diff --git a/chart/chart-index/Chart.yaml b/chart/chart-index/Chart.yaml
index 676e999409..7d3d2d7dd2 100644
--- a/chart/chart-index/Chart.yaml
+++ b/chart/chart-index/Chart.yaml
@@ -98,7 +98,7 @@ dependencies:
version: 15.7.25
repository: https://charts.bitnami.com/bitnami
- name: trivy-operator
- version: 0.25.0
+ version: 0.28.0
repository: https://aquasecurity.github.io/helm-charts/
- name: velero
version: 5.4.1
diff --git a/charts/trivy-operator/Chart.yaml b/charts/trivy-operator/Chart.yaml
index 296d7998b7..02fa6e1847 100644
--- a/charts/trivy-operator/Chart.yaml
+++ b/charts/trivy-operator/Chart.yaml
@@ -1,31 +1,12 @@
apiVersion: v2
-name: trivy-operator
+appVersion: 0.26.0
description: Keeps security report resources updated
-type: application
-
-# This is the chart version. This version number should be incremented each time you make changes
-# to the chart and its templates, including the app version.
-# Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.25.0
-
-# This is the version number of the application being deployed. This version number should be
-# incremented each time you make changes to the application. Versions are not expected to
-# follow Semantic Versioning. They should reflect the version the application is using.
-appVersion: 0.23.0
-
-# kubeVersion: A SemVer range of compatible Kubernetes versions (optional)
-
keywords:
- - aquasecurity
- - trivyoperator
- - trivy
-# home: https://github.com/aquasecurity/trivy-operator
+- aquasecurity
+- trivyoperator
+- trivy
+name: trivy-operator
sources:
- - https://github.com/aquasecurity/trivy-operator
-# maintainers: # (optional)
-# - name: The maintainers name (required for each maintainer)
-# email: The maintainers email (optional for each maintainer)
-# url: A URL for the maintainer (optional for each maintainer)
-# icon: A URL to an SVG or PNG image to be used as an icon (optional).
-# annotations:
-# example: A list of annotations keyed by name (optional).
+- https://github.com/aquasecurity/trivy-operator
+type: application
+version: 0.28.0
diff --git a/charts/trivy-operator/README.md b/charts/trivy-operator/README.md
index c94bbcf6c6..16ececd90d 100644
--- a/charts/trivy-operator/README.md
+++ b/charts/trivy-operator/README.md
@@ -1,6 +1,6 @@
# trivy-operator
-![Version: 0.25.0](https://img.shields.io/badge/Version-0.25.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 0.23.0](https://img.shields.io/badge/AppVersion-0.23.0-informational?style=flat-square)
+![Version: 0.28.0](https://img.shields.io/badge/Version-0.28.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 0.26.0](https://img.shields.io/badge/AppVersion-0.26.0-informational?style=flat-square)
Keeps security report resources updated
@@ -19,8 +19,10 @@ Keeps security report resources updated
| compliance.reportType | string | `"summary"` | reportType this flag control the type of report generated (summary or all) |
| compliance.specs | list | `["k8s-cis-1.23","k8s-nsa-1.0","k8s-pss-baseline-0.1","k8s-pss-restricted-0.1"]` | specs is a list of compliance specs to be used by the cluster compliance scanner - k8s-cis-1.23 - k8s-nsa-1.0 - k8s-pss-baseline-0.1 - k8s-pss-restricted-0.1 - eks-cis-1.4 - rke2-cis-1.24 |
| excludeNamespaces | string | `""` | excludeNamespaces is a comma separated list of namespaces (or glob patterns) to be excluded from scanning. Only applicable in the all namespaces install mode, i.e. when the targetNamespaces values is a blank string. |
+| extraEnv | list | `[]` | extraEnv is a list of extra environment variables for the trivy-operator. |
| fullnameOverride | string | `""` | fullnameOverride override operator full name |
| global | object | `{"image":{"registry":""}}` | global values provide a centralized configuration for 'image.registry', reducing the potential for errors. If left blank, the chart will default to the individually set 'image.registry' values |
+| hostAliases | list | `[]` | hostAliases for `deployment` (TrivyOperator) and `statefulset` (TrivyServer) |
| image.pullPolicy | string | `"IfNotPresent"` | pullPolicy set the operator pullPolicy |
| image.pullSecrets | list | `[]` | pullSecrets set the operator pullSecrets |
| image.registry | string | `"mirror.gcr.io"` | |
@@ -145,7 +147,7 @@ Keeps security report resources updated
| trivy.image.pullPolicy | string | `"IfNotPresent"` | pullPolicy is the imge pull policy used for trivy image , valid values are (Always, Never, IfNotPresent) |
| trivy.image.registry | string | `"mirror.gcr.io"` | registry of the Trivy image |
| trivy.image.repository | string | `"aquasec/trivy"` | repository of the Trivy image |
-| trivy.image.tag | string | `"0.57.1"` | tag version of the Trivy image |
+| trivy.image.tag | string | `"0.62.0"` | tag version of the Trivy image |
| trivy.imageScanCacheDir | string | `"/tmp/trivy/.cache"` | imageScanCacheDir the flag to set custom path for trivy image scan `cache-dir` parameter. Only applicable in image scan mode. |
| trivy.includeDevDeps | bool | `false` | includeDevDeps include development dependencies in the report (supported: npm, yarn) (default: false) note: this flag is only applicable when trivy.command is set to filesystem |
| trivy.insecureRegistries | object | `{}` | The registry to which insecure connections are allowed. There can be multiple registries with different keys. |
@@ -195,7 +197,7 @@ Keeps security report resources updated
| trivyOperator.policiesConfig | string | `""` | policiesConfig Custom Rego Policies to be used by the config audit scanner See https://github.com/aquasecurity/trivy-operator/blob/main/docs/tutorials/writing-custom-configuration-audit-policies.md for more details. |
| trivyOperator.reportRecordFailedChecksOnly | bool | `true` | reportRecordFailedChecksOnly flag is to record only failed checks on misconfiguration reports (config-audit and rbac assessment) |
| trivyOperator.reportResourceLabels | string | `""` | reportResourceLabels comma-separated scanned resource labels which the user wants to include in the Prometheus metrics report. Example: `owner,app` |
-| trivyOperator.scanJobAffinity | list | `[]` | scanJobAffinity affinity to be applied to the scanner pods and node-collector |
+| trivyOperator.scanJobAffinity | object | `{}` | scanJobAffinity affinity to be applied to the scanner pods and node-collector |
| trivyOperator.scanJobAnnotations | string | `""` | scanJobAnnotations comma-separated representation of the annotations which the user wants the scanner jobs and pods to be annotated with. Example: `foo=bar,env=stage` will annotate the scanner jobs and pods with the annotations `foo: bar` and `env: stage` |
| trivyOperator.scanJobAutomountServiceAccountToken | bool | `false` | scanJobAutomountServiceAccountToken the flag to enable automount for service account token on scan job |
| trivyOperator.scanJobCompressLogs | bool | `true` | scanJobCompressLogs control whether scanjob output should be compressed or plain |
diff --git a/charts/trivy-operator/templates/configmaps/trivy.yaml b/charts/trivy-operator/templates/configmaps/trivy.yaml
index 3af9786e3c..498eee3f5b 100644
--- a/charts/trivy-operator/templates/configmaps/trivy.yaml
+++ b/charts/trivy-operator/templates/configmaps/trivy.yaml
@@ -128,6 +128,7 @@ data:
TRIVY_DEBUG: {{ .Values.trivy.debug | quote }}
TRIVY_SKIP_DB_UPDATE: "false"
TRIVY_DB_REPOSITORY: "{{ .Values.trivy.dbRegistry }}/{{ .Values.trivy.dbRepository }}"
+ TRIVY_JAVA_DB_REPOSITORY: "{{ .Values.trivy.javaDbRegistry }}/{{ .Values.trivy.javaDbRepository }}"
TRIVY_INSECURE: "{{ .Values.operator.builtInServerRegistryInsecure }}"
{{- end }}
{{- end }}
diff --git a/charts/trivy-operator/templates/deployment.yaml b/charts/trivy-operator/templates/deployment.yaml
index 509bf13450..28f6f0e25b 100644
--- a/charts/trivy-operator/templates/deployment.yaml
+++ b/charts/trivy-operator/templates/deployment.yaml
@@ -6,7 +6,7 @@ metadata:
{{- with .Values.operator.annotations }}
annotations: {{- toYaml . | nindent 4 }}
{{- end }}
- labels:
+ labels:
{{- include "trivy-operator.labels" . | nindent 4 }}
{{- with .Values.operator.labels }}
{{- toYaml . | nindent 4 }}
@@ -31,6 +31,10 @@ spec:
{{- toYaml . | nindent 8 }}
{{- end }}
spec:
+ {{- if .Values.hostAliases }}
+ hostAliases:
+ {{- toYaml .Values.hostAliases | nindent 8 }}
+ {{- end }}
serviceAccountName: {{ include "trivy-operator.serviceAccountName" . }}
automountServiceAccountToken: {{ .Values.automountServiceAccountToken }}
containers:
@@ -50,6 +54,9 @@ spec:
value: {{ tpl .Values.targetWorkloads . | quote }}
- name: OPERATOR_SERVICE_ACCOUNT
value: {{ include "trivy-operator.serviceAccountName" . | quote }}
+ {{- with .Values.extraEnv }}
+ {{- toYaml . | nindent 12 }}
+ {{- end }}
envFrom:
- configMapRef:
name: trivy-operator-config
diff --git a/charts/trivy-operator/templates/specs/eks-cis-1.4.yaml b/charts/trivy-operator/templates/specs/eks-cis-1.4.yaml
index 7da6d3fdbc..ef96002b0c 100644
--- a/charts/trivy-operator/templates/specs/eks-cis-1.4.yaml
+++ b/charts/trivy-operator/templates/specs/eks-cis-1.4.yaml
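Review bot: `TRIVY_JAVA_DB_REPOSITORY` is assembled from `.Values.trivy.javaDbRegistry` and `.Values.trivy.javaDbRepository`, but neither key is introduced by the values.yaml or README hunks in this diff; if they are not already defined in values.yaml, the line renders as `"/"` and the Java DB download fails at runtime instead of at template time. Because this value decides which registry the trivy server pulls its Java vulnerability database from, it should get the same treatment as `TRIVY_DB_REPOSITORY`: a documented default in values.yaml and, if the keys are meant to be optional, a guard such as `{{- if and .Values.trivy.javaDbRegistry .Values.trivy.javaDbRepository }}` around the new line so a half-set pair is caught by `helm template`. The two `{{- end }}` lines close blocks that begin outside the hunk, so I could not confirm which operator mode this ConfigMap section renders for.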
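Review bot: The new `hostAliases` block in the `@@ -31,6 +31,10 @@` hunk writes chart-supplied entries into the operator pod's `/etc/hosts`, which the pod's resolver consults before cluster DNS; since this pod reaches the `policiesBundle` registry by hostname (and the trivy server, which gets the same block in `trivy-server/statefulset.yaml`, reaches the `TRIVY_DB_REPOSITORY` registry), an alias for one of those hosts silently changes where those artifacts are fetched from, so the value deserves a sentence saying so in its `# --` doc comment and a look whenever values change. For consistency with the surrounding `{{- with .Values.operator.annotations }}` style, `{{- with .Values.hostAliases }}` / `hostAliases: {{- toYaml . | nindent 8 }}` / `{{- end }}` would read like the rest of the template and avoid repeating the value path. The enclosing pod `spec:` continues outside the hunk, so I could not check that the `nindent 8` matches the sibling keys.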
@@ -6,7 +6,7 @@ metadata:
labels:
app.kubernetes.io/name: trivy-operator
app.kubernetes.io/instance: trivy-operator
- app.kubernetes.io/version: 0.23.0
+ app.kubernetes.io/version: 0.26.0
app.kubernetes.io/managed-by: kubectl
spec:
cron: {{ .Values.compliance.cron | quote }}
diff --git a/charts/trivy-operator/templates/specs/k8s-cis-1.23.yaml b/charts/trivy-operator/templates/specs/k8s-cis-1.23.yaml
index a3c68b6385..afd5b5cbb7 100644
--- a/charts/trivy-operator/templates/specs/k8s-cis-1.23.yaml
+++ b/charts/trivy-operator/templates/specs/k8s-cis-1.23.yaml
@@ -6,7 +6,7 @@ metadata:
labels:
app.kubernetes.io/name: trivy-operator
app.kubernetes.io/instance: trivy-operator
- app.kubernetes.io/version: 0.23.0
+ app.kubernetes.io/version: 0.26.0
app.kubernetes.io/managed-by: kubectl
spec:
cron: {{ .Values.compliance.cron | quote }}
diff --git a/charts/trivy-operator/templates/specs/k8s-nsa-1.0.yaml b/charts/trivy-operator/templates/specs/k8s-nsa-1.0.yaml
index 9798749f75..39d1ed4f04 100644
--- a/charts/trivy-operator/templates/specs/k8s-nsa-1.0.yaml
+++ b/charts/trivy-operator/templates/specs/k8s-nsa-1.0.yaml
@@ -7,7 +7,7 @@ metadata:
labels:
app.kubernetes.io/name: trivy-operator
app.kubernetes.io/instance: trivy-operator
- app.kubernetes.io/version: 0.23.0
+ app.kubernetes.io/version: 0.26.0
app.kubernetes.io/managed-by: kubectl
spec:
cron: {{ .Values.compliance.cron | quote}}
diff --git a/charts/trivy-operator/templates/specs/k8s-pss-baseline-0.1.yaml b/charts/trivy-operator/templates/specs/k8s-pss-baseline-0.1.yaml
index 36624e4813..7815b3b848 100644
--- a/charts/trivy-operator/templates/specs/k8s-pss-baseline-0.1.yaml
+++ b/charts/trivy-operator/templates/specs/k8s-pss-baseline-0.1.yaml
@@ -7,7 +7,7 @@ metadata:
labels:
app.kubernetes.io/name: trivy-operator
app.kubernetes.io/instance: trivy-operator
- app.kubernetes.io/version: 0.23.0
+ app.kubernetes.io/version: 0.26.0
app.kubernetes.io/managed-by: kubectl
spec:
cron: {{ .Values.compliance.cron | quote}}
diff --git a/charts/trivy-operator/templates/specs/k8s-pss-restricted-0.1.yaml b/charts/trivy-operator/templates/specs/k8s-pss-restricted-0.1.yaml
index 3f263ea9dc..c6d0f6837b 100644
--- a/charts/trivy-operator/templates/specs/k8s-pss-restricted-0.1.yaml
+++ b/charts/trivy-operator/templates/specs/k8s-pss-restricted-0.1.yaml
@@ -7,7 +7,7 @@ metadata:
labels:
app.kubernetes.io/name: trivy-operator
app.kubernetes.io/instance: trivy-operator
- app.kubernetes.io/version: 0.23.0
+ app.kubernetes.io/version: 0.26.0
app.kubernetes.io/managed-by: kubectl
spec:
cron: {{ .Values.compliance.cron | quote}}
diff --git a/charts/trivy-operator/templates/specs/rke2-cis-1.24.yaml b/charts/trivy-operator/templates/specs/rke2-cis-1.24.yaml
index 0ad2a959a5..21eab79a62 100644
--- a/charts/trivy-operator/templates/specs/rke2-cis-1.24.yaml
+++ b/charts/trivy-operator/templates/specs/rke2-cis-1.24.yaml
@@ -7,7 +7,7 @@ metadata:
labels:
app.kubernetes.io/name: trivy-operator
app.kubernetes.io/instance: trivy-operator
- app.kubernetes.io/version: 0.23.0
+ app.kubernetes.io/version: 0.26.0
app.kubernetes.io/managed-by: kubectl
spec:
cron: {{ .Values.compliance.cron | quote}}
diff --git a/charts/trivy-operator/templates/trivy-server/statefulset.yaml b/charts/trivy-operator/templates/trivy-server/statefulset.yaml
index 8106da3683..61459e9c83 100644
--- a/charts/trivy-operator/templates/trivy-server/statefulset.yaml
+++ b/charts/trivy-operator/templates/trivy-server/statefulset.yaml
@@ -46,6 +46,10 @@ spec:
app.kubernetes.io/name: trivy-server
app.kubernetes.io/instance: trivy-server
spec:
+ {{- if .Values.hostAliases }}
+ hostAliases:
+ {{- toYaml .Values.hostAliases | nindent 8 }}
+ {{- end }}
{{- with .Values.trivy.priorityClassName }}
priorityClassName: {{ . }}
{{- end }}
diff --git a/charts/trivy-operator/values.yaml b/charts/trivy-operator/values.yaml
index af34eef598..5427b88561 100644
--- a/charts/trivy-operator/values.yaml
+++ b/charts/trivy-operator/values.yaml
@@ -20,6 +20,21 @@ targetNamespaces: ""
# mode, i.e. when the targetNamespaces values is a blank string.
excludeNamespaces: ""
+# -- extraEnv is a list of extra environment variables for the trivy-operator.
+extraEnv: []
+
+# -- hostAliases for `deployment` (TrivyOperator) and `statefulset` (TrivyServer)
+
+hostAliases: []
+# - ip: "127.0.0.1"
+# hostnames:
+# - "foo.local"
+# - "bar.local"
+# - ip: "10.1.2.3"
+# hostnames:
+# - "foo.remote"
+# - "bar.remote"
+
# -- targetWorkloads is a comma seperated list of Kubernetes workload resources
# to be included in the vulnerability and config-audit scans
# if left blank, all workload resources will be scanned
@@ -238,7 +253,7 @@ trivyOperator:
# -- scanJobCompressLogs control whether scanjob output should be compressed or plain
scanJobCompressLogs: true
# -- scanJobAffinity affinity to be applied to the scanner pods and node-collector
- scanJobAffinity: []
+ scanJobAffinity: {}
# -- scanJobTolerations tolerations to be applied to the scanner pods so that they can run on nodes with matching taints
scanJobTolerations: []
# -- If you do want to specify tolerations, uncomment the following lines, adjust them as necessary, and remove the
@@ -340,7 +355,7 @@ trivy:
# -- repository of the Trivy image
repository: aquasec/trivy
# -- tag version of the Trivy image
- tag: 0.57.1
+ tag: 0.62.0
# -- imagePullSecret is the secret name to be used when pulling trivy image from private registries example : reg-secret
# It is the user responsibility to create the secret for the private registry in `trivy-operator` namespace
imagePullSecret: ~
@@ -636,7 +651,7 @@ serviceAccount:
podAnnotations: {}
podSecurityContext: {}
- # fsGroup: 2000
+# fsGroup: 2000
# -- securityContext security context
securityContext:
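Review bot: The blank line between `# -- hostAliases for ...` and `hostAliases: []` separates the doc comment from its key, unlike `extraEnv` directly above where the `# --` line sits on the key; whether the README generator still picks it up is not visible here, and dropping the blank line makes the two stanzas consistent either way. Since entries in `hostAliases` are consulted by the pod resolver before cluster DNS, the doc comment should state the consequence, e.g. `# -- hostAliases for the operator deployment and the trivy-server statefulset; entries override DNS inside those pods, so alias only hosts you control`. For `extraEnv`, a short note that credentials should be passed as `valueFrom` references rather than literal `value:` entries would keep secrets out of the rendered manifest and the stored release.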
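Review bot: In the `@@ -636,7 +651,7 @@` hunk, dedenting `# fsGroup: 2000` to column 0 changes what the example means: uncommented as written it becomes a top-level key rather than a child of `podSecurityContext`, which is the only place `fsGroup` is valid. The collapsed diff does not show whether the text after `#` kept its indentation; if it did not, the commented line should preserve the nesting (`#   fsGroup: 2000` under `podSecurityContext: {}`) or the guidance should say to re-indent after uncommenting. The `resources:` example in the `@@ -659,16 +674,17 @@` hunk (`# limits:`, `# cpu: 100m`, `# requests:`, …) has the same issue relative to `resources:`; if the dedent was done so the README generator stops attaching these comments to the next key, a one-line comment saying so above them would keep the next editor from "fixing" it back.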
@@ -659,16 +674,17 @@ volumes:
emptyDir: {}
resources: {}
- # -- We usually recommend not to specify default resources and to leave this as a conscious
- # choice for the user. This also increases chances charts run on environments with little
- # resources, such as Minikube. If you do want to specify resources, uncomment the following
- # lines, adjust them as necessary, and remove the curly braces after 'resources:'.
- # limits:
- # cpu: 100m
- # memory: 128Mi
- # requests:
- # cpu: 100m
- # memory: 128Mi
+# -- We usually recommend not to specify default resources and to leave this as a conscious
+# choice for the user. This also increases chances charts run on environments with little
+# resources, such as Minikube. If you do want to specify resources, uncomment the following
+# lines, adjust them as necessary, and remove the curly braces after 'resources:'.
+# limits:
+# cpu: 100m
+# memory: 128Mi
+# requests:
+# cpu: 100m
+# memory: 128Mi
+
# -- nodeSelector set the operator nodeSelector
nodeSelector: {}
@@ -681,7 +697,7 @@ affinity: {}
# -- priorityClassName set the operator priorityClassName
priorityClassName: ""
- # -- automountServiceAccountToken the flag to enable automount for service account token
+# -- automountServiceAccountToken the flag to enable automount for service account token
automountServiceAccountToken: true
policiesBundle:
@@ -691,7 +707,7 @@ policiesBundle:
repository: aquasec/trivy-checks
# -- tag version of the policies bundle
tag: 1
- # -- registryUser is the user for the registry
+ # -- registryUser is the user for the registry
registryUser: ~
# -- registryPassword is the password for the registry
registryPassword: ~
@@ -703,7 +719,6 @@ policiesBundle:
# -- insecure is the flag to enable insecure connection to the policy bundle registry
insecure: false
-
nodeCollector:
# -- useNodeSelector determine if to use nodeSelector (by auto detecting node name) with node-collector scan job
useNodeSelector: true