values.yaml

## Default values for Aqua Server
## See Aqua helm documentation to learn more:
## https://docs.aquasec.com/docs/kubernetes-with-helm

# Specifies the secret data for imagePullSecrets needed to fetch the private docker images
imageCredentials:
  create: true
  # example
  name: aqua-registry-secret
  # for dockerhub - "docker.io"
  repositoryUriPrefix: "registry.aquasec.com"
  #REQUIRED only if create is true, for dockerhub - "index.docker.io/v1/"
  registry: "registry.aquasec.com"
  username: ""
  password: ""

clusterRole:
  roleRef: ""

# Create default cluster-role and cluster-role bindings according to the platform
rbac:
  create: true

openshift_route:
  #Enable if required openshift route for web and gateway
  create: false

serviceAccount:
  annotations: {}
  create: true      # change to false if service-account exists in the cluster to deploy server & gateway.
  name: ""            # mention existing service-account name to overwrite the default serviceAccount name, Default is {{ .Release.Namespace }}-sa

# enable only one of the modes
clustermode: ""
activeactive: ""

# Hashicorp Vault for secrets management
# Below vaultSecret and vaultAnnotations section helps to set vault sidecar/init-container agents to load secrets securely
vaultSecret:
  enabled: false          # Enable to true once you have secrets in vault and annotations are enabled to load admin and db passwords from vault
  vaultFilepath: ""       # Change the path to "/vault/secrets/<filename>" as per the setup

# Add hashicorp Vault annotations to enable sidecar/init-container vault agent to load admin and db passwords
# example annotations for self-hosted vault server:
vaultAnnotations:
  ####
  # vault.hashicorp.com/agent-inject: "true"
  # vault.hashicorp.com/agent-inject-status: update
  # vault.hashicorp.com/agent-pre-populate-only: 'false'                 # Enable to true to add vault agent as init-container without sidecar
  # vault.hashicorp.com/role: "aqua-server"                              # Specify your role used by vault agent auto-auth
  # vault.hashicorp.com/agent-inject-secret-enforcer-server ""           # Specify your vault secrets path, e.g. `kv/aqua-server/server`
  # vault.hashicorp.com/agent-inject-template-enforcer-server: |
  #  {{- with secret "kv/aqua-server/server" -}}
  #  export ADMIN_PASSWORD="{{ .Data.data.admin_password}}"              # Specify your stored vault secret keys, e.g. admin_password
  #  export SCALOCK_DBPASSWORD="{{ .Data.data.db_password}}"
  #  export SCALOCK_AUDIT_DBPASSWORD="{{ .Data.data.db_audit_password}}"
  #  export AQUA_PUBSUB_DBPASSWORD="{{ .Data.data.db_pubsub_password}}"
  #  {{- end -}}
  ####

admin:
  createSecret: true
  secretName: aqua-console-secrets
  token: ""
  password: ""

dockerSock:
  # put true for mount docker socket.
  mount:
  # pks - /var/vcap/data/sys/run/docker/docker.sock
  path: /var/run/docker.sock

nameOverride: ""

# podSecurity policy [Deprecated from kubernetes version > 1.21]
podSecurityPolicy:
  create: false     # Enable to true to create PSP
  privileged: true

global:
  # Specify the Kubernetes (k8s) platform acronym.
  # Allowed values are:
  # - aks: Azure Kubernetes Service
  # - eks: Amazon Elastic Kubernetes Service
  # - gke: Google Kubernetes Engine
  # - openshift: Red Hat OpenShift/OCP
  # - tkg: VMware Tanzu Kubernetes Grid
  # - tkgi: VMware Tanzu Kubernetes Grid Integrated Edition
  # - k8s: Plain/on-prem Vanilla Kubernetes
  # - rancher: Rancher Kubernetes Platform
  # - gs: Giant Swarm platform
  # - k3s: k3s Kubernetes platform
  # - mke: Mirantis Kubernetes Engine
  platform: "k3s"

  db:
    external:
      enabled: false
      name: ""
      host: ""
      port: ""
      user: ""
      password: ""
      auditName: ""
      auditHost: ""
      auditPort: ""
      auditUser: ""
      auditPassword: ""
      pubsubName: ""
      pubsubHost: ""
      pubsubPort: ""
      pubsubUser: ""
      pubsubPassword: ""

    passwordFromSecret:
      # Enable if loading passwords for db and audit-db from secret
      enabled: false
      # Specify the Password Secret name used for db password
      dbPasswordName: ""
      # Specify the db password key name stored in the #dbPasswordName secret
      dbPasswordKey: ""
      # Specify the Password Secret name used for audit db password
      dbAuditPasswordName: ""
      # Specify the audit db password key name stored in the #dbAuditPasswordName secret
      dbAuditPasswordKey: ""
      # Specify the Password Secret name used for pubsub db password
      dbPubsubPasswordName: ""
      # Specify the pubsub db password key name stored in the #PubsubPasswordName secret
      dbPubsubPasswordKey: ""

    ssl: false
    sslmode: require          # accepts: allow | prefer | require | verify-ca | verify-full (Default: Require)
    auditssl: false
    auditsslmode: require     # accepts: allow | prefer | require | verify-ca | verify-full (Default: Require)
    pubsubssl: false
    pubsubsslmode: require    # accepts: allow | prefer | require | verify-ca | verify-full (Default: Require)

    # To establish mTLS/verify-ca/verify-full with External DB, enable to true and supply dbcerts secret to dcertSecretName
    externalDbCerts:
      enable: false
      certSecretName: ""

    securityContext:
      runAsUser: 70
      runAsGroup: 70
      fsGroup: 11433
    container_securityContext:
      privileged: false
    # Possible values: “S” (default), “M”, “L”
    env_size: "S"
    image:
      repository: database
      tag: "2022.4"
      pullPolicy: Always
    service:
      type: ClusterIP
    persistence:
      database:
        enabled: true
        storageClass: ssd-storage
        size: 30Gi
        accessMode: ReadWriteOnce
      audit_database:
        enabled: true
        storageClass: ssd-storage
        size: 30Gi
        accessMode: ReadWriteOnce
    livenessProbe:
      exec:
        command:
        - sh
        - -c
        - exec pg_isready --host $POD_IP
      initialDelaySeconds: 60
      timeoutSeconds: 5
      failureThreshold: 6
    readinessProbe:
      exec:
        command:
        - sh
        - -c
        - exec pg_isready --host $POD_IP
      initialDelaySeconds: 5
      timeoutSeconds: 3
      periodSeconds: 5
    # We not to specify default resources and to leave this as a conscious
    # choice for the user. This also increases chances charts run on environments with little
    # resources, such as Minikube. If you do want to specify resources, uncomment the following
    # lines, adjust them as necessary, and remove the curly braces after 'resources:'.
    # Note: For recommendations please check the official sizing guide.
    resources:
       requests:
         cpu: 500m
         memory: 1Gi
       limits:
         cpu: 1000m
         memory: 2Gi
    nodeSelector: {}
    tolerations: []
    affinity: {}
    podAnnotations: {}
    podLabels: {}
    #  my-annotation-key: my value; more value

    # extraEnvironmentVars is a list of extra environment variables to set in the database deployments.
    extraEnvironmentVars: {}
      # ENV_NAME: value

    # extraSecretEnvironmentVars is a list of extra environment variables to set in the database deployments.
    # These variables take value from existing Secret objects.
    extraSecretEnvironmentVars: []
      # - envName: ENV_NAME
      #   secretName: name
      #   secretKey: key

gateway:
  enabled: true
  imageCredentials:
    create: false
    # example
    name: aqua-registry-secret
    # for dockerhub - "docker.io"
    repositoryUriPrefix: "registry.aquasec.com"
    #REQUIRED only if create is true, for dockerhub - "index.docker.io/v1/"
    registry: "registry.aquasec.com"
  rbac:
    enabled: false
  clusterRole:
    roleRef: ""
  platform:
  console:
    publicIP:
    publicPort:
  serviceAccount:
    create: false
    name: ""
    annotations: {}
  replicaCount: 1
  logLevel:
  image:
    repository: gateway
    tag: "2022.4"
    pullPolicy: Always
  service:
    # you can enable gateway to external by changing type to "LoadBalancer"
    type: ClusterIP
    # Specify loadBalancerIP address for aqua-web in AKS platform
    loadbalancerIP: ""
    # Specify loadBalancerSourceRanges addresses if needed (list)
    loadBalancerSourceRanges:
    labels: {}
    annotations: {}
    ports:
      - name: aqua-gate
        port: 3622
        targetPort: 3622
        nodePort:
        protocol: TCP
      - name: aqua-gate-ssl
        port: 8443
        targetPort: 8443
        nodePort:
        protocol: TCP
      - name: aqua-health
        port: 8082
        protocol: TCP
        targetPort: 8082
        nodePort:

  #enable or disable creation of headless service for envoy
  headlessService: true

  publicIP:
  livenessProbe:
    httpGet:
      path: /
      port: 8082
    initialDelaySeconds: 60
    periodSeconds: 30
  readinessProbe:
    tcpSocket:
      port: 8443
    initialDelaySeconds: 60
    periodSeconds: 60
  resources:
    # Note: For recommendations please check the official sizing guide.
     requests:
       cpu: 500m
       memory: 500Mi
     limits:
       cpu: 1000m
       memory: 1Gi
  nodeSelector: {}
  tolerations: []
  affinity: {}
  podAnnotations: {}
  #  my-annotation-key: my value; more value
  podLabels: {}
  securityContext:
    runAsUser: 11431
    runAsGroup: 11433
    fsGroup: 11433
  container_securityContext: {}
  pdb:
    minAvailable: "1"

  # TLS is for enabling mTLS/TLS establishment between gateway <-> server and gateway <-> enforcers
  TLS:
    # enable to true for secure communication (mTLS/TLS)
    enabled: false
    # provide certificates secret name created to enable tls/mtls communication between enforcer and gateway/envoy
    secretName: ""
    #provide filename of the public key eg: aqua_gateway.crt
    publicKey_fileName: ""
    #provide filename of the private key eg: aqua_gateway.key
    privateKey_fileName: ""
    #provide filename of the rootCA, if using self-signed certificates eg: rootCA.crt
    rootCA_fileName: ""
    # change it to "1" for enabling mTLS between enforcer and gateway/envoy
    aqua_verify_enforcer: "0"

  # extraEnvironmentVars is a list of extra environment variables to set in the gateway deployments.
  # https://docs.aquasec.com/docs/gateway-optional-variables
  extraEnvironmentVars: {}
    # ENV_NAME: value

  # extraSecretEnvironmentVars is a list of extra environment variables to set in the gateway deployments.
  # These variables take value from existing Secret objects.
  extraSecretEnvironmentVars: []
    # - envName: ENV_NAME
    #   secretName: name
    #   secretKey: key
web:
  replicaCount: 1
  logLevel:
  image:
    repository: console
    tag: "2022.4"
    pullPolicy: Always

  # Additional certificates that the server should trust, such as a network proxy
  # The certificates should be bundled into a single file inside a configmap
  additionalCerts: []
    # - createSecret: true                # Change to false if you're using existing server certificate secret
    #   secretName: "proxy-server-certs"  # Change secret name if already exists with server/web public certificate
    #   certFile:                         # If additionalCerts createSecret enable to true, add base64 value of the server public certificate or add filename of certificate if loading from custom secret

  service:
    type: NodePort
    # Specify loadBalancerIP address for aqua-gateway in AKS platform
    loadbalancerIP: ""
    labels: {}
    annotations: {}
    ports:
      - name: aqua-web
        port: 8080
        targetPort: 8080
        nodePort:
        protocol: TCP
        # uncomment to support appProtocol for SCP L7 LBs.
#        appProtocol: http
      - name: aqua-web-ssl
        port: 443
        targetPort: 8443
        nodePort:
        protocol: TCP
        # uncomment to support appProtocol for SCP L7 LBs.
#        appProtocol: http
    #As 443, 8443 already occupied in k3s kubernetes by traefik ingress. below are the console ports
    k3sPorts:
      - name: aqua-web
        port: 8080
        targetPort: 8080
        nodePort:
        protocol: TCP
      - name: aqua-web-ssl
        port: 444
        targetPort: 8443
        nodePort:
        protocol: TCP
  ingress:
    enabled: false
    # Allows you to specify the API version for the Ingress
    # This is useful where .Capabilities.APIVersions.Has does not work e.g. Helm template & ArgoCD
    # For example: networking.k8s.io/v1 or networking.k8s.io/v1beta1
    apiVersion:
    externalPort:
    annotations: {}
    #  kubernetes.io/ingress.class: nginx
    hosts: #REQUIRED
    # - aquasec-test.example.com
    path: /
    pathType: Prefix
    tls: []
    #  - secretName: aquasec-tls
    #    hosts:
    #      - aquasec.domain.com

  # Note: Please change the ports according to the requirement.
  # default liveness and readiness probe
  livenessProbe:
    httpGet:
      path: /
      port: 8080
    initialDelaySeconds: 60
    periodSeconds: 30

  readinessProbe:
    httpGet:
      path: /
      port: 8080
    initialDelaySeconds: 60
    periodSeconds: 30

  resources:
    # Note: For recommendations please check the official sizing guide.
     requests:
       cpu: 1000m
       memory: 1Gi
     limits:
       cpu: 1500m
       memory: 2Gi
  nodeSelector: {}
  tolerations: []
  affinity: {}
  podAnnotations: {}
  #  my-annotation-key: my value; more value
  podLabels: {}
  # Allows you to specify the API version for the PodDisruptionBudget
  # This is useful where .Capabilities.APIVersions.Has does not work e.g. Helm template & ArgoCD
  # For example: policy/v1beta1 or policy/v1
  pdbApiVersion:

  securityContext:
    runAsUser: 11431
    runAsGroup: 11433
    fsGroup: 11433
  container_securityContext: {}

  pdb:
    minAvailable: "1"

  # TLS is for enabling mTLS/TLS establishment between server <-> gateway and https for aqua console
  TLS:
    # enable to true for secure communication
    enabled: false
    # provide certificates secret name created to enable tls/mtls communication between enforcer and gateway/envoy
    secretName: ""
    #provide filename of the public key eg: aqua_web.crt
    publicKey_fileName: ""
    #provide filename of the private key eg: aqua_web.key
    privateKey_fileName: ""
    #provide filename of the rootCA, if using self-signed certificates eg: rootCA.crt
    rootCA_fileName: ""

  maintenance_db:
    #Specifies the name of a maintenance database, to be used in place of the default postgres DB.
    #It will define the environment variable AQUA_MAINTENANCE_DBNAME
    name: ""

  # extraEnvironmentVars is a list of extra environment variables to set in the web deployments.
  # https://docs.aquasec.com/docs/server-optional-variables
  extraEnvironmentVars: {}
    # ENV_NAME: value

  # extraSecretEnvironmentVars is a list of extra environment variables to set in the web deployments.
  # These variables take value from existing Secret objects.
  extraSecretEnvironmentVars: []
    # - envName: ENV_NAME
    #   secretName: name
    #   secretKey: key

  # extraVolumeMounts is a list of extra volumes to mount into the container's filesystem of the KubeEnforcer deployment
  extraVolumeMounts: []

  # extraVolumes is a list of volumes that can be mounted inside the KubeEnforcer deployment
  extraVolumes: []

envoy:
  enabled: false
  replicaCount: 1

  image:
    repository: envoy
    tag: "2022.4"
    pullPolicy: Always

  service:
    type: LoadBalancer
    # Specify loadBalancerIP address for envoy in AKS platform
    loadbalancerIP: ""
    annotations: {}
      # service.beta.kubernetes.io/aws-load-balancer-cross-zone-load-balancing-enabled: "true"
      # service.beta.kubernetes.io/aws-load-balancer-internal: "false"
      # service.beta.kubernetes.io/aws-load-balancer-type: nlb
    ports:
    - name: https
      port: 443
      targetPort: 8443
      nodePort:
      protocol: TCP
  #As 443, 8443 already occupied in k3s kubernetes by traefik ingress. below are the envoy service ports
    k3sPorts:
    - name: https
      port: 445
      targetPort: 8443
      nodePort:
      protocol: TCP

  # Enabling Envoy requires the use of TLS certificates for the listener section, while the cluster TLS section is optional and to be enabled if TLS is in use for gate and web.
  # Find the instructions in the readme for help with generating the required certificates.
  TLS:
    listener:
      # true to enable loading custom self-signed or CA certs, by default envoy uses packaged self-signed certs
      enabled: false
      # provide secret name containing the certificates
      secretName: "aqua-lb-tls"
      # provide filename of the public key in the secret eg: aqua-lb.fqdn.crt
      publicKey_fileName: ""
      # provide filename of the private key in the secret eg: aqua-lb.fqdn.key
      privateKey_fileName: ""
      # optional: use this field if using a custom CA or chain
      rootCA_fileName: ""
    cluster:
      # true to enable secure communication between Aqua Envoy and Gateways
      enabled: false
      # provide secret name containing the certificates
      secretName: "aqua-lb-tls-cluster"
      # provide filename of the public key in the secret eg: aqua-lb.crt
      publicKey_fileName: ""
      # provide filename of the private key in the secret eg: aqua-lb.key
      privateKey_fileName: ""
      # optional: use this field if using a custom CA or chain
      rootCA_fileName: ""

  livenessProbe:
    failureThreshold: 3
    httpGet:
      httpHeaders:
      - name: x-envoy-livenessprobe
        value: healthz
      path: /healthz
      port: 8443
      scheme: HTTPS
    initialDelaySeconds: 10
    periodSeconds: 10
    successThreshold: 1
    timeoutSeconds: 1
  readinessProbe:
    failureThreshold: 3
    httpGet:
      httpHeaders:
      - name: x-envoy-livenessprobe
        value: healthz
      path: /healthz
      port: 8443
      scheme: HTTPS
    initialDelaySeconds: 3
    periodSeconds: 10
    successThreshold: 1
    timeoutSeconds: 1

  resources: {}
    # Note: For recommendations please check the official sizing guide.
    # requests:
    #   cpu: 2000m
    #   memory: 4Gi
    # limits:
    #   cpu: 4000m
    #   memory: 10Gi
  nodeSelector: {}
  tolerations: []
  affinity: {}
  podAnnotations: {}
  #  my-annotation-key: my value; more value
  podLabels: {}

  pdb:
    minAvailable: "1"
    # Allows you to specify the API version for the PodDisruptionBudget
    # This is useful where .Capabilities.APIVersions.Has does not work e.g. Helm template & ArgoCD
    # For example: policy/v1beta1 or policy/v1
    apiVersion:

  securityContext: {}

  ## Enabling this will replace any templated envoy configuration with the list of files passed below
  custom_envoy_files: {}
    # envoy.yaml: |
    #   static_resources:
    #     listeners:
    #     - address:
    #         socket_address:
    #           address: 0.0.0.0
    #           port_value: 8443
    #       filter_chains:
    #       - filters:
    #         - name: envoy.filters.network.http_connection_manager
    #           typed_config:
    #             "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
    #             stream_idle_timeout: 0s
    #             drain_timeout: 20s
    #             access_log:
    #             - name: envoy.access_loggers.file
    #               typed_config:
    #                 "@type": type.googleapis.com/envoy.extensions.access_loggers.file.v3.FileAccessLog
    #                 path: "/dev/stdout"
    #             codec_type: AUTO
    #             stat_prefix: ingress_https
    #             route_config:
    #               name: local_route
    #               virtual_hosts:
    #               - name: https
    #                 domains:
    #                 - "*"
    #                 routes:
    #                 - match:
    #                     prefix: "/"
    #                   route:
    #                     cluster: aqua-gateway-svc
    #                     timeout: 0s
    #             http_filters:
    #             - name: envoy..extensions.filters.http.health_check
    #               typed_config:
    #                 "@type": type.googleapis.com/envoy.extensions.filters.http.health_check.v3.HealthCheck
    #                 pass_through_mode: false
    #                 headers:
    #                 - name: ":path"
    #                   exact_match: "/healthz"
    #                 - name: "x-envoy-livenessprobe"
    #                   exact_match: "healthz"
    #             - name: envoy.filters.http.router
    #               typed_config:
    #                  "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
    #         transport_socket:
    #           name: envoy.transport_sockets.tls
    #           typed_config:
    #             "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext
    #             common_tls_context:
    #               alpn_protocols: "h2,http/1.1"
    #               tls_certificates:
    #               - certificate_chain:
    #                   filename: "/etc/ssl/envoy/tls.crt"
    #                 private_key:
    #                   filename: "/etc/ssl/envoy/tls.key"
    #     clusters:
    #     - name: aqua-gateway-svc
    #       connect_timeout: 180s
    #       type: STRICT_DNS
    #       dns_lookup_family: V4_ONLY
    #       lb_policy: ROUND_ROBIN
    #       http2_protocol_options:
    #         hpack_table_size: 4294967
    #         max_concurrent_streams: 2147483647
    #       circuit_breakers:
    #           thresholds:
    #               max_pending_requests: 2147483647
    #               max_requests: 2147483647
    #       load_assignment:
    #         cluster_name: aqua-gateway-svc
    #         endpoints:
    #         - lb_endpoints:
    #           - endpoint:
    #               address:
    #                 socket_address:
    #                   address: {{ .Release.Name }}-gateway-headless-svc.{{ .Release.Namespace }}.svc.cluster.local
    #                   port_value: 8443
    #       transport_socket:
    #           name: envoy.transport_sockets.tls
    #           typed_config:
    #               "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext
    #               sni: aqua-gateway-svc
    #   admin:
    #     access_log_path: "/dev/stdout"
    #     address:
    #       socket_address:
    #         address: 127.0.0.1
    #         port_value: 8090

sidecarContainers:
  enabled: false
  ContainersDefinitions:
#for example
#    - name: sidecar-name
#      image: image:tag
# etc..

initContainers:
  enabled: false
  ContainersDefinitions:
#for example
#    - name: init-name
#      image: image:tag
# etc..