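global:
  # Kubernetes platform acronym. Allowed values: aks, eks, gke, openshift, tkg, tkgi, k8s,
  # rancher, gs, k3s, mke
  #   aks       = Azure Kubernetes Service
  #   eks       = Amazon Elastic Kubernetes Service
  #   gke       = Google Kubernetes Engine
  #   openshift = Red Hat OpenShift/OCP
  #   tkg       = VMware Tanzu Kubernetes Grid
  #   tkgi      = VMware Tanzu Kubernetes Grid Integrated Edition
  #   k8s       = plain/on-prem vanilla Kubernetes
  #   rancher   = Rancher Kubernetes Platform
  #   gs        = Giant Swarm platform
  #   k3s       = k3s Kubernetes platform
  #   mke       = Mirantis Kubernetes Engine
  platform: ""
  enforcer:
    # presumably toggles deployment of the Aqua Enforcer DaemonSet configured under the
    # top-level `enforcer` section — confirm in the templates
    enabled: false
  gateway:
    # Gateway endpoint the KubeEnforcer connects to. For SaaS, use the hostname containing
    # `-gw` from your onboarding email and switch the port to 443.
    address: aqua-gateway-svc.aqua
    port: 8443
  # Secret data for the imagePullSecrets used to fetch the private Aqua images
  imageCredentials:
    # create=false and name not set -> the secret aqua-registry-secret created by the
    #                                  aqua-server chart is used
    # create=false and name set     -> the named secret is used; it must be created manually
    #                                  before the chart is deployed
    # create=true  and name not set -> a secret named <Chart ReleaseName>-registry-secret is created
    # create=true  and name set     -> a secret with the given name is created
    create: false
    name: "aqua-registry"
    repositoryUriPrefix: "registry.aquasec.com"  # for Docker Hub: "docker.io"
    # REQUIRED only when create is true; for Docker Hub: "index.docker.io/v1/"
    registry: "registry.aquasec.com"
    # Registry credentials, used only when create is true. Prefer create=false with a
    # pre-created secret over committing credentials to this file.
    username: ""
    password: ""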
# serviceAccount.create=false and name not set -> the existing serviceAccount
#   aqua-kube-enforcer-sa is used; it must be created manually before the chart is deployed
# serviceAccount.create=false and name set     -> the named serviceAccount is used; it must be
#   created manually before the chart is deployed
# serviceAccount.create=true  and name not set -> a serviceAccount named
#   <Chart ReleaseName>-sa is created
# serviceAccount.create=true  and name set     -> a serviceAccount with the given name is created
serviceAccount:
  create: true
  name: ''
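# Number of KubeEnforcer replicas
ke_ReplicaCount: "1"
# Enable/disable the cache; accepted values are "yes", "true", "no", "false"
aqua_enable_cache: "yes"
# Cache expiration period; the default is 60
aqua_cache_expiration_period: "60"
# KubeEnforcer image
image:
  repository: "kube-enforcer"
  tag: "2022.4"
  pullPolicy: Always
# Custom registry for the MicroEnforcer and kube-bench images.
# By default the KubeEnforcer image registry and its image pull secret are used.
me_ke_custom_registry:
  enable: false  # set to true to pull the MicroEnforcer and kube-bench images from a custom registry
  registry: ""  # custom registry holding the MicroEnforcer and kube-bench images
  imagePullSecretName: ""  # image pull secret for the custom registry
# MicroEnforcer image
microEnforcerImage:
  repository: "microenforcer"  # default MicroEnforcer repository name in the Aqua registry
  tag: "2022.4"
# kube-bench image
kubebenchImage:
  repository: "aquasec/kube-bench"  # default kube-bench repository name in the Aqua registry
  tag: "v0.6.15"
# Enable/disable kube-bench scanning on tainted nodes
kubeBench:
  scanTainted: "true"
nameOverride: "aqua-kube-enforcer"
fullnameOverride: "aqua-kube-enforcer"
# Cluster name shown in the Infrastructure tab of Aqua Enterprise.
# Follow https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#dns-label-names
# for naming conventions.
clusterName: "Default-cluster-name"
logicalName: ""
logLevel: ""
# Comma-separated node labels of nodes on which kube-bench is skipped: key1=val1,key2=val2,...
skipNodes: ""
# presumably the pod dnsConfig `ndots` option; unset (null) by default — confirm in the templates
dnsNdots: null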
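# Set create to false to use an existing secret for the KubeEnforcer certificates.
# If certsSecret.create=true and certsSecret.name is set, provide certsSecret.serverCertificate,
# certsSecret.serverKey and webhooks.caBundle base64-encoded; a TLS secret for the connection
# from kube-apiserver is then created.
# To use auto-generated self-signed certificates set certsSecret.autoGenerate=true; all required
# self-signed certificates are created and stored in the secret named certsSecret.name.
# Note that if a TLS secret with that name already exists in the cluster and
# certsSecret.autoGenerate is enabled, the upgrade fails with:
#   Error: UPGRADE FAILED: error validating "": error validating data: unknown object type "nil" in Secret.data.ca.crt
# To recover, delete the previously created secret: kubectl delete secret aqua-kube-enforcer-certs -n aqua
certsSecret:
  autoGenerate: false
  create: true
  annotations: {}
  # When using existing certificates, set this to the name of the existing secret
  name: "aqua-kube-enforcer-certs"
  # Base64-encoded server certificate and private key, used when create=true and
  # autoGenerate=false. Prefer referencing a pre-created secret (create=false) over
  # placing key material in this file.
  serverCertificate: ""
  serverKey: ""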
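# HashiCorp Vault is a secrets management tool. The vaultSecret and vaultAnnotations sections
# configure the Vault agent sidecar/init-container that loads the enforcer token, so the token
# does not have to be stored in this file.
vaultSecret:
  enabled: false  # set to true once the token is in Vault and the annotations below are enabled
  vaultFilepath: ""  # path the agent renders the token to, e.g. "/vault/secrets/<filename>"
# HashiCorp Vault annotations enabling the sidecar/init-container Vault agent that loads the
# enforcer token. Example annotations for a self-hosted Vault server:
vaultAnnotations: {}
  ####
  # vault.hashicorp.com/agent-inject: "true"
  # vault.hashicorp.com/agent-inject-status: update
  # vault.hashicorp.com/agent-pre-populate-only: 'false'  # set to true to run the Vault agent as an init-container only, without the sidecar
  # vault.hashicorp.com/role: "kube-enforcer"  # the role used by the Vault agent auto-auth
  # vault.hashicorp.com/agent-inject-secret-kube-enforcer-token: ""  # your Vault secret path, e.g. `aqua-path/data/aqua-enforcer/token`
  # vault.hashicorp.com/agent-inject-template-kube-enforcer-token: |
  #   {{- with secret "aqua-path/data/kube-enforcer/token" -}}
  #   export AQUA_TOKEN="{{ .Data.data.token}}"
  #   {{- end -}}
  ####
  # Change the Vault secret path to match your setup
# Enforcer token secret, exposed to the KubeEnforcer as an environment variable
aquaSecret:
  create: true
  name: "aqua-kube-enforcer-token"
  # Enforcer token generated in the Console UI, in clear text without quotes; used only when
  # `aquaSecret.create: true`. The default is a placeholder, not a usable token. To keep the
  # token out of this file, presumably set create: false and point name at a pre-created
  # secret (confirm in the templates), or use vaultSecret above.
  kubeEnforcerToken: ke-token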
# RBAC object names for the KubeEnforcer
clusterRole:
  name: 'aqua-kube-enforcer'
  # presumably adds the permissions needed for Pod Enforcer injection — confirm in the templates
  usingPodEnforcer: true
clusterRoleBinding:
  name: 'aqua-kube-enforcer'
role:
  name: 'aqua-kube-enforcer'
roleBinding:
  name: 'aqua-kube-enforcer'
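webhooks:
  # Set to true when cert-manager issues the webhook certificate; caBundle is then not needed
  certManager: false
  # Base64 value of the CA certificate / CA bundle / root CA that signed the server
  # certificate, required when the certificates do not come from cert-manager
  caBundle: ""
  # Admission failure policy. `Ignore` fails open: if the KubeEnforcer webhook is unreachable
  # or exceeds its timeout, the API server admits the request without enforcement. `Fail`
  # fails closed, enforcing strictly but rejecting admission whenever the webhook is
  # unavailable (including during KubeEnforcer upgrades).
  failurePolicy: Ignore
  validatingWebhook:
    name: "kube-enforcer-admission-hook-config"
    # seconds the API server waits for the webhook before applying failurePolicy
    timeout: 2
    annotations: {}
  mutatingWebhook:
    name: "kube-enforcer-me-injection-hook-config"
    timeout: 2
    annotations: {}
      # With webhooks.certManager=true add the cert-manager annotation so the CA is injected:
      # cert-manager.io/inject-ca-from: < namespace >/< certsSecret.name >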
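# Pod-level security context for the KubeEnforcer deployment
securityContext:
  runAsUser: 11431
  runAsGroup: 11433
  fsGroup: 11433
# Container-level security context; empty by default. The restrictive settings used for
# starboard.container_securityContext in this file (no privilege escalation, read-only root
# filesystem, drop ALL capabilities) are a reasonable starting point if the KubeEnforcer
# image runs correctly with them.
container_securityContext: {}
readinessProbe:
  httpGet:
    path: /readyz
    port: 8080
  initialDelaySeconds: 60
  periodSeconds: 30
livenessProbe:
  httpGet:
    path: /healthz
    port: 8080
  initialDelaySeconds: 60
  periodSeconds: 30
## For KubeEnforcer version < 6.5.22052 or version != latest use the TCP probes below
## instead of the HTTP probes above:
## livenessProbe:
##   tcpSocket:
##     port: 8080
##   initialDelaySeconds: 60
##   periodSeconds: 30
##
## readinessProbe:
##   tcpSocket:
##     port: 8080
##   initialDelaySeconds: 60
##   periodSeconds: 30
resources: {}
# Note: for recommendations see the official sizing guide.
# requests:
#   cpu: 250m
#   memory: 0.2Gi
# limits:
#   cpu: 500m
#   memory: 1.5Gi
nodeSelector: {}
tolerations: []
podAnnotations: {}
podLabels: {}
affinity: {}
podDisruptionBudget:
  minAvailable: 1
priorityClass:
  create: false
  name: ""
  preemptionPolicy: "PreemptLowerPriority"
  value: 1000000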
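# TLS/mTLS between the KubeEnforcer and the gateway/envoy
TLS:
  # set to true for secure communication
  enabled: false
  # name of the secret holding the certificates for TLS/mTLS between enforcer and gateway/envoy
  secretName: ""
  # filename of the public key in the secret, e.g. aqua_web.crt
  publicKey_fileName: ""
  # filename of the private key in the secret, e.g. aqua_web.key
  privateKey_fileName: ""
  # filename of the root CA, when using self-signed certificates, e.g. rootCA.crt
  rootCA_fileName: ""
  # set to true to enable mTLS between enforcer and gateway/envoy. With false the peer
  # certificate is presumably not verified even when enabled is true — confirm in the templates.
  tls_verify: false
# extraEnvironmentVars: extra environment variables set in the KubeEnforcer deployment
# https://docs.aquasec.com/docs/kubeenforcer-variables
# They can be provided in this file as shown below or on the CLI, for example:
#   --set extraEnvironmentVars.http_proxy="1.1.1.1",extraEnvironmentVars.https_proxy="2.2.2.2"
extraEnvironmentVars: {}
  # http_proxy: < >
  # https_proxy: < >
  # no_proxy: < >
  # ENV_NAME: value
# extraSecretEnvironmentVars: extra environment variables set in the KubeEnforcer deployment
# whose values come from existing Secret objects
extraSecretEnvironmentVars: []
  # - envName: ENV_NAME
  #   secretName: name
  #   secretKey: key
# extraVolumeMounts: extra volume mounts added to the KubeEnforcer container's filesystem
extraVolumeMounts: []
# extraVolumes: extra volumes made available to the KubeEnforcer deployment
extraVolumes: []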
# Starboard operator deployed alongside the KubeEnforcer
starboard:
  enabled: true
  replicaCount: '1'
  appName: 'starboard-operator'
  serviceAccount:
    create: true
    name: 'starboard-operator'
  clusterRoleBinding:
    name: 'starboard-operator'
  clusterRole:
    name: 'starboard-operator'
  # kept as a string, as in the original values
  automountServiceAccountToken: 'true'
  securityContext: {}
  image:
    repositoryUriPrefix: 'docker.io/aquasec'
    repository: 'starboard-operator'
    tag: '0.15.13'
    pullPolicy: Always
  # Hardened container security context: not privileged, read-only root filesystem,
  # no privilege escalation, all capabilities dropped
  container_securityContext:
    privileged: false
    readOnlyRootFilesystem: true
    allowPrivilegeEscalation: false
    capabilities:
      drop:
        - ALL
  # Operator settings; the OPERATOR_* keys presumably become environment variables of the
  # operator container. All are strings except OPERATOR_CLUSTER_COMPLIANCE_ENABLED, which is a
  # YAML boolean here — the templates must stringify it if they place it in an env value.
  OPERATOR_NAMESPACE: ''
  OPERATOR_TARGET_NAMESPACES: ''
  OPERATOR_LOG_DEV_MODE: 'false'
  OPERATOR_CONCURRENT_SCAN_JOBS_LIMIT: '10'
  OPERATOR_SCAN_JOB_RETRY_AFTER: '30s'
  OPERATOR_METRICS_BIND_ADDRESS: ':8080'
  OPERATOR_HEALTH_PROBE_BIND_ADDRESS: ':9090'
  OPERATOR_CIS_KUBERNETES_BENCHMARK_ENABLED: 'false'
  OPERATOR_VULNERABILITY_SCANNER_ENABLED: 'false'
  OPERATOR_CONFIG_AUDIT_SCANNER_SCAN_ONLY_CURRENT_REVISIONS: 'true'
  OPERATOR_BATCH_DELETE_LIMIT: '10'
  OPERATOR_BATCH_DELETE_DELAY: '10s'
  OPERATOR_CLUSTER_COMPLIANCE_ENABLED: false
  ports:
    metricContainerPort: 8080
    # key name is misspelt ("Cntainer") but presumably referenced by the templates —
    # do not rename without updating them
    probeCntainerPort: 9090
  resources: {}
  readinessProbe:
    httpGet:
      path: /readyz/
      port: probes
    initialDelaySeconds: 5
    periodSeconds: 10
    successThreshold: 1
    failureThreshold: 3
  livenessProbe:
    httpGet:
      path: /healthz/
      port: probes
    initialDelaySeconds: 5
    periodSeconds: 10
    successThreshold: 1
    failureThreshold: 10
  podLabels: {}
  nodeSelector: {}
  tolerations: []
  podAnnotations: {}
  affinity: {}
## KubeEnforcer advanced deployment options
### Advanced Deployment (for Pod Enforcer injection)
### When KubeEnforcers are used for Pod Enforcer injection, deploying them in this Advanced
### configuration is recommended: Pod Enforcer traffic is routed to the KubeEnforcers via a
### local envoy, which forwards it to an Aqua Gateway. This improves performance and reduces
### remote network connections between pods and Gateways.
kubeEnforcerAdvance:
  enable: false
  nodeID: 'envoy'
  envoy:
    image:
      repository: 'envoy'
      tag: '2022.4'
      pullPolicy: Always
    # Enabling envoy requires TLS certificates; see the README for instructions on generating
    # them. The upstream comment also mentions an optional "cluster" TLS section, to be enabled
    # when TLS is in use between KubeEnforcer and gateway, which is not present in these values.
    TLS:
      listener:
        # true to enable secure communication between Aqua envoy and the Gateways
        enabled: false
        # secret containing the certificates
        secretName: 'envoy-mtls-certs'
        # filename of the public key in the secret, e.g. aqua-lb.crt
        publicKey_fileName: ''
        # filename of the private key in the secret, e.g. aqua-lb.key
        privateKey_fileName: ''
        # optional: set when using a custom CA or chain
        rootCA_fileName: ''
    readinessProbe:
      exec:
        command:
          - cat
          - /etc/aquasec/envoy/configured
      initialDelaySeconds: 30
      periodSeconds: 10
    livenessProbe: {}
    resources: {}
    ## When set, replaces any templated envoy configuration with the files listed here
    custom_envoy_files: {}
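# Aqua Enforcer DaemonSet settings; presumably deployed only when global.enforcer.enabled is true
enforcer:
  serviceAccount:
    create: true
    name: ""
  clusterRole:
    roleRef: ""
  # HashiCorp Vault is a secrets management tool. The vaultSecret and vaultAnnotations
  # sections configure the Vault agent sidecar/init-container that loads the enforcer token,
  # so the token does not have to be stored in this file.
  vaultSecret:
    enabled: false  # set to true once the token is in Vault and the annotations below are enabled
    vaultFilepath: ""  # path the agent renders the token to, e.g. "/vault/secrets/<filename>"
  # HashiCorp Vault annotations enabling the sidecar/init-container Vault agent that loads the
  # enforcer token. Example annotations for a self-hosted Vault server:
  vaultAnnotations: {}
    ####
    # vault.hashicorp.com/agent-inject: "true"
    # vault.hashicorp.com/agent-inject-status: update
    # vault.hashicorp.com/agent-pre-populate-only: 'false'  # set to true to run the Vault agent as an init-container only, without the sidecar
    # vault.hashicorp.com/role: "aqua-enforcer"  # the role used by the Vault agent auto-auth
    # vault.hashicorp.com/agent-inject-secret-enforcer-token: ""  # your Vault secret path, e.g. `aqua-path/data/aqua-enforcer/token`
    # vault.hashicorp.com/agent-inject-template-enforcer-token: |
    #   {{- with secret "aqua-path/data/aqua-enforcer/token" -}}
    #   export AQUA_TOKEN="{{ .Data.data.token}}"
    #   {{- end -}}
    ####
    # Change the Vault secret path to match your setup
  # Enforcer token generated in the Console UI, in clear text without quotes, exposed to the
  # enforcer as an environment variable. The default is a placeholder, not a usable token.
  # enforcerTokenSecretName/enforcerTokenSecretKey presumably reference an existing secret
  # holding the token instead (confirm in the templates); together with vaultSecret they keep
  # the token out of this file.
  enforcerToken: enforcer-token
  expressMode: false
  enforcerTokenSecretName: null
  enforcerTokenSecretKey: null
  logicalName: null
  nodeName: null
  nameOverride: null
  # The enforcer runs non-privileged but with an extensive set of added capabilities
  # (including SYS_ADMIN, SYS_MODULE and SYS_PTRACE) and, further below, hostPID. A namespace
  # enforcing the baseline or restricted Pod Security Standard rejects such a DaemonSet, so the
  # enforcer namespace has to be exempted or labelled privileged.
  securityContext:
    privileged: false
    capabilities:
      add:
        - SYS_ADMIN
        - NET_ADMIN
        - NET_RAW
        - SYS_PTRACE
        - KILL
        - MKNOD
        - SETGID
        - SETUID
        - SYS_MODULE
        - AUDIT_CONTROL
        - SYSLOG
        - SYS_CHROOT
        - SYS_RESOURCE
        - IPC_LOCK
  hostRunPath: null  # for PKS: /var/vcap/sys/run/docker
  # Set enabled to true to connect the enforcer to multiple gateways
  multiple_gateway:
    enabled: false
    # Gateways to connect to, in <hostname>:<port_number> format
    multi_gates:
      - "aqua-gateway1-svc:8443"  # example gateway 1
      - "aqua-gateway2-svc:8443"  # example gateway 2
  image:
    repository: enforcer
    tag: "2022.4"
    pullPolicy: Always
  restartPolicy: Always
  healthMonitor:
    enabled: "true"
  livenessProbe:
    httpGet:
      path: /healthz
      port: 8096
    initialDelaySeconds: 60
    periodSeconds: 30
  readinessProbe:
    httpGet:
      path: /readinessz
      port: 8096
    initialDelaySeconds: 60
    periodSeconds: 30
  resources: {}
  # Note: for recommendations see the official sizing guide.
  # requests:
  #   cpu: 350m
  #   memory: 0.512Gi
  # limits:
  #   cpu: 1500m
  #   memory: 1.5Gi
  nodeSelector: {}
  tolerations: []
  podAnnotations: {}
    # my-annotation-key: my value; more value
  affinity: {}
  podLabels: {}
  dnsPolicy: "ClusterFirst"
  # Shares the host PID namespace; kept as a string, as in the original values
  hostPID: "true"
  schedulerName: "default-scheduler"
  terminationGracePeriodSeconds: "30"
  # TLS/mTLS between the enforcer and the gateway/envoy
  TLS:
    # set to true for secure communication
    enabled: false
    # name of the secret holding the certificates for TLS/mTLS between enforcer and gateway/envoy
    secretName: ""
    # filename of the public key in the secret, e.g. aqua_enforcer.crt
    publicKey_fileName: ""
    # filename of the private key in the secret, e.g. aqua_enforcer.key
    privateKey_fileName: ""
    # filename of the root CA, when using self-signed certificates, e.g. rootCA.crt
    rootCA_fileName: ""
    # set to true to enable mTLS between enforcer and gateway/envoy. With false the peer
    # certificate is presumably not verified even when enabled is true — confirm in the templates.
    tls_verify: false
  # extraEnvironmentVars: extra environment variables set in the enforcer DaemonSet
  # https://docs.aquasec.com/docs/enforcer-optional-variables
  # They can be provided in this file as shown below or on the CLI, for example:
  #   --set extraEnvironmentVars.http_proxy="1.1.1.1",extraEnvironmentVars.https_proxy="2.2.2.2"
  extraEnvironmentVars: {}
    # http_proxy: < >
    # https_proxy: < >
    # no_proxy: < >
    # ENV_NAME: value
  # extraSecretEnvironmentVars: extra environment variables set in the enforcer DaemonSet
  # whose values come from existing Secret objects
  extraSecretEnvironmentVars: []
    # - envName: ENV_NAME
    #   secretName: name
    #   secretKey: key
  # Aqua Enforcer DaemonSet name, used for the KubeEnforcer config map
  enforcer_ds_name: ""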