add trivy-operator 2.5.0

Author: devopstales

charts/trivy-operator-2.5.0.tgz

@@ -1,18 +1,18 @@
 apiVersion: v2
 name: trivy-operator
-description: A Helm chart for trivy-operator
+description: "This chart deploys an operator that default every 5 minutes execute a scan script. It will get image list from all namespaces with the label `trivy-scan=true`, and then scan this images with trivy, finally we will get metrics on `http://[pod-ip]:9115/metrics`"
 type: application
-version: 2.4.3
-appVersion: "1.16.0"
+version: 2.5.0
+appVersion: "0.23.0"
 kubeVersion: ">=1.19.x-0"
 keywords:
   - Trivy
   - Admission Controller
   - Operator
   - Image Secutity
-home: https://devopstales.github.io/trivy-operator/
+home: https://github.com/devopstales/trivy-operator
 icon: https://github.com/devopstales/helm-charts/raw/main/icons/trivy.png
 sources:
   - https://github.com/devopstales/trivy-operator
   - https://github.com/devopstales/helm-charts
-deprecated: false
+deprecated: false

charts/trivy-operator/Chart.yaml

@@ -1,43 +1,77 @@
 ### Trivy Operator
 
+![Version: 2.5.0](https://img.shields.io/badge/Version-2.5.0-informational?style=for-the-badge)
+![Type: application](https://img.shields.io/badge/Type-application-informational?style=for-the-badge)
+![AppVersion: 1.16.0](https://img.shields.io/badge/AppVersion-1.16.0-informational?style=for-the-badge)
+
+## Description
+
 This chart deploys an operator that default every 5 minutes execute a scan script. It will get image list from all namespaces with the label `trivy-scan=true`, and then scan this images with trivy, finally we will get metrics on `http://[pod-ip]:9115/metrics`
 
 ## Configuration
 
 The following tables lists configurable parameters of the trivy-operator chart and their default values.
 
-|               Parameter             |                Description                  |                  Default                 |
-| ----------------------------------- | ------------------------------------------- | -----------------------------------------|
-| image.repository                    | image | devopstales/trivy-operator |
-| image.pullPolicy                    | pullPolicy | Always |
-| image.tag                           | image tag | 2.4.1 |
-| imagePullSecrets                    | imagePullSecrets list | [] |
-| podSecurityContext.fsGroup          | mount id | 10001 |
-| serviceAccount.create               | create serviceAccount | true |
-| serviceAccount.annotations          | add annotation to serviceAccount | {} |
-| serviceAccount.name                 | name of the serviceAccount | trivy-operator |
-| monitoring.port                     | prometheus endpoint port | 9115 |
-| serviceMonitor.enabled              | enable serviceMonitor object creation | false |
-| serviceMonitor.namespace            | where to create serviceMonitor object | kube-system |
-| serviceMonitor.interval             | set interval to serviceMonitor | 60s |
-| serviceMonitor.scrapeTimeout        | set scrapeTimeout to serviceMonitor | 30s |
-| serviceMonitor.relabelings          | set relabelings to serviceMonitor | [] |
-| serviceMonitor.metricRelabelings    | set metricRelabelings to serviceMonitor | [] |
-| persistence.enabled                 | enable pv to store trivy database | true |
-| persistence.size                    | pv size | 1Gi |
-| persistence.storageClass            | storageClass | Not defined |
-| persistence.accessMode              | accessMode | ReadWriteOnce |
-| persistence.annotations             | add extra annotations | No value |
-| NamespaceScanner.crontab            | cronjob scheduler | "*/5 * * * *" |
-| NamespaceScanner.namespaceSelector  | Namespace Selector | "trivy-scan" |
-| NamespaceScanner.clusterWide        | scan all namespaces | "false" |
-| NamespaceScanner.policyreport       | generate policy reports | "false" |
-| registryAuth.enabled                | enable registry authentication in operator | false |
-| registryAuth.registry               | registry name for authentication |
-| registryAuth.user                   | username for authentication |
-| registryAuth.password               | password for authentication |
-| githubToken.enabled                 | Enable githubToken usage for trivy database update | false |
-| githubToken.token                   | githubToken value | "" |
-| nodeSelector                        | Select node where deploy | "" |
-| tolerations                         |  Tolerations for use with node taints | [] |
-| affinity                            | Assign custom affinity rules to the trivy operator | {} |
+<fill out>
+
+## Values
+
+| Key | Type | Default | Description |
+|-----|------|---------|-------------|
+| TimeZone | string | `"UTC"` | Time Zone in container |
+| admissionController.enabled | bool | `false` | enable adission controller |
+| affinity | object | `{}` | Set the affinity for the pod. |
+| cache.enabled | bool | `false` | enable redis cache |
+| clusterScanner.crontab | string | `"*/1 * * * *"` | crontab for scheduled scan |
+| clusterScanner.enabled | bool | `false` | enable clusterScanner cr creation |
+| clusterScanner.integrations | object | `{}` | configure defectdojo integration |
+| clusterScanner.scanProfileName | string | `"cis-1.23"` | kube-hunter scan profile |
+| githubToken.enabled | bool | `false` | enable github authentiation token |
+| githubToken.token | string | `""` | github authentiation token value |
+| grafana.dashboards.enabled | bool | `true` | Enable the deployment of grafana dashboards |
+| grafana.dashboards.label | string | `"grafana_dashboard"` | Label to find dashboards using the k8s sidecar |
+| grafana.dashboards.value | string | `"1"` | Label value to find dashboards using the k8s sidecar |
+| grafana.folder.annotation | string | `"grafana_folder"` | Annotation to enable folder storage using the k8s sidecar |
+| grafana.folder.name | string | `"Policy Reporter"` | Grafana folder in which to store the dashboards |
+| grafana.namespace | string | `nil` | namespace for configMap of grafana dashboards |
+| image.pullPolicy | string | `"Always"` | The docker image pull policy |
+| image.repository | string | `"devopstales/trivy-operator"` | The docker image repository to use |
+| image.tag | string | `"2.5.0"` | The docker image tag to use |
+| imagePullSecrets | list | `[]` | list of secrets to use for imae pull |
+| kube_bench_scnner.image.pullPolicy | string | `"Always"` | The docker image pull policy |
+| kube_bench_scnner.image.repository | string | `"devopstales/kube-bench-scnner"` | The docker image repository to use |
+| kube_bench_scnner.image.tag | string | `"2.5"` | The docker image tag to use |
+| log_level | string | `"INFO"` | Log level |
+| monitoring.port | string | `"9115"` | configure prometheus monitoring port |
+| namespaceScanner.clusterWide | bool | `false` |  |
+| namespaceScanner.crontab | string | `"*/5 * * * *"` |  |
+| namespaceScanner.integrations.policyreport | bool | `false` |  |
+| namespaceScanner.namespaceSelector | string | `"trivy-scan"` |  |
+| nodeSelector | object | `{}` | Set the node selector for the pod. |
+| offline.db_repository | string | `"localhost:5000/trivy-db"` | repository to use for download trivy vuln db |
+| offline.db_repository_insecure | bool | `false` | insecure repository |
+| offline.enabled | bool | `false` | enable air-gapped mode |
+| persistence.accessMode | string | `"ReadWriteOnce"` | Volumes mode |
+| persistence.annotations | object | `{}` | Volumes annotations |
+| persistence.enabled | bool | `true` | Volumes for the pod |
+| persistence.size | string | `"1Gi"` | Volumes size |
+| podSecurityContext | object | `{"fsGroup":10001,"fsGroupChangePolicy":"OnRootMismatch"}` | security options for the pod |
+| registryAuth.enabled | bool | `false` | enable registry authentication |
+| registryAuth.image_pull_secrets | list | `["regcred"]` | list of image pull secrets for authentication |
+| serviceAccount.annotations | object | `{}` | serviceAccount annotations |
+| serviceAccount.create | bool | `true` | Enable serviceAccount creation |
+| serviceAccount.name | string | `"trivy-operator"` | Name of the serviceAccount |
+| serviceMonitor.enabled | bool | `false` | allow to override the namespace for serviceMonitor |
+| serviceMonitor.labels.release | string | `"prometheus"` | labels to match the serviceMonitorSelector of the Prometheus Resource |
+| serviceMonitor.metricRelabelings | list | `[]` | metricRelabeling config for serviceMonitor |
+| serviceMonitor.namespace | object | `{}` | Name of the namespace for serviceMonitor |
+| serviceMonitor.relabelings | list | `[]` | relabel config for serviceMonitor |
+| tolerations | list | `[]` | Set the tolerations for the pod. |
+
+**Homepage:** <https://github.com/devopstales/trivy-operator>
+
+## Source Code
+
+* <https://github.com/devopstales/trivy-operator>
+* <https://github.com/devopstales/helm-charts>
+

charts/trivy-operator/README.md

@@ -0,0 +1,97 @@
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  name: cluster-scanners.trivy-operator.devopstales.io
+spec:
+  conversion:
+    strategy: None
+  group: trivy-operator.devopstales.io
+  names:
+    kind: ClusterScanner
+    listKind: ClusterScannerList
+    plural: cluster-scanners
+    shortNames:
+    - cs-scan
+    singular: cluster-scanner
+  scope: Cluster
+  versions:
+  - additionalPrinterColumns:
+    - description: Kubernetes Scan Profile
+      jsonPath: .spec.scanProfileName
+      name: ClusterScanProfile
+      type: string
+    - description: crontab value
+      jsonPath: .spec.crontab
+      name: Crontab
+      type: string
+    name: v1
+    schema:
+      openAPIV3Schema:
+        properties:
+          crontab:
+            pattern: ^(\d+|\*)(/\d+)?(\s+(\d+|\*)(/\d+)?){4}$
+            type: string
+          scanProfileName:
+            type: string
+            enum:
+              - ack-1.0
+              - aks-1.0
+              - gke-1.0
+              - gke-1.2.0
+              - eks-1.0.1
+              - cis-1.5
+              - cis-1.6
+              - cis-1.20
+              - cis-1.23
+              - rh-0.7
+              - rh-1.0
+              - k3s-cis-1.6-permissive
+              - k3s-cis-1.6-hardened
+              - k3s-cis-1.20-hardened
+              - k3s-cis-1.20-permissive
+              - k3s-cis-1.23-hardened
+              - k3s-cis-1.23-permissive
+              - rke-cis-1.4
+              - rke-cis-1.5-hardened
+              - rke-cis-1.5-permissive
+              - rke-cis-1.6-hardened
+              - rke-cis-1.6-permissive
+              - rke-cis-1.20-hardened
+              - rke-cis-1.20-permissive
+              - rke-cis-1.23-hardened
+              - rke-cis-1.23-permissive
+              - rke2-cis-1.5-hardened
+              - rke2-cis-1.5-permissive
+              - rke2-cis-1.6-hardened
+              - rke2-cis-1.6-permissive
+              - rke2-cis-1.20-hardened
+              - rke2-cis-1.20-permissive
+              - rke2-cis-1.23-hardened
+              - rke2-cis-1.23-permissive
+          integrations:
+            type: object
+            properties:
+              defectdojo:
+                description: DefectDojo integration options
+                type: object
+                properties:
+                  host:
+                    description: URL of the DefectDojo server.
+                    type: string
+                  api_key:
+                    description: Api key for DefectDojo api authentication.
+                    type: string
+                  k8s-cluster-name:
+                    description: Name of the Kubernetes Cluster in defectdojo.
+                    type: string
+          spec:
+            type: object
+            x-kubernetes-preserve-unknown-fields: true
+          status:
+            type: object
+            x-kubernetes-preserve-unknown-fields: true
+        type: object
+    served: true
+    storage: true
+    subresources:
+      status: {}

charts/trivy-operator/crds/0-crd.yaml

@@ -35,12 +35,42 @@ spec:
       openAPIV3Schema:
         properties:
           crontab:
+            description: Crontab format expression for scheduling scans.
             pattern: ^(\d+|\*)(/\d+)?(\s+(\d+|\*)(/\d+)?){4}$
             type: string
           namespace_selector:
+            description: NamespaceSelector selects the namespaces to scan
+              images.
             type: string
           clusterWide:
-            type: string
+            description: Selector for cluster wide scan.
+            type: boolean
+          integrations:
+            type: object
+            properties:
+              policyreport:
+                description: Selector to enable policy report object creation
+                  and integration wit plicy-reporter.
+                type: boolean
+              defectdojo:
+                description: DefectDojo integration options
+                type: object
+                properties:
+                  host:
+                    description: URL of the DefectDojo server.
+                    type: string
+                  api_key:
+                    description: Api key for DefectDojo api authentication.
+                    type: string
+                  k8s-cluster-name:
+                    description: Name of the Kubernetes Cluster in defectdojo.
+                    type: string
+          image_pull_secrets:
+            description: List of image pull secret names in the operator's
+              namespace for image pulls.
+            type: array
+            items:
+              type: string
           spec:
             type: object
             x-kubernetes-preserve-unknown-fields: true