Overview

This page contains instructions for deploying Aqua Enterprise in a Kubernetes cluster, using the Helm package manager.

Refer to the Aqua Enterprise product documentation for the broader context: Kubernetes with Helm Charts.

Helm charts

This repository includes the following charts; they can be deployed separately:

Chart	Description
Server	Deploys the Console, Database, and Gateway components; optionally deploys the Scanner and Envoy components
Enforcer	Deploys the Aqua Enforcer daemonset
Scanner	Deploys the Aqua Scanner deployment
KubeEnforcer	Deploys the Aqua KubeEnforcer
QuickStart	Not for production use (see below). Deploys the Console, Database, Gateway, and KubeEnforcer components

Deployment instructions

Aqua Enterprise deployments include the following components:

Server (Console, Database, and Gateway)
Enforcer
KubeEnforcer
Scanner

Follow the steps in this section for production-grade deployments. You can either clone the aqua-helm git repo or you can add our Helm private repository (https://helm.aquasec.com).

(Optional) Add the Aqua Helm repository

Add the Aqua Helm repository to your local Helm repos by executing the following command:

$ helm repo add aqua-helm https://helm.aquasec.com

Search for all components of the latest version in our Aqua Helm repository

For Helm 2.x

$ helm search aqua-helm
# Examples
$ helm search aqua-helm --versions
$ helm search aqua-helm --version 5.3.0

For Helm 3.x

$ helm search repo aqua-helm
# Examples
$ helm search repo aqua-helm --versions
$ helm search repo aqua-helm --version 5.3.0

Example output:

NAME                      CHART VERSION       APP VERSION         DESCRIPTION
aqua-helm/enforcer        5.3.0               5.3                 A Helm chart for the Aqua Enforcer
aqua-helm/scanner         5.3.0               5.3                 A Helm chart for the Aqua Scanner CLI component
aqua-helm/server          5.3.0               5.3                 A Helm chart for the Aqua Console components
aqua-helm/kube-enforcer   5.3.0               5.3                 A Helm chart for the Aqua KubeEnforcer

Deploy the Helm charts

Create the aqua namespace.

$ kubectl create namespace aqua

Deploy the Server chart.
Deploy the Enforcer chart.
Deploy the KubeEnforcer chart.
(Optional) Deploy the Scanner chart.
(For multi-cluster) Deploy the Gateway chart.

Troubleshooting

This section not all-inclusive. It describes some common issues that we have encountered during deployments.

Error 1

Error message: UPGRADE/INSTALL FAILED, configmaps is forbidden.
Example:

Error: UPGRADE FAILED: configmaps is forbidden: User "system:serviceaccount:kube-system:default" cannot list configmaps in the namespace "kube-system"

Solution: Create a service account for Tiller to utilize.

kubectl create serviceaccount --namespace kube-system tiller
kubectl create clusterrolebinding tiller-cluster-rule --clusterrole=cluster-admin --serviceaccount=kube-system:tiller
kubectl patch deploy --namespace kube-system tiller-deploy -p '{"spec":{"template":{"spec":{"serviceAccount":"tiller"}}}}'
helm init --service-account tiller --upgrade

Error 2

Error message: No persistent volumes available for this claim and no storage class is set.
Solution: Most managed Kubernetes deployments do NOT include all possible storage provider variations at setup time. Refer to the official Kubernetes guidance on storage classes for your platform. For more information see the storage documentation.

Error 3

Error message: When executing kubectl get events -n aqua you might encounter either No persistent volumes available for this claim and no storage class is set or PersistentVolumeClaim is not bound.
Solution: If you encounter either of these errors, you need to create a persistent volume prior to chart deployment with a generic or existing storage class. Specify db.persistence.storageClass in the values.yaml file. A sample file using aqua-storage is included in the repo.

$ kubectl apply -f pv-example.yaml

Quick-start deployment (not for production purposes)

Quick-start deployments are fast and easy. They are intended for deploying Aqua Enterprise for non-production purposes, such as proofs-of-concept (POCs) and environments intended for instruction, development, and test.

Use the aqua-quickstart chart to

Clone the GitHub repository

$ git clone https://github.com/aquasecurity/aqua-helm.git
$ cd aqua-helm/

Create the aqua namespace.

$ kubectl create namespace aqua

Deploy aqua-quickstart chart

$ helm upgrade --install --namespace aqua aqua ./aqua-quickstart --set imageCredentials.username=<>,imageCredentials.password=<>

Issues and feedback

If you encounter any problems or would like to give us feedback on deployments, we encourage you to raise issues here on GitHub.

Project Name	Stars	Packages Using This	Most Recent Commit	Total Releases	Latest Release	Open Issues	License	Language
Helm	23,989	577	a day ago	289	September 12, 2022	620	apache-2.0	Go
The Kubernetes Package Manager
Lens	20,834		a day ago			885	other	TypeScript
Lens - The way the world runs Kubernetes
Charts	15,483		a year ago			1	apache-2.0	Go
⚠️(OBSOLETE) Curated applications for Kubernetes
Charts	6,919		a day ago			160	apache-2.0	Mustache
Bitnami Helm Charts
Helm Charts	3,695		a day ago			131	apache-2.0	Mustache
Prometheus community Helm charts
Arkade	3,385	2	14 hours ago	31	April 24, 2021	76	mit	Go
Open Source Marketplace For Developer Tools
Chartmuseum	3,134	2	a day ago	42	June 30, 2022	101	apache-2.0	Go
Host your own Helm Chart Repository
Awesome Apache Airflow	3,060		7 months ago			2		Shell
Curated list of resources about Apache Airflow
Spark On K8s Operator	2,293	21	2 days ago	18	April 24, 2021	454	apache-2.0	Go
Kubernetes operator for managing the lifecycle of Apache Spark applications on Kubernetes.
Kube Linter	2,247	1	3 days ago	14	June 29, 2022	70	apache-2.0	Go
KubeLinter is a static analysis tool that checks Kubernetes YAML files and Helm charts to ensure the applications represented in them adhere to best practices.

Aqua Helm