feat: node-collector custom imageRef (#941)

* feat: node-collector custom imageRef

Signed-off-by: chenk <hen.keinan@gmail.com>

* feat: node-collector custom imageRef

Signed-off-by: chenk <hen.keinan@gmail.com>

---------

Signed-off-by: chenk <hen.keinan@gmail.com>

deploy/helm/README.md

@@ -92,6 +92,7 @@ The values of the `OPERATOR_NAMESPACE` and `OPERATOR_TARGET_NAMESPACES` determin
 | `metrics.resourceLabelsPrefix`| `k8s_label`| Prefix that will be prepended to the labels names indicated in `report.ResourceLabels` when including them in the Prometheus metrics|
 |`report.recordFailedChecksOnly`| `"true"`| this flag is to record only failed checks on misconfiguration reports (config-audit and rbac assessment)
 | `skipResourceByLabels`| N/A| One-line comma-separated labels keys which trivy-operator will skip scanning on resources with matching labels. Example: `test,transient`|
+| `node.collector.imageRef`             | ghcr.io/aquasecurity/node-collector:0.0.5                | The imageRef use for node-collector job .                                                                                                                                                                                                                                                                                                               |
 
 ## Trivy Configuration
 

deploy/helm/templates/config.yaml

@@ -53,6 +53,7 @@ data:
   {{- if .Values.operator.builtInTrivyServer }}
   trivy.serverURL: {{ printf "http://%s.%s:%s" .Values.trivy.serverServiceName (include "trivy-operator.namespace" .) "4954"  | quote }}
   {{- end }}
+  node.collector.imageRef: "{{ .Values.nodeCollector.repository }}:{{ .Values.nodeCollector.tag }}"
 ---
 apiVersion: v1
 kind: Secret

deploy/helm/values.yaml

@@ -403,3 +403,9 @@ priorityClassName: ""
 
   # automountServiceAccountToken the flag to enable automount for service account token
 automountServiceAccountToken: true
+
+nodeCollector:
+  # repository of the node-collector image
+  repository: ghcr.io/aquasecurity/node-collector
+  # tag version of the node-collector image
+  tag: 0.0.5

deploy/static/trivy-operator.yaml

@@ -1809,6 +1809,7 @@ data:
   vulnerabilityReports.scanner: "Trivy"
   configAuditReports.scanner: "Trivy"
   report.recordFailedChecksOnly: "true"
+  node.collector.imageRef: "ghcr.io/aquasecurity/node-collector:0.0.5"
 ---
 # Source: trivy-operator/templates/config.yaml
 apiVersion: v1

docs/docs/vulnerability-scanning/trivy.md

@@ -94,6 +94,7 @@ EOF
 | `trivy.ignorePolicy.{ns}.{wl}`        | N/A                                | It specifies a namespace/workload specific [policy](https://aquasecurity.github.io/trivy/latest/docs/vulnerability/examples/filter/#by-open-policy-agent) file which allows to customize which vulnerabilities are reported by Trivy.                                                                                                                                                 |
 | `trivy.timeout`                       | `5m0s`                             | The duration to wait for scan completion                                                                                                                                                                                                                                                                                                                                              |
 | `trivy.serverURL`                     | N/A                                | The endpoint URL of the Trivy server. Required in `ClientServer` mode.                                                                                                                                                                                                                                                                                                                |
+| `node.collector.imageRef`             | ghcr.io/aquasecurity/node-collector:0.0.5                | The imageRef use for node-collector job .                                                                                                                                                                                                                                                                                                               |
 | `trivy.serverTokenHeader`             | `Trivy-Token`                      | The name of the HTTP header to send the authentication token to Trivy server. Only application in `ClientServer` mode when `trivy.serverToken` is specified.                                                                                                                                                                                                                          |
 | `trivy.serverInsecure`                | N/A                                | The Flag to enable insecure connection to the Trivy server.                                                                                                                                                                                                                                                                                                                           |
 | `trivy.insecureRegistry.<id>`         | N/A                                | The registry to which insecure connections are allowed. There can be multiple registries with different registry `<id>`.                                                                                                                                                                                                                                                              |

docs/getting-started/installation/configuration.md

@@ -68,6 +68,7 @@ To change the target namespace from all namespaces to the `default` namespace ed
 | `metrics.resourceLabelsPrefix`| `k8s_label`| Prefix that will be prepended to the labels names indicated in `report.ResourceLabels` when including them in the Prometheus metrics|
 |`report.recordFailedChecksOnly`| `"true"`| this flag is to record only failed checks on misconfiguration reports (config-audit and rbac assessment)
 | `skipResourceByLabels`| N/A| One-line comma-separated labels keys which trivy-operator will skip scanning on resources with matching labels. Example: `test,transient`|
+| `node.collector.imageRef`             | ghcr.io/aquasecurity/node-collector:0.0.5                | The imageRef use for node-collector job .                                                                                                                                                                                                                                                                                                               |
 
 ## Example - patch ConfigMap
 

go.mod

@@ -5,7 +5,7 @@ go 1.19
 require (
 	github.com/aquasecurity/defsec v0.82.7-0.20230120014503-046ee90ace59
 	github.com/aquasecurity/trivy v0.36.1
-	github.com/aquasecurity/trivy-kubernetes v0.3.1-0.20230209141105-56c8d8bd50ed
+	github.com/aquasecurity/trivy-kubernetes v0.3.1-0.20230210062334-34b25faa788b
 	github.com/bluele/gcache v0.0.2
 	github.com/caarlos0/env/v6 v6.10.1
 	github.com/davecgh/go-spew v1.1.1

go.sum

@@ -80,8 +80,8 @@ github.com/aquasecurity/trivy v0.36.1 h1:us206bak5Nn3OD28fqtF8REuX/8/SxtMyrw6pxc
 github.com/aquasecurity/trivy v0.36.1/go.mod h1:Ks5KGacvQr1R22PzQa2smp5qO5ZhisZoS2kgD0zT7pc=
 github.com/aquasecurity/trivy-db v0.0.0-20221227141502-af78ecb7db4c h1:CgJiXxVxgFOQ4btP97LEYqEHnx++FRpf2IJEXJV+xHs=
 github.com/aquasecurity/trivy-db v0.0.0-20221227141502-af78ecb7db4c/go.mod h1:/nULgnDeq/JMPMVwE1dmf4kWlYn++7VrM3O2naj4BHA=
-github.com/aquasecurity/trivy-kubernetes v0.3.1-0.20230209141105-56c8d8bd50ed h1:UuG6SK8MhCvP7ueYshhzYz3fF6K6U6m839rmrrYtyZE=
-github.com/aquasecurity/trivy-kubernetes v0.3.1-0.20230209141105-56c8d8bd50ed/go.mod h1:IyM3AXCiY6J8DJiQEJDsDWnMzvFFWyMMo6jIC0/KbDk=
+github.com/aquasecurity/trivy-kubernetes v0.3.1-0.20230210062334-34b25faa788b h1:VB5SRpYl9Cuq9HG+SMwO4QRWo2JPxRcRWYS1mBXZy9A=
+github.com/aquasecurity/trivy-kubernetes v0.3.1-0.20230210062334-34b25faa788b/go.mod h1:IyM3AXCiY6J8DJiQEJDsDWnMzvFFWyMMo6jIC0/KbDk=
 github.com/arbovm/levenshtein v0.0.0-20160628152529-48b4e1c0c4d0 h1:jfIu9sQUG6Ig+0+Ap1h4unLjW6YQJpKZVmUzxsD4E/Q=
 github.com/arbovm/levenshtein v0.0.0-20160628152529-48b4e1c0c4d0/go.mod h1:t2tdKJDJF9BV14lnkjHmOQgcvEKgtqs5a1N3LNdJhGE=
 github.com/armon/go-socks5 v0.0.0-20160902184237-e75332964ef5 h1:0CwZNZbxp69SHPdPJAN/hZIm0C4OItdklCFmMRWYpio=

pkg/configauditreport/controller/node.go

@@ -112,12 +112,14 @@ func (r *NodeReconciler) reconcileNodes() reconcile.Func {
 		if err != nil {
 			return ctrl.Result{}, fmt.Errorf("getting job tolerations: %w", err)
 		}
+		nodeCollectorImageRef := r.GetTrivyOperatorConfig().NodeCollectorImageRef()
 		coll := j.NewCollector(cluster,
 			j.WithJobTemplateName(j.NodeCollectorName),
 			j.WithName(r.getNodeCollectorName(node)),
 			j.WithJobNamespace(on),
 			j.WithServiceAccount(r.ServiceAccount),
 			j.WithJobTolerations(jobTolerations),
+			j.WithImageRef(nodeCollectorImageRef),
 			j.WithJobLabels(map[string]string{
 				trivyoperator.LabelNodeInfoCollector: "Trivy",
 				trivyoperator.LabelK8SAppManagedBy:   trivyoperator.AppTrivyOperator,

pkg/trivyoperator/config.go

@@ -71,6 +71,7 @@ const (
 	KeyReportRecordFailedChecksOnly        = "report.recordFailedChecksOnly"
 	KeyMetricsResourceLabelsPrefix         = "metrics.resourceLabelsPrefix"
 	KeyTrivyServerURL                      = "trivy.serverURL"
+	KeyNodeCollectorImageRef               = "node.collector.imageRef"
 )
 
 // ConfigData holds Trivy-operator configuration settings as a set of key-value
@@ -90,8 +91,9 @@ func GetDefaultConfig() ConfigData {
 		keyVulnerabilityReportsScanner:  "Trivy",
 		keyConfigAuditReportsScanner:    "Trivy",
 		KeyScanJobcompressLogs:          "true",
-		"compliance.failEntriesLimit":   "10",
+		keyComplianceFailEntriesLimit:   "10",
 		KeyReportRecordFailedChecksOnly: "true",
+		KeyNodeCollectorImageRef:        "ghcr.io/aquasecurity/node-collector:0.0.5",
 	}
 }
 
@@ -265,6 +267,10 @@ func (c ConfigData) ReportRecordFailedChecksOnly() bool {
 	return c.getBoolKey(KeyReportRecordFailedChecksOnly)
 }
 
+func (c ConfigData) NodeCollectorImageRef() string {
+	return c[KeyNodeCollectorImageRef]
+}
+
 func (c ConfigData) GeTrivyServerURL() string {
 	return c[KeyTrivyServerURL]
 }