chore: workload identity settings (#1282)

Signed-off-by: chenk <hen.keinan@gmail.com>
aquasecurity · Jun 11, 2023 · c5f72b2 · c5f72b2
1 parent b31210e
commit c5f72b2
Show file tree

Hide file tree

Showing 4 changed files with 1 addition and 27 deletions.
diff --git a/deploy/helm/README.md b/deploy/helm/README.md
@@ -117,9 +117,6 @@ Keeps security report resources updated
 | trivy.timeout | string | `"5m0s"` | timeout is the duration to wait for scan completion. |
 | trivy.useBuiltinRegoPolicies | string | `"true"` | The Flag to enable the usage of builtin rego policies by default  |
 | trivyOperator.additionalReportLabels | string | `""` | additionalReportLabels comma-separated representation of the labels which the user wants the scanner pods to be labeled with. Example: `foo=bar,env=stage` will labeled the reports with the labels `foo: bar` and `env: stage` |
-| trivyOperator.azureWorkloadIdentity | bool | `false` | azureWorkloadIdentity if enable azure workload identity annotation and labels wil be added to trivy-operator service account and scan job must be used with azureWorkloadIdentityClientID, azurerkloadIdentityTenantID and azureWorkloadIdentityUseAnnotation |
-| trivyOperator.azureWorkloadIdentityAnnotation | object | `{"azure.workload.identity/client-id":"client-id","azure.workload.identity/tenant-id":"tenant-id"}` | azureWorkloadIdentityAnnotation annotation to be added to trivy-operator service account it is required to update the values of : <tenant-id> and <client-id> |
-| trivyOperator.azureWorkloadIdentityUseLabel | object | `{"azure.workload.identity/use":true}` | azureWorkloadIdentityUseLabel label to be added to trivy-operator service account |
 | trivyOperator.configAuditReportsPlugin | string | `"Trivy"` | configAuditReportsPlugin the name of the plugin that generates config audit reports. |
 | trivyOperator.metricsResourceLabelsPrefix | string | `"k8s_label_"` | metricsResourceLabelsPrefix Prefix that will be prepended to the labels names indicated in `reportResourceLabels` when including them in the Prometheus metrics |
 | trivyOperator.reportRecordFailedChecksOnly | bool | `true` | reportRecordFailedChecksOnly flag is to record only failed checks on misconfiguration reports (config-audit and rbac assessment) |

diff --git a/deploy/helm/templates/config.yaml b/deploy/helm/templates/config.yaml
@@ -25,13 +25,9 @@ data:
   {{- with .Values.nodeCollector.excludeNodes }}
   nodeCollector.excludeNodes: {{ . | quote }}
   {{- end }}
-  {{- if .Values.trivyOperator.azureWorkloadIdentity }}
-  scanJob.podTemplateLabels: {{ printf "azure.workload.identity/use=true,%s" .Values.trivyOperator.scanJobPodTemplateLabels | quote }}
-  {{- else }}
   {{- with .Values.trivyOperator.scanJobPodTemplateLabels }}
   scanJob.podTemplateLabels: {{ . | quote }}
   {{- end }}
-  {{- end }}
   {{- with .Values.trivyOperator.additionalReportLabels }}
   report.additionalLabels: {{ . | quote }}
   {{- end }}

diff --git a/deploy/helm/templates/rbac.yaml b/deploy/helm/templates/rbac.yaml
@@ -7,22 +7,10 @@ metadata:
   namespace: {{ include "trivy-operator.namespace" . }}
   labels:
     {{- include "trivy-operator.labels" . | nindent 4 }}
-     {{- if .Values.trivyOperator.azureWorkloadIdentity}}
-    {{- range $name, $value := .Values.trivyOperator.azureWorkloadIdentityUseLabel }}
-    {{ $name }}: {{ $value | quote }}
-    {{- end -}}
-     {{- end }}
-    {{- if or .Values.serviceAccount.annotations .Values.trivyOperator.azureWorkloadIdentity }}
+  {{- with .Values.serviceAccount.annotations }}
   annotations:
-   {{- end }}
-   {{- with .Values.serviceAccount.annotations }}
     {{- . | toYaml | nindent 4 }}
   {{- end }}
-    {{- if .Values.trivyOperator.azureWorkloadIdentity}}
-     {{- range $name, $value := .Values.trivyOperator.azureWorkloadIdentityAnnotation }}
-    {{ $name }}: {{ $value | quote }}
-    {{- end -}}
-    {{- end }}
 {{- end }}
 
 {{- if .Values.rbac.create }}

diff --git a/deploy/helm/values.yaml b/deploy/helm/values.yaml
@@ -217,13 +217,6 @@ trivyOperator:
   # labeled with. Example: `foo=bar,env=stage` will labeled the reports with the labels `foo: bar` and `env: stage`
   additionalReportLabels: ""
 
-  # -- azureWorkloadIdentity if enable azure workload identity annotation and labels wil be added to trivy-operator service account and scan job must be used with azureWorkloadIdentityClientID, azurerkloadIdentityTenantID and azureWorkloadIdentityUseAnnotation
-  azureWorkloadIdentity: false
-  # -- azureWorkloadIdentityAnnotation annotation to be added to trivy-operator service account it is required to update the values of : <tenant-id> and <client-id>
-  azureWorkloadIdentityAnnotation: {azure.workload.identity/client-id: client-id, azure.workload.identity/tenant-id: tenant-id}
-  # -- azureWorkloadIdentityUseLabel label to be added to trivy-operator service account
-  azureWorkloadIdentityUseLabel: {azure.workload.identity/use: true}
-
 trivy:
   # -- createConfig indicates whether to create config objects
   createConfig: true