cyber-center

Aqua Security CyberCenter Helm Chart

These are Helm charts for installing and maintaining the Aqua Security CyberCenter.

Contents

• Aqua Security CyberCenter Helm Chart
  • Contents
  • Prerequisites
    • Container Registry Credentials
  • Installing the Chart
    • Installing Aqua CyberCenter from Helm Private Repository
  • Configuring mTLS/TLS
  • How to connect to the offline CyberCenter from the Aqua console
  • Configurable Variables for the CyberCenter
  • Issues and feedback

Prerequisites

Container Registry Credentials

Link

Installing the Chart

Follow the steps in this section for production grade deployments. You can either clone aqua-helm git repo or you can add our helm private repository (https://helm.aquasec.com)

Installing Aqua CyberCenter from Helm Private Repository

• Add Aqua Helm Repository

helm repo add aqua-helm https://helm.aquasec.com
helm repo update

• Check for available chart versions either from Changelog or by running the following command:

helm search repo aqua-helm/cyber-center --versions

• Install Aqua CyberCenter

helm upgrade --install --namespace aqua aqua-cyber-center aqua-helm/cyber-center --set imageCredentials.username=<>,imageCredentials.password=<>

Configuring mTLS/TLS

In order to support L7 / gRPC communication between the CyberCenter and the Server, or between the CyberCenter and scanners, it is recommended to follow the detailed steps to deploy and enable the CyberCenter.

1. The CyberCenter should connect to the Envoy/Gateway service and verify its certificate. If Envoy/Gateway certificate is signed by a public provider (e.g., Let’s Encrypt), the CyberCenter will be able to verify the certificate without being given a root certificate. Otherwise, the Envoy/Gateway root certificate should be accessible to the CyberCenter from an environment variable path that is mounted at /opt/aquasec/ssl/.

   # Self-Signed Root CA (Optional)
   #####################################################################################
   # Create Root Key
   # If you want a non password protected key just remove the -des3 option
   openssl genrsa -des3 -out rootCA.key 4096
   # Create and self sign the Root Certificate
   openssl req -x509 -new -nodes -key rootCA.key -sha256 -days 1024 -out rootCA.crt
   #####################################################################################
   # Create a certificate
   #####################################################################################
   # Create the certificate key
   openssl genrsa -out aqua_cc_mydomain.com.key 2048
   # Create the signing (csr)
   openssl req -new -key aqua_cc_mydomain.com.key -out aqua_cc_mydomain.com.csr
   # Verify the csr content
   openssl req -in aqua_cc_mydomain.com.csr -noout -text
   #####################################################################################
   # Generate the certificate using the aqua_cc_mydomain csr and key along with the CA Root key
   #####################################################################################
   openssl x509 -req -in aqua_cc_mydomain.com.csr -CA rootCA.crt -CAkey rootCA.key -CAcreateserial -out aqua_cc_mydomain.com.crt -days 500 -sha256
   #####################################################################################
   
   # If you wish to use a Public CA like GoDaddy or Let’s Encrypt please
   # submit the aqua_cc_mydomain csr to the respective CA to generate aqua_cc_mydomain crt

2. Create CyberCenter agent cert secret

   ## Example: 
   ## Change < certificate filenames > respectively
   kubectl create secret generic aqua-cc-certs --from-file <aqua_cyber-center_private.key> --from-file <aqua_cyber-center_public.crt> --from-file <rootCA.crt> -n aqua

3. Enable TLS.enable to true in values.yaml

4. Add the certificate's secret name TLS.secretName in values.yaml

5. Add the respective certificate file names to TLS.publicKey_fileName, TLS.privateKey_fileName and TLS.rootCA_fileName(Add rootCA if certs are self-signed) in values.yaml

How to connect to the offline CyberCenter from the Aqua console

Log in into the Aqua web UI then go to the Aqua CyberCenter section under the Settings tab to connect to a new offline CyberCenter.

1. Change the address to the offline CyberCenter address, e.g., http://aqua-cc:443.
2. Test the connection; once it is successful, save the changes.
3. Disable Fast Scanning under the Scanning section in the Settings tab.

For more information, refer to Link

Configurable Variables for the CyberCenter

Parameter	Description	Default	Mandatory
imageCredentials.create	Enable to create new pull image secret	false	YES - New cluster
imageCredentials.name	Your Docker pull image secret name	aqua-registry-secret	YES - New cluster
imageCredentials.repositoryUriPrefix	Repository URI prefix for Docker Hub set docker.io	registry.aquasec.com	YES - New cluster
imageCredentials.registry	Set the registry URL for Docker Hub set index.docker.io/v1/	registry.aquasec.com	YES - New cluster
imageCredentials.username	Your Docker registry (Docker Hub, etc.) username	aqua-registry-secret	YES - New cluster
imageCredentials.password	Your Docker registry (Docker Hub, etc.) password	unset	YES - New cluster
serviceAccount.name	Service account name	aqua-sa	NO
serviceAccount.create	Enable to create aqua-sa serviceAccount if it is missing in the environment	false	YES - New cluster
platform	Platform name (for Openshift)	``	NO
image.repository	Docker image name to use	cc-standard	YES
image.tag	Image tag to use	2022.4	YES
image.pullPolicy	Kubernetes image pull policy	Always	NO
service.type	Kubernetes service type	ClusterIP	NO
service.annotations	Service annotations	{}	NO
service.ports	Array of ports settings	array	NO
tolerations	Kubernetes node tolerations	[]	NO
deploymentAnnotations	Kubernetes deployment annotations	{}	NO
podAnnotations	Kubernetes pod annotations	{}	NO
resources	Resource requests and limits	{}	NO
nodeSelector	Kubernetes node selector	{}	NO
affinity	Kubernetes node affinity	{}	NO
TLS.enabled	If secure channel communication is required	false	NO
TLS.secretName	Certificates secret name	nil	YES if TLS.enabled is set to true
TLS.publicKey_fileName	Filename of the public key, e.g., aqua_cyber-center.crt	nil	YES if TLS.enabled is set to true
TLS.privateKey_fileName	Filename of the private key, e.g., aqua_cyber-center.key	nil	YES if TLS.enabled is set to true
TLS.rootCA_fileName	Filename of the rootCA, if using self-signed certificates, e.g., rootCA.crt	nil	NO if TLS.enabled is set to true and using self-signed certificates for TLS/mTLS
----------------------------------------	-----------------------------------------------------------------------------	------------------------	-----------------------------------------------------------------------------------------------

Note: imageCredentials.create is false; if you need to create an image pull secret, update this to true, set the username and password for the registry, and set serviceAccount.create to false. If your environment is new or not having aqua-sa serviceAccount, update it to true.

Issues and feedback

If you encounter any problems or would like to give us feedback on deployments, we encourage you to raise issues here on GitHub.