feat: Add existing secret to policies bundle (#1952)

KevinDW-Fluxys · chen-keinan · web-flow · commit 380f5d3d2d3d · 2024-03-27T20:55:05.000+02:00
* chore: Add existing secret to policies bundle

* chore: external bundle secret docs

Signed-off-by: chenk &lt;hen.keinan@gmail.com&gt;

---------

Signed-off-by: chenk &lt;hen.keinan@gmail.com&gt;
Co-authored-by: chenk &lt;hen.keinan@gmail.com&gt;
diff --git a/deploy/helm/README.md b/deploy/helm/README.md
@@ -86,6 +86,7 @@ Keeps security report resources updated
 | operator.webhookSendDeletedReports | bool | `false` | webhookSendDeletedReports the flag to enable sending deleted reports if webhookBroadcastURL is enabled |
 | podAnnotations | object | `{}` | podAnnotations annotations added to the operator's pod |
 | podSecurityContext | object | `{}` |  |
+| policiesBundle.existingSecret | bool | `false` | existingSecret if a secret containing registry credentials that have been created outside the chart (e.g external-secrets, sops, etc...). Keys must be at least one of the following: policies.bundle.oci.user, policies.bundle.oci.password Overrides policiesBundle.registryUser, policiesBundle.registryPassword values. Note: The secret has to be named "trivy-operator". |
 | policiesBundle.registry | string | `"ghcr.io"` | registry of the policies bundle |
 | policiesBundle.registryPassword | string | `nil` | registryPassword is the password for the registry |
 | policiesBundle.registryUser | string | `nil` | registryUser is the user for the registry |
diff --git a/deploy/helm/templates/secrets/operator.yaml b/deploy/helm/templates/secrets/operator.yaml
@@ -1,3 +1,4 @@
+{{- if not .Values.policiesBundle.existingSecret }}
 ---
 apiVersion: v1
 kind: Secret
@@ -12,4 +13,4 @@ data:
   {{- with .Values.policiesBundle.registryPassword }}
   policies.bundle.oci.password: {{ . | b64enc | quote }}
   {{- end }}
-  
+{{- end }}
diff --git a/deploy/helm/values.yaml b/deploy/helm/values.yaml
@@ -622,6 +622,11 @@ policiesBundle:
   registryUser: ~
   # -- registryPassword is the password for the registry
   registryPassword: ~
+  # -- existingSecret if a secret containing registry credentials that have been created outside the chart (e.g external-secrets, sops, etc...).
+  # Keys must be at least one of the following: policies.bundle.oci.user, policies.bundle.oci.password
+  # Overrides policiesBundle.registryUser, policiesBundle.registryPassword values.
+  # Note: The secret has to be named "trivy-operator".
+  existingSecret: false
 
 
 nodeCollector:
