These are Helm charts for the deployment and maintenance of the Aqua Tenant Manager.
See Container registry credentials.
Aqua Security recommends implementing a highly available PostgreSQL database. By default, the Tenant Manager chart installs a PostgreSQL database and attaches it to persistent storage, which is suitable for proof-of-concept (POC) usage and testing. For production use, you can override this default and point the chart at an existing PostgreSQL database by setting the following variables in `values.yaml`:
```yaml
db:
  external:
    enabled: true
    name: example-aquasec
    host: aquasec-db
    port: 5432
    user: aquasec-db-username
    password: verysecret
```
Follow the steps in this section for production-grade deployments. You can either clone the aqua-helm GitHub repo or add our private Helm repository (https://helm.aquasec.com).

To install from a clone of the GitHub repository:

- Clone the GitHub repository with the charts:

```shell
$ git clone -b 5.3 https://github.com/aquasecurity/aqua-helm.git
$ cd aqua-helm/
```

- Deploy the Aqua Tenant Manager:

```shell
$ helm upgrade --install --namespace aqua tenant-manager ./tenant-manager --set imageCredentials.username=<>,imageCredentials.password=<>,platform=<>
```

To install from the Aqua Helm repository:

- Add the Aqua Helm repository:

```shell
$ helm repo add aqua-helm https://helm.aquasec.com
```

- Check the available chart versions, either in the Changelog or by running the command below:

```shell
$ helm search repo aqua-helm/tenant-manager --versions
```

- Deploy the Aqua Tenant Manager:

```shell
$ helm upgrade --install --namespace aqua tenant-manager aqua-helm/tenant-manager --set imageCredentials.username=<>,imageCredentials.password=<>,platform=<> --version <>
```
- By default, the Aqua Helm chart deploys a database container. If you wish to use an external database, set `db.external.enabled` to `true` and set the following to appropriate values:
  1. `db.external.name`
  2. `db.external.host`
  3. `db.external.port`
  4. `db.external.user`
  5. `db.external.password`
- By default, the same database (the packaged DB container, or a managed DB such as AWS RDS) hosts both the main DB and the audit DB. If you want to use a different database for the audit DB, set the following variables in `values.yaml`:
  1. `db.external.auditName`
  2. `db.external.auditHost`
  3. `db.external.auditPort`
  4. `db.external.auditUser`
  5. `db.external.auditPassword`
- If you are using the Aqua packaged DB container:
  - The `AQUA_ENV_SIZE` variable defines the size of your DB container in terms of the number of connections and optimized configuration (but not the PV size). Choose the appropriate PV size according to your requirements.
  - By default, `AQUA_ENV_SIZE` is set to `"S"`; the other allowed values are `"M"` and `"L"`.
By default, Aqua generates a self-signed certificate and uses it for HTTPS communication. If you wish to use your own SSL/TLS certificates, you can do this in two different ways:

- e.g., LoadBalancer (default): use the `AQUA_PUBLIC_KEY`, `AQUA_PRIVATE_KEY`, and `AQUA_ROOT_CA` environment variables to specify the TLS certificate paths, and make sure the TLS certificate is mounted into the container.
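The following `values.yaml` ties the external-DB, audit-DB and TLS options above together for a production deployment. It is an added example, not a file from the aqua-helm repository: the database passwords are taken from a Kubernetes Secret through `db.passwordFromSecret` instead of being written in clear text as in the `password: verysecret` snippet, and the Tenant Manager serves its own certificate from an existing Secret. The Secret names `aqua-db-credentials` and `tenant-manager-tls`, the keys `db-password` and `audit-password`, and the hostnames are placeholders of my choosing, and the assumption that `db.external.password` may be left out once `passwordFromSecret` is enabled is mine.

```yaml
# values-prod.yaml (added example; Secret names, keys and hostnames are placeholders)
#
# Create the Secrets first, in the release namespace, so the values file never
# carries a password and can be committed to version control:
#   kubectl -n aqua create secret generic aqua-db-credentials \
#     --from-literal=db-password='<main-db-password>' \
#     --from-literal=audit-password='<audit-db-password>'
#   kubectl -n aqua create secret tls tenant-manager-tls --cert=tls.crt --key=tls.key
#
# imageCredentials.username/password and platform are still passed with --set
# on the helm command line, as in the deployment commands above.

db:
  external:
    enabled: true                          # do not deploy the packaged Postgres container
    name: example-aquasec
    host: aquasec-db.example.internal      # placeholder: your HA PostgreSQL endpoint
    port: 5432
    user: aquasec-db-username
    # password: omitted on purpose; loaded from the Secret below (assumption: the
    # chart does not require db.external.password when passwordFromSecret is on)
    auditName: example-aquasec-audit       # separate audit DB, as described above
    auditHost: aquasec-audit-db.example.internal
    auditPort: 5432
    auditUser: aquasec-audit-username
  passwordFromSecret:
    enabled: true
    dbPasswordName: aqua-db-credentials    # placeholder Secret name
    dbPasswordKey: db-password             # placeholder key inside that Secret
    dbAuditPasswordName: aqua-db-credentials
    dbAuditPasswordKey: audit-password

tenantmanager:
  replicaCount: 2                          # more than one replica for availability
  service:
    type: LoadBalancer                     # the default; TLS terminates in the pod
  TLS:
    enabled: true                          # require HTTPS with your own certificate
    secretName: tenant-manager-tls         # placeholder: existing kubernetes.io/tls Secret
```

Because no credential is embedded in the file, the Secret objects can be managed by your normal secret-management tooling and rotated without re-rendering the chart values.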
| Parameter | Description | Default | Mandatory |
|---|---|---|---|
| `imageCredentials.create` | Whether to create a new image pull secret | true | YES |
| `imageCredentials.name` | Your Docker image pull secret name | aqua-registry-secret | YES |
| `imageCredentials.repositoryUriPrefix` | Repository URI prefix (for Docker Hub, set `docker.io`) | registry.aquasec.com | YES |
| `imageCredentials.registry` | Registry URL (for Docker Hub, `index.docker.io/v1/`) | registry.aquasec.com | YES |
| `imageCredentials.username` | Your Docker registry (Docker Hub, etc.) username | aqua-registry-secret | YES |
| `imageCredentials.password` | Your Docker registry (Docker Hub, etc.) password | unset | YES |
| `platform` | Orchestration platform (allowed values are aks, eks, gke, openshift, tkg, tkgi, k8s) | unset | YES |
| `rbac.enabled` | Whether to create RBAC configuration for Aqua | true | YES |
| `rbac.privileged` | Whether any container in a pod can enable privileged mode | true | NO |
| `rbac.roleRef` | Name of the RBAC role to use when it is not created by Helm | unset | NO |
| `admin.token` | Use this Aqua license token | unset | NO |
| `admin.password` | Use this Aqua admin password | unset | NO |
| `db.external.enabled` | Avoid installing the packaged DB (Postgres container); use an external database instead | false | YES |
| `db.external.name` | PostgreSQL DB name | unset | YES if `db.external.enabled` is set to true |
| `db.external.host` | PostgreSQL DB hostname | unset | YES if `db.external.enabled` is set to true |
| `db.external.port` | PostgreSQL DB port | unset | YES if `db.external.enabled` is set to true |
| `db.external.user` | PostgreSQL DB username | unset | YES if `db.external.enabled` is set to true |
| `db.external.password` | PostgreSQL DB password | unset | YES if `db.external.enabled` is set to true |
| `db.external.auditName` | PostgreSQL audit DB name | unset | NO |
| `db.external.auditHost` | PostgreSQL audit DB hostname | unset | NO |
| `db.external.auditPort` | PostgreSQL audit DB port | unset | NO |
| `db.external.auditUser` | PostgreSQL audit DB username | unset | NO |
| `db.external.auditPassword` | PostgreSQL audit DB password | unset | NO |
| `db.passwordFromSecret.enabled` | Enable to load DB passwords from Secrets | false | YES |
| `db.passwordFromSecret.dbPasswordName` | Password secret name | null | NO |
| `db.passwordFromSecret.dbPasswordKey` | Password secret key | null | NO |
| `db.passwordFromSecret.dbAuditPasswordName` | Audit password secret name | null | NO |
| `db.passwordFromSecret.dbAuditPasswordKey` | Audit password secret key | null | NO |
| `db.persistence.enabled` | If true, a PVC (persistent volume claim) will be created | true | NO |
| `db.persistence.accessModes` | Persistent volume access mode | ReadWriteOnce | NO |
| `db.persistence.size` | Persistent volume size | 30Gi | NO |
| `db.persistence.storageClass` | Persistent volume storage class | unset | NO |
| `db.image.repository` | Docker image name to use | database | NO |
| `db.image.tag` | Image tag to use | 5.3 | NO |
| `db.image.pullPolicy` | Kubernetes image pull policy | IfNotPresent | NO |
| `db.service.type` | Kubernetes service type | ClusterIP | NO |
| `db.resources` | Resource requests and limits | {} | NO |
| `db.nodeSelector` | Kubernetes node selector | {} | NO |
| `db.tolerations` | Kubernetes node tolerations | [] | NO |
| `db.affinity` | Kubernetes node affinity | {} | NO |
| `db.securityContext` | Security context for the container | nil | NO |
| `db.extraEnvironmentVars` | List of extra environment variables to set in the database deployments | {} | NO |
| `db.extraSecretEnvironmentVars` | List of extra environment variables to set in the database deployments; these variables take values from existing Secret objects | [] | NO |
| `tenantmanager.image.repository` | Docker image name to use | tenantmanager | NO |
| `tenantmanager.image.tag` | Image tag to use | 5.3 | NO |
| `tenantmanager.image.pullPolicy` | Kubernetes image pull policy | IfNotPresent | NO |
| `tenantmanager.service.type` | Kubernetes service type | LoadBalancer | NO |
| `tenantmanager.service.annotations` | Service annotations | {} | NO |
| `tenantmanager.service.ports` | Array of port settings | array | NO |
| `tenantmanager.replicaCount` | Replica count | 1 | NO |
| `tenantmanager.resources` | Resource requests and limits | {} | NO |
| `tenantmanager.nodeSelector` | Kubernetes node selector | {} | NO |
| `tenantmanager.tolerations` | Kubernetes node tolerations | [] | NO |
| `tenantmanager.affinity` | Kubernetes node affinity | {} | NO |
| `tenantmanager.ingress.enabled` | If true, an Ingress will be created | false | NO |
| `tenantmanager.ingress.annotations` | Ingress annotations | [] | NO |
| `tenantmanager.ingress.hosts` | Ingress hostnames | [] | NO |
| `tenantmanager.ingress.tls` | Ingress TLS configuration (YAML) | [] | NO |
| `tenantmanager.securityContext` | Security context for the container | nil | NO |
| `tenantmanager.TLS.enabled` | Whether to require secure channel communication | false | NO |
| `tenantmanager.TLS.secretName` | Certificates secret name | nil | NO |
| `tenantmanager.maintenance_db.name` | If configured to use a custom maintenance DB, specify the DB name | unset | NO |
| `tenantmanager.extraEnvironmentVars` | List of extra environment variables to set in the Tenant Manager deployments | {} | NO |
| `tenantmanager.extraSecretEnvironmentVars` | List of extra environment variables to set in the Tenant Manager deployments; these variables take values from existing Secret objects | [] | NO |
If you encounter any problems or would like to give us feedback on deployments, we encourage you to raise issues here on GitHub.