diff --git a/eks-anywhere-common/Addons/Partner/Aqua/aqua-enforcer.yaml b/eks-anywhere-common/Addons/Partner/Aqua/aqua-enforcer.yaml
new file mode 100644
index 00000000..66f4e05c
--- /dev/null
+++ b/eks-anywhere-common/Addons/Partner/Aqua/aqua-enforcer.yaml
@@ -0,0 +1,62 @@
+---
+apiVersion: helm.toolkit.fluxcd.io/v2beta1
+kind: HelmRelease
+metadata:
+ name: aqua-enforcer
+ namespace: aqua
+spec:
+ chart:
+ spec:
+ chart: enforcer
+ reconcileStrategy: ChartVersion
+ sourceRef:
+ kind: HelmRepository
+ name: aqua-helm
+ namespace: flux-system
+ version: "2022.4.20"
+ interval: 30s
+ values:
+ global:
+ platform: eks
+ gateway:
+ port: 443
+ imageCredentials:
+ create: true
+ name:
+ repositoryUriPrefix: "registry.aquasec.com"
+ registry: "registry.aquasec.com"
+ image:
+ tag: "2022.4.461"
+ securityContext:
+ seLinuxOptions:
+ user: system_u
+ role: system_r
+ type: super_t
+ level: s0
+ serviceAccount:
+ create: true
+ nodeSelector: {}
+ tolerations: []
+ podAnnotations: {}
+ podLabels: {}
+ podSecurityContext: {}
+ affinity: {}
+ extraEnvironmentVars: {}
+ valuesFrom:
+ - kind: Secret
+ name: aqua-secrets-from-ps
+ valuesKey: aqua-geteway-address
+ targetPath: global.gateway.address
+ - kind: Secret
+ name: aqua-secrets-from-ps
+ valuesKey: aqua-enforcer-token
+ targetPath: enforcerToken
+ - kind: Secret
+ name: aqua-secrets-from-ps
+ valuesKey: aqua-image-username
+ targetPath: global.imageCredentials.username
+ - kind: Secret
+ name: aqua-secrets-from-ps
+ valuesKey: aqua-image-password
+ targetPath: global.imageCredentials.password
+
diff --git a/eks-anywhere-common/Addons/Partner/Aqua/aqua-source.yaml b/eks-anywhere-common/Addons/Partner/Aqua/aqua-source.yaml
new file mode 100644
index 00000000..f49e0ac4
--- /dev/null
+++ b/eks-anywhere-common/Addons/Partner/Aqua/aqua-source.yaml
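Review bot: `name:` under `global.imageCredentials` is a bare key, which YAML reads as null rather than an empty string, so the chart receives no pull-secret name at all; either drop the key to take the chart default or set it explicitly, e.g. `name: aqua-registry-secret`, and confirm against the enforcer chart's values what it does with a null here. The `valuesKey: aqua-geteway-address` in the first `valuesFrom` entry is misspelled but matches the ExternalSecret's `secretKey`, so fixing it means changing both files together. A short comment above `valuesFrom` would help operators: as with any Helm release, values merged this way — including `enforcerToken` and the registry password — end up in Helm's release-storage Secret in the `aqua` namespace, so read access to Secrets there is presumably equivalent to access to the Parameter Store values. `seLinuxOptions.type: super_t` deserves a one-line why-comment as well, since it is the only clearly privilege-related setting in the file.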
@@ -0,0 +1,9 @@
+---
+apiVersion: source.toolkit.fluxcd.io/v1beta2
+kind: HelmRepository
+metadata:
+ name: aqua-helm
+ namespace: flux-system
+spec:
+ interval: 30s
+ url: https://helm.aquasec.com
diff --git a/eks-anywhere-common/Addons/Partner/Aqua/external-secret.yaml b/eks-anywhere-common/Addons/Partner/Aqua/external-secret.yaml
new file mode 100644
index 00000000..81322e3b
--- /dev/null
+++ b/eks-anywhere-common/Addons/Partner/Aqua/external-secret.yaml
@@ -0,0 +1,29 @@
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+ name: aqua-secretstore-eksa
+ namespace: aqua
+spec:
+ refreshInterval: 1m
+ secretStoreRef:
+ name: eksa-secret-store
+ kind: ClusterSecretStore
+ target:
+ name: aqua-secrets-from-ps # Specify the name for the Kubernetes Secret
+ data:
+ - secretKey: aqua-enforcer-token # Key in Kubernetes Secret
+ remoteRef:
+ key: /aqua-enforcer/enforcer-token # Key in AWS Parameter Store
+
+ - secretKey: aqua-image-username
+ remoteRef:
+ key: /aqua-enforcer/username
+
+ - secretKey: aqua-image-password
+ remoteRef:
+ key: /aqua-enforcer/password
+
+ - secretKey: aqua-geteway-address
+ remoteRef:
+ key: /aqua-enforcer/gateway
+
diff --git a/eks-anywhere-common/Addons/Partner/Aqua/namespace.yaml b/eks-anywhere-common/Addons/Partner/Aqua/namespace.yaml
new file mode 100644
index 00000000..9f347e03
--- /dev/null
+++ b/eks-anywhere-common/Addons/Partner/Aqua/namespace.yaml
@@ -0,0 +1,8 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: aqua
+ labels:
+ aws.conformance.vendor: aqua
+ aws.conformance.vendor-solution: aqua-enforcer
diff --git a/eks-anywhere-common/Testers/Aqua/aqua-testJob.yaml b/eks-anywhere-common/Testers/Aqua/aqua-testJob.yaml
new file mode 100644
index 00000000..7d4c5550
--- /dev/null
+++ b/eks-anywhere-common/Testers/Aqua/aqua-testJob.yaml
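Review bot: `interval: 30s` on the HelmRepository makes Flux re-fetch the vendor's chart index from `https://helm.aquasec.com` every 30 seconds, which is far more often than a chart the HelmRelease pins by exact version needs; `interval: 1h` would cut the load on a third-party endpoint and the coupling to its availability. Chart integrity here rests entirely on TLS to the vendor host — there is no `certSecretRef` and a classic index repository offers no signature check — which is normal for this kind of source but worth recording, e.g. `# trust anchor: TLS to helm.aquasec.com; chart version pinned in aqua-enforcer.yaml`.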
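Review bot: `secretKey: aqua-geteway-address` in the last `data` entry misspells "gateway"; the HelmRelease consumes it under the same name via `valuesFrom`, so a rename has to change both files in one commit. The inline comments describe the mechanics but not the operational contract: a note that the four paths under `/aqua-enforcer/` are expected to be `SecureString` parameters (if the store is SSM Parameter Store as the comment says) and that the gateway address is non-secret but co-located for convenience would help whoever provisions them. With `refreshInterval: 1m` a rotated enforcer token reaches `aqua-secrets-from-ps` within a minute, but whether running enforcer pods pick it up depends on the HelmRelease re-rendering and the DaemonSet rolling — presumably not automatic — so the rotation procedure should be documented next to this resource.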
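Review bot: The namespace carries only the conformance labels; if the cluster applies Pod Security Admission defaults, the enforcer DaemonSet — which the HelmRelease configures with an SELinux type of `super_t`, suggesting host-level privileges — would presumably be rejected under `baseline` or `restricted`. Labelling the namespace explicitly, e.g. `pod-security.kubernetes.io/enforce: privileged`, records the exception next to the workload instead of leaving it to cluster-wide defaults; confirm the chart's actual pod spec before adding it.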
@@ -0,0 +1,115 @@
+apiVersion: batch/v1
+kind: CronJob
+metadata:
+ name: aqua-enforcer-tester
+ namespace: aqua
+spec:
+ schedule: "0 */12 * * *"
+ jobTemplate:
+ spec:
+ template:
+ spec:
+ serviceAccountName: 'aqua-enforcer-sa'
+ containers:
+ - name: test-aqua-enforcer
+ image: 'alpine/k8s:1.26.2'
+ imagePullPolicy: Always
+ command:
+ - /bin/bash
+ args:
+ - '-c'
+ - >-
+ echo "Checking Aqua Enforcer";
+ sleep 5;
+ timeout_seconds=420;
+ retry_interval=30;
+ max_retry_attempts=5;
+ start_time=$(date +%s);
+ aqua_enforcer_pods=($(kubectl get pods -n aqua -l app=aqua-enforcer-ds --field-selector=status.phase==Running -o jsonpath="{.items[*].metadata.name}"));
+
+ for aqua_enforcer_pod in "${aqua_enforcer_pods[@]}"; do
+ while true; do
+ current_time=$(date +%s); elapsed_time=$((current_time - start_time));
+
+ if [ $elapsed_time -ge $timeout_seconds ]; then
+ echo "Error: Timeout reached while waiting for Aqua Enforcer pods to be ready.";
+ exit 1;
+ fi;
+
+ aqua_enforcer_pod_status=$(kubectl get pod $aqua_enforcer_pod -n aqua -o jsonpath="{.status.phase}");
+
+ if [[ $aqua_enforcer_pod_status != "Running" ]]; then
+ echo "LOG: Pod $aqua_enforcer_pod, $aqua_enforcer_pod_status";
+ sleep 15;
+ else
+ echo "LOG: Pod $aqua_enforcer_pod, Running";
+ break;
+ fi;
+ done;
+ done;
+
+ for aqua_enforcer_pod in "${aqua_enforcer_pods[@]}"; do
+ kubectl exec -n aqua $aqua_enforcer_pod -- timeout 30s /opt/aquasec/./slkaudit > /var/log/enforcer_testjob.log 2>&1
+ grep -iq "Successfully connected to gateway" /var/log/enforcer_testjob.log
+ grep_exit_code=$?;
+
+ if [ $grep_exit_code -eq 0 ]; then
+ echo "Success: Aqua Enforcer pod $aqua_enforcer_pod is running and connected";
+ else
+ echo "Error: Aqua Enforcer pod $aqua_enforcer_pod failed to connect.";
+ echo "Retrying for 5 minutes.";
+
+ start_time_retry=$(date +%s); retry_elapsed_time=0;
+
+ while [ $retry_elapsed_time -lt $((retry_interval * max_retry_attempts)) ]; do
+ kubectl exec -n aqua $aqua_enforcer_pod -- timeout 30s /opt/aquasec/./slkaudit > /var/log/enforcer_testjob.log 2>&1
+ grep -iq "Successfully connected to gateway" /var/log/enforcer_testjob.log
+ grep_exit_code=$?;
+
+ if [ $grep_exit_code -eq 0 ]; then
+ echo "Success: Aqua Enforcer pod $aqua_enforcer_pod is running and connected after retry.";
+ break;
+ else
+ echo "Retry: Aqua Enforcer pod $aqua_enforcer_pod failed to connect. Retrying in 30 seconds.";
+ sleep $retry_interval;
+ retry_elapsed_time=$((retry_elapsed_time + retry_interval));
+ fi;
+ done;
+
+ if [ $grep_exit_code -ne 0 ]; then
+ echo "Error: Retry limit reached. Aqua Enforcer pod $aqua_enforcer_pod still failed to connect.";
+ exit 1;
+ fi;
+ fi;
+ done;
+
+ echo "Job completed successfully for all Aqua Enforcer pods.";
+ exit 0;
+ restartPolicy: Never
+ backoffLimit: 1
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: aqua-enforcer-exec-role
+ namespace: aqua
+rules:
+ - apiGroups: [""]
+ resources: ["pods/exec"]
+ verbs: ["create"]
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: aqua-enforcer-exec-binding
+ namespace: aqua
+subjects:
+ - kind: ServiceAccount
+ name: aqua-enforcer-sa
+ namespace: aqua
+roleRef:
+ kind: Role
+ name: aqua-enforcer-exec-role
+ apiGroup: rbac.authorization.k8s.io
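Review bot: The CronJob runs under `aqua-enforcer-sa`, the enforcer's own service account, so the Role/RoleBinding at the end of the hunk grants `pods/exec` on every pod in `aqua` to the enforcer DaemonSet as well as to the tester; a dedicated tester service account keeps that capability off the security agent. The script also runs `kubectl get pods` and `kubectl get pod`, which need `get`/`list` on `pods` that the new Role does not grant, so today it presumably relies on whatever the chart already bound to `aqua-enforcer-sa`, and a separate SA would have to carry those verbs explicitly. When the field selector matches no Running pods the array is empty, both loops are skipped and the job exits 0 with "Job completed successfully", so an enforcer that never started counts as a pass; add `if [ ${#aqua_enforcer_pods[@]} -eq 0 ]; then echo "Error: no Running Aqua Enforcer pods found."; exit 1; fi;` immediately after the array is populated. The `kubectl exec` and `grep` lines carry no trailing `;` and stay separate statements only because `>-` keeps more-indented lines verbatim, which a re-indent would silently break — `|` is the safer block style for a shell script. The tester image is pinned by tag only (`alpine/k8s:1.26.2` with `imagePullPolicy: Always`); pin a digest if the job is meant to be reproducible.
```yaml
# … unchanged: CronJob metadata, schedule, jobTemplate …
          serviceAccountName: 'aqua-enforcer-tester-sa'
# … unchanged: container spec and script …
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: aqua-enforcer-tester-sa
  namespace: aqua
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: aqua-enforcer-exec-role
  namespace: aqua
rules:
  # the script lists/gets enforcer pods before exec'ing into them
  - apiGroups: [""]
    resources: ["pods"]
    verbs: ["get", "list"]
  - apiGroups: [""]
    resources: ["pods/exec"]
    verbs: ["create"]
---
# … unchanged: RoleBinding, with subjects[0].name set to aqua-enforcer-tester-sa …
```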