Environment 


Deployment Task

This article explains how to deploy the Aqua database on Azure Database for PostgreSQL, a managed database service provided by Azure. We recommend referring to our security best practices guide for this implementation.


Deployment Steps
Step 1: Create an Azure Database for PostgreSQL instance(s)

  • Ensure that you have created a PostgreSQL instance through Azure, referencing the sizing guide and choosing the recommendations suitable for your environment.
    1. A recommended security best practice is to place the Aqua audit database and the operational database on separate instances. Audit event data grows continuously; if it fills the available disk space of a shared instance, no new data can be written and the operational database stops working as well. Keeping the two apart preserves continuity of operations when the audit database fills up.
    2. Another recommendation is to enable the “Enforce SSL connection” option (under Settings > Connection Security) so that the server rejects unencrypted connections. Clients must then specify the “sslmode=require” key-value pair in their connection string; the Aqua components do this through the SCALOCK_DBSSL and SCALOCK_AUDIT_DBSSL environment variables set in Steps 3 and 4. Note that “require” encrypts the session but does not verify the server’s certificate: it defends against passive eavesdropping on the network, not against an attacker who can redirect the connection to a server of their own.

Step 2: Remove the Aqua database service and deployment manifest

As described in the Aqua deployment guide for Kubernetes, delete the aqua-db Service and Deployment manifests, as they are not needed when the database is provided by the Azure Database for PostgreSQL managed service.

 

Here is an example of the objects that need to be deleted:

apiVersion: v1
kind: Service
metadata:
  name: aqua-db
  labels:
    app: aqua-db
spec:
  ports:
    - port: 5432
  selector:
    app: aqua-db
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: aqua-db
spec:
  replicas: 1
  selector:
    matchLabels:
      app: aqua-db
  template:
    metadata:
      labels:
        app: aqua-db
      name: aqua-db
    spec:
      serviceAccount: aqua
      containers:
      - name: aqua-db
        image: registry.aquasec.com/database:4.5
        env:
          - name: POSTGRES_PASSWORD
            valueFrom:
              secretKeyRef:
                name: aqua-db
                key: password
        volumeMounts:
          - mountPath: /var/lib/postgresql/data
            name: postgres-db
        ports:
        - containerPort: 5432
      volumes:
        - name: postgres-db
          hostPath:
            path: /var/lib/aqua/db
---

Step 3: Modify the Aqua Console (Web) manifest to use the Azure Database for PostgreSQL instance

  • Modify the following environment variables to match the audit and operational database instance(s) created in Step 1.
  • Ensure that the database users, passwords, and database hosts are the same as the ones defined in Step 1. The user@servername form used below is the login format Azure Database for PostgreSQL (Single Server) expects; the part after the @ must match the server name that prefixes the host.
    • Aqua operational database configuration:

          - name: SCALOCK_DBUSER
            value: "aqua_operationaldb_user@aqua-operationaldb"
          - name: SCALOCK_DBHOST
            value: aqua-operationaldb.postgres.database.azure.com

  • Aqua audit database configuration:

          - name: SCALOCK_AUDIT_DBUSER
            value: "aqua_auditdb_user@aqua-auditdb"
          - name: SCALOCK_AUDIT_DBHOST
            value: aqua-auditdb.postgres.database.azure.com

  • The remaining environment variables ensure that SSL mode is required when the Aqua Console connects to the operational and audit databases:

          - name: SCALOCK_AUDIT_DBSSL
            value: "require"
          - name: SCALOCK_DBSSL
            value: "require"

Here is an example of a completely modified Aqua Console manifest with the above environment variables:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: aqua-web
spec:
  replicas: 1
  selector:
    matchLabels:
      app: aqua-web
  template:
    metadata:
      labels:
        app: aqua-web
      name: aqua-web
    spec:
      serviceAccount: aqua
      containers:
      - name: aqua-web
        image: registry.aquasec.com/console:4.5
        env:
          - name: SCALOCK_DBUSER
            value: "aqua_operationaldb_user@aqua-operationaldb"
          - name: SCALOCK_DBPASSWORD
            valueFrom:
              secretKeyRef:
                name: aqua-db
                key: password
          - name: SCALOCK_DBNAME
            value: "scalock"
          - name: SCALOCK_DBHOST
            value: aqua-operationaldb.postgres.database.azure.com
          - name: SCALOCK_DBPORT
            value: "5432"
          - name: SCALOCK_AUDIT_DBUSER
            value: "aqua_auditdb_user@aqua-auditdb"
          - name: SCALOCK_AUDIT_DBPASSWORD
            valueFrom:
              secretKeyRef:
                name: aqua-db
                key: password
          - name: SCALOCK_AUDIT_DBNAME
            value: "slk_audit"
          - name: SCALOCK_AUDIT_DBHOST
            value: aqua-auditdb.postgres.database.azure.com
          - name: SCALOCK_AUDIT_DBPORT
            value: "5432"
          - name: SCALOCK_AUDIT_DBSSL
            value: "require"
          - name: SCALOCK_DBSSL
            value: "require"
        volumeMounts:
          - mountPath: /var/run/docker.sock
            name: docker-socket-mount
        ports:
        - containerPort: 8080
      volumes:
        - name: docker-socket-mount
          hostPath:
            path: /var/run/docker.sock
---

Note that this example reads the password for both database users from the same key of the aqua-db Secret. Using distinct credentials for the operational and audit users limits what a single leaked password exposes; if you do so, store each password in its own Secret key and reference it from the matching SCALOCK_DBPASSWORD or SCALOCK_AUDIT_DBPASSWORD variable.

Step 4: Modify the Aqua Gateway manifest to use the Azure Database for PostgreSQL instance

  • Just like the Aqua Console, modify the following environment variables to match the audit and operational database instance(s) created in Step 1.
  • Ensure that the database users, passwords, and database hosts are the same as the ones defined in Step 1.
    • Aqua operational database configuration:

          - name: SCALOCK_DBUSER
            value: "aqua_operationaldb_user@aqua-operationaldb"
          - name: SCALOCK_DBHOST
            value: aqua-operationaldb.postgres.database.azure.com

  • Aqua audit database configuration:

          - name: SCALOCK_AUDIT_DBUSER
            value: "aqua_auditdb_user@aqua-auditdb"
          - name: SCALOCK_AUDIT_DBHOST
            value: aqua-auditdb.postgres.database.azure.com

  • The remaining environment variables ensure that SSL mode is required when the Aqua Gateway connects to the operational and audit databases:

          - name: SCALOCK_AUDIT_DBSSL
            value: "require"
          - name: SCALOCK_DBSSL
            value: "require"

Here is an example of a completely modified Aqua Gateway manifest with the above environment variables:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: aqua-gateway
spec:
  replicas: 1
  selector:
    matchLabels:
      app: aqua-gateway
  template:
    metadata:
      labels:
        app: aqua-gateway
      name: aqua-gateway
    spec:
      serviceAccount: aqua
      containers:
      - name: aqua-gateway
        image: registry.aquasec.com/gateway:4.5
        env:
          - name: SCALOCK_GATEWAY_PUBLIC_IP
            value: aqua-gateway
          - name: AQUA_CONSOLE_SECURE_ADDRESS
            value: aqua-web:443
          - name: SCALOCK_DBUSER
            value: "aqua_operationaldb_user@aqua-operationaldb"
          - name: SCALOCK_DBPASSWORD
            valueFrom:
              secretKeyRef:
                name: aqua-db
                key: password
          - name: SCALOCK_DBNAME
            value: "scalock"
          - name: SCALOCK_DBHOST
            value: aqua-operationaldb.postgres.database.azure.com
          - name: SCALOCK_DBPORT
            value: "5432"
          - name: SCALOCK_AUDIT_DBUSER
            value: "aqua_auditdb_user@aqua-auditdb"
          - name: SCALOCK_AUDIT_DBPASSWORD
            valueFrom:
              secretKeyRef:
                name: aqua-db
                key: password
          - name: SCALOCK_AUDIT_DBNAME
            value: "slk_audit"
          - name: SCALOCK_AUDIT_DBHOST
            value: aqua-auditdb.postgres.database.azure.com
          - name: SCALOCK_AUDIT_DBPORT
            value: "5432"
          - name: SCALOCK_AUDIT_DBSSL
            value: "require"
          - name: SCALOCK_DBSSL
            value: "require"
        ports:
        - containerPort: 3622
---
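Before applying the Console and Gateway manifests from Steps 3 and 4, it is worth checking that the database settings in both are consistent with each other and with the Azure instance(s). The script below is an added example, not code from the Aqua deployment guide or the Aqua project. It takes a container's env list as kubectl prints it with kubectl get deployment aqua-web -o json (the same structure as the manifests above) and reports settings that would weaken or break the connection: an SSL mode other than require, an Azure user name without the @servername suffix or with a suffix that does not match the host, the audit and operational databases sharing one host, and both users reading the same Secret key. The sample env and the hostname suffix check are constructed for illustration; the variable names are those used in the manifests above.

```python
"""Pre-deployment check of Aqua Console / Gateway database settings.

Added example (not part of the Aqua deployment guide). Feed it the JSON
of a Deployment:  kubectl get deployment aqua-web -o json | python3 check_db_env.py
"""
import json
import sys

AZURE_PG_SUFFIX = ".postgres.database.azure.com"

# Role -> (user, host, ssl, password) variable names used by the Aqua manifests.
ROLES = {
    "operational": ("SCALOCK_DBUSER", "SCALOCK_DBHOST", "SCALOCK_DBSSL", "SCALOCK_DBPASSWORD"),
    "audit": ("SCALOCK_AUDIT_DBUSER", "SCALOCK_AUDIT_DBHOST", "SCALOCK_AUDIT_DBSSL", "SCALOCK_AUDIT_DBPASSWORD"),
}


def env_to_dict(env):
    """Flatten a Kubernetes env list into {name: literal value or secret reference}."""
    out = {}
    for item in env:
        if "value" in item:
            out[item["name"]] = item["value"]
        else:
            ref = item.get("valueFrom", {}).get("secretKeyRef", {})
            out[item["name"]] = ("secret", ref.get("name"), ref.get("key"))
    return out


def check_db_env(env):
    """Return a list of findings for one container's env; an empty list means it looks right."""
    vals = env_to_dict(env)
    findings = []
    hosts, pw_refs = {}, {}
    for role, (user_var, host_var, ssl_var, pw_var) in ROLES.items():
        user, host, ssl = vals.get(user_var), vals.get(host_var), vals.get(ssl_var)
        for var, v in ((user_var, user), (host_var, host)):
            if not v:
                findings.append(f"{var} is not set")
        # Step 1 enforces SSL on the server, so the client must ask for it.
        if ssl != "require":
            findings.append(f"{ssl_var} must be 'require' (got {ssl!r}); the server rejects plaintext connections")
        server = None
        if host:
            if host.endswith(AZURE_PG_SUFFIX):
                server = host[: -len(AZURE_PG_SUFFIX)]
            else:
                findings.append(f"{host_var}={host} is not an Azure Database for PostgreSQL host")
        # Azure Database for PostgreSQL (Single Server) logs in as user@servername.
        if user:
            if "@" not in user:
                findings.append(f"{user_var} lacks the @servername suffix Azure expects")
            elif server:
                suffix = user.rsplit("@", 1)[1]
                if suffix != server:
                    findings.append(f"{user_var} suffix '@{suffix}' does not match {host_var} server '{server}'")
        hosts[role] = host
        pw_refs[role] = vals.get(pw_var)
    # Recommendations from Step 1 and from the note under the Console manifest.
    if hosts.get("operational") and hosts["operational"] == hosts.get("audit"):
        findings.append("WARN: audit and operational databases share a host; a full audit disk will take the operational database down too")
    if pw_refs.get("operational") and pw_refs["operational"] == pw_refs.get("audit"):
        findings.append("WARN: both database users read the same Secret key; separate credentials are recommended")
    return findings


def check_deployment(deployment):
    """Run check_db_env over every container of a Deployment object; returns {container: findings}."""
    containers = deployment["spec"]["template"]["spec"]["containers"]
    return {c["name"]: check_db_env(c.get("env", [])) for c in containers}


# Constructed sample: a container env as kubectl -o json prints it, with two
# deliberate mistakes (audit SSL mode disabled; audit user suffix naming the wrong server).
SAMPLE_ENV = json.loads("""[
  {"name": "SCALOCK_DBUSER", "value": "aqua_operationaldb_user@aqua-operationaldb"},
  {"name": "SCALOCK_DBPASSWORD", "valueFrom": {"secretKeyRef": {"name": "aqua-db", "key": "password"}}},
  {"name": "SCALOCK_DBNAME", "value": "scalock"},
  {"name": "SCALOCK_DBHOST", "value": "aqua-operationaldb.postgres.database.azure.com"},
  {"name": "SCALOCK_DBPORT", "value": "5432"},
  {"name": "SCALOCK_DBSSL", "value": "require"},
  {"name": "SCALOCK_AUDIT_DBUSER", "value": "aqua_auditdb_user@aqua-operationaldb"},
  {"name": "SCALOCK_AUDIT_DBPASSWORD", "valueFrom": {"secretKeyRef": {"name": "aqua-audit-db", "key": "password"}}},
  {"name": "SCALOCK_AUDIT_DBNAME", "value": "slk_audit"},
  {"name": "SCALOCK_AUDIT_DBHOST", "value": "aqua-auditdb.postgres.database.azure.com"},
  {"name": "SCALOCK_AUDIT_DBPORT", "value": "5432"},
  {"name": "SCALOCK_AUDIT_DBSSL", "value": "disable"}
]""")

if __name__ == "__main__":
    if sys.stdin.isatty():
        report = {"sample": check_db_env(SAMPLE_ENV)}
    else:
        report = check_deployment(json.load(sys.stdin))
    for container, findings in report.items():
        for line in findings:
            print(f"{container}: {line}")
```

Run it against both the aqua-web and the aqua-gateway Deployment; the two must agree on hosts, users and SSL mode, since the Gateway writes to the same databases as the Console.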

Step 5: Deploy the modified Aqua Console & Gateway manifests

  • Once you are satisfied with your modified manifests, deploy the components so that they can communicate with the Azure Database for PostgreSQL instance(s).
    • Make sure that the instances’ firewall rules allow inbound connections from the addresses the Aqua Console and Gateway actually connect from: the public egress addresses of the cluster nodes, or their private addresses if the instances are reached over a virtual network. Keep the rules as narrow as possible; a blanket 0.0.0.0–255.255.255.255 rule exposes the database to the whole internet, and the “Allow access to Azure services” option admits any Azure-hosted client, including those in other customers’ subscriptions.
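The two server-side settings this guide relies on, “Enforce SSL connection” from Step 1 and the firewall rules from Step 5, can be reviewed from the Azure CLI output before the Console and Gateway are deployed. The script below is an added example, not code from the Aqua deployment guide or the Aqua project. It evaluates the JSON that az postgres server show -o json and az postgres server firewall-rule list -o json return for a Single Server (property names sslEnforcement, minimalTlsVersion, startIpAddress, endIpAddress), together with the addresses the Aqua components connect from, and reports anything that would break or needlessly widen the connection. The sample server, rules, client addresses and the /24 “overly broad” threshold are constructed assumptions for illustration.

```python
"""Review an Azure Database for PostgreSQL server's connection settings
before deploying the Aqua Console and Gateway.

Added example (not part of the Aqua deployment guide). Usage with real data:
  az postgres server show -g RG -n SERVER -o json > server.json
  az postgres server firewall-rule list -g RG -s SERVER -o json > rules.json
  python3 review_server.py server.json rules.json 203.0.113.5 203.0.113.6
"""
import ipaddress
import json
import sys

MAX_RANGE = 256  # rules wider than a /24 are reported as overly broad (threshold is an assumption)


def _ip_int(s):
    return int(ipaddress.ip_address(s))


def review_server(server, rules, client_ips):
    """Return findings as a list of strings; an empty list means the server is ready for Aqua."""
    findings = []
    name = server.get("fullyQualifiedDomainName") or server.get("name", "<server>")

    # Step 1: "Enforce SSL connection" must be on; also do not leave TLS enforcement disabled.
    if server.get("sslEnforcement") != "Enabled":
        findings.append(f"{name}: sslEnforcement is {server.get('sslEnforcement')!r}; enable 'Enforce SSL connection'")
    if server.get("minimalTlsVersion") in (None, "TLSEnforcementDisabled"):
        findings.append(f"{name}: no minimum TLS version enforced; set TLS1_2")

    # Step 5: firewall rules must admit the Aqua components and should admit little else.
    explicit_ranges = []
    for rule in rules:
        start, end = _ip_int(rule["startIpAddress"]), _ip_int(rule["endIpAddress"])
        if start == 0 and end == 0:
            # The 0.0.0.0-0.0.0.0 rule is the "Allow access to Azure services" toggle:
            # any Azure-hosted client, in any tenant, is admitted by it.
            findings.append(f"{name}: rule {rule['name']!r} allows all Azure services; prefer explicit egress addresses")
            continue
        if end - start + 1 > MAX_RANGE:
            findings.append(f"{name}: rule {rule['name']!r} spans {end - start + 1} addresses; narrow it")
        explicit_ranges.append((rule["name"], start, end))

    # Every Console/Gateway egress address needs an explicit rule; the Azure-services
    # toggle is deliberately not counted as coverage.
    for ip in client_ips:
        n = _ip_int(ip)
        if not any(start <= n <= end for _, start, end in explicit_ranges):
            findings.append(f"{name}: client {ip} is not covered by any explicit firewall rule")
    return findings


# Constructed sample input shaped like the az CLI output (not real infrastructure).
SAMPLE_SERVER = json.loads("""{
  "name": "aqua-operationaldb",
  "fullyQualifiedDomainName": "aqua-operationaldb.postgres.database.azure.com",
  "sslEnforcement": "Enabled",
  "minimalTlsVersion": "TLS1_2"
}""")
SAMPLE_RULES = json.loads("""[
  {"name": "AllowAllWindowsAzureIps", "startIpAddress": "0.0.0.0", "endIpAddress": "0.0.0.0"},
  {"name": "aks-egress", "startIpAddress": "203.0.113.5", "endIpAddress": "203.0.113.5"},
  {"name": "office", "startIpAddress": "198.51.100.0", "endIpAddress": "198.51.100.255"}
]""")
# Addresses the Console and Gateway pods egress from (constructed; the second one has no rule).
SAMPLE_CLIENT_IPS = ["203.0.113.5", "203.0.113.6"]

if __name__ == "__main__":
    if len(sys.argv) >= 3:
        with open(sys.argv[1]) as f:
            server = json.load(f)
        with open(sys.argv[2]) as f:
            rules = json.load(f)
        clients = sys.argv[3:]
    else:
        server, rules, clients = SAMPLE_SERVER, SAMPLE_RULES, SAMPLE_CLIENT_IPS
    for line in review_server(server, rules, clients):
        print(line)
```

The check treats the Azure-services toggle as a finding rather than as coverage on purpose: it would make every client address appear allowed while admitting far more than the two Aqua components. Repeat the review for the audit instance if it was created separately as Step 1 recommends.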

Related information