values.yaml

# Specifies the secret data for imagePullSecrets needed to fetch the private docker images
imageCredentials:
  # If imageCredentials.create=false and imageCredentials.name not defined
  # then will be used secret aqua-registry-secret which created by aqua-server helm chart
  #####################
  # If imageCredentials.create=false and imageCredentials.name defined then will be used secret with defined name
  # but in this case secret should be created manually before chart deploying
  #####################
  # If imageCredentials.create=create and imageCredentials.name not defined
  # then will be created a secret with name <Chart ReleaseName>-registry-secret
  #####################
  # If imageCredentials.create=create and imageCredentials.name defined
  # then will be created a secret with name provided name
  create: false
  name:
  repositoryUriPrefix: "registry.aquasec.com" # for dockerhub - "docker.io"
  registry: "registry.aquasec.com" #REQUIRED only if create is true, for dockerhub - "index.docker.io/v1/"
  username: ""
  password: ""

# Specify the Kubernetes (k8s) platform acronym.
# Allowed values are:
# - aks: Azure Kubernetes Service
# - eks: Amazon Elastic Kubernetes Service
# - gke: Google Kubernetes Engine
# - openshift: Red Hat OpenShift/OCP
# - tkg: VMware Tanzu Kubernetes Grid
# - tkgi: VMware Tanzu Kubernetes Grid Integrated Edition
# - k8s: Plain/on-prem Vanilla Kubernetes
# - rancher: Rancher Kubernetes Platform
# - gs: Giant Swarm platform
# - k3s: k3s Kubernetes platform
# - mke: Mirantis Kubernetes Engine
platform: ""

clusterRole:
  roleRef: ""

# Create default cluster-role and cluster-role bindings according to the platform
rbac:
  create: true

dockerSock:
  mount: # put true for mount docker socket.
  path: /var/run/docker.sock # pks - /var/vcap/data/sys/run/docker/docker.sock

directCC:
  enabled: true     # Change it to false if the scanners don't connect directly to CyberCenter but only console does

  # If serviceAccount.create=false and serviceAccount.name not defined
  # then will be used serviceAccount aqua-sa which created by aqua-server helm chart
  #####################
  # If serviceAccount.create=false and serviceAccount.name defined then will be used serviceAccount with defined name
  # but in this case serviceAccount should be created manually before chart deploying
  #####################
  # If serviceAccount.create=create and serviceAccount.name not defined
  # then will be created a serviceAccount with name <Chart ReleaseName>-sa
  #####################
  # If serviceAccount.create=create and serviceAccount.name defined
  # then will be created a serviceAccount with name provided name
serviceAccount:
  create: false
  name:

server:
  scheme: "http" #specify the schema for the server host URL, default it is http
  serviceName: "aqua-console-svc" # example
  port: 8080

# Additional certificates that the server should trust, such as a network proxy
# The certificates should be bundled into a single file inside a configmap
additionalCerts: []
  # - createSecret: true                # Change to false if you're using existing server certificate secret
  #   secretName: "proxy-server-certs"  # Change secret name if already exists with server/web public certificate
  #   certFile:                         # If additionalCerts createSecret enable to true, add unencoded value of the certificate to be added
  # Multi-cert Usage Example
  # - createSecret: true
  #   secretName: "proxy-server-certs"
  #   certFile: |
  #     -----BEGIN CERTIFICATE-----
  #     CERT
  #     -----END CERTIFICATE-----
  # - createSecret: true
  #   secretName: "another-cert"
  #   certFile: "UNECODED_CERT_DATA"


serverSSL:
  enable: false                   # Enable to true to establish secure connection with server
  createSecret: true              # Change to false if you're using existing server certificate secret
  secretName: "scanner-web-cert"  # Change secret name if already exists with server/web public certificate
  certFile:                       # If serverSSL createSecret enable to true, add base64 value of the server public certificate or add filename of certificate if loading from custom secret

cyberCenter:
  mtls:
    enabled: false                # enable to true for mTLS communication with cyber center
    secretName: ""                # provide certificates secret name created to enable tls/mtls communication between scanner and cyberCenter
    publicKey_fileName: ""        # provide filename of the public key eg: aqua_scanner.crt
    privateKey_fileName: ""       # provide filename of the private key eg: aqua_scanner.key
    rootCA_fileName: ""           # provide filename of the rootCA, if using self-signed certificates eg: rootCA.crt

image:
  repository: scanner
  tag: "2022.4"
  pullPolicy: Always

logLevel:

#The scanners will be registered with the random name
#Working only for single scanner instance. If you need to deploy a several replicas keep it empty
nameOverride: ""

user: ""            # username for the scanner created in the console
password: ""        # password for the scanner user you can also use "passwordSecret" below for loading password from secrets
scannerToken: ""    # token used for deploying USE scanners

scannerTokenSecret:
  enable: false   # change it to true for loading the scanner token from secrets
  secretName: ""  # secret name for the scanner token secret
  tokenKey: ""    # scanner token key name

# Loading scanner user & password from secret
scannerUserSecret:
  enable: false   # change it to true for loading password from secrets
  secretName: ""  # secret name for the scanner password secret
  userKey: ""   # secret key of the scanner user
  passwordKey: "" # secret key of the scanner password

replicaCount: 1
# set this value to true for enabiling the livenessProbe
enableLivenessProbe: false
livenessProbe:
  httpGet:
    path: /healthz
    port: 8081
    scheme: HTTP
  initialDelaySeconds: 15
  periodSeconds: 60
  successThreshold: 1
  failureThreshold: 3
  timeoutSeconds: 1
readinessProbe: {}
resources: {}
  # Note: For recommendations please check the official sizing guide.
  # requests:
  #   cpu: 500m
  #   memory: 1Gi
  # limits:
  #   cpu: 3000m
  #   memory: 5Gi
nodeSelector: {}
tolerations: []
affinity: {}
podAnnotations: {}
#  my-annotation-key: my value; more value
podLabels: {}

# Annotations for Scanner deployment
annotations: {}

securityContext:
  runAsUser: 11431
  runAsGroup: 11433
  fsGroup: 11433
container_securityContext: {}

# extraEnvironmentVars is a list of extra environment variables to set in the scanner deployments.
# https://docs.aquasec.com/docs/scanner-optional-variables
# The variables could be provided via values.yaml file as shown below
# or using cli command, for example:  --set extraEnvironmentVars.http_proxy="1.1.1.1",extraEnvironmentVars.https_proxy="2.2.2.2"
extraEnvironmentVars: {}
  # ENV_NAME: value

# extraSecretEnvironmentVars is a list of extra environment variables to set in the scanner deployments.
# These variables take value from existing Secret objects.
extraSecretEnvironmentVars: []
  # - envName: ENV_NAME
  #   secretName: name
  #   secretKey: key

# extraVolumeMounts is a list of extra volumes to mount into the container's filesystem of the KubeEnforcer deployment
extraVolumeMounts: []

# extraVolumes is a list of volumes that can be mounted inside the KubeEnforcer deployment
extraVolumes: []

# A list of specific registries this scanner will be used for
# If none are passed, the scanner will be used for all registries
registries: []
# registries:
# - registry1
# - registry2

# Enable persistence for scanner
# Warning: enabling this feature on an already-deployed scanner will delete the existing deployment and redeploy using a StatefulSets
persistence:
  enabled: false
  accessMode: ReadWriteOnce
  size: 30Gi    # Change to required size
  storageClass: # Optional