This page contains instructions for deploying Aqua Enterprise in a Kubernetes cluster, using the Helm package manager.
Refer to the Aqua Enterprise product documentation for the broader context: Kubernetes with Helm Charts.
This repository includes the following charts; they can be deployed separately:
Chart | Description | Latest Chart Version |
---|---|---|
Server | Deploys the Console, Database, and Gateway components; optionally deploys Envoy component | 2022.4.24 |
Enforcer | Deploys the Aqua Enforcer daemonset | 2022.4.21 |
Scanner | Deploys the Aqua Scanner deployment | 2022.4.7 |
KubeEnforcer | Deploys Aqua KubeEnforcer | 2022.4.46 |
Gateway | Deploys the Aqua Standalone Gateway | 2022.4.14 |
Tenant-Manager | Deploys the Aqua Tenant Manager | 2022.4.0 |
Cyber Center | Deploys Aqua CyberCenter offline for air-gap environment | 2022.4.5 |
Cloud Connector | Deploys the Aqua Cloud Connector | 2022.4.5 |
QuickStart | Not for production use (see below). Deploys the Console, Database, Gateway and KubeEnforcer components | 2022.4.1 |
Codesec-Agent | Argon Broker Deployment | 1.2.7 |
Aqua Enterprise deployments include the following components:
Follow the steps in this section for production-grade deployments. You can either clone the aqua-helm git repo or you can add our Helm private repository (https://helm.aquasec.com).
Add the Aqua Helm repository to your local Helm repos by executing the following command:

```shell
helm repo add aqua-helm https://helm.aquasec.com
helm repo update
```
Search for all components of the latest version in our Aqua Helm repository:

```shell
# Helm 2.x syntax
helm search aqua-helm
# Examples
helm search aqua-helm --versions
helm search aqua-helm --version 2022.4

# Helm 3.x syntax
helm search repo aqua-helm
# Examples
helm search repo aqua-helm --versions
helm search repo aqua-helm --version 2022.4
```
Example output:

```
NAME                        CHART VERSION  APP VERSION  DESCRIPTION
aqua-helm/codesec-agent     1.2.7          2022.4       A Helm chart for the Argon Broker Deployment
aqua-helm/cloud-connector   2022.4.4       2022.4       A Helm chart for Aqua Cloud-Connector
aqua-helm/cyber-center      2022.4.5       2022.4       A Helm chart for Aqua CyberCenter
aqua-helm/enforcer          2022.4.21      2022.4       A Helm chart for the Aqua Enforcer
aqua-helm/kube-enforcer     2022.4.46      2022.4       A Helm chart for the Aqua KubeEnforcer Starboard
aqua-helm/gateway           2022.4.14      2022.4       A Helm chart for the Aqua Gateway
aqua-helm/scanner           2022.4.7       2022.4       A Helm chart for the Aqua Scanner CLI component
aqua-helm/server            2022.4.24      2022.4       A Helm chart for the Aqua Console components
aqua-helm/tenant-manager    2022.4.1       2022.4       A Helm chart for the Aqua Tenant Manager
```
Add the Aqua Helm repository:

```shell
helm repo add aqua-helm https://helm.aquasec.com
helm repo update
```

Check for available chart versions either from the Changelog or by running the command below:

```shell
helm search repo aqua-helm/enforcer --versions
```
Create the `aqua` namespace:

```shell
kubectl create namespace aqua
```

Create the `aqua-registry` secret:

```shell
kubectl create secret docker-registry aqua-registry-secret \
  --docker-server=registry.aquasec.com \
  --docker-username=$YOUR_REGISTRY_USER \
  --docker-password=$YOUR_REGISTRY_PASSWORD \
  -n aqua
```
```shell
# Server chart (Console, Database, Gateway)
helm upgrade --install --namespace aqua aqua aqua-helm/server --version $VERSION \
  --set imageCredentials.create=false \
  --set global.platform=$PLATFORM

# Enforcer chart
helm upgrade --install --namespace aqua aqua-enforcer aqua-helm/enforcer --version $VERSION \
  --set imageCredentials.create=false \
  --set global.platform=$PLATFORM

# KubeEnforcer chart
helm upgrade --install --namespace aqua kube-enforcer aqua-helm/kube-enforcer --version $VERSION \
  --set global.platform=$PLATFORM \
  --set certsSecret.autoGenerate=true

# Scanner chart
helm upgrade --install --namespace aqua scanner aqua-helm/scanner --version $VERSION \
  --set user=$AQUA_CONSOLE_USERNAME \
  --set password=$AQUA_CONSOLE_PASSWORD

# Tenant-Manager chart
helm upgrade --install --namespace aqua tenant-manager aqua-helm/tenant-manager --version $VERSION \
  --set platform=$PLATFORM

# Cyber Center chart
helm upgrade --install --namespace aqua aqua-cyber-center aqua-helm/cyber-center --version $VERSION \
  --set imageCredentials.create=false

# Cloud Connector chart
helm upgrade --install --namespace aqua aqua-cloud-connector aqua-helm/cloud-connector --version $VERSION \
  --set userCreds.username=$AQUA_CONSOLE_USERNAME \
  --set userCreds.password=$AQUA_CONSOLE_PASSWORD \
  --set authType.tokenAuth=false \
  --set authType.userCreds=true

# List the services in the aqua namespace
kubectl get svc -n aqua
```
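The scanner and cloud-connector installs above pass the console password with `--set`, which puts the expanded value on the `helm` command line where it is visible in the process list. The following is an added example, not part of the aqua-helm repository: it writes the same keys (`user`, `password`, `userCreds.*`, `authType.*`) to an owner-only values file and passes that with `-f`. The function names and file locations are assumptions.

```shell
#!/bin/sh
# Added example (not from the aqua-helm repo): hand console credentials to Helm
# in a private values file instead of --set. Function names and file locations
# are assumptions; the value keys are the ones used with --set on this page.

# Quote a single-line string as a YAML single-quoted scalar (' is doubled).
yaml_quote() {
  printf "'%s'" "$(printf '%s' "$1" | sed "s/'/''/g")"
}

# new_private_file FILE: create or truncate FILE, readable by the owner only.
new_private_file() {
  ( umask 077; : > "$1" && chmod 600 "$1" )
}

# write_scanner_values FILE USER PASSWORD (scanner chart: user, password)
write_scanner_values() {
  new_private_file "$1" &&
    printf 'user: %s\npassword: %s\n' \
      "$(yaml_quote "$2")" "$(yaml_quote "$3")" >> "$1"
}

# write_connector_values FILE USER PASSWORD (cloud-connector: userCreds.*, authType.*)
write_connector_values() {
  new_private_file "$1" && {
    printf 'userCreds:\n  username: %s\n  password: %s\n' \
      "$(yaml_quote "$2")" "$(yaml_quote "$3")"
    printf 'authType:\n  tokenAuth: false\n  userCreds: true\n'
  } >> "$1"
}

# install_with_values RELEASE CHART FILE: the install from this page, values via -f.
install_with_values() {
  helm upgrade --install --namespace aqua "$1" "$2" --version "$VERSION" -f "$3"
}

# Runs only when helm is installed and the credentials are set in the environment.
if command -v helm >/dev/null 2>&1 && [ -n "${AQUA_CONSOLE_PASSWORD:-}" ]; then
  dir=$(mktemp -d) && trap 'rm -rf "$dir"' EXIT
  write_scanner_values "$dir/scanner.yaml" \
    "$AQUA_CONSOLE_USERNAME" "$AQUA_CONSOLE_PASSWORD"
  install_with_values scanner aqua-helm/scanner "$dir/scanner.yaml"
  write_connector_values "$dir/connector.yaml" \
    "$AQUA_CONSOLE_USERNAME" "$AQUA_CONSOLE_PASSWORD"
  install_with_values aqua-cloud-connector aqua-helm/cloud-connector "$dir/connector.yaml"
fi
```

Helm still stores user-supplied values in the release record inside the cluster, so read access to Secrets in the `aqua` namespace needs to be restricted as well.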
This section is not all-inclusive. It describes some common issues that we have encountered during deployments.
```
Error: UPGRADE FAILED: configmaps is forbidden: User "system:serviceaccount:kube-system:default" cannot list configmaps in the namespace "kube-system"
```

```shell
# Helm 2.x only: create a service account for Tiller, bind it to the
# cluster-admin ClusterRole, and make the Tiller deployment use it.
kubectl create serviceaccount --namespace kube-system tiller
kubectl create clusterrolebinding tiller-cluster-rule --clusterrole=cluster-admin --serviceaccount=kube-system:tiller
kubectl patch deploy --namespace kube-system tiller-deploy -p '{"spec":{"template":{"spec":{"serviceAccount":"tiller"}}}}'
helm init --service-account tiller --upgrade
```
When running `kubectl get events -n aqua`, you might encounter either "No persistent volumes available for this claim and no storage class is set" or "PersistentVolumeClaim is not bound". Set `db.persistence.storageClass` in the values.yaml file. A sample file using `aqua-storage` is included in the repo:

```shell
kubectl apply -f pv-example.yaml
```
Quick-start deployments are fast and easy. They are intended for deploying Aqua Enterprise for non-production purposes, such as proofs-of-concept (POCs) and environments intended for instruction, development, and test.
Use the aqua-quickstart chart to
Clone the GitHub repository:

```shell
git clone https://github.com/aquasecurity/aqua-helm.git
cd aqua-helm/
```

Create the `aqua` namespace:

```shell
kubectl create namespace aqua
```

Deploy the `aqua-quickstart` chart:

```shell
helm upgrade --install --namespace aqua aqua ./aqua-quickstart --set imageCredentials.username=<>,imageCredentials.password=<>
```
If you encounter any problems or would like to give us feedback on deployments, we encourage you to raise issues here on GitHub.