Integration with On-Premises Artifact Registries
TABLE OF CONTENTS
- Overview
- Prerequisites
- Connectivity check
- Deploy Aqua components in a Docker environment
- Deploy Aqua components in a Kubernetes environment
- Environment Variables
Overview
This article explains how to deploy Aqua components for Supply Chain Security on the server that also hosts your artifact registries. Once the Aqua components are deployed on that server, Aqua detects security issues in the registry and displays them on the Tool Chain page, under the Artifact category, as failed checks.
The integration consists of deploying the Connector Client on your server. The Connector Client is an agent that sends information about security issues detected in your artifact registries to Aqua in real time.
You can deploy the components on either a Kubernetes cluster or a Docker environment. The following sections explain the procedures to deploy the components on Kubernetes and Docker environments. You can find deployment steps and command syntax for the artifact registry in the relevant Integration page in the UI.
Prerequisites
Before you deploy these components, collect the following details; they are passed to the components through the environment variables used in the commands:
- SCM URL: Artifact registry URL e.g., https://example.Jfrog.io
- SCM Username: Username of the artifact registry
- SCM Password: Enter the access token of the artifact registry in this variable. Refer to the Permissions required to create an access token section below to create an access token with the required permissions. For more information on creating an access token in your JFrog environment, refer to the JFrog documentation, Generating Admin Tokens.
- HTTP or HTTPS details: Optionally, you can add an SSL CA certificate and a client certificate/key for the SSL connection to the artifact registry server. The details required are HTTP/HTTPS Proxy, HTTPS certificate, HTTPS Key, and CA certificate.
- Local directory: the directory on the server that holds the HTTPS certificates
- AQUA KEY and AQUA SECRET: Generate the values for these variables on the Aqua Account Management > Settings > API Keys page. For more information, refer to Generating a CSPM API Key and Secret. Before you generate the Aqua key and secret, ensure that the clock of the server on which you will deploy Aqua components is synchronized with the clock of the machine from which you will generate the Aqua key and secret.
For the list of all environment variables, refer to the Environment Variables section below.
Permissions required to create an access token for JFrog Artifactory Server
When creating an access token, enter the following details:
- Token scope: Admin
- Service: select All
Connectivity check
Before deploying Aqua components in your environment, you can run a check to validate whether your server supports the deployment of Aqua components. Run the following commands in the terminal of the server where you want to deploy Aqua components:
curl https://connect.codesec.aquasec.com/
# To authenticate with CSPM:
curl https://api.cloudsploit.com/v2/tokens
To deploy Aqua components in one of the specific regions mentioned below, you should pass the respective values for the connectivity check:
Docker compose | Kubernetes | Values to check connectivity by region |
---|---|---|
CSPM_SERVER_URL | cspmServerUrl | |
SERVER_URL | connectServerUrl | |
The result tells you whether your server has passed the validation. Once validated, you can move on to the next steps to deploy Aqua components.
Deploy Aqua components in a Docker environment
On a host with Docker Compose, perform the following actions to deploy Aqua components on your server:
1. Create a local docker-compose.yaml file with the following content. It contains the parameters supported for deploying Aqua components on the environment that also hosts the JFrog artifact registry.
version: '3.9'
services:
  aqua-connector:
    restart: unless-stopped
    image: docker.io/aquasec/codesec-connector:minified
    environment:
      SOURCE: 'jfrog_server'
      SCM_URL: ${SCM_URL}
      USERNAME: ${SCM_USERNAME}
      PASSWORD: ${SCM_PASSWORD}
      AQUA_KEY: ${AQUA_KEY}
      AQUA_SECRET: ${AQUA_SECRET}
      # Uncomment if you have a proxy
      # HTTP_PROXY: ${HTTP_PROXY}
      # Uncomment this section if you are using a custom certificate
      # CA_CERT: ${CA_CERT}       # .pem file path
      # HTTPS_CERT: ${HTTPS_CERT} # certificate file path
      # HTTPS_KEY: ${HTTPS_KEY}   # certificate private key path
    # volumes:
    #   - ${LOCAL_CERT_DIR}:/home/private
2. Run the following command after adding the required variables.
export AQUA_KEY=<aqua key>
export AQUA_SECRET=<aqua secret>
export SCM_URL=<scm endpoint>
export SCM_PASSWORD=<access-token or password>
export SCM_USERNAME=<token-name or account-name/empty>
docker-compose up -d
You can also find this syntax on the JFrog Artifactory Server integration page in the UI.
Deploy Aqua components in a Kubernetes environment
To deploy Aqua components on your Kubernetes cluster, run the following commands:
1. Run the following commands to add and update the "Aqua codesec" Helm chart repository:
helm repo add aqua-helm https://helm.aquasec.com
helm repo update
2. Run one of the following commands after adding the required variables. The commands contain the parameters supported for deploying Aqua components on the environment that also hosts the JFrog artifact registry.
- Command with basic configuration:
helm upgrade -i aqua-codesec aqua-helm/codesec-agent --namespace aqua-codesec \
  --create-namespace \
  --set integration.source=jfrog_server \
  --set credentials.aqua_key=<aqua key> \
  --set credentials.aqua_secret=<aqua secret> \
  --set integration.url=<scm endpoint> \
  --set integration.username=<token-name or account-name/empty> \
  --set integration.password=<access-token or password> \
  --set scan.replicas=0
- Advanced configuration (a values file such as env-values.yaml, passed to helm with -f as in step 3):
credentials:
  # Aqua key and secret generated from the platform
  aqua_key: <AQUA_KEY>
  aqua_secret: <AQUA_SECRET>
integration:
  # Provider identifier for the JFrog Artifactory Server integration
  source: jfrog_server
  # Your SCM url
  url: <SCM_URL>
  # Access Token/Api Key/Account information
  username: <SCM_USERNAME>
  password: <SCM_PASSWORD>
scan:
  replicas: 0
You can get AQUA_KEY and AQUA_SECRET from the Aqua Account Management > Settings > API Keys page. For more information, refer to Generating a CSPM API Key and Secret.
3. (Optional) Run the following command to upgrade the release to the latest chart version. This command is required whenever you update the Helm chart version.
helm upgrade -i aqua-codesec aqua-helm/codesec-agent --namespace aqua-codesec \
  --create-namespace -f env-values.yaml
You can also find this syntax on the JFrog Artifactory Server integration page in the UI.
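The Docker section above exports the connector variables by hand, and the Kubernetes section writes the same values into a Helm values file. The script below is an added example, not Aqua's own code or part of this article: it validates the variables named on this page (AQUA_KEY, AQUA_SECRET, SCM_URL, SCM_PASSWORD, SCM_USERNAME, CA_CERT, HTTPS_CERT, HTTPS_KEY, LOCAL_CERT_DIR) before either deployment path, wraps the page's curl connectivity check with a timeout and an explicit status code, and renders the env-values.yaml from step 3 from those variables so the Admin-scoped token never appears on a command line or in shell history. The https-only rule for SCM_URL and the 0600 mode on the values file are this script's own policy, not a documented Aqua requirement.

```shell
#!/bin/sh
# Added example (not Aqua's code): pre-flight checks for the connector
# variables, a guarded connectivity check, and an env-values.yaml generator.
# Checks (https-only URL, readable cert files, 0600 values file) are this
# script's assumptions, not Aqua requirements.

# fail_msg MSG: report a failed check on stderr and return 1.
fail_msg() { printf 'preflight: %s\n' "$1" >&2; return 1; }

# require_var NAME: the named variable must be set and non-empty.
require_var() {
    eval "_v=\${$1:-}"
    [ -n "$_v" ] || fail_msg "$1 is not set"
}

# check_url URL: registry URL must be https:// with a host and no spaces.
check_url() {
    case "$1" in
        https://[!/]*) : ;;
        *) fail_msg "SCM_URL must start with https:// and name a host: '$1'"; return 1 ;;
    esac
    case "$1" in
        *" "*) fail_msg "SCM_URL contains whitespace"; return 1 ;;
    esac
    return 0
}

# check_cert_file NAME: if the variable is set, it must point to a readable file.
check_cert_file() {
    eval "_p=\${$1:-}"
    [ -z "$_p" ] && return 0
    [ -r "$_p" ] || fail_msg "$1 points to an unreadable file: $_p"
}

# preflight: run every check and return 0 only if all of them pass.
preflight() {
    _rc=0
    for _name in AQUA_KEY AQUA_SECRET SCM_URL SCM_PASSWORD; do
        require_var "$_name" || _rc=1
    done
    [ -n "${SCM_URL:-}" ] && { check_url "$SCM_URL" || _rc=1; }
    for _name in CA_CERT HTTPS_CERT HTTPS_KEY; do
        check_cert_file "$_name" || _rc=1
    done
    if [ -n "${LOCAL_CERT_DIR:-}" ] && [ ! -d "$LOCAL_CERT_DIR" ]; then
        fail_msg "LOCAL_CERT_DIR is not a directory: $LOCAL_CERT_DIR"; _rc=1
    fi
    return $_rc
}

# check_endpoint URL: the page's curl check with a 10 s timeout; prints the
# HTTP status and returns 1 when no connection could be made at all.
check_endpoint() {
    command -v curl >/dev/null 2>&1 || { fail_msg "curl is not installed"; return 1; }
    _code=$(curl -sS --max-time 10 -o /dev/null -w '%{http_code}' "$1") || return 1
    printf '%s -> HTTP %s\n' "$1" "$_code"
}

# render_helm_values FILE: write the step-3 values file from the exported
# variables, created with mode 0600 so the token is not world-readable.
render_helm_values() {
    _out="$1"
    preflight || return 1
    rm -f -- "$_out" && ( umask 077; : > "$_out" ) || return 1
    cat > "$_out" <<EOF
credentials:
  aqua_key: ${AQUA_KEY}
  aqua_secret: ${AQUA_SECRET}
integration:
  source: jfrog_server
  url: ${SCM_URL}
  username: ${SCM_USERNAME:-}
  password: ${SCM_PASSWORD}
scan:
  replicas: 0
EOF
}

# Usage, after exporting the variables as in the Docker section:
#   preflight && check_endpoint https://connect.codesec.aquasec.com/ && \
#   render_helm_values env-values.yaml && \
#   helm upgrade -i aqua-codesec aqua-helm/codesec-agent --namespace aqua-codesec \
#     --create-namespace -f env-values.yaml
```

The generated file is equivalent to the advanced-configuration values file in step 2; keep it out of version control, since it carries the registry token and the Aqua secret in clear text.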
Environment Variables
You can pass values to the following environment variables in either a Docker or a Kubernetes environment when deploying Aqua components on your server. The following table describes these variables and their functions:
Docker compose | Kubernetes | Description |
---|---|---|
AQUA_KEY | credentials.aqua_key | Aqua Key (from Account Management > Settings > API Keys) |
AQUA_SECRET | credentials.aqua_secret | Aqua Secret (from Account Management > Settings > API Keys) |
CA_CERT | ssl.ca | CA Certificate |
HTTP_PROXY | proxy.url | HTTP Proxy |
HTTPS_CERT | ssl.cert | SSL Certificate |
HTTPS_KEY | ssl.key | SSL Certificate key |
HTTPS_PROXY | proxy.url | HTTPS Proxy |
LOCAL_CERT_DIR | | Certificates directory |
PASSWORD | integration.password | Access Token value for artifact registry authentication |
| <RELEASE_NAME> | Release name used when updating the Helm chart version |
SCM_URL | integration.url | Base URL of the artifact registry |
SOURCE | integration.source | Provider identifier (hardcoded) |
USERNAME | integration.username | Username for artifact registry authentication |