Skip to content

Commit

Permalink
Enhancement kube-enforcer Certs Secret creation
Browse files Browse the repository at this point in the history
  • Loading branch information
Andrea Zorzetto committed Apr 1, 2021
1 parent dca2299 commit a2e5a5f
Show file tree
Hide file tree
Showing 5 changed files with 22 additions and 28 deletions.
28 changes: 14 additions & 14 deletions kube-enforcer/README.md
Original file line number Diff line number Diff line change
Expand Up @@ -96,7 +96,7 @@ Optionally, you can provide these certificates in base64 encoded format as flags
Next, run the following command:

```shell
helm upgrade --install --namespace aqua kube-enforcer ./kube-enforcer --set evs.gatewayAddress="<Aqua_Remote_Gateway_IP/URL>",imageCredentials.username=<registry-username>,imageCredentials.password=<registry-password>
helm upgrade --install --namespace aqua kube-enforcer ./kube-enforcer --set envs.gatewayAddress="<Aqua_Remote_Gateway_IP/URL>",imageCredentials.username=<registry-username>,imageCredentials.password=<registry-password>
```

Optional flags:
Expand All @@ -118,19 +118,19 @@ To perform kube-bench scans in the cluster, the KubeEnforcer needs:

## Configurable parameters

| Parameter | Description | Default | Mandatory |
| --------------------------------- | --------------------------------------------------------------------------- | ----------------------- | ----------------------- |
| `imageCredentials.create` | Set to create new pull image secret | `true` | `YES - New cluster` |
| `imageCredentials.name` | Your Docker pull image secret name | `aqua-registry-secret` | `YES - New cluster` |
| `imageCredentials.username` | Your Docker registry (DockerHub, etc.) username | `N/A` | `YES - New cluster` |
| `imageCredentials.password` | Your Docker registry (DockerHub, etc.) password | `N/A` | `YES - New cluster` |
| `aquaSecret.kubeEnforcerToken` | Aqua KubeEnforcer token | `N/A` | `YES` |
| `certsSecret.serverCertificate` | Certificate for TLS authentication with the Kubernetes api-server | `N/A` | `YES` |
| `certsSecret.serverKey` | Certificate key for TLS authentication with the Kubernetes api-server | `N/A` | `YES` |
| `webhooks.caBundle` | Root certificate for TLS authentication with the Kubernetes api-server | `N/A` | `YES` |
| `envs.gatewayAddress` | Gateway host address | `aqua-gateway-svc:8443` | `YES` |
| `existing_secret.enable` | To use existing secret for KE certs | `false` | `NO` |
| `existing_secret.secretName` | existing secret name for KE certs | `N/A` | `NO` |
| Parameter | Description | Default | Mandatory |
| --------------------------------- | --------------------------------------------------------------------------- | ------------------------- | ----------------------- |
| `imageCredentials.create` | Set to create new pull image secret | `true` | `YES - New cluster` |
| `imageCredentials.name` | Your Docker pull image secret name | `aqua-registry-secret` | `YES - New cluster` |
| `imageCredentials.username` | Your Docker registry (DockerHub, etc.) username | `N/A` | `YES - New cluster` |
| `imageCredentials.password` | Your Docker registry (DockerHub, etc.) password | `N/A` | `YES - New cluster` |
| `aquaSecret.kubeEnforcerToken` | Aqua KubeEnforcer token | `N/A` | `YES` |
| `certsSecret.create` | Set to create new secret for KE certs | `true` | `YES` |
| `certsSecret.name` | Secret name for KE certs | `aqua-kube-enforcer-certs`| `YES` |
| `certsSecret.serverCertificate` | Certificate for TLS authentication with the Kubernetes api-server | `N/A` | `YES` |
| `certsSecret.serverKey` | Certificate key for TLS authentication with the Kubernetes api-server | `N/A` | `YES` |
| `webhooks.caBundle` | Root certificate for TLS authentication with the Kubernetes api-server | `N/A` | `YES` |
| `envs.gatewayAddress` | Gateway host address | `aqua-gateway-svc:8443` | `YES` |

## Issues and feedback

Expand Down
4 changes: 2 additions & 2 deletions kube-enforcer/templates/_helpers.tpl
Original file line number Diff line number Diff line change
Expand Up @@ -47,6 +47,6 @@ Create chart name and version as used by the chart label.
{{- printf "%s" (required "A valid .Values.webhooks.caBundle entry required" .Values.webhooks.caBundle) | replace "\n" "" }}
{{- end }}

{{- define "existing_secret" }}
{{- printf "%s" (required "A valid .Values.existing_secret.secretName required" .Values.existing_secret.secretName ) }}
{{- define "certsSecret_name" }}
{{- printf "%s" (required "A valid .Values.certsSecret.name required" .Values.certsSecret.name) }}
{{- end }}
7 changes: 4 additions & 3 deletions kube-enforcer/templates/kube-enforcer-certs.yaml
Original file line number Diff line number Diff line change
@@ -1,4 +1,7 @@
{{- if not .Values.existing_secret.enable }}
{{- if not .Values.certsSecret.name}}
{{ template "certsSecret_name" . }}
{{- end }}
{{- if .Values.certsSecret.create }}
apiVersion: v1
kind: Secret
metadata:
Expand All @@ -7,6 +10,4 @@ metadata:
data:
server.crt: {{ template "serverCertificate" . }} # place server cert
server.key: {{ template "serverKey" . }} # place server key
{{- else if not .Values.existing_secret.secretName }}
{{ template "existing_secret" . }}
{{- end }}
4 changes: 0 additions & 4 deletions kube-enforcer/templates/kube-enforcer-deployment.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -66,11 +66,7 @@ spec:
volumes:
- name: "certs"
secret:
{{- if .Values.existing_secret.enable }}
secretName: {{ .Values.existing_secret.secretName }}
{{- else }}
secretName: {{ .Values.certsSecret.name }}
{{- end }}
imagePullSecrets:
- name: {{ .Values.imageCredentials.name }}
selector:
Expand Down
7 changes: 2 additions & 5 deletions kube-enforcer/values.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -27,12 +27,9 @@ namespace: "aqua"

logLevel:

#enable to true if you want to use existing secret for the cluster
existing_secret:
enable: false
secretName: ""

# Set create to false if you want to use an existing secret for the kube-enforcer certs
certsSecret:
create: true
name: aqua-kube-enforcer-certs
serverCertificate: ""
serverKey: ""
Expand Down

0 comments on commit a2e5a5f

Please sign in to comment.