Update kube-enforcer helm chart docs

kube-enforcer/README.md

@@ -26,29 +26,39 @@ These are Helm charts for installation and maintenance of Aqua Container Securit
 
 You need to enable TLS authentication from the API Server to the Kube-Enforcer. Perform these steps:
 
-1. Run these commands to create TLS certificates which is signed by the local CA certificate. We will pass these certificates with helm command to enbale TLS authentication between kube-enforcer & API-Server to receive events from validatingwebhookconfiguration for image assurance functionality.
-
-```shell
-openssl genrsa -out ca.key 2048
-openssl req -x509 -new -nodes -key ca.key -days 100000 -out ca.crt -subj "/CN=admission_ca"
-
-cat >server.conf <<EOF
-[req]
-req_extensions = v3_req
-distinguished_name = req_distinguished_name
-[req_distinguished_name]
-[ v3_req ]
-basicConstraints = CA:FALSE
-keyUsage = nonRepudiation, digitalSignature, keyEncipherment
-extendedKeyUsage = clientAuth, serverAuth
-EOF
-
-openssl genrsa -out server.key 2048
-openssl req -new -key server.key -out server.csr -subj "/CN=aqua-kube-enforcer.aqua.svc" -config server.conf
-openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt -days 100000 -extensions v3_req -extfile server.conf
+Create TLS certificates which is signed by the local CA certificate. We will pass these certificates with helm command to enbale TLS authentication between kube-enforcer & API-Server to receive events from validatingwebhookconfiguration for image assurance functionality.
+
+You can generate these certificates by executing the script:
+
+```
+./gen-certs.sh
+```
+
+You can also use your own certificates without generating new ones for TLS authentication all we need is root CA certificate, certificate signed by CA and certificate key.
+
+Optionally you can configure the certificates generated from the above script in ```values.yaml``` file
+
+You need to encode the certificates into based64 for ```ca.crt```, ```server.crt``` and ```server.key``` using the below cmd
+
 ```
+cat <file-name> | base64 | tr -d '\n'
+```
+
+Provide the above obtained certificates in the below fields of ```values.yaml``` file.
+
+```
+certsSecret:
+  name: aqua-kube-enforcer-certs
+  serverCertificate: "<server.crt>"
+  serverKey: "<server.key>"
+
+validatingWebhook:
+  name: kube-enforcer-admission-hook-config
+  caBundle: "<ca.crt>"
+```
+
+ or you can provide these certificates while installing the kube-enforcer by providing them in flags.
 
-You also also use your own certificates without generating new ones for TLS authentication all we need is root CA certificate, certificate signed by CA and certificate key.
 
 ## Installing the Chart
 
@@ -61,7 +71,7 @@ git clone https://github.com/aquasecurity/kube-enforcer-helm.git
 ***Optional*** Update the Helm charts values.yaml file with your environment's custom values, registry secret, aqua console credentials & TLS certificates. This eliminates the need to pass the parameters to the helm command. Then run one of the commands below to install the relevant services.
 
 ```bash
-helm install <release_name> kube-enforcer --set imageCredentials.username=<registry-username>,imageCredentials.password=<registry-password>,certsSecret.serverCertificate="$(cat server.crt)",certsSecret.serverKey="$(cat server.key)",validatingWebhook.caBundle="$(cat ca.crt)"
+helm upgrade --install <RELEASE_NAME> --namespace aqua kube-enforcer --set imageCredentials.username=<registry-username>,imageCredentials.password=<registry-password>,certsSecret.serverCertificate="$(cat server.crt)",certsSecret.serverKey="$(cat server.key)",validatingWebhook.caBundle="$(cat ca.crt)"
 ```
 
 Optional flags:
@@ -71,21 +81,25 @@ Optional flags:
 --aquaSecret.kubeEnforcerToken           default to "" you can find the KubeEnforcer token from aqua csp under enforcers tab in default/custom KubeEnforcer group or you can manually approve KubeEnforcer authentication from aqua CSP under default/custom KubeEnforcer group in enforcers tab.
 ```
 
+## ClusterRole
+
+KubeEnforcer needs a dedicated clusterrole with **get, list, watch** permissions on **pods, secrets, nodes, namespaces, deployments, replicasets, replicationcontrollers, statefulsets, daemonsets, jobs, cronjobs, clusterroles, clusterrolebindings, componentstatuses** to perform discovery on the cluster.  
+
 ## Configurable Variables
 
 ### KubeEnforcer
 
 | Parameter                         | Description                          | Default                                                                      |
 | --------------------------------- | ------------------------------------ | ---------------------------------------------------------------------------- |
 | `imageCredentials.create`               | Set if to create new pull image secret    | `true`                                                                 |
-| `imageCredentials.name`               | Your Docker pull image secret name    | `aqua-image-pull-secret`                                                                   |
+| `imageCredentials.name`               | Your Docker pull image secret name    | `aqua-registry-secret`                                                                   |
 | `imageCredentials.username`               | Your Docker registry (DockerHub, etc.) username    | `N/A`                                                                   |
 | `imageCredentials.password`               | Your Docker registry (DockerHub, etc.) password    | `N/A`
 | `aquaSecret.kubeEnforcerToken`                           | Aqua KubeEnforcer token    | `N/A`
 | `certsSecret.serverCertificate`                           | Certificate for TLS authentication with Kubernetes api-server    | `N/A`
 | `certsSecret.serverKey`                           | Certificate key for TLS authentication with Kubernetes api-server    | `N/A`
 | `validatingWebhook.caBundle`                           | Root Certificate for TLS authentication with Kubernetes api-server   | `N/A`                                                 |
-| `envs.gatewayAddress`                          | Gateway host Address    | `aqua-gateway:8443`                                                     |
+| `envs.gatewayAddress`                          | Gateway host Address    | `aqua-gateway-svc:8443`                                                     |
 
 
 ## Issues and feedback

kube-enforcer/gen-certs.sh

@@ -0,0 +1,19 @@
+#!/bin/bash
+
+openssl genrsa -out ca.key 2048
+openssl req -x509 -new -nodes -key ca.key -days 100000 -out ca.crt -subj "/CN=admission_ca"
+
+cat >server.conf <<EOF
+[req]
+req_extensions = v3_req
+distinguished_name = req_distinguished_name
+[req_distinguished_name]
+[ v3_req ]
+basicConstraints = CA:FALSE
+keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+extendedKeyUsage = clientAuth, serverAuth
+EOF
+
+openssl genrsa -out server.key 2048
+openssl req -new -key server.key -out server.csr -subj "/CN=aqua-kube-enforcer.aqua.svc" -config server.conf
+openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt -days 100000 -extensions v3_req -extfile server.conf

kube-enforcer/values.yaml

@@ -2,7 +2,7 @@
 imageCredentials:
   # If aqua-registry already exists in the cluster. Make create to false. So it won't attempt to create a new registry secret. 
   create: true
-  name: csp-registry-secret # example
+  name: aqua-registry-secret # example
   repositoryUriPrefix: "registry.aquasec.com" # for dockerhub - "docker.io"
   registry: "registry.aquasec.com" #REQUIRED only if create is true, for dockerhub - "index.docker.io/v1/"
   username: ""
@@ -35,7 +35,7 @@ aquaSecret:
   kubeEnforcerToken: ""
 
 envs:
-  gatewayAddress: csp-gateway-svc:8443 
+  gatewayAddress: aqua-gateway-svc:8443 
 
 
 serviceAccount: