add features and update documentations

aquasecurity · Aug 6, 2020 · 70ae917 · 70ae917
1 parent 525c1aa
commit 70ae917
Show file tree

Hide file tree

Showing 19 changed files with 300 additions and 217 deletions.
diff --git a/README.md b/README.md
@@ -114,39 +114,52 @@ db:
     password: verysecret
 ```
 
+## Environment Variables
+
+In each charts and components we create an option to define more environment variables to each componenet with 2 ways:
+* `extraEnvironmentVars`: is a list of extra enviroment variables to set with name and value parameters.
+* `extraSecretEnvironmentVars`: is a list of extra enviroment variables to set, these variables take value from existing Secret objects.
+
+[Link to documentations](https://docs.aquasec.com/docs/environment-variables)
+
 ## Deploy the Helm charts
 
 First, clone the GitHub repository with the charts
 
 ```bash
-git clone https://github.com/aquasecurity/aqua-helm.git -b <BRANCH_NAME>
-cd aqua-helm/
+$ git clone https://github.com/aquasecurity/aqua-helm.git -b <BRANCH_NAME>
+$ cd aqua-helm/
 ```
 
 ***Optional:*** Update the Helm charts values.yaml files with your environment's custom values. This eliminates the need to pass the parameters to the helm command. Then run one of the commands below to install the relevant services.
 
+before start deploying helm charts, plese verify you create `aqua` namespace.
+```bash
+$ kubectl create namespace aqua
+```
+
 ### Server chart
 
 ```bash
-helm upgrade --install --namespace aqua aqua ./server --set imageCredentials.username=<>,imageCredentials.password=<>,imageCredentials.email=<>
+$ helm upgrade --install --namespace aqua aqua ./server --set imageCredentials.username=<>,imageCredentials.password=<>,imageCredentials.email=<>
 ```
 
 ### Enforcer chart
 
 ```bash
-helm upgrade --install --namespace aqua aqua-enforcer ./enforcer --set imageCredentials.username=<>,imageCredentials.password=<>,imageCredentials.email=<>,enforcerToken=<aquasec-token>
+$ helm upgrade --install --namespace aqua aqua-enforcer ./enforcer --set imageCredentials.username=<>,imageCredentials.password=<>,imageCredentials.email=<>,enforcerToken=<aquasec-token>
 ```
 
 ### KubeEnforcer chart
 
 ```bash
-helm upgrade --install --namespace aqua kube-enforcer ./kube-enforcer --set imageCredentials.username=<registry-username>,imageCredentials.password=<registry-password>,certsSecret.serverCertificate="$(cat server.crt)",certsSecret.serverKey="$(cat server.key)",validatingWebhook.caBundle="$(cat ca.crt)"
+$ helm upgrade --install --namespace aqua kube-enforcer ./kube-enforcer --set imageCredentials.username=<registry-username>,imageCredentials.password=<registry-password>,certsSecret.serverCertificate="$(cat server.crt)",certsSecret.serverKey="$(cat server.key)",validatingWebhook.caBundle="$(cat ca.crt)"
 ```
 
 ### Scanner chart (optional)
 
 ```bash
-helm upgrade --install --namespace aqua scanner ./scanner --set imageCredentials.username=<>,imageCredentials.password=<>,imageCredentials.email=<>
+$ helm upgrade --install --namespace aqua scanner ./scanner --set imageCredentials.username=<>,imageCredentials.password=<>,imageCredentials.email=<>
 ```
 
 # Troubleshooting
@@ -155,17 +168,17 @@ helm upgrade --install --namespace aqua scanner ./scanner --set imageCredentials
 
 **(1) Error:** *UPGRADE/INSTALL FAILED*, configmaps is forbidden.
 
-  ```sh
-  Error: UPGRADE FAILED: configmaps is forbidden: User "system:serviceaccount:kube-system:default" cannot list configmaps in the namespace "kube-system"
-  ```
+```bash
+Error: UPGRADE FAILED: configmaps is forbidden: User "system:serviceaccount:kube-system:default" cannot list configmaps in the namespace "kube-system"
+```
 
 **Solution:** Create a service account for Tiller to utilize.
-  ```sh
-  kubectl create serviceaccount --namespace kube-system tiller
-  kubectl create clusterrolebinding tiller-cluster-rule --clusterrole=cluster-admin --serviceaccount=kube-system:tiller
-  kubectl patch deploy --namespace kube-system tiller-deploy -p '{"spec":{"template":{"spec":{"serviceAccount":"tiller"}}}}'
-  helm init --service-account tiller --upgrade
-  ```
+```bash
+kubectl create serviceaccount --namespace kube-system tiller
+kubectl create clusterrolebinding tiller-cluster-rule --clusterrole=cluster-admin --serviceaccount=kube-system:tiller
+kubectl patch deploy --namespace kube-system tiller-deploy -p '{"spec":{"template":{"spec":{"serviceAccount":"tiller"}}}}'
+helm init --service-account tiller --upgrade
+```
 
 **(2) Error:** No persistent volumes available for this claim and no storage class is set.
 
@@ -178,9 +191,9 @@ for more information go to storage docs, [Link](docs/storage.md)
 
 **Solution:** If you encounter this error, you need to create a persistent volume prior to chart installation with a generic or existing storage class, specifying `db.persistence.storageClass` in the values.yaml file. A sample file using `aqua-storage` is included in the repo.
 
-  ```sh
-  kubectl apply -f pv-example.yaml
-  ```
+```bash
+$ kubectl apply -f pv-example.yaml
+```
 
 ## Issues and feedback
 

diff --git a/docs/ingress.md b/docs/ingress.md
@@ -59,4 +59,10 @@ kubectl apply -f ingress-example.yaml
 
 **Alternative ingress configuration**
 
-Example: The services charts are set to create `ClusterIP' ingress types. You may tune these as appropriate for your environment.
+Example: The services charts are set to create `ClusterIP' ingress types. You may tune these as appropriate for your environment.
+
+## Cloud provider ingress documentations
+
+* Google Cloud Platform (GCP) - [Link](https://cloud.google.com/kubernetes-engine/docs/concepts/ingress)
+* Amazon Web Services (AWS) - [Link](https://docs.aws.amazon.com/eks/latest/userguide/alb-ingress.html)
+* Microsoft Azure - [Link](https://docs.microsoft.com/en-us/azure/aks/ingress-basic)
diff --git a/enforcer/README.md b/enforcer/README.md
@@ -34,6 +34,10 @@ cd aqua-helm/
 helm upgrade --install --namespace aqua aqua-enforcer ./enforcer --set imageCredentials.username=<>,imageCredentials.password=<>,enforcerToken=<aquasec-token>
 ```
 
+## Guide how to create enforcer group in Kubernetes
+
+[Link](https://docs.aquasec.com/docs/kubernetes#section-step-4-deploy-aqua-enforcers)
+
 ## Configurable Variables
 
 ### Enforcer
@@ -46,10 +50,12 @@ Parameter | Description | Default
 `imageCredentials.registry` | set the registry url for dockerhub set `index.docker.io/v1/` | `registry.aquasec.com`
 `imageCredentials.username` | Your Docker registry (DockerHub, etc.) username | `aqua-registry-secret`
 `imageCredentials.password` | Your Docker registry (DockerHub, etc.) password | `unset`
+`enforcerToken` | enforcer token value | `""`
+`enforcerTokenSecretName` | enforcer token secret name if exists | `null`
+`enforcerTokenSecretKey` | enforcer token secret key if exists | `null`
+`enforcerLogicalName` | Specify the Logical Name the Aqua Enforcer will register under. if not specify the name will be `<Helm Release>-helm` | `unset`
 `privileged` | determines if any container in a pod can enable privileged mode. | `true`
 `hostRunPath` |	for changing host run path for example for pks need to change to /var/vcap/sys/run/docker	| `unset`
-`aquaNetworkControl` |	Specify false if you would like the Aqua Enforcer to be deployed without modifying the host's iptable. | `-`
-`runcInterception` | Specify the interception mode for the Enforcer: false for docker, true for runc | `-`
 `gate.host` | gateway host | `aqua-gateway-svc`
 `gate.port` | gateway port | `8443`
 `image.repository` | the docker image name to use | `enforcer`
@@ -59,6 +65,10 @@ Parameter | Description | Default
 `nodeSelector` |	Kubernetes node selector	| `{}`
 `tolerations` |	Kubernetes node tolerations	| `[]`
 `affinity` |	Kubernetes node affinity | `{}`
+`extraEnvironmentVars` | is a list of extra enviroment variables to set in the enforcer daemonset. | `{}`
+`extraSecretEnvironmentVars` | is a list of extra enviroment variables to set in the scanner daemonset, these variables take value from existing Secret objects. | `[]`
+
+> Note: that `imageCredentials.create` is false and if you need to create image pull secret please update to true. and set the username and password for the registry.
 
 ## Issues and feedback
 

diff --git a/enforcer/templates/_helpers.tpl b/enforcer/templates/_helpers.tpl
@@ -17,4 +17,31 @@ We truncate at 63 chars because some Kubernetes name fields are limited to this
 
 {{- define "imagePullSecret" }}
 {{- printf "{\"auths\": {\"%s\": {\"auth\": \"%s\"}}}" (required "A valid .Values.imageCredentials.registry entry required!" .Values.imageCredentials.registry) (printf "%s:%s" (required "A valid .Values.imageCredentials.username entry required!" .Values.imageCredentials.username) (required "A valid .Values.imageCredentials.password entry required!" .Values.imageCredentials.password) | b64enc) | b64enc }}
-{{- end }}
+{{- end }}
+
+{{/*
+Inject extra environment vars in the format key:value, if populated
+*/}}
+{{- define "enforcer.extraEnvironmentVars" -}}
+{{- if .extraEnvironmentVars -}}
+{{- range $key, $value := .extraEnvironmentVars }}
+- name: {{ printf "%s" $key | replace "." "_" | upper | quote }}
+  value: {{ $value | quote }}
+{{- end }}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Inject extra environment populated by secrets, if populated
+*/}}
+{{- define "enforcer.extraSecretEnvironmentVars" -}}
+{{- if .extraSecretEnvironmentVars -}}
+{{- range .extraSecretEnvironmentVars }}
+- name: {{ .envName }}
+  valueFrom:
+   secretKeyRef:
+     name: {{ .secretName }}
+     key: {{ .secretKey }}
+{{- end -}}
+{{- end -}}
+{{- end -}}
diff --git a/enforcer/templates/enforcer-daemonset.yaml b/enforcer/templates/enforcer-daemonset.yaml
@@ -77,26 +77,12 @@ spec:
         - name: AQUA_LOGICAL_NAME
           value: {{ .Release.Name }}-helm
           {{- end }}
-        {{- if .Values.aquaNetworkControl }}
-        - name: AQUA_NETWORK_CONTROL
-          value: "1"
-        {{- else }}
-        - name: AQUA_NETWORK_CONTROL
-          value: "0"
-        {{- end }}
-        - name: RESTART_CONTAINERS
-          value: "no"
-        {{- if .Values.hostRunPath }}
+          {{- if .Values.hostRunPath }}
         - name: AQUA_HOST_RUN_PATH
           value: {{ .Values.hostRunPath }}
-        {{- end }}
-        {{- if .Values.runcInterception }}
-        - name: AQUA_RUNC_INTERCEPTION
-          value: "1"
-        {{- else }}
-        - name: AQUA_RUNC_INTERCEPTION
-          value: "0"
-        {{- end }}
+          {{- end }}
+        {{- include "enforcer.extraEnvironmentVars" .Values | nindent 8 }}
+        {{- include "enforcer.extraSecretEnvironmentVars" .Values | nindent 8 }}
         volumeMounts:
         - mountPath: /var/run
           name: var-run

diff --git a/enforcer/values.yaml b/enforcer/values.yaml
@@ -15,8 +15,6 @@ enforcerLogicalName:
 privileged: true
 
 hostRunPath: # pks - /var/vcap/sys/run/docker
-runcInterception: true
-aquaNetworkControl: true
 
 gate:
   host: aqua-gateway-svc # example
@@ -39,3 +37,14 @@ resources: {}
   #   memory: 1.5G
 nodeSelector: {}
 tolerations: []
+
+# extraEnvironmentVars is a list of extra enviroment variables to set in the enforcer daemonset.
+extraEnvironmentVars: {}
+  # ENV_NAME: value
+
+# extraSecretEnvironmentVars is a list of extra enviroment variables to set in the enforcer daemonset.
+# These variables take value from existing Secret objects.
+extraSecretEnvironmentVars: []
+  # - envName: ENV_NAME
+  #   secretName: name
+  #   secretKey: key
diff --git a/scanner/README.md b/scanner/README.md
@@ -30,6 +30,8 @@ git clone https://github.com/aquasecurity/aqua-helm.git
 cd aqua-helm/
 ```
 
+before installing scanner chart the recommandation is to create user with scanning permissions, [Link to documentations](https://docs.aquasec.com/docs/add-scanners#section-add-a-scanner-user)
+
 ```bash
 helm upgrade --install --namespace aqua scanner ./scanner --set imageCredentials.username=<>,imageCredentials.password=<>
 ```
@@ -43,8 +45,8 @@ The following table lists the configurable parameters of the Console and Enforce
 Parameter | Description | Default
 --------- | ----------- | -------
 `repositoryUriPrefix` | repository uri prefix for dockerhub set `docker.io` | `registry.aquasec.com`
-`docker.socket.path` | docker socket path | `/var/run/docker.sock`
-`docker` | Scanning mode direct or docker [link](https://docs.aquasec.com/docs/scanning-mode#default-scanning-mode) | `-`
+`dockerSocket.mount` | boolean parameter if to mount docker socket | `unset`
+`dockerSocket.path` | docker socket path | `/var/run/docker.sock`
 `serviceAccount` | k8s service account to use | `aqua-sa`
 `server.serviceName` | service name for server to connect | `aqua-console-svc`
 `server.port` | service port for server to connect | `8080`
@@ -58,7 +60,8 @@ Parameter | Description | Default
 `nodeSelector` |	Kubernetes node selector	| `{}`
 `tolerations` |	Kubernetes node tolerations	| `[]`
 `affinity` |	Kubernetes node affinity | `{}`
-
+`extraEnvironmentVars` | is a list of extra enviroment variables to set in the scanner deployments. | `{}`
+`extraSecretEnvironmentVars` | is a list of extra enviroment variables to set in the scanner deployments, these variables take value from existing Secret objects. | `[]`
 ## Issues and feedback
 
 If you encounter any problems or would like to give us feedback on deployments, we encourage you to raise issues here on GitHub.
diff --git a/scanner/templates/_helpers.tpl b/scanner/templates/_helpers.tpl
@@ -30,3 +30,30 @@ Create chart name and version as used by the chart label.
 {{- define "scanner.chart" -}}
 {{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
 {{- end -}}
+
+{{/*
+Inject extra environment vars in the format key:value, if populated
+*/}}
+{{- define "scanner.extraEnvironmentVars" -}}
+{{- if .extraEnvironmentVars -}}
+{{- range $key, $value := .extraEnvironmentVars }}
+- name: {{ printf "%s" $key | replace "." "_" | upper | quote }}
+  value: {{ $value | quote }}
+{{- end }}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Inject extra environment populated by secrets, if populated
+*/}}
+{{- define "scanner.extraSecretEnvironmentVars" -}}
+{{- if .extraSecretEnvironmentVars -}}
+{{- range .extraSecretEnvironmentVars }}
+- name: {{ .envName }}
+  valueFrom:
+   secretKeyRef:
+     name: {{ .secretName }}
+     key: {{ .secretKey }}
+{{- end -}}
+{{- end -}}
+{{- end -}}
diff --git a/scanner/templates/scanner-deployment.yaml b/scanner/templates/scanner-deployment.yaml
@@ -36,7 +36,14 @@ spec:
         - "{{ required "Please specify a password for a user associated with the Scanner role!" .Values.password }}"
         - "--host"
         - "http://{{ .Values.server.serviceName }}:{{ .Values.server.port }}"
-        {{- if .Values.docker }}
+        env:
+        - name: AQUA_SCANNER_LOGICAL_NAME
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.name
+        {{- include "scanner.extraEnvironmentVars" .Values | nindent 8 }}
+        {{- include "scanner.extraSecretEnvironmentVars" .Values | nindent 8 }}
+        {{- if .Values.dockerSock.mount }}
         volumeMounts:
         - mountPath: /var/run/docker.sock
           name: docker-socket-mount
@@ -66,9 +73,9 @@ spec:
       tolerations:
 {{ toYaml .Values.tolerations | indent 6 }}
       {{- end }}
-      {{- if .Values.docker }}
+      {{- if .Values.dockerSock.mount }}
       volumes:
       - name: docker-socket-mount
         hostPath:
-          path: {{ .Values.docker.socket.path }}
+          path: {{ .Values.dockerSock.path }}
       {{- end }}
diff --git a/scanner/values.yaml b/scanner/values.yaml
@@ -1,10 +1,8 @@
 repositoryUriPrefix: "registry.aquasec.com" # for dockerhub - "docker.io"
 
-docker:
-  socket:
-    path: "/var/run/docker.sock" # pks - /var/vcap/data/sys/run/docker/docker.sock
-
-docker:
+dockerSock:
+  mount: # put true for mount docker socket.
+  path: /var/run/docker.sock # pks - /var/vcap/data/sys/run/docker/docker.sock
 
 serviceAccount: "aqua-sa"
 server:
@@ -32,3 +30,15 @@ resources: {}
 nodeSelector: {}
 tolerations: []
 affinity: {}
+
+# extraEnvironmentVars is a list of extra enviroment variables to set in the scanner deployments.
+# https://docs.aquasec.com/docs/scanner-optional-variables
+extraEnvironmentVars: {}
+  # ENV_NAME: value
+
+# extraSecretEnvironmentVars is a list of extra enviroment variables to set in the scanner deployments.
+# These variables take value from existing Secret objects.
+extraSecretEnvironmentVars: []
+  # - envName: ENV_NAME
+  #   secretName: name
+  #   secretKey: key