Welcome to Support Portal

TABLE OF CONTENTS

• Overview
• Prerequisites
• Connectivity check
• Deploy Aqua components in a Docker environment
• Deploy Aqua components in a Kubernetes environment
• Environment Variables

Overview

This article explains the process of deploying Aqua components for Supply Chain Security on your server which also hosts your code repositories. Once Aqua components are deployed on your server, it scans the code repositories, detects security issues, and reports them back to Aqua to display in the UI.

This integration includes the deployment of two main components on your server:

• Connector Client: an agent that can be deployed on your server and sends information about the detection of security issues in your code repositories to Aqua in real time
• Scanner Client: scans your code repositories hosted in your environment for security issues. It sends this information to Connector Client, which in turn sends it to Aqua to report in the UI.

You can deploy the components on either a Kubernetes cluster or a Docker environment. The following sections explain the procedures to deploy the components on Kubernetes and Docker environments. You can find deployment steps and command syntax for each Source Code Management (SCM) tool (Azure Server, Bitbucket Server, GitHub Server, and GitLab Server) in the relevant Integration page in the UI. For more information, refer to Code repository Integrations.

Prerequisites

Before you deploy these components, you should have the following details to fill them as environment variables in the commands:

• SCM URL: e.g. https://example.your-scm-server.com
• SCM Username: Access token name or Account name
• SCM Password: Access Token value or Account password
• HTTP or HTTPS details: Optionally you can add SSL CA certificate and client certificate/key for SSL connection to the SCM/CI server. The details required are HTTP/HTTPS Proxy, HTTPS certificate, HTTPS Key, and CA certificate.
• Connector URL: URL for the connector container from SCM used for webhooks, e.g. http://docker-compose-host:9999
• Local directory: which has HTTPS certificates

 For the list of all environment variables, refer to the Environment Variables section below.

Connectivity check

Before deploying Aqua components on your environment, you can run a check to validate whether your server would support the deployment of Aqua components.

Run the following commands in the terminal of the server where you want to deploy Aqua components:

curl https://connect.codesec.aquasec.com/
curl https://scan.codesec.aquasec.com/

# To authenticate with CSPM:
curl https://api.cloudsploit.com/v2/tokens

# For Aqua URL:
curl https://api.aquasec.com/v2/build

# For Trivy artifact download:
curl https://github.com/  
curl ghcr.io 
curl pkg-containers.githubusercontent.com

You will then get a result on whether your server has passed the validation. Once validated, you can move on to the next steps of deploying Aqua components.

Deploy Aqua components in a Docker environment

On a host with Docker Compose, perform the following actions to deploy Aqua components on your server:

1. Create a local version of docker-compose.yaml using the following syntax. The following syntax has parameters supported for deploying Aqua components on the environment which also hosts Azure Server.

version: '3.9'
services:
  broker:
    restart: unless-stopped
    image: docker.io/aquasec/codesec-connector:minified
    container_name: azure_server_connector
    ports:
      - 9999:9999
    environment:
      PORT: 9999
      HTTP_PROXY: ${HTTP_PROXY}
      HTTPS_PROXY: ${HTTPS_PROXY}
      CA_CERT: ${CA_CERT}
      HTTPS_CERT: ${HTTPS_CERT} # Certificate
      HTTPS_KEY: ${HTTPS_KEY} # Certificate Private Key
      SOURCE: azure_server
      SCM_URL: ${SCM_URL}
      USERNAME: ${USERNAME} # Access Token name or Account name, OMIT if access token is anonymous
      PASSWORD: ${PASSWORD} # Access Token value or Account password
      AQUA_KEY: BGZ3CHIaRROlliYNLxoYSy
      AQUA_SECRET: xypuG2CN9PiEFQsnTfaQn2Ib2LqnsSjGsv4
      CONNECTOR_URL: ${CONNECTOR_URL} # Full URL to the this connector container from the SCM (e.g. http://docker-compose-host:9999) Used for webhooks
    volumes:
      - ${LOCAL_CERT_DIR}:/home/private

  scanner:
    restart: unless-stopped
    image: docker.io/aquasec/codesec-scanner:latest
    environment:
      HTTP_PROXY: ${HTTP_PROXY}
      HTTPS_PROXY: ${HTTPS_PROXY}
      CA_CERT: ${CA_CERT}
      HTTPS_CERT: ${HTTPS_CERT} # Certificate
      HTTPS_KEY: ${HTTPS_KEY} # Certificate Private Key
      SOURCE: azure_server
      USERNAME: ${USERNAME} # Access Token name or Account name, OMIT if access token is anonymous
      PASSWORD: ${PASSWORD} # Access Token value or Account password
      AQUA_KEY: BGZ3CHIaRROlliYNLxoYSy
      AQUA_SECRET: xypuG2CN9PiEFQsnTfaQn2Ib2LqnsSjGsv4
    deploy:
      replicas: 1
    volumes:
      - ${LOCAL_CERT_DIR}:/home/private

        2. Run the following command after adding the required variables. 

SCM_URL={SCM_URL} CONNECTOR_URL={CONNECTOR_URL} PASSWORD={PASSWORD} USERNAME={USERNAME} LOCAL_CERT_DIR={LOCAL_CERT_DIR} HTTPS_CERT=/home/private/broker.crt HTTPS_KEY=/home/private/broker.key CA_CERT=/home/private/root.pem docker-compose -f docker-compose.yaml up -d

You can find syntax for each SCM tool in the relevant Integration page in the UI.

Deploy Aqua components in a Kubernetes environment

To deploy Aqua components on your Kubernetes cluster, run the following commands:

1.  Run the following command to add and update "Aqua codesec" Helm chart repository:

helm repo add aqua-helm https://helm.aquasec.com
  helm repo update

        2. Run one of the following commands after adding the required variables. The following commands have parameters
            supported for deploying Aqua components on the environment which also hosts Azure Server.

• Command with basic configuration:

helm upgrade --install --namespace aqua-codesec <RELEASE_NAME> aqua-helm/codesec-agent \
--set credentials.aqua_key=BGZ3CHIaRROlliYNLxoYSy \
--set credentials.aqua_secret=xypuG2CN9PiEFQsnTfaQn2Ib2LqnsSjGsv4 \
--set integration.source=azure_server \
--set integration.url="https://example.your-scm-server.com" \
--set integration.username={USERNAME} \
--set integration.password={PASSWORD} \
--set connect.client_url={CONNECTOR CLIENT IP/ENDPOINT}

credentials:
  aqua_key: BGZ3CHIaRROlliYNLxoYSy
  aqua_secret: xypuG2CN9PiEFQsnTfaQn2Ib2LqnsSjGsv4

integration:
  source: azure_server
  # SCM/Artifactory/CI url
  url:
  # Access Token/API Key/Account information
  username:
  password:

# Optionally add SSL CA cert and client cert/key for SSL connection to the SCM/CI server:
ssl:
  enabled: false
#  ca: -|
#    -----BEGIN CERTIFICATE-----
#    ca-cert
#    -----END CERTIFICATE
#  cert: -|
#    -----BEGIN CERTIFICATE-----
#    client-cert
#    -----END CERTIFICATE-----
#  key: -|
#    -----BEGIN RSA PRIVATE KEY-----
#    secure key
#    -----BEGIN RSA PRIVATE KEY-----

proxy:
  url:

connect:
  port: 9999
  client_url:
  service:
    port: 9999
    type: ClusterIP
    annotations: {}
  resources: {}
  nodeSelector: {}
  affinity: {}
  tolerations: {}

scan:
  resources: {}
  nodeSelector: {}
  affinity: {}
  tolerations: {}

        3. (Optional) Run the following command to upgrade release name to the latest chart version. This command is required
            to upgrade the already deployed Helm chart version.

helm upgrade -i <RELEASE_NAME> aqua-helm/codesec-agent --namespace aqua-codesec \
 --create-namespace \
 -f env-values.yaml

Environment Variables

You can pass values to the following environment variables in either a Docker or Kubernetes environment, while deploying Aqua components on your server. The following list describes these variables and their functions: