Merge branch '2022.4' into 2022.4-gw-sc-volumes
semyonmor authored May 9, 2024
2 parents bdda574 + c46acd8 commit 1143f51
Showing 26 changed files with 255 additions and 121 deletions.
22 changes: 11 additions & 11 deletions README.md
Expand Up @@ -27,13 +27,13 @@ This repository includes the following charts; they can be deployed separately:

| Chart | Description | Latest Chart Version |
|-------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------|----------------------|
| [Server](server/) | Deploys the Console, Database, and Gateway components; optionally deploys Envoy component | 2022.4.23 |
| [Enforcer](enforcer/) | Deploys the Aqua Enforcer daemonset | 2022.4.20 |
| [Server](server/) | Deploys the Console, Database, and Gateway components; optionally deploys Envoy component | 2022.4.24 |
| [Enforcer](enforcer/) | Deploys the Aqua Enforcer daemonset | 2022.4.21 |
| [Scanner](scanner/) | Deploys the Aqua Scanner deployment | 2022.4.7 |
| [KubeEnforcer](kube-enforcer/) | Deploys Aqua KubeEnforcer | 2022.4.42 |
| [Gateway](gateway) | Deploys the Aqua Standalone Gateway | 2022.4.14 |
| [KubeEnforcer](kube-enforcer/) | Deploys Aqua KubeEnforcer | 2022.4.43 |
| [Gateway](gateway) | Deploys the Aqua Standalone Gateway | 2022.4.14 |
| [Tenant-Manager](tenant-manager/) | Deploys the Aqua Tenant Manager | 2022.4.0 |
| [Cyber Center](cyber-center/) | Deploys Aqua CyberCenter offline for air-gap environment | 2022.4.4 |
| [Cyber Center](cyber-center/) | Deploys Aqua CyberCenter offline for air-gap environment | 2022.4.5 |
| [Cloud Connector](cloud-connector/) | Deploys the Aqua Cloud Connector | 2022.4.5 |
| [QuickStart](aqua-quickstart/) | Not for production use (see [below](#quick-start-deployment-not-for-production-purposes)). Deploys the Console, Database, Gateway and KubeEnforcer components | 2022.4.1 |
| [Codesec-Agent](codesec-agent/) | Argon Broker Deployment | 1.2.7 |
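Review bot: the Enforcer row is bumped to 2022.4.21, but enforcer/Chart.yaml in this same merge sets `version: "2022.4.22"` and enforcer/CHANGELOG.md adds a 2022.4.22 entry, so the table is already one release behind; the Codesec-Agent row likewise stays at 1.2.7 while codesec-agent/Chart.yaml moves to 1.2.8. Update both rows so the README and the packaged charts agree.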
Expand Down Expand Up @@ -79,12 +79,12 @@ Example output:
NAME CHART VERSION APP VERSION DESCRIPTION
aqua-helm/codesec-agent 1.2.7 2022.4 A Helm chart for the Argon Broker Deployment
aqua-helm/cloud-connector 2022.4.4 2022.4 A Helm chart for Aqua Cloud-Connector
aqua-helm/cyber-center 2022.4.4 2022.4 A Helm chart for Aqua CyberCenter
aqua-helm/enforcer 2022.4.20 2022.4 A Helm chart for the Aqua Enforcer
aqua-helm/kube-enforcer 2022.4.42 2022.4 A Helm chart for the Aqua KubeEnforcer Starboard
aqua-helm/gateway 2022.4.12 2022.4 A Helm chart for the Aqua Gateway
aqua-helm/scanner 2022.4.6 2022.4 A Helm chart for the Aqua Scanner CLI component
aqua-helm/server 2022.4.23 2022.4 A Helm chart for the Aqua Console components
aqua-helm/cyber-center 2022.4.5 2022.4 A Helm chart for Aqua CyberCenter
aqua-helm/enforcer 2022.4.21 2022.4 A Helm chart for the Aqua Enforcer
aqua-helm/kube-enforcer 2022.4.43 2022.4 A Helm chart for the Aqua KubeEnforcer Starboard
aqua-helm/gateway 2022.4.14 2022.4 A Helm chart for the Aqua Gateway
aqua-helm/scanner 2022.4.7 2022.4 A Helm chart for the Aqua Scanner CLI component
aqua-helm/server 2022.4.24 2022.4 A Helm chart for the Aqua Console components
aqua-helm/tenant-manager 2022.4.1 2022.4 A Helm chart for the Aqua Tenant Manager
```

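Review bot: the example output still lists codesec-agent 1.2.7 and enforcer 2022.4.21, which no longer match the Chart.yaml versions 1.2.8 and 2022.4.22 changed in this merge, and it disagrees with the table above on tenant-manager (2022.4.1 here, 2022.4.0 in the table) and cloud-connector (2022.4.4 here, 2022.4.5 in the table). Because this block is a hand-maintained copy of `helm search` output it drifts every release; either regenerate it as part of the version bump or drop the version column and point at the table.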
2 changes: 1 addition & 1 deletion codesec-agent/Chart.yaml
@@ -1,7 +1,7 @@
apiVersion: v2
name: codesec-agent
description: A Helm chart for Aqua supply chain security
version: "1.2.7"
version: "1.2.8"
icon: https://avatars3.githubusercontent.com/u/12783832?s=200&v=4
home: https://www.aquasec.com
maintainers:
117 changes: 117 additions & 0 deletions codesec-agent/templates/connect/remediation-deployment.yaml
@@ -0,0 +1,117 @@
{{ if .Values.remediation.enabled }}
{{- $v := .Values.remediation }}
{{- $name := printf "%s-%s" (include "chart.fullname" . ) "remediation" }}
apiVersion: apps/v1
kind: Deployment
metadata:
name: {{ $name }}
labels:
app.kubernetes.io/name: {{ $name }}
app.kubernetes.io/instance: {{ .Release.Name }}
spec:
replicas: {{ .Values.remediation.replicas }}
selector:
matchLabels:
app.kubernetes.io/name: {{ $name }}
app.kubernetes.io/instance: {{ .Release.Name }}
template:
metadata:
labels:
app.kubernetes.io/name: {{ $name }}
app.kubernetes.io/instance: {{ .Release.Name }}
{{ include "common.podLabels" . | indent 8 }}
spec:
{{- with .Values.connect.hostAliases }}
hostAliases:
{{- toYaml . | nindent 8 }}
{{- end }}
containers:
- name: {{ $name }}
image: {{ $v.image }}
imagePullPolicy: {{ $v.pullPolicy }}
env:
- name: SCANNER_SERVER
value: {{ .Values.global.scanServerUrl }}
- name: CSPM_SERVER_URL
value: {{ .Values.global.cspmServerUrl }}
- name: AQUA_SERVER_URL
value: {{ .Values.global.aquaServerUrl }}
- name: PORT
value: {{ $v.port | quote }}
- name: SOURCE
value: {{ .Values.integration.source }}
- name: SCM_URL
value: {{ .Values.integration.url }}
{{- if .Values.global.brokerToken }}
- name: BROKER_TOKEN
value: {{ .Values.global.brokerToken }}
{{- end }}

{{- if .Values.ssl.enabled }}
{{- if .Values.ssl.ca }}
- name: CA_CERT # Path to file
value: /home/node/ca.pem
{{- end }}
{{- if .Values.ssl.cert }}
- name: HTTPS_CERT # Path to file
value: /home/node/cert.pem
{{- end }}
{{- if .Values.ssl.key }}
- name: HTTPS_KEY # Path to file
value: /home/node/key.pem
{{- end }}
{{- end }}

{{- range $key, $value := .Values.proxy }}
- name: {{ $key }}
value: {{ $value }}
{{- end }}

{{- range $key, $value := .Values.remediation.extraEnv }}
- name: {{ $key }}
value: "{{ $value }}"
{{- end }}
envFrom:
- secretRef:
name: {{ template "secretName" . }}

resources:
{{- toYaml $v.resources | indent 12 }}

{{- if .Values.ssl.enabled }}
volumeMounts:
- name: ssl-secrets
mountPath: "/home/node"
{{- end }}
{{- if .Values.ssl.enabled }}
volumes:
- name: ssl-secrets
secret:
secretName: {{ template "secretName" . }}
items:
{{- if .Values.ssl.ca }}
- key: ssl-ca-certificate
path: ca.pem
{{- end }}
{{- if .Values.ssl.cert }}
- key: ssl-certificate
path: cert.pem
{{- end }}
{{- if .Values.ssl.key }}
- key: ssl-key
path: key.pem
{{- end }}
{{- end }}
{{- with $v.nodeSelector }}
nodeSelector:
{{ toYaml . | indent 8 }}
{{- end }}
{{- with $v.affinity }}
affinity:
{{ toYaml . | indent 8 }}
{{- end }}
{{- with $v.tolerations }}
tolerations:
{{ toYaml . | indent 8 }}
{{- end }}
{{- end }}
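Review bot: the pod spec reads `{{- with .Values.connect.hostAliases }}` while values.yaml in this merge adds `remediation.hostAliases`, so the new key is never consumed and the remediation pod silently inherits the connect component's host aliases; this should be `$v.hostAliases`. Two smaller points: `BROKER_TOKEN` is written as a literal `value:` from `.Values.global.brokerToken`, which puts the token into the rendered manifest and into `kubectl get deploy -o yaml` output even though the container already receives `envFrom: secretRef: {{ template "secretName" . }}`; if the token is in that Secret, source it with `valueFrom.secretKeyRef` instead. And the URL and proxy values (`SCANNER_SERVER`, `CSPM_SERVER_URL`, `AQUA_SERVER_URL`, `SCM_URL`, `{{ $value }}` in the proxy range) are emitted unquoted while `PORT` and `extraEnv` are quoted; a value containing `: ` or `#` would break the YAML, so pipe them all through `| quote`. The container also declares no `securityContext`, which is at odds with the non-root change made to cyber-center in the same merge.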
12 changes: 12 additions & 0 deletions codesec-agent/values.yaml
Expand Up @@ -87,3 +87,15 @@ scan:
tolerations: {}
hostAliases:
extraEnv: {}

remediation:
enabled: false
image: docker.io/aquasec/codesec-remediation:latest
pullPolicy: Always
replicas: 1
resources: {}
nodeSelector: {}
affinity: {}
tolerations: {}
hostAliases:
extraEnv: {}
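Review bot: the template renders `PORT` from `$v.port | quote`, but no `port` default is added under `remediation:`, so with these defaults the env var renders as `PORT: ""`; add a `port:` default here or drop the env var. `image: docker.io/aquasec/codesec-remediation:latest` combined with `pullPolicy: Always` pulls whatever `latest` points at on every pod start, so two replicas can end up running different builds and a rollback cannot reproduce the previous state; pin the tag to a released version and let users override it. `resources: {}` also leaves the pod with no requests or limits.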
3 changes: 3 additions & 0 deletions cyber-center/CHANGELOG.md
Expand Up @@ -2,6 +2,9 @@

All notable changes to this project will be documented in this file.

## 2022.4.5 ( Apr 3rd, 2024 )
* remove ocp scc and root user for cc
* Add non-root user in security context
## 2022.4.4 ( Mar 29th, 2024 )
* Add Openshift scc
## 2022.4.3 ( Jan 8th, 2024 )
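Review bot: the two bullets describe one change from different angles, and neither says what it means for users: the OpenShift SCC template is deleted and the `platform` value is removed, so OpenShift deployments that relied on the chart-created SCC now need one granted outside the chart, and a values file still setting `platform: openshift` is silently ignored. State that as a breaking change so the upgrade note is findable, and spell out "ocp scc" and "cc" rather than abbreviating; a ticket reference in the style the enforcer changelog uses would help too.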
2 changes: 1 addition & 1 deletion cyber-center/Chart.yaml
Expand Up @@ -2,7 +2,7 @@ apiVersion: v1
name: cyber-center
description: A Helm chart for Aqua CyberCenter
appVersion: "2022.4"
version: "2022.4.4"
version: "2022.4.5"
icon: https://avatars3.githubusercontent.com/u/12783832?s=200&v=4
home: https://www.aquasec.com/
maintainers:
3 changes: 0 additions & 3 deletions cyber-center/templates/cybercenter-deployment.yaml
Expand Up @@ -49,9 +49,6 @@ spec:
{{- end }}
image: "{{ .Values.imageCredentials.repositoryUriPrefix }}/{{ .Values.image.repository }}:{{ .Values.image.tag }}"
imagePullPolicy: "{{ .Values.image.pullPolicy }}"
securityContext:
privileged: false
runAsUser: 0
args:
{{- range $port := .Values.service.ports }}
- --address=:{{ $port.targetPort }}
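Review bot: dropping the explicit `runAsUser: 0` is the right direction, but the container is now left with no securityContext at all and relies entirely on the pod-level `securityContext` defaults in values.yaml, which a user can override back to root. If `container_securityContext` (still `{}` in values.yaml) is rendered into this container, give it hardening defaults such as `runAsNonRoot: true`, `allowPrivilegeEscalation: false` and `capabilities: {drop: [ALL]}` so the non-root intent is enforced by the kubelet rather than by convention.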
39 changes: 0 additions & 39 deletions cyber-center/templates/cybercenter-openshift-scc.yaml

This file was deleted.

9 changes: 5 additions & 4 deletions cyber-center/values.yaml
Expand Up @@ -10,9 +10,6 @@ imageCredentials:
username: ""
password: ""

# For Openshift platforms use platform: openshift
platform: ""

serviceaccount:
# make it to true to create service-account
create: false
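Review bot: removing `platform` changes the chart's public interface without any signal to users; Helm does not reject unknown keys, so a values file that still sets `platform: openshift` renders exactly as before and produces no error. Either keep the key with a comment that it is no longer used, or make the template `fail` when it is set, and record the removal in the CHANGELOG entry for 2022.4.5.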
Expand Down Expand Up @@ -47,8 +44,12 @@ resources: {}
# cpu: 2000m
# memory: 2Gi

securityContext:
runAsUser: 11431
runAsGroup: 11433
fsGroup: 11433

tolerations: []
securityContext: {}
container_securityContext: {}
deploymentAnnotations: {}
# my-annotation-key: my value; more value
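Review bot: the new pod-level `securityContext` fixes the UID and GID but does not set `runAsNonRoot: true`; adding it next to `runAsUser: 11431` makes the kubelet refuse to start the container if it would run as UID 0 (for example after a user overrides `runAsUser` away), instead of silently running as root. A short comment above the block saying that `fsGroup: 11433` is what gives the non-root process write access to mounted volumes would also save the next reader a lookup.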
4 changes: 4 additions & 0 deletions enforcer/CHANGELOG.md
@@ -1,5 +1,9 @@
# Changelog
All notable changes to this project will be documented in this file.
## 2022.4.22 ( Apr 30th, 2024 )
* SLK-79144 - Support gke-autopilot platform
## 2022.4.21 ( Apr 3rd, 2024 )
* SLK-77315 - Support AKS 1.28
## 2022.4.20 ( Jan 8th, 2024 )
* SLK-73499 - Add robustness to removal of windows-enforcer
## 2022.4.19 ( Jan 3rd, 2024 )
2 changes: 1 addition & 1 deletion enforcer/Chart.yaml
Expand Up @@ -2,7 +2,7 @@ apiVersion: v1
appVersion: "2022.4"
description: A Helm chart for the Aqua Enforcer
name: enforcer
version: "2022.4.20"
version: "2022.4.22"
icon: https://avatars3.githubusercontent.com/u/12783832?s=200&v=4
home: https://www.aquasec.com/
maintainers:
2 changes: 1 addition & 1 deletion enforcer/README.md
Expand Up @@ -163,7 +163,7 @@ Parameter | Description | Default| Mandatory
`serviceAccount.create` | enable to create serviceaccount | `false`| `YES - New cluster`
`serviceAccount.name` | service acccount name | `aqua-sa`| `NO`
`clusterRole.roleRef` | cluster role reference name for cluster rolebinding| `unset`| `NO`
`platform` | Orchestration platform name (Allowed values are aks, eks, gke, openshift, tkg, tkgi, k8s, rancher, gs, k3s) | `unset`| `YES`
`platform` | Orchestration platform name (Allowed values are aks, eks, gke, gke-autopilot, openshift, tkg, tkgi, k8s, rancher, gs, k3s) | `unset`| `YES`
`vaultSecret.enable` | Enable to true once you have secrets in vault and annotations are enabled to load enforcer token from hashicorp vault | `false`| `No` |
`vaultSecret.vaultFilepath` | Change the path to "/vault/secrets/<filename>" as per the setup | ` ` | `NO`
`enforcerToken` | enforcer token value | `enforcer-token` | `YES` if `enforcerTokenSecretName` is set to null
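Review bot: `gke-autopilot` now does more than select a platform; through the new `varLibPrefix` helper it moves every hostPath and `AQUA_INSTALL_PATH` from `/var/lib` to `/var/autopilot/addon`, so the Description cell should say so rather than only listing the value. The context row above it still reads "service acccount" (three c's).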
12 changes: 12 additions & 0 deletions enforcer/templates/_helpers.tpl
Expand Up @@ -147,4 +147,16 @@ Create chart name and version as used by the chart label.
*/}}
{{- define "aqua.chart" -}}
{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
{{- end -}}

{{/*
Set /var/lib path
For gke-autopilot should be /var/autopilot/addon
*/}}
{{- define "varLibPrefix" -}}
{{- if eq .Values.global.platform "gke-autopilot" -}}
{{- printf "%s" "/var/autopilot/addon" -}}
{{- else -}}
{{- printf "%s" "/var/lib" -}}
{{- end -}}
{{- end -}}
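Review bot: the helper compares `.Values.global.platform`, while enforcer/README.md documents the parameter as top-level `platform`; confirm these resolve to the same key (the configmap hunk also uses `.Values.global.platform`), otherwise a user following the README gets `/var/lib` on Autopilot with no error. Also `printf "%s" "/var/autopilot/addon"` is just the string itself; `{{- "/var/autopilot/addon" -}}` reads cleaner, and exposing the prefix as a value with this as the Autopilot default would let other restricted-host platforms reuse it without another branch.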
5 changes: 5 additions & 0 deletions enforcer/templates/enforcer-configmap.yaml
Expand Up @@ -15,7 +15,12 @@ data:
{{- else }}
AQUA_SERVER: {{ .Values.global.gateway.address | default "aqua-gateway-svc" }}:{{ .Values.global.gateway.port | default "8443" }}
{{- end }}
{{- if eq .Values.global.platform "gke-autopilot" }}
AQUA_INSTALL_PATH: "/var/autopilot/addon/aquasec"
AQUA_PRODUCT_PATH: "/var/autopilot/addon/aquasec"
{{- else }}
AQUA_INSTALL_PATH: "/var/lib/aquasec"
{{- end }}
{{- if .Values.hostRunPath }}
AQUA_HOST_RUN_PATH: {{ .Values.hostRunPath | quote }}
{{- end }}
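Review bot: the gke-autopilot branch sets both `AQUA_INSTALL_PATH` and `AQUA_PRODUCT_PATH`, but the else branch sets only `AQUA_INSTALL_PATH`; if `AQUA_PRODUCT_PATH` defaults inside the enforcer to `/var/lib/aquasec` that is fine but deserves a comment, and if it does not, the default branch is missing it. Either way the literal path strings duplicate the `varLibPrefix` helper added in _helpers.tpl; `AQUA_INSTALL_PATH: "{{ template "varLibPrefix" . }}/aquasec"` keeps one source of truth.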
12 changes: 6 additions & 6 deletions enforcer/templates/enforcer-daemonset.yaml
Expand Up @@ -150,7 +150,7 @@ spec:
name: aquasec-audit
- mountPath: /data
name: aquasec-data
- mountPath: /var/lib/containers
- mountPath: {{ template "varLibPrefix" . }}/containers
name: containers
{{- if .Values.healthMonitor.enabled }}
{{- with .Values.livenessProbe }}
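Review bot: this changes the in-container `mountPath`, not just the host path; on gke-autopilot the enforcer will see the containers directory at `/var/autopilot/addon/containers` instead of `/var/lib/containers`. That is only correct if the enforcer derives that location from the new `AQUA_INSTALL_PATH`/`AQUA_PRODUCT_PATH` rather than hardcoding `/var/lib/containers`; if it hardcodes it, keep `mountPath: /var/lib/containers` and apply the prefix only to the `hostPath` in the volumes hunk.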
Expand Down Expand Up @@ -220,22 +220,22 @@ spec:
type: ""
- name: aquasec
hostPath:
path: /var/lib/aquasec
path: {{ template "varLibPrefix" . }}/aquasec
type: ""
- name: aquasec-tmp
hostPath:
path: /var/lib/aquasec/tmp
path: {{ template "varLibPrefix" . }}/aquasec/tmp
type: ""
- name: aquasec-audit
hostPath:
path: /var/lib/aquasec/audit
path: {{ template "varLibPrefix" . }}/aquasec/audit
- name: aquasec-data
hostPath:
path: /var/lib/aquasec/data
path: {{ template "varLibPrefix" . }}/aquasec/data
type: ""
- name: containers
hostPath:
path: /var/lib/containers
path: {{ template "varLibPrefix" . }}/containers
type: ""

{{- if .Values.hostRunPath }}
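Review bot: all five hostPaths now take the prefix, but `aquasec-audit` is still the only one without a `type:` line (pre-existing, visible at the `/aquasec/audit` entry); add `type: ""` for consistency or, better, give all of them an explicit `type: DirectoryOrCreate` so the kubelet creates the Autopilot path when it is absent and the pod fails clearly if the path is not a directory.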
0 comments on commit 1143f51