From c5f72b25a5f3d90c78111691305f37894f19bed6 Mon Sep 17 00:00:00 2001
From: chenk
Date: Sun, 11 Jun 2023 20:41:16 +0300
Subject: [PATCH] chore: workload identity settings (#1282)

Signed-off-by: chenk
---
 deploy/helm/README.md | 3 ---
 deploy/helm/templates/config.yaml | 4 ----
 deploy/helm/templates/rbac.yaml | 14 +-------------
 deploy/helm/values.yaml | 7 -------
 4 files changed, 1 insertion(+), 27 deletions(-)

diff --git a/deploy/helm/README.md b/deploy/helm/README.md
index 2f59f0659..40786db8e 100644
--- a/deploy/helm/README.md
+++ b/deploy/helm/README.md
@@ -117,9 +117,6 @@ Keeps security report resources updated
 | trivy.timeout | string | `"5m0s"` | timeout is the duration to wait for scan completion. |
 | trivy.useBuiltinRegoPolicies | string | `"true"` | The Flag to enable the usage of builtin rego policies by default |
 | trivyOperator.additionalReportLabels | string | `""` | additionalReportLabels comma-separated representation of the labels which the user wants the scanner pods to be labeled with. Example: `foo=bar,env=stage` will labeled the reports with the labels `foo: bar` and `env: stage` |
-| trivyOperator.azureWorkloadIdentity | bool | `false` | azureWorkloadIdentity if enable azure workload identity annotation and labels wil be added to trivy-operator service account and scan job must be used with azureWorkloadIdentityClientID, azurerkloadIdentityTenantID and azureWorkloadIdentityUseAnnotation |
-| trivyOperator.azureWorkloadIdentityAnnotation | object | `{"azure.workload.identity/client-id":"client-id","azure.workload.identity/tenant-id":"tenant-id"}` | azureWorkloadIdentityAnnotation annotation to be added to trivy-operator service account it is required to update the values of : and |
-| trivyOperator.azureWorkloadIdentityUseLabel | object | `{"azure.workload.identity/use":true}` | azureWorkloadIdentityUseLabel label to be added to trivy-operator service account |
 | trivyOperator.configAuditReportsPlugin | string | `"Trivy"` | configAuditReportsPlugin the name of the plugin that generates config audit reports. |
 | trivyOperator.metricsResourceLabelsPrefix | string | `"k8s_label_"` | metricsResourceLabelsPrefix Prefix that will be prepended to the labels names indicated in `reportResourceLabels` when including them in the Prometheus metrics |
 | trivyOperator.reportRecordFailedChecksOnly | bool | `true` | reportRecordFailedChecksOnly flag is to record only failed checks on misconfiguration reports (config-audit and rbac assessment) |
diff --git a/deploy/helm/templates/config.yaml b/deploy/helm/templates/config.yaml
index faaaabb5e..511e64d00 100644
--- a/deploy/helm/templates/config.yaml
+++ b/deploy/helm/templates/config.yaml
@@ -25,13 +25,9 @@ data:
 {{- with .Values.nodeCollector.excludeNodes }}
 nodeCollector.excludeNodes: {{ . | quote }}
 {{- end }}
- {{- if .Values.trivyOperator.azureWorkloadIdentity }}
- scanJob.podTemplateLabels: {{ printf "azure.workload.identity/use=true,%s" .Values.trivyOperator.scanJobPodTemplateLabels | quote }}
- {{- else }}
 {{- with .Values.trivyOperator.scanJobPodTemplateLabels }}
 scanJob.podTemplateLabels: {{ . | quote }}
 {{- end }}
- {{- end }}
 {{- with .Values.trivyOperator.additionalReportLabels }}
 report.additionalLabels: {{ . | quote }}
 {{- end }}
diff --git a/deploy/helm/templates/rbac.yaml b/deploy/helm/templates/rbac.yaml
index c803c9166..bbaf29946 100644
--- a/deploy/helm/templates/rbac.yaml
+++ b/deploy/helm/templates/rbac.yaml
@@ -7,22 +7,10 @@ metadata:
 namespace: {{ include "trivy-operator.namespace" . }}
 labels:
 {{- include "trivy-operator.labels" . | nindent 4 }}
- {{- if .Values.trivyOperator.azureWorkloadIdentity}}
- {{- range $name, $value := .Values.trivyOperator.azureWorkloadIdentityUseLabel }}
- {{ $name }}: {{ $value | quote }}
- {{- end -}}
- {{- end }}
- {{- if or .Values.serviceAccount.annotations .Values.trivyOperator.azureWorkloadIdentity }}
+ {{- with .Values.serviceAccount.annotations }}
 annotations:
- {{- end }}
- {{- with .Values.serviceAccount.annotations }}
 {{- . | toYaml | nindent 4 }}
 {{- end }}
- {{- if .Values.trivyOperator.azureWorkloadIdentity}}
- {{- range $name, $value := .Values.trivyOperator.azureWorkloadIdentityAnnotation }}
- {{ $name }}: {{ $value | quote }}
- {{- end -}}
- {{- end }}
 {{- end }}
 {{- if .Values.rbac.create }}
diff --git a/deploy/helm/values.yaml b/deploy/helm/values.yaml
index bfcdf2384..aa1dbec12 100644
--- a/deploy/helm/values.yaml
+++ b/deploy/helm/values.yaml
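Review bot: Removing `trivyOperator.azureWorkloadIdentity` with no guard means a values file that still sets it is silently accepted, because Helm ignores unknown keys; the ServiceAccount then renders without the `azure.workload.identity/*` annotations and, per the config.yaml hunk, the scan jobs lose the `azure.workload.identity/use` label, so Azure credential acquisition presumably breaks with no error at install or upgrade time. Consider failing loudly for a release or two, e.g. `{{- if hasKey .Values.trivyOperator "azureWorkloadIdentity" }}{{ fail "trivyOperator.azureWorkloadIdentity was removed; set serviceAccount.annotations and trivyOperator.scanJobPodTemplateLabels instead" }}{{- end }}` placed before the ServiceAccount metadata, or a `values.schema.json` with `additionalProperties: false` on the `trivyOperator` section. The migration path is visible in the hunks — the client-id/tenant-id annotations move to `serviceAccount.annotations`, and `azure.workload.identity/use=true` moves into `trivyOperator.scanJobPodTemplateLabels` — but it should be stated in the commit message and chart README, since this is a breaking change labelled `chore`. The final `{{- end }}` in the rbac.yaml hunk closes a conditional that starts outside the hunk.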
@@ -217,13 +217,6 @@ trivyOperator:
 # labeled with. Example: `foo=bar,env=stage` will labeled the reports with the labels `foo: bar` and `env: stage`
 additionalReportLabels: ""
- # -- azureWorkloadIdentity if enable azure workload identity annotation and labels wil be added to trivy-operator service account and scan job must be used with azureWorkloadIdentityClientID, azurerkloadIdentityTenantID and azureWorkloadIdentityUseAnnotation
- azureWorkloadIdentity: false
- # -- azureWorkloadIdentityAnnotation annotation to be added to trivy-operator service account it is required to update the values of : and
- azureWorkloadIdentityAnnotation: {azure.workload.identity/client-id: client-id, azure.workload.identity/tenant-id: tenant-id}
- # -- azureWorkloadIdentityUseLabel label to be added to trivy-operator service account
- azureWorkloadIdentityUseLabel: {azure.workload.identity/use: true}
-
 trivy:
 # -- createConfig indicates whether to create config objects
 createConfig: true