diff --git a/apps.yaml b/apps.yaml index eb2b8bc2d5..282f1c8220 100644 --- a/apps.yaml +++ b/apps.yaml @@ -317,7 +317,7 @@ appsInfo: integration: APL installs and configures Thanos using sidecars ans leverages the central object storage configuration. trivy: title: Trivy Operator - appVersion: 0.28.0 + appVersion: 0.29.0 repo: https://github.com/aquasecurity/trivy-operator maintainers: Aqua Security relatedLinks: diff --git a/chart/chart-index/Chart.yaml b/chart/chart-index/Chart.yaml index 4f919a62a7..b49e1d4117 100644 --- a/chart/chart-index/Chart.yaml +++ b/chart/chart-index/Chart.yaml @@ -130,7 +130,7 @@ dependencies: version: 15.7.25 repository: https://charts.bitnami.com/bitnami - name: trivy-operator - version: 0.30.0 + version: 0.31.0 repository: https://aquasecurity.github.io/helm-charts/ - name: velero version: 5.4.1 diff --git a/charts/trivy-operator/Chart.yaml b/charts/trivy-operator/Chart.yaml index c87cf8555d..f9d1ae9108 100644 --- a/charts/trivy-operator/Chart.yaml +++ b/charts/trivy-operator/Chart.yaml @@ -1,5 +1,5 @@ apiVersion: v2 -appVersion: 0.28.0 +appVersion: 0.29.0 description: Keeps security report resources updated keywords: - aquasecurity @@ -9,4 +9,4 @@ name: trivy-operator sources: - https://github.com/aquasecurity/trivy-operator type: application -version: 0.30.0 +version: 0.31.0 diff --git a/charts/trivy-operator/README.md b/charts/trivy-operator/README.md index 2ac3ee3752..32321b317c 100644 --- a/charts/trivy-operator/README.md +++ b/charts/trivy-operator/README.md 
@@ -1,6 +1,6 @@ # trivy-operator -![Version: 0.30.0](https://img.shields.io/badge/Version-0.30.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 0.28.0](https://img.shields.io/badge/AppVersion-0.28.0-informational?style=flat-square) +![Version: 0.31.0](https://img.shields.io/badge/Version-0.31.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 0.29.0](https://img.shields.io/badge/AppVersion-0.29.0-informational?style=flat-square) Keeps security report resources updated @@ -73,6 +73,7 @@ Keeps security report resources updated | operator.namespace | string | `""` | namespace to install the operator, defaults to the .Release.Namespace | | operator.noProxy | string | `nil` | noProxy is a comma separated list of IPs and domain names that are not subject to proxy settings. | | operator.podLabels | object | `{}` | additional labels for the operator pod | +| operator.pprofBindAddress | string | `""` | pprofBindAddress the address to bind the pprof server to. By default, it is not enabled. | | operator.privateRegistryScanSecretsNames | object | `{}` | privateRegistryScanSecretsNames is map of namespace:secrets, secrets are comma seperated which can be used to authenticate in private registries in case if there no imagePullSecrets provided example : {"mynamespace":"mySecrets,anotherSecret"} | | operator.rbacAssessmentScannerEnabled | bool | `true` | rbacAssessmentScannerEnabled the flag to enable rbac assessment scanner | | operator.replicas | int | `1` | replicas the number of replicas of the operator's pod | 
@@ -151,7 +152,7 @@ Keeps security report resources updated | trivy.image.pullPolicy | string | `"IfNotPresent"` | pullPolicy is the imge pull policy used for trivy image , valid values are (Always, Never, IfNotPresent) | | trivy.image.registry | string | `"mirror.gcr.io"` | registry of the Trivy image | | trivy.image.repository | string | `"aquasec/trivy"` | repository of the Trivy image | -| trivy.image.tag | string | `"0.65.0"` | tag version of the Trivy image | +| trivy.image.tag | string | `"0.66.0"` | tag version of the Trivy image | | trivy.imageScanCacheDir | string | `"/tmp/trivy/.cache"` | imageScanCacheDir the flag to set custom path for trivy image scan `cache-dir` parameter. Only applicable in image scan mode. | | trivy.includeDevDeps | bool | `false` | includeDevDeps include development dependencies in the report (supported: npm, yarn) (default: false) note: this flag is only applicable when trivy.command is set to filesystem | | trivy.insecureRegistries | object | `{}` | The registry to which insecure connections are allowed. There can be multiple registries with different keys. | 
@@ -167,6 +168,7 @@ Keeps security report resources updated | trivy.registry | object | `{"mirror":{}}` | Mirrored registries. There can be multiple registries with different keys. Make sure to quote registries containing dots | | trivy.resources | object | `{"limits":{"cpu":"500m","memory":"500M"},"requests":{"cpu":"100m","memory":"100M"}}` | resources resource requests and limits for scan job containers | | trivy.sbomSources | string | `""` | sbomSources trivy will try to retrieve SBOM from the specified sources (oci,rekor) | +| trivy.server.extraServerVolumes | object | `{"volumeMounts":[],"volumes":[]}` | volumes set trivy-server volumes | | trivy.server.podSecurityContext | object | `{"fsGroup":65534,"runAsNonRoot":true,"runAsUser":65534}` | podSecurityContext set trivy-server podSecurityContext | | trivy.server.replicas | int | `1` | the number of replicas of the trivy-server | | trivy.server.resources | object | `{"limits":{"cpu":1,"memory":"1Gi"},"requests":{"cpu":"200m","memory":"512Mi"}}` | resources set trivy-server resource | diff --git a/charts/trivy-operator/generated/role.yaml b/charts/trivy-operator/generated/role.yaml index e8f464746c..7e0bb7e8e6 100644 --- a/charts/trivy-operator/generated/role.yaml +++ b/charts/trivy-operator/generated/role.yaml @@ -20,6 +20,12 @@ rules: - get - list - watch +- apiGroups: + - "" + resources: + - namespaces + verbs: + - get - apiGroups: - "" resources: diff --git a/charts/trivy-operator/templates/configmaps/trivy-operator-config.yaml b/charts/trivy-operator/templates/configmaps/trivy-operator-config.yaml index a9adf90346..468a3d0297 100644 --- a/charts/trivy-operator/templates/configmaps/trivy-operator-config.yaml +++ b/charts/trivy-operator/templates/configmaps/trivy-operator-config.yaml 
@@ -20,6 +20,7 @@ data: OPERATOR_METRICS_FINDINGS_ENABLED: {{ .Values.operator.metricsFindingsEnabled | quote }} OPERATOR_METRICS_VULN_ID_ENABLED: {{ .Values.operator.metricsVulnIdEnabled | quote }} OPERATOR_HEALTH_PROBE_BIND_ADDRESS: ":9090" + OPERATOR_PPROF_BIND_ADDRESS: {{ .Values.operator.pprofBindAddress | quote }} OPERATOR_VULNERABILITY_SCANNER_ENABLED: {{ .Values.operator.vulnerabilityScannerEnabled | quote }} OPERATOR_SBOM_GENERATION_ENABLED: {{ .Values.operator.sbomGenerationEnabled | quote }} OPERATOR_CLUSTER_SBOM_CACHE_ENABLED: {{ .Values.operator.clusterSbomCacheEnabled | quote }} diff --git a/charts/trivy-operator/templates/configmaps/trivy.yaml b/charts/trivy-operator/templates/configmaps/trivy.yaml index 498eee3f5b..759edae8b5 100644 --- a/charts/trivy-operator/templates/configmaps/trivy.yaml +++ b/charts/trivy-operator/templates/configmaps/trivy.yaml @@ -80,6 +80,10 @@ data: {{- with .Values.trivy.timeout }} trivy.timeout: {{ . | quote }} {{- end }} + {{- if .Values.trivy.configFile }} + trivy.configFile: | + {{- .Values.trivy.configFile | toYaml | nindent 4 }} + {{- end }} {{- if .Values.trivy.ignoreFile }} trivy.ignoreFile: | {{- range .Values.trivy.ignoreFile }} diff --git a/charts/trivy-operator/templates/monitor/servicemonitor.yaml b/charts/trivy-operator/templates/monitor/servicemonitor.yaml index 7e5c8032eb..24753f1fe5 100644 --- a/charts/trivy-operator/templates/monitor/servicemonitor.yaml +++ b/charts/trivy-operator/templates/monitor/servicemonitor.yaml @@ -1,4 +1,4 @@ -{{- if and (eq .Values.serviceMonitor.enabled true) (.Capabilities.APIVersions.Has "monitoring.coreos.com/v1") }} +{{- if .Values.serviceMonitor.enabled }} apiVersion: monitoring.coreos.com/v1 kind: ServiceMonitor metadata: diff --git a/charts/trivy-operator/templates/specs/eks-cis-1.4.yaml b/charts/trivy-operator/templates/specs/eks-cis-1.4.yaml index 075c3ed457..f944c988cf 100644 --- a/charts/trivy-operator/templates/specs/eks-cis-1.4.yaml 
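Review bot: The new `OPERATOR_PPROF_BIND_ADDRESS` line renders whatever `operator.pprofBindAddress` holds, and neither this hunk nor the values.yaml hunk that adds the `""` default tells the user that pprof endpoints serve heap, goroutine and CPU profiles with no authentication. Once the value is non-empty the operator presumably listens on that address inside the pod, so a non-loopback bind is reachable by whatever the namespace's network policy permits; the chart adds no Service port for it in this diff, which is the right default. I would extend the values.yaml comment to `# -- pprofBindAddress the address to bind the pprof server to, e.g. "127.0.0.1:<port>". Empty (the default) disables it. pprof has no authentication; only bind a non-loopback address in a network-policed namespace.` The `| quote` keeps the empty default a string rather than null, which is correct.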
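Review bot: The new `trivy.configFile` block reads `.Values.trivy.configFile`, but no hunk in this diff adds that key to values.yaml or to the README table, so nothing tells users the expected type; because the value goes through `toYaml`, it has to be a map (a plain string would render as a quoted scalar, not a config file). The rendered content also lands in the same ConfigMap as the dedicated `trivy.*` keys around it, and which one wins when both set the same option is not visible here, so the value's comment should say so. I would add next to the other `trivy` settings `# -- configFile map rendered verbatim as the Trivy config file. Keys here can overlap with dedicated trivy.* settings; confirm which one the scanner honours before relying on it.` followed by `configFile: {}`. The `if` guard already tolerates the key being absent, so the missing default does not break rendering today.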
+++ b/charts/trivy-operator/templates/specs/eks-cis-1.4.yaml @@ -6,7 +6,7 @@ metadata: labels: app.kubernetes.io/name: trivy-operator app.kubernetes.io/instance: trivy-operator - app.kubernetes.io/version: 0.28.0 + app.kubernetes.io/version: 0.29.0 app.kubernetes.io/managed-by: kubectl spec: cron: {{ .Values.compliance.cron | quote }} diff --git a/charts/trivy-operator/templates/specs/k8s-cis-1.23.yaml b/charts/trivy-operator/templates/specs/k8s-cis-1.23.yaml index fad8cf0bfb..a4fc5a1201 100644 --- a/charts/trivy-operator/templates/specs/k8s-cis-1.23.yaml +++ b/charts/trivy-operator/templates/specs/k8s-cis-1.23.yaml @@ -6,7 +6,7 @@ metadata: labels: app.kubernetes.io/name: trivy-operator app.kubernetes.io/instance: trivy-operator - app.kubernetes.io/version: 0.28.0 + app.kubernetes.io/version: 0.29.0 app.kubernetes.io/managed-by: kubectl spec: cron: {{ .Values.compliance.cron | quote }} diff --git a/charts/trivy-operator/templates/specs/k8s-nsa-1.0.yaml b/charts/trivy-operator/templates/specs/k8s-nsa-1.0.yaml index d8fd26e429..afbe2ad2c6 100644 --- a/charts/trivy-operator/templates/specs/k8s-nsa-1.0.yaml +++ b/charts/trivy-operator/templates/specs/k8s-nsa-1.0.yaml @@ -7,7 +7,7 @@ metadata: labels: app.kubernetes.io/name: trivy-operator app.kubernetes.io/instance: trivy-operator - app.kubernetes.io/version: 0.28.0 + app.kubernetes.io/version: 0.29.0 app.kubernetes.io/managed-by: kubectl spec: cron: {{ .Values.compliance.cron | quote}} diff --git a/charts/trivy-operator/templates/specs/k8s-pss-baseline-0.1.yaml b/charts/trivy-operator/templates/specs/k8s-pss-baseline-0.1.yaml index 0937cd73b9..502d3fbda9 100644 --- a/charts/trivy-operator/templates/specs/k8s-pss-baseline-0.1.yaml +++ b/charts/trivy-operator/templates/specs/k8s-pss-baseline-0.1.yaml 
@@ -7,7 +7,7 @@ metadata: labels: app.kubernetes.io/name: trivy-operator app.kubernetes.io/instance: trivy-operator - app.kubernetes.io/version: 0.28.0 + app.kubernetes.io/version: 0.29.0 app.kubernetes.io/managed-by: kubectl spec: cron: {{ .Values.compliance.cron | quote}} diff --git a/charts/trivy-operator/templates/specs/k8s-pss-restricted-0.1.yaml b/charts/trivy-operator/templates/specs/k8s-pss-restricted-0.1.yaml index 27061c856e..11b6fc2653 100644 --- a/charts/trivy-operator/templates/specs/k8s-pss-restricted-0.1.yaml +++ b/charts/trivy-operator/templates/specs/k8s-pss-restricted-0.1.yaml @@ -7,7 +7,7 @@ metadata: labels: app.kubernetes.io/name: trivy-operator app.kubernetes.io/instance: trivy-operator - app.kubernetes.io/version: 0.28.0 + app.kubernetes.io/version: 0.29.0 app.kubernetes.io/managed-by: kubectl spec: cron: {{ .Values.compliance.cron | quote}} diff --git a/charts/trivy-operator/templates/specs/rke2-cis-1.24.yaml b/charts/trivy-operator/templates/specs/rke2-cis-1.24.yaml index af84d0f432..ce06240d17 100644 --- a/charts/trivy-operator/templates/specs/rke2-cis-1.24.yaml +++ b/charts/trivy-operator/templates/specs/rke2-cis-1.24.yaml @@ -7,7 +7,7 @@ metadata: labels: app.kubernetes.io/name: trivy-operator app.kubernetes.io/instance: trivy-operator - app.kubernetes.io/version: 0.28.0 + app.kubernetes.io/version: 0.29.0 app.kubernetes.io/managed-by: kubectl spec: cron: {{ .Values.compliance.cron | quote}} diff --git a/charts/trivy-operator/templates/trivy-server/statefulset.yaml b/charts/trivy-operator/templates/trivy-server/statefulset.yaml index 61459e9c83..24ad39a6df 100644 --- a/charts/trivy-operator/templates/trivy-server/statefulset.yaml +++ b/charts/trivy-operator/templates/trivy-server/statefulset.yaml 
@@ -132,6 +132,9 @@ spec: name: ssl-cert-dir readOnly: true {{- end }} + {{- with .Values.trivy.server.extraServerVolumes.volumeMounts }} + {{- toYaml . | nindent 12 }} + {{- end }} {{- with .Values.trivy.server.resources }} resources: {{- toYaml . | nindent 12 }} {{- end }} @@ -147,6 +150,9 @@ spec: hostPath: path: {{ . }} {{- end }} + {{- with .Values.trivy.server.extraServerVolumes.volumes }} + {{- toYaml . | nindent 8 }} + {{- end }} {{- with .Values.tolerations }} tolerations: {{- toYaml . | nindent 8 }} {{- end }} diff --git a/charts/trivy-operator/values.yaml b/charts/trivy-operator/values.yaml index 49883179d3..d28e04b311 100644 --- a/charts/trivy-operator/values.yaml +++ b/charts/trivy-operator/values.yaml @@ -199,6 +199,9 @@ operator: # -- valuesFromSecret name of a Secret to apply OPERATOR_* environment variables. Will override Helm AND ConfigMap values. valuesFromSecret: "" + # -- pprofBindAddress the address to bind the pprof server to. By default, it is not enabled. + pprofBindAddress: "" + image: registry: "mirror.gcr.io" repository: "aquasec/trivy-operator" @@ -228,7 +231,7 @@ service: # -- Prometheus ServiceMonitor configuration -- to install the trivy operator with the ServiceMonitor # you must have Prometheus already installed and running. If you do not have Prometheus installed, enabling this will -# have no effect. +# produce an error. serviceMonitor: # -- enabled determines whether a serviceMonitor should be deployed enabled: false @@ -357,7 +360,7 @@ trivy: # -- repository of the Trivy image repository: aquasec/trivy # -- tag version of the Trivy image - tag: 0.65.0 + tag: 0.66.0 # -- imagePullSecret is the secret name to be used when pulling trivy image from private registries example : reg-secret # It is the user responsibility to create the secret for the private registry in `trivy-operator` namespace imagePullSecret: ~ 
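Review bot: Both statefulset hunks (`@@ -132` for volumeMounts and `@@ -147` for volumes) append `toYaml` output directly after the `{{- end }}` of a conditional block, and the `volumeMounts:` / `volumes:` keys they attach to lie outside the hunks; if either parent key is itself rendered only under a condition, the appended entries would appear without a parent and the StatefulSet would fail to apply. Please confirm both parent keys are unconditional, or render the extra entries under the same guard. A smaller point: `.Values.trivy.server.extraServerVolumes.volumeMounts` errors at render time if a user overrides `extraServerVolumes: null`, because the nested lookup happens before `with` sees the nil; nesting `{{- with .Values.trivy.server.extraServerVolumes }}{{- with .volumeMounts }}` avoids that. The enclosing container and pod specs start and end outside the hunks.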
@@ -621,6 +624,20 @@ trivy: # -- the number of replicas of the trivy-server replicas: 1 + # -- volumes set trivy-server volumes + extraServerVolumes: + # Statefulset volumeMounts + volumeMounts: [] + # - name: trusted-ca + # mountPath: /etc/ssl/trusted-ca + # subPath: trusted-ca.crt + # readOnly: true + # Statefulset volumes + volumes: [] + # - name: trusted-ca + # secret: + # secretName: trusted-ca + # -- vaulesFromConfigMap name of a ConfigMap to apply TRIVY_* environment variables. Will override Helm values. valuesFromConfigMap: ""
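Review bot: The helm-docs comment on the new `extraServerVolumes` key reads `# -- volumes set trivy-server volumes`, which describes only half of the map and is exactly what the README table now shows for it; the key carries both `volumeMounts` and `volumes`. I would change it to `# -- extraServerVolumes additional volumes and volumeMounts appended to the trivy-server StatefulSet (e.g. a CA bundle mounted from a Secret, as in the commented example)` so the generated docs name both halves. Keeping the examples as comments rather than defaults is right, since the empty lists render nothing.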