Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

feat(helm): allows users to define an existing secret for tokens #2587

Merged
merged 2 commits into from
Jul 31, 2022
Merged

feat(helm): allows users to define an existing secret for tokens #2587

Show file tree
Hide file tree
Changes from 1 commit
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
bf837b6
allows users to define an existing secret for tokens
cebidhem Jul 25, 2022
3159382
update reviewed and commented items
cebidhem Jul 30, 2022
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
4 changes: 2 additions & 2 deletions helm/trivy/Chart.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,7 +1,7 @@
apiVersion: v2
name: trivy
version: 0.4.16
appVersion: 0.29.2
version: 0.5.0
cebidhem marked this conversation as resolved.
Show resolved Hide resolved
appVersion: 0.30.3
cebidhem marked this conversation as resolved.
Show resolved Hide resolved
description: Trivy helm chart
keywords:
- scanner
Expand Down
61 changes: 31 additions & 30 deletions helm/trivy/README.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -54,36 +54,37 @@ The command removes all the Kubernetes components associated with the chart and

The following table lists the configurable parameters of the Trivy chart and their default values.

| Parameter | Description | Default |
|---------------------------------------|-------------------------------------------------------------------------|----------------|
| `image.registry` | Image registry | `docker.io` |
| `image.repository` | Image name | `aquasec/trivy` |
| `image.tag` | Image tag | `{TAG_NAME}` |
| `image.pullPolicy` | Image pull policy | `IfNotPresent` |
| `image.pullSecret` | The name of an imagePullSecret used to pull trivy image from e.g. Docker Hub or a private registry | |
| `replicaCount` | Number of Trivy Pods to run | `1` |
| `trivy.debugMode` | The flag to enable or disable Trivy debug mode | `false` |
| `trivy.gitHubToken` | The GitHub access token to download Trivy DB. More info: https://github.com/aquasecurity/trivy#github-rate-limiting | |
| `trivy.registryUsername` | The username used to log in at dockerhub. More info: https://aquasecurity.github.io/trivy/dev/advanced/private-registries/docker-hub/ | |
| `trivy.registryPassword` | The password used to log in at dockerhub. More info: https://aquasecurity.github.io/trivy/dev/advanced/private-registries/docker-hub/ | |
| `trivy.registryCredentialsExistingSecret` | Name of Secret containing dockerhub credentials. Alternative to the 2 parameters above, has precedence if set. | |
| `trivy.serviceAccount.annotations` | Additional annotations to add to the Kubernetes service account resource | |
| `trivy.skipUpdate` | The flag to enable or disable Trivy DB downloads from GitHub | `false` |
| `trivy.dbRepository` | OCI repository to retrieve the trivy vulnerability database from | `ghcr.io/aquasecurity/trivy-db` |
| `trivy.cache.redis.enabled` | Enable Redis as caching backend | `false` |
| `trivy.cache.redis.url` | Specify redis connection url, e.g. redis://redis.redis.svc:6379 | `` |
| `trivy.serverToken` | The token to authenticate Trivy client with Trivy server | `` |
| `trivy.podAnnotations` | Annotations for pods created by statefulset | `{}` |
| `service.name` | If specified, the name used for the Trivy service | |
| `service.type` | Kubernetes service type | `ClusterIP` |
| `service.port` | Kubernetes service port | `4954` |
| `httpProxy` | The URL of the HTTP proxy server | |
| `httpsProxy` | The URL of the HTTPS proxy server | |
| `noProxy` | The URLs that the proxy settings do not apply to | |
| `nodeSelector` | Node labels for pod assignment | |
| `affinity` | Affinity settings for pod assignment | |
| `tolerations` | Tolerations for pod assignment | |
| `podAnnotations` | Annotations for pods created by statefulset | `{}` |
| Parameter | Description | Default |
|---------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------|--------------|
cebidhem marked this conversation as resolved.
Show resolved Hide resolved
| `image.registry` | Image registry | `docker.io` |
| `image.repository` | Image name | `aquasec/trivy` |
| `image.tag` | Image tag | `{TAG_NAME}` |
| `image.pullPolicy` | Image pull policy | `IfNotPresent` |
| `image.pullSecret` | The name of an imagePullSecret used to pull trivy image from e.g. Docker Hub or a private registry | |
| `replicaCount` | Number of Trivy Pods to run | `1` |
| `trivy.debugMode` | The flag to enable or disable Trivy debug mode | `false` |
| `trivy.gitHubToken` | The GitHub access token to download Trivy DB. More info: https://github.com/aquasecurity/trivy#github-rate-limiting | |
| `trivy.registryUsername` | The username used to log in at dockerhub. More info: https://aquasecurity.github.io/trivy/dev/advanced/private-registries/docker-hub/ | |
| `trivy.registryPassword` | The password used to log in at dockerhub. More info: https://aquasecurity.github.io/trivy/dev/advanced/private-registries/docker-hub/ | |
| `trivy.registryCredentialsExistingSecret` | Name of Secret containing dockerhub credentials. Alternative to the 2 parameters above, has precedence if set. | |
| `trivy.serviceAccount.annotations` | Additional annotations to add to the Kubernetes service account resource | |
| `trivy.skipUpdate` | The flag to enable or disable Trivy DB downloads from GitHub | `false` |
| `trivy.dbRepository` | OCI repository to retrieve the trivy vulnerability database from | `ghcr.io/aquasecurity/trivy-db` |
| `trivy.cache.redis.enabled` | Enable Redis as caching backend | `false` |
| `trivy.cache.redis.url` | Specify redis connection url, e.g. redis://redis.redis.svc:6379 | `` |
| `trivy.serverToken` | The token to authenticate Trivy client with Trivy server | `` |
| `trivy.podAnnotations` | Annotations for pods created by statefulset | `{}` |
| `trivy.existingSecret` | existingSecret if an existing secret has been created outside the chart. Overrides gitHubToken, registryUsername, registryPassword, serverToken | `` |
| `service.name` | If specified, the name used for the Trivy service | |
| `service.type` | Kubernetes service type | `ClusterIP` |
| `service.port` | Kubernetes service port | `4954` |
| `httpProxy` | The URL of the HTTP proxy server | |
| `httpsProxy` | The URL of the HTTPS proxy server | |
| `noProxy` | The URLs that the proxy settings do not apply to | |
| `nodeSelector` | Node labels for pod assignment | |
| `affinity` | Affinity settings for pod assignment | |
| `tolerations` | Tolerations for pod assignment | |
| `podAnnotations` | Annotations for pods created by statefulset | `{}` |

The above parameters map to the env variables defined in [trivy](https://github.com/aquasecurity/trivy#configuration).

Expand Down
2 changes: 2 additions & 0 deletions helm/trivy/templates/secret.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,3 +1,4 @@
{{- if not .Values.trivy.existingSecret }}
apiVersion: v1
kind: Secret
metadata:
Expand All @@ -12,3 +13,4 @@ data:
TRIVY_USERNAME: {{ .Values.trivy.registryUsername | default "" | b64enc | quote }}
TRIVY_PASSWORD: {{ .Values.trivy.registryPassword | default "" | b64enc | quote }}
{{- end -}}
{{- end }}
4 changes: 4 additions & 0 deletions helm/trivy/templates/statefulset.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -90,7 +90,11 @@ spec:
- configMapRef:
name: {{ include "trivy.fullname" . }}
- secretRef:
{{- if not .Values.trivy.existingSecret }}
name: {{ include "trivy.fullname" . }}
{{- else }}
name: {{ .Values.trivy.existingSecret }}
{{- end }}
ports:
- name: trivy-http
containerPort: {{ .Values.service.port }}
Expand Down
3 changes: 3 additions & 0 deletions helm/trivy/values.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -120,6 +120,9 @@ trivy:
labels: {}
# serverToken is the token to authenticate Trivy client with Trivy server.
serverToken: ""
# existingSecret if an existing secret has been created outside the chart.
# Overrides gitHubToken, registryUsername, registryPassword, serverToken
existingSecret: ""

service:
# If specified, the name used for the Trivy service.
Expand Down