{ .Release.Name }}-console-svc service and port, to check the service details:
```
  kubectl get svc -n aqua
```
- Example:
  - http://< Console IP/DNS >:8080* (default access without SSL) or
  - https://< Console IP/DNS >:443* (If SSL configured to console component in server chart)
    Troubleshooting

This section not all-inclusive. It describes some common issues that we have encountered during deployments.

Error 1

Error message: UPGRADE/INSTALL FAILED, configmaps is forbidden.
Example:

Error: UPGRADE FAILED: configmaps is forbidden: User "system:serviceaccount:kube-system:default" cannot list configmaps in the namespace "kube-system"

Solution: Create a service account for Tiller to utilize.

kubectl create serviceaccount --namespace kube-system tiller
kubectl create clusterrolebinding tiller-cluster-rule --clusterrole=cluster-admin --serviceaccount=kube-system:tiller
kubectl patch deploy --namespace kube-system tiller-deploy -p '{"spec":{"template":{"spec":{"serviceAccount":"tiller"}}}}'
helm init --service-account tiller --upgrade

Error 2

Error message: No persistent volumes available for this claim and no storage class is set.
Solution: Most managed Kubernetes deployments do NOT include all possible storage provider variations at setup time. Refer to the official Kubernetes guidance on storage classes for your platform. For more information see the storage documentation.

Error 3

Error message: When executing kubectl get events -n aqua you might encounter either No persistent volumes available for this claim and no storage class is set or PersistentVolumeClaim is not bound.
Solution: If you encounter either of these errors, you need to create a persistent volume prior to chart deployment with a generic or existing storage class. Specify db.persistence.storageClass in the values.yaml file. A sample file using aqua-storage is included in the repo.

kubectl apply -f pv-example.yaml

Quick-start deployment (not for production purposes)

Quick-start deployments are fast and easy. They are intended for deploying Aqua Enterprise for non-production purposes, such as proofs-of-concept (POCs) and environments intended for instruction, development, and test.

Use the aqua-quickstart chart to

Clone the GitHub repository

git clone https://github.com/aquasecurity/aqua-helm.git
cd aqua-helm/

Create the aqua namespace.
```
kubectl create namespace aqua
```

Deploy aqua-quickstart chart

helm upgrade --install --namespace aqua aqua ./aqua-quickstart --set imageCredentials.username=<>,imageCredentials.password=<>

Issues and feedback

If you encounter any problems or would like to give us feedback on deployments, we encourage you to raise issues here on GitHub.

aquasecurity / aqua-helm

readme