-
Notifications
You must be signed in to change notification settings - Fork 195
/
Copy pathvalues.yaml
200 lines (174 loc) · 7.76 KB
/
values.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
# Specifies the secret data for imagePullSecrets needed to fetch the private docker images
imageCredentials:
# If imageCredentials.create=false and imageCredentials.name not defined
# then will be used secret aqua-registry-secret which created by aqua-server helm chart
#####################
# If imageCredentials.create=false and imageCredentials.name defined then will be used secret with defined name
# but in this case secret should be created manually before chart deploying
#####################
# If imageCredentials.create=create and imageCredentials.name not defined
# then will be created a secret with name <Chart ReleaseName>-registry-secret
#####################
# If imageCredentials.create=create and imageCredentials.name defined
# then will be created a secret with name provided name
create: false
name:
repositoryUriPrefix: "registry.aquasec.com" # for dockerhub - "docker.io"
registry: "registry.aquasec.com" #REQUIRED only if create is true, for dockerhub - "index.docker.io/v1/"
username: ""
password: ""
# Specify the Kubernetes (k8s) platform acronym.
# Allowed values are:
# - aks: Azure Kubernetes Service
# - eks: Amazon Elastic Kubernetes Service
# - gke: Google Kubernetes Engine
# - openshift: Red Hat OpenShift/OCP
# - tkg: VMware Tanzu Kubernetes Grid
# - tkgi: VMware Tanzu Kubernetes Grid Integrated Edition
# - k8s: Plain/on-prem Vanilla Kubernetes
# - rancher: Rancher Kubernetes Platform
# - gs: Giant Swarm platform
# - k3s: k3s Kubernetes platform
# - mke: Mirantis Kubernetes Engine
platform: ""
clusterRole:
roleRef: ""
# Create default cluster-role and cluster-role bindings according to the platform
rbac:
create: true
dockerSock:
mount: # put true for mount docker socket.
path: /var/run/docker.sock # pks - /var/vcap/data/sys/run/docker/docker.sock
directCC:
enabled: true # Change it to false if the scanners don't connect directly to CyberCenter but only console does
# If serviceAccount.create=false and serviceAccount.name not defined
# then will be used serviceAccount aqua-sa which created by aqua-server helm chart
#####################
# If serviceAccount.create=false and serviceAccount.name defined then will be used serviceAccount with defined name
# but in this case serviceAccount should be created manually before chart deploying
#####################
# If serviceAccount.create=create and serviceAccount.name not defined
# then will be created a serviceAccount with name <Chart ReleaseName>-sa
#####################
# If serviceAccount.create=create and serviceAccount.name defined
# then will be created a serviceAccount with name provided name
serviceAccount:
create: false
name:
server:
scheme: "http" #specify the schema for the server host URL, default it is http
serviceName: "aqua-console-svc" # example
port: 8080
# Additional certificates that the server should trust, such as a network proxy
# The certificates should be bundled into a single file inside a configmap
additionalCerts: []
# - createSecret: true # Change to false if you're using existing server certificate secret
# secretName: "proxy-server-certs" # Change secret name if already exists with server/web public certificate
# certFile: # If additionalCerts createSecret enable to true, add unencoded value of the certificate to be added
# Multi-cert Usage Example
# - createSecret: true
# secretName: "proxy-server-certs"
# certFile: |
# -----BEGIN CERTIFICATE-----
# CERT
# -----END CERTIFICATE-----
# - createSecret: true
# secretName: "another-cert"
# certFile: "UNECODED_CERT_DATA"
serverSSL:
enable: false # Enable to true to establish secure connection with server
createSecret: true # Change to false if you're using existing server certificate secret
secretName: "scanner-web-cert" # Change secret name if already exists with server/web public certificate
certFile: # If serverSSL createSecret enable to true, add base64 value of the server public certificate or add filename of certificate if loading from custom secret
cyberCenter:
mtls:
enabled: false # enable to true for mTLS communication with cyber center
secretName: "" # provide certificates secret name created to enable tls/mtls communication between scanner and cyberCenter
publicKey_fileName: "" # provide filename of the public key eg: aqua_scanner.crt
privateKey_fileName: "" # provide filename of the private key eg: aqua_scanner.key
rootCA_fileName: "" # provide filename of the rootCA, if using self-signed certificates eg: rootCA.crt
image:
repository: scanner
tag: "2022.4"
pullPolicy: Always
logLevel:
#The scanners will be registered with the random name
#Working only for single scanner instance. If you need to deploy a several replicas keep it empty
nameOverride: ""
user: "" # username for the scanner created in the console
password: "" # password for the scanner user you can also use "passwordSecret" below for loading password from secrets
scannerToken: "" # token used for deploying USE scanners
scannerTokenSecret:
enable: false # change it to true for loading the scanner token from secrets
secretName: "" # secret name for the scanner token secret
tokenKey: "" # scanner token key name
# Loading scanner user & password from secret
scannerUserSecret:
enable: false # change it to true for loading password from secrets
secretName: "" # secret name for the scanner password secret
userKey: "" # secret key of the scanner user
passwordKey: "" # secret key of the scanner password
replicaCount: 1
# set this value to true for enabiling the livenessProbe
enableLivenessProbe: false
livenessProbe:
httpGet:
path: /healthz
port: 8081
scheme: HTTP
initialDelaySeconds: 15
periodSeconds: 60
successThreshold: 1
failureThreshold: 3
timeoutSeconds: 1
readinessProbe: {}
resources: {}
# Note: For recommendations please check the official sizing guide.
# requests:
# cpu: 500m
# memory: 1Gi
# limits:
# cpu: 3000m
# memory: 5Gi
nodeSelector: {}
tolerations: []
affinity: {}
podAnnotations: {}
# my-annotation-key: my value; more value
podLabels: {}
# Annotations for Scanner deployment
annotations: {}
securityContext:
runAsUser: 11431
runAsGroup: 11433
fsGroup: 11433
container_securityContext: {}
# extraEnvironmentVars is a list of extra environment variables to set in the scanner deployments.
# https://docs.aquasec.com/docs/scanner-optional-variables
# The variables could be provided via values.yaml file as shown below
# or using cli command, for example: --set extraEnvironmentVars.http_proxy="1.1.1.1",extraEnvironmentVars.https_proxy="2.2.2.2"
extraEnvironmentVars: {}
# ENV_NAME: value
# extraSecretEnvironmentVars is a list of extra environment variables to set in the scanner deployments.
# These variables take value from existing Secret objects.
extraSecretEnvironmentVars: []
# - envName: ENV_NAME
# secretName: name
# secretKey: key
# extraVolumeMounts is a list of extra volumes to mount into the container's filesystem of the KubeEnforcer deployment
extraVolumeMounts: []
# extraVolumes is a list of volumes that can be mounted inside the KubeEnforcer deployment
extraVolumes: []
# A list of specific registries this scanner will be used for
# If none are passed, the scanner will be used for all registries
registries: []
# registries:
# - registry1
# - registry2
# Enable persistence for scanner
# Warning: enabling this feature on an already-deployed scanner will delete the existing deployment and redeploy using a StatefulSets
persistence:
enabled: false
accessMode: ReadWriteOnce
size: 30Gi # Change to required size
storageClass: # Optional