
build(deps): bump sigstore/cosign-installer from 3.1.0 to 3.1.1 (aqua…
…security#1338)

Bumps [sigstore/cosign-installer](https://github.com/sigstore/cosign-installer) from 3.1.0 to 3.1.1.
- [Release notes](https://github.com/sigstore/cosign-installer/releases)
- [Commits](sigstore/cosign-installer@v3.1.0...v3.1.1)

---
updated-dependencies:
- dependency-name: sigstore/cosign-installer
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
dependabot[bot] authored and yanehi committed Jul 6, 2023
1 parent d3a1de1 commit 9297f1a
Showing 6 changed files with 122 additions and 35 deletions.
2 changes: 1 addition & 1 deletion .github/workflows/release-snapshot.yaml
Expand Up @@ -42,7 +42,7 @@ jobs:
restore-keys: |
${{ runner.os }}-go-
- name: Install cosign
uses: sigstore/cosign-installer@v3.1.0
uses: sigstore/cosign-installer@v3.1.1
- name: Release snapshot
uses: goreleaser/goreleaser-action@v4
with:
2 changes: 1 addition & 1 deletion .github/workflows/release.yaml
Expand Up @@ -105,7 +105,7 @@ jobs:
restore-keys: |
${{ runner.os }}-go-
- name: Install cosign
uses: sigstore/cosign-installer@v3.1.0
uses: sigstore/cosign-installer@v3.1.1
- name: Login to docker.io registry
uses: docker/login-action@v2.2.0
with:
3 changes: 3 additions & 0 deletions deploy/helm/templates/config.yaml
Expand Up @@ -93,6 +93,9 @@ metadata:
data:
trivy.repository: "{{ required ".Values.trivy.image.registry is required" .Values.trivy.image.registry }}/{{ required ".Values.trivy.image.repository is required" .Values.trivy.image.repository }}"
trivy.tag: {{ required ".Values.trivy.image.tag is required" .Values.trivy.image.tag | quote }}
{{- if .Values.trivy.image.imagePullPolicy }}
trivy.imagePullPolicy: {{ .Values.trivy.image.imagePullPolicy | quote }}
{{- end }}
{{- if .Values.trivy.image.imagePullSecret }}
trivy.imagePullSecret: {{ .Values.trivy.image.imagePullSecret | quote }}
{{- end }}
2 changes: 2 additions & 0 deletions deploy/helm/values.yaml
Expand Up @@ -242,6 +242,8 @@ trivy:
# -- imagePullSecret is the secret name to be used when pulling trivy image from private registries example : reg-secret
# It is the user responsibility to create the secret for the private registry in `trivy-operator` namespace
# imagePullSecret:
# -- imagePullPolicy controls when your trivy-image is pulled
imagePullPolicy: IfNotPresent

# -- mode is the Trivy client mode. Either Standalone or ClientServer. Depending
# on the active mode other settings might be applicable or required.
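Review bot: The new `# -- imagePullPolicy` comment does not say which values are accepted or what happens when the value is cleared, and the ConfigMap template in this same commit only emits `trivy.imagePullPolicy` when `.Values.trivy.image.imagePullPolicy` is non-empty. Suggest `# -- imagePullPolicy controls when the trivy image is pulled: Always, IfNotPresent or Never. Leave empty to omit the key from the ConfigMap.` The enclosing `trivy:` block continues outside the hunk.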
20 changes: 19 additions & 1 deletion pkg/plugins/trivy/plugin.go
Expand Up @@ -25,6 +25,7 @@ import (
"github.com/aquasecurity/trivy-operator/pkg/trivyoperator"
"github.com/aquasecurity/trivy-operator/pkg/vulnerabilityreport"
corev1 "k8s.io/api/core/v1"
v1 "k8s.io/api/core/v1"
"k8s.io/apimachinery/pkg/api/resource"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/utils/pointer"
Expand All @@ -50,6 +51,7 @@ const (
keyTrivyImageTag = "trivy.tag"
//nolint:gosec
keyTrivyImagePullSecret = "trivy.imagePullSecret"
keyTrivyImagePullPolicy = "trivy.imagePullPolicy"
keyTrivyMode = "trivy.mode"
keyTrivyAdditionalVulnerabilityReportFields = "trivy.additionalVulnerabilityReportFields"
keyTrivyCommand = "trivy.command"
Expand Down Expand Up @@ -97,6 +99,7 @@ const (

const (
DefaultImageRepository = "ghcr.io/aquasecurity/trivy"
DefaultImagePullPolicy = "IfNotPresent"
DefaultDBRepository = "ghcr.io/aquasecurity/trivy-db"
DefaultJavaDBRepository = "ghcr.io/aquasecurity/trivy-java-db"
DefaultSeverity = "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL"
Expand Down Expand Up @@ -185,6 +188,14 @@ func (c Config) GetImageTag() (string, error) {
return tag, nil
}

func (c Config) GetImagePullPolicy() (string, error) {
pullPolicy, err := c.GetRequiredData(keyTrivyImagePullPolicy)
if err != nil {
return "", err
}
return pullPolicy, nil
}

func (c Config) GetImagePullSecret() []corev1.LocalObjectReference {
ips, ok := c.Data[keyTrivyImagePullSecret]
if !ok {
Expand Down Expand Up @@ -553,6 +564,7 @@ func (p *plugin) Init(ctx trivyoperator.PluginContext) error {
Data: map[string]string{
keyTrivyImageRepository: DefaultImageRepository,
keyTrivyImageTag: "0.42.0",
keyTrivyImagePullPolicy: DefaultImagePullPolicy,
KeyTrivySeverity: DefaultSeverity,
keyTrivySlow: "true",
keyTrivyMode: string(Standalone),
Expand Down Expand Up @@ -608,6 +620,7 @@ func (p *plugin) GetScanJobSpec(ctx trivyoperator.PluginContext, workload client
}
// add image pull secret to be used when pulling trivy image fom private registry
podSpec.ImagePullSecrets = config.GetImagePullSecret()

return podSpec, secrets, err
}

Expand Down Expand Up @@ -684,6 +697,11 @@ func (p *plugin) getPodSpecForStandaloneMode(ctx trivyoperator.PluginContext, co
return corev1.PodSpec{}, nil, err
}

trivyImagePullPolicy, err := config.GetImagePullPolicy()
if err != nil {
return corev1.PodSpec{}, nil, err
}

trivyConfigName := trivyoperator.GetPluginConfigMapName(Plugin)

dbRepository, err := config.GetDBRepository()
Expand Down Expand Up @@ -851,7 +869,7 @@ func (p *plugin) getPodSpecForStandaloneMode(ctx trivyoperator.PluginContext, co
containers = append(containers, corev1.Container{
Name: c.Name,
Image: trivyImageRef,
ImagePullPolicy: corev1.PullIfNotPresent,
ImagePullPolicy: v1.PullPolicy(trivyImagePullPolicy),
TerminationMessagePolicy: corev1.TerminationMessageFallbackToLogsOnError,
Env: env,
Command: cmd,
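Review bot: `GetImagePullPolicy` reads the key through `GetRequiredData`, so a plugin ConfigMap without `trivy.imagePullPolicy` now makes `getPodSpecForStandaloneMode` fail at the new call, yet the Helm template in this same commit writes that key only when `.Values.trivy.image.imagePullPolicy` is non-empty, and ConfigMaps created by an older operator will not carry it at all (whether `Init` back-fills an existing ConfigMap is not visible here). Falling back to the default, in the style of `GetImagePullSecret`, avoids that: `pullPolicy, ok := c.Data[keyTrivyImagePullPolicy]` / `if !ok || pullPolicy == "" { return DefaultImagePullPolicy, nil }` / `return pullPolicy, nil`. The string is also converted unchecked at `v1.PullPolicy(trivyImagePullPolicy)`; rejecting anything other than `Always`, `IfNotPresent` or `Never` when the config is read gives a clearer error than an API-server rejection of every scan job. Separately, the new `v1` alias for `k8s.io/api/core/v1` duplicates the existing `corev1` import of the same package; `corev1.PullPolicy(trivyImagePullPolicy)` keeps the file on one alias. The bodies of `Init`, `GetScanJobSpec` and `getPodSpecForStandaloneMode` extend beyond their hunks.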
