Add pks deployment

Author: Nissim Bitan

automation/aquactl/aquasec.cfg

@@ -55,6 +55,7 @@ common:
   initEnforcer: {{ .Values.Common.InitEnforcer }}
   enforcerSecretName: {{ .Values.Common.EnforcerSecretName }}
   enforcerSecretKey: {{ .Values.Common.EnforcerSecretKey }}
+  cybercenterAddress: {{ .Values.Common.CybercenterAddress }}
 {{- else }}
 # Aqua Common variables for all installation process
 # common:

orchestrators/pivotal-pks/README.md

@@ -0,0 +1,9 @@
+# Kubernetes
+
+## Deployments
+* [**Helm Charts**](https://github.com/aquasecurity/aqua-helm) - Helm charts for installing Aqua server components and Aqua enforcers.
+* [**Kubernetes Templates**](templates/) - Deploy the Aqua Server and Enforcer components on a Kubernetes cluster.
+
+## Open Source Tools
+* [**kube-bench**](https://github.com/aquasecurity/kube-bench) - The Kubernetes Bench for Security is a Go application that checks whether Kubernetes is deployed according to security best practices.
+* [**kube-hunter**](https://github.com/aquasecurity/kube-hunter) - Hunt for security weaknesses in Kubernetes clusters.

orchestrators/pivotal-pks/templates/README.md

@@ -0,0 +1,3 @@
+# PKS CSP Deployment
+
+For full guide enter this [**link**](https://docs.aquasec.com/docs/)

orchestrators/pivotal-pks/templates/enforcer/enforcer-daemonset.yaml

@@ -0,0 +1,91 @@
+---
+apiVersion: extensions/v1beta1
+kind: DaemonSet
+metadata:
+  name: aqua-agent
+  namespace: 
+spec:
+  template:
+    metadata:
+      labels:
+        app: aqua-agent
+      name: aqua-agent
+      annotations:
+        container.apparmor.security.beta.kubernetes.io/aqua-agent: unconfined
+    spec:
+      serviceAccount: aqua-sa
+      hostPID: true
+      containers:
+      - name: aqua-agent
+        image: registry.aquasec.com/enforcer:4.0
+        securityContext:
+          privileged: false
+          capabilities:
+              add:
+                - SYS_ADMIN
+                - NET_ADMIN
+                - NET_RAW
+                - SYS_PTRACE
+                - KILL
+                - MKNOD
+                - SETGID
+                - SETUID
+                - SYS_MODULE
+                - AUDIT_CONTROL
+                - SYSLOG
+                - SYS_CHROOT
+        env:
+        - name: AQUA_TOKEN
+          value: "token"
+        - name: AQUA_SERVER
+          value: aqua-gateway:3622
+        - name: RESTART_CONTAINERS
+          value: "no"
+        - name: AQUA_HOST_RUN_PATH
+          value: /var/vcap/sys/run/docker
+        volumeMounts:
+        - mountPath: /var/run
+          name: var-run
+        - mountPath: /dev
+          name: dev
+        - mountPath: /host/sys
+          name: sys
+          readOnly: true
+        - mountPath: /host/proc
+          name: proc
+          readOnly: true
+        - mountPath: /host/etc
+          name: etc
+          readOnly: true
+        - mountPath: /host/opt/aquasec
+          name: aquasec
+          readOnly: true
+        - mountPath: /opt/aquasec/tmp
+          name: aquasec-tmp
+        - mountPath: /opt/aquasec/audit
+          name: aquasec-audit
+      volumes:
+      - name: var-run
+        hostPath:
+          path: /var/vcap/sys/run/docker
+      - name: dev
+        hostPath:
+          path: /dev
+      - name: sys
+        hostPath:
+          path: /sys
+      - name: proc
+        hostPath:
+          path: /proc
+      - name: etc
+        hostPath:
+          path: /etc
+      - name: aquasec
+        hostPath:
+          path: /opt/aquasec
+      - name: aquasec-tmp
+        hostPath:
+          path: /opt/aquasec/tmp
+      - name: aquasec-audit
+        hostPath:
+          path: /opt/aquasec/audit

orchestrators/pivotal-pks/templates/scanner/scanner-deployment.yaml

@@ -0,0 +1,27 @@
+---
+apiVersion: extensions/v1beta1
+kind: Deployment
+metadata:
+  name: aqua-scanner
+spec:
+  template:
+    metadata:
+      labels:
+        app: aqua-scanner
+      name: aqua-scanner
+    spec:
+      serviceAccount: aqua-sa
+      containers:
+      - name: aqua-scanner
+        image: registry.aquasec.com/scanner:4.0
+        imagePullPolicy: Always
+        args: ["daemon", "--direct-cc", "--user", "administrator", "--password", "Password1", "--host", "http://aqua-web:8080"]
+        volumeMounts:
+          - mountPath: /var/run/docker.sock
+            name: docker-socket-mount
+        ports:
+        - containerPort: 8080
+      volumes:
+        - name: docker-socket-mount
+          hostPath:
+            path: /var/run/docker.sock

orchestrators/pivotal-pks/templates/server/db-deployment.yaml

@@ -0,0 +1,37 @@
+---
+apiVersion: extensions/v1beta1
+kind: Deployment
+metadata:
+  name: aqua-db
+  labels:
+    app: aqua-db
+spec:
+  template:
+    metadata:
+      labels:
+        app: aqua-db
+      name: aqua-db
+    spec:
+      serviceAccount: aqua-sa
+      containers:
+      - name: aqua-db
+        image: registry.aquasec.com/database:4.0
+        imagePullPolicy: IfNotPresent
+        securityContext:
+          privileged: false
+        env:
+          - name: POSTGRES_PASSWORD
+            valueFrom:
+              secretKeyRef:
+                name: aqua-db
+                key: password
+        volumeMounts:
+          - mountPath: /var/lib/postgresql/data
+            name: postgres-db
+        ports:
+        - containerPort: 5432
+          protocol: TCP
+      volumes:
+        - name: postgres-db
+          hostPath:
+            path: /var/lib/aqua/db

orchestrators/pivotal-pks/templates/server/db-service.yaml

@@ -0,0 +1,13 @@
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: aqua-db
+  labels:
+    app: aqua-db
+spec:
+  type: ClusterIP
+  selector:
+    app: aqua-db
+  ports:
+    - port: 5432

orchestrators/pivotal-pks/templates/server/gateway-deployment.yaml

@@ -0,0 +1,50 @@
+---
+apiVersion: extensions/v1beta1
+kind: Deployment
+metadata:
+  name: aqua-gateway
+spec:
+  template:
+    metadata:
+      labels:
+        app: aqua-gateway
+      name: aqua-gateway
+    spec:
+      serviceAccount: aqua-sa      
+      containers:
+      - name: aqua-gateway
+        image: registry.aquasec.com/gateway:4.0
+        imagePullPolicy: IfNotPresent
+        securityContext:
+          privileged: false
+        env:
+          - name: SCALOCK_GATEWAY_PUBLIC_IP
+            value: aqua-gateway
+          - name: SCALOCK_DBUSER
+            value: "postgres"
+          - name: SCALOCK_DBPASSWORD
+            valueFrom: 
+              secretKeyRef:
+                name: aqua-db
+                key: password
+          - name: SCALOCK_DBNAME
+            value: "scalock"
+          - name: SCALOCK_DBHOST
+            value: aqua-db
+          - name: SCALOCK_DBPORT
+            value: "5432"
+          - name: SCALOCK_AUDIT_DBUSER
+            value: "postgres"
+          - name: SCALOCK_AUDIT_DBPASSWORD
+            valueFrom: 
+              secretKeyRef:
+                name: aqua-db
+                key: password
+          - name: SCALOCK_AUDIT_DBNAME
+            value: "slk_audit"
+          - name: SCALOCK_AUDIT_DBHOST
+            value: aqua-db
+          - name: SCALOCK_AUDIT_DBPORT
+            value: "5432"
+        ports:
+        - containerPort: 3622

orchestrators/pivotal-pks/templates/server/gateway-service.yaml

@@ -0,0 +1,13 @@
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: aqua-gateway
+  labels:
+    app: aqua-gateway
+spec:
+  type: ClusterIP
+  ports:
+    - port: 3622
+  selector:
+    app: aqua-gateway

orchestrators/pivotal-pks/templates/server/server-deployment.yaml

@@ -0,0 +1,65 @@
+---
+apiVersion: extensions/v1beta1
+kind: Deployment
+metadata:
+  name: aqua-web
+spec:
+  template:
+    metadata:
+      labels:
+        app: aqua-web
+      name: aqua-web
+    spec:
+      serviceAccount: aqua-sa
+      containers:
+      - name: aqua-web
+        image: registry.aquasec.com/console:4.0
+        imagePullPolicy: IfNotPresent
+        securityContext:
+          privileged: false
+        env:
+          - name: SCALOCK_DBUSER
+            value: "postgres"
+          - name: SCALOCK_DBPASSWORD
+            valueFrom:
+              secretKeyRef:
+                name: aqua-db
+                key: password
+          - name: SCALOCK_DBNAME
+            value: "scalock"
+          - name: SCALOCK_DBHOST
+            value: aqua-db
+          - name: SCALOCK_DBPORT
+            value: "5432"
+          - name: SCALOCK_AUDIT_DBUSER
+            value: "postgres"
+          - name: SCALOCK_AUDIT_DBPASSWORD
+            valueFrom: 
+              secretKeyRef:
+                name: aqua-db
+                key: password
+          - name: SCALOCK_AUDIT_DBNAME
+            value: "slk_audit"
+          - name: SCALOCK_AUDIT_DBHOST
+            value: aqua-db
+          - name: SCALOCK_AUDIT_DBPORT
+            value: "5432"
+          - name:  "AUTHORIZATION_HEADER"
+			      value: "aqua-auth"
+		      - name:  "BATCH_INSTALL_GATEWAY"
+			      value: "aqua-gateway"
+			    - name:  "BATCH_INSTALL_NAME"
+			      value: "pks"
+			    - name:  "BATCH_INSTALL_ENFORCE_MODE"
+			      value: "true"
+			    - name: "BATCH_INSTALL_TOKEN"
+            value: "tests"
+        volumeMounts:
+          - mountPath: /var/run/docker.sock
+            name: docker-socket-mount
+        ports:
+        - containerPort: 8080
+      volumes:
+        - name: docker-socket-mount
+          hostPath:
+            path: /var/vcap/data/sys/run/docker/docker.sock