Merge pull request #216 from BaruchBilanski/aqua-add

x86 Environments successful, and as such we approve that image for the Repo and will create an issue to track the remaining testing & validation effort for ARM support

eks-anywhere-common/Addons/Partner/Aqua/aqua-enforcer.yaml

@@ -0,0 +1,62 @@
+---
+apiVersion: helm.toolkit.fluxcd.io/v2beta1
+kind: HelmRelease
+metadata:
+  name: aqua-enforcer
+  namespace: aqua
+spec:
+  chart:
+    spec:
+      chart: enforcer
+      reconcileStrategy: ChartVersion
+      sourceRef:
+        kind: HelmRepository
+        name: aqua-helm
+        namespace: flux-system
+      version: "2022.4.20"
+  interval: 30s
+  values:
+    global:
+      platform: eks
+      gateway:
+        port: 443
+      imageCredentials:
+        create: true
+        name:
+        repositoryUriPrefix: "registry.aquasec.com"
+        registry: "registry.aquasec.com"
+    image:
+      tag: "2022.4.461"
+    securityContext:
+      seLinuxOptions:
+        user: system_u
+        role: system_r
+        type: super_t
+        level: s0
+    serviceAccount:
+      create: true
+    nodeSelector: {}
+    tolerations: []
+    podAnnotations: {}
+    podLabels: {}
+    podSecurityContext: {}
+    affinity: {}
+    extraEnvironmentVars: {}
+  valuesFrom:
+  - kind: Secret
+    name: aqua-secrets-from-ps
+    valuesKey: aqua-geteway-address
+    targetPath: global.gateway.address
+  - kind: Secret
+    name: aqua-secrets-from-ps
+    valuesKey: aqua-enforcer-token
+    targetPath: enforcerToken
+  - kind: Secret
+    name: aqua-secrets-from-ps
+    valuesKey: aqua-image-username
+    targetPath: global.imageCredentials.username
+  - kind: Secret
+    name: aqua-secrets-from-ps
+    valuesKey: aqua-image-password
+    targetPath: global.imageCredentials.password
+

eks-anywhere-common/Addons/Partner/Aqua/aqua-source.yaml

@@ -0,0 +1,9 @@
+---
+apiVersion: source.toolkit.fluxcd.io/v1beta2
+kind: HelmRepository
+metadata:
+  name: aqua-helm
+  namespace: flux-system
+spec:
+  interval: 30s
+  url:  https://helm.aquasec.com

eks-anywhere-common/Addons/Partner/Aqua/external-secret.yaml

@@ -0,0 +1,29 @@
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  name: aqua-secretstore-eksa
+  namespace: aqua
+spec:
+  refreshInterval: 1m
+  secretStoreRef:
+    name: eksa-secret-store
+    kind: ClusterSecretStore
+  target:
+    name: aqua-secrets-from-ps          # Specify the name for the Kubernetes Secret
+  data:
+    - secretKey: aqua-enforcer-token    # Key in Kubernetes Secret
+      remoteRef:
+        key: /aqua-enforcer/enforcer-token  # Key in AWS Parameter Store
+
+    - secretKey: aqua-image-username
+      remoteRef:
+        key: /aqua-enforcer/username
+
+    - secretKey: aqua-image-password
+      remoteRef:
+        key: /aqua-enforcer/password
+
+    - secretKey: aqua-geteway-address
+      remoteRef:
+        key: /aqua-enforcer/gateway
+

eks-anywhere-common/Addons/Partner/Aqua/namespace.yaml

@@ -0,0 +1,8 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: aqua
+  labels:
+    aws.conformance.vendor: aqua
+    aws.conformance.vendor-solution: aqua-enforcer

eks-anywhere-common/Testers/Aqua/aqua-testJob.yaml

@@ -0,0 +1,115 @@
+apiVersion: batch/v1
+kind: CronJob
+metadata:
+  name: aqua-enforcer-tester
+  namespace: aqua
+spec:
+  schedule: "0 */12 * * *"
+  jobTemplate:
+    spec:
+      template:
+        spec:
+          serviceAccountName: 'aqua-enforcer-sa'
+          containers:
+            - name: test-aqua-enforcer
+              image: 'alpine/k8s:1.26.2'
+              imagePullPolicy: Always
+              command:
+                - /bin/bash
+              args:
+                - '-c'
+                - >-
+                  echo "Checking Aqua Enforcer";
+                  sleep 5;
+                  timeout_seconds=420; 
+                  retry_interval=30; 
+                  max_retry_attempts=5; 
+                  start_time=$(date +%s);
+                  aqua_enforcer_pods=($(kubectl get pods -n aqua -l app=aqua-enforcer-ds --field-selector=status.phase==Running -o jsonpath="{.items[*].metadata.name}"));
+                  
+                  for aqua_enforcer_pod in "${aqua_enforcer_pods[@]}"; do
+                      while true; do
+                          current_time=$(date +%s); elapsed_time=$((current_time - start_time));
+                  
+                          if [ $elapsed_time -ge $timeout_seconds ]; then
+                              echo "Error: Timeout reached while waiting for Aqua Enforcer pods to be ready.";
+                              exit 1;
+                          fi;
+                  
+                          aqua_enforcer_pod_status=$(kubectl get pod $aqua_enforcer_pod -n aqua -o jsonpath="{.status.phase}");
+                  
+                          if [[ $aqua_enforcer_pod_status != "Running" ]]; then
+                              echo "LOG: Pod $aqua_enforcer_pod, $aqua_enforcer_pod_status";
+                              sleep 15;
+                          else
+                              echo "LOG: Pod $aqua_enforcer_pod, Running";
+                              break;
+                          fi;
+                      done;
+                  done;
+                  
+                  for aqua_enforcer_pod in "${aqua_enforcer_pods[@]}"; do
+                      kubectl exec -n aqua $aqua_enforcer_pod -- timeout 30s /opt/aquasec/./slkaudit > /var/log/enforcer_testjob.log 2>&1
+                      grep -iq "Successfully connected to gateway" /var/log/enforcer_testjob.log
+                      grep_exit_code=$?;
+                  
+                      if [ $grep_exit_code -eq 0 ]; then
+                          echo "Success: Aqua Enforcer pod $aqua_enforcer_pod is running and connected";
+                      else
+                          echo "Error: Aqua Enforcer pod $aqua_enforcer_pod failed to connect.";
+                          echo "Retrying for 5 minutes.";
+                  
+                          start_time_retry=$(date +%s); retry_elapsed_time=0;
+                  
+                          while [ $retry_elapsed_time -lt $((retry_interval * max_retry_attempts)) ]; do
+                              kubectl exec -n aqua $aqua_enforcer_pod -- timeout 30s /opt/aquasec/./slkaudit > /var/log/enforcer_testjob.log 2>&1
+                              grep -iq "Successfully connected to gateway" /var/log/enforcer_testjob.log
+                              grep_exit_code=$?;
+                  
+                              if [ $grep_exit_code -eq 0 ]; then
+                                  echo "Success: Aqua Enforcer pod $aqua_enforcer_pod is running and connected after retry.";
+                                  break;
+                              else
+                                  echo "Retry: Aqua Enforcer pod $aqua_enforcer_pod failed to connect. Retrying in 30 seconds.";
+                                  sleep $retry_interval;
+                                  retry_elapsed_time=$((retry_elapsed_time + retry_interval));
+                              fi;
+                          done;
+                  
+                          if [ $grep_exit_code -ne 0 ]; then
+                              echo "Error: Retry limit reached. Aqua Enforcer pod $aqua_enforcer_pod still failed to connect.";
+                              exit 1;
+                          fi;
+                      fi;
+                  done;
+                  
+                  echo "Job completed successfully for all Aqua Enforcer pods.";
+                  exit 0;
+          restartPolicy: Never
+      backoffLimit: 1
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: aqua-enforcer-exec-role
+  namespace: aqua
+rules:
+  - apiGroups: [""]
+    resources: ["pods/exec"]
+    verbs: ["create"]
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: aqua-enforcer-exec-binding
+  namespace: aqua
+subjects:
+  - kind: ServiceAccount
+    name: aqua-enforcer-sa
+    namespace: aqua
+roleRef:
+  kind: Role
+  name: aqua-enforcer-exec-role
+  apiGroup: rbac.authorization.k8s.io