feat(helm): add support for setting trivy container commands and args and statefulset automountServiceAccountToken #5688

Closed
73 changes: 38 additions & 35 deletions helm/trivy/README.md
Expand Up @@ -54,41 +54,44 @@ The command removes all the Kubernetes components associated with the chart and

The following table lists the configurable parameters of the Trivy chart and their default values.

| Parameter | Description | Default |
|---------------------------------------|-------------------------------------------------------------------------|----------------|
| `image.registry` | Image registry | `docker.io` |
| `image.repository` | Image name | `aquasec/trivy` |
| `image.tag` | Image tag | `{TAG_NAME}` |
| `image.pullPolicy` | Image pull policy | `IfNotPresent` |
| `image.pullSecret` | The name of an imagePullSecret used to pull trivy image from e.g. Docker Hub or a private registry | |
| `replicaCount` | Number of Trivy Pods to run | `1` |
| `trivy.debugMode` | The flag to enable or disable Trivy debug mode | `false` |
| `trivy.gitHubToken` | The GitHub access token to download Trivy DB. More info: https://github.com/aquasecurity/trivy#github-rate-limiting | |
| `trivy.registryUsername` | The username used to log in at dockerhub. More info: https://aquasecurity.github.io/trivy/dev/advanced/private-registries/docker-hub/ | |
| `trivy.registryPassword` | The password used to log in at dockerhub. More info: https://aquasecurity.github.io/trivy/dev/advanced/private-registries/docker-hub/ | |
| `trivy.registryCredentialsExistingSecret` | Name of Secret containing dockerhub credentials. Alternative to the 2 parameters above, has precedence if set. | |
| `trivy.serviceAccount.annotations` | Additional annotations to add to the Kubernetes service account resource | |
| `trivy.skipDBUpdate` | The flag to enable or disable Trivy DB downloads from GitHub | `false` |
| `trivy.dbRepository` | OCI repository to retrieve the trivy vulnerability database from | `ghcr.io/aquasecurity/trivy-db` |
| `trivy.cache.redis.enabled` | Enable Redis as caching backend | `false` |
| `trivy.cache.redis.url` | Specify redis connection url, e.g. redis://redis.redis.svc:6379 | `` |
| `trivy.cache.redis.ttl` | Specify redis TTL, e.g. 3600s or 24h | `` |
| `trivy.cache.redis.tls` | Enable Redis TLS with public certificates | `` |
| `trivy.serverToken` | The token to authenticate Trivy client with Trivy server | `` |
| `trivy.existingSecret` | existingSecret if an existing secret has been created outside the chart. Overrides gitHubToken, registryUsername, registryPassword, serverToken | `` |
| `trivy.podAnnotations` | Annotations for pods created by statefulset | `{}` |
| `trivy.extraEnvVars` | extraEnvVars to be set on the container | `{}` |
| `service.name` | If specified, the name used for the Trivy service | |
| `service.type` | Kubernetes service type | `ClusterIP` |
| `service.port` | Kubernetes service port | `4954` |
| `service.sessionAffinity` | Kubernetes service session affinity | `ClientIP` |
| `httpProxy` | The URL of the HTTP proxy server | |
| `httpsProxy` | The URL of the HTTPS proxy server | |
| `noProxy` | The URLs that the proxy settings do not apply to | |
| `nodeSelector` | Node labels for pod assignment | |
| `affinity` | Affinity settings for pod assignment | |
| `tolerations` | Tolerations for pod assignment | |
| `podAnnotations` | Annotations for pods created by statefulset | `{}` |
| Parameter | Description | Default |
| ----------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------- |
| `image.registry` | Image registry | `docker.io` |
| `image.repository` | Image name | `aquasec/trivy` |
| `image.tag` | Image tag | `{TAG_NAME}` |
| `image.pullPolicy` | Image pull policy | `IfNotPresent` |
| `image.pullSecret` | The name of an imagePullSecret used to pull trivy image from e.g. Docker Hub or a private registry | |
| `replicaCount` | Number of Trivy Pods to run | `1` |
| `trivy.debugMode` | The flag to enable or disable Trivy debug mode | `false` |
| `trivy.gitHubToken` | The GitHub access token to download Trivy DB. More info: https://github.com/aquasecurity/trivy#github-rate-limiting | |
| `trivy.registryUsername` | The username used to log in at dockerhub. More info: https://aquasecurity.github.io/trivy/dev/advanced/private-registries/docker-hub/ | |
| `trivy.registryPassword` | The password used to log in at dockerhub. More info: https://aquasecurity.github.io/trivy/dev/advanced/private-registries/docker-hub/ | |
| `trivy.registryCredentialsExistingSecret` | Name of Secret containing dockerhub credentials. Alternative to the 2 parameters above, has precedence if set. | |
| `trivy.serviceAccount.annotations` | Additional annotations to add to the Kubernetes service account resource | |
| `trivy.skipDBUpdate` | The flag to enable or disable Trivy DB downloads from GitHub | `false` |
| `trivy.dbRepository` | OCI repository to retrieve the trivy vulnerability database from | `ghcr.io/aquasecurity/trivy-db` |
| `trivy.cache.redis.enabled` | Enable Redis as caching backend | `false` |
| `trivy.cache.redis.url` | Specify redis connection url, e.g. redis://redis.redis.svc:6379 | `` |
| `trivy.cache.redis.ttl` | Specify redis TTL, e.g. 3600s or 24h | `` |
| `trivy.cache.redis.tls` | Enable Redis TLS with public certificates | `` |
| `trivy.serverToken` | The token to authenticate Trivy client with Trivy server | `` |
| `trivy.existingSecret` | existingSecret if an existing secret has been created outside the chart. Overrides gitHubToken, registryUsername, registryPassword, serverToken | `` |
| `trivy.podAnnotations` | Annotations for pods created by statefulset | `{}` |
| `trivy.extraEnvVars` | extraEnvVars to be set on the container | `{}` |
| `trivy.command` | Override default Trivy container command (useful when using custom images) | |
| `trivy.args` | Override default container args (useful when using custom images) | `["server"]` |
| `service.name` | If specified, the name used for the Trivy service | |
| `service.type` | Kubernetes service type | `ClusterIP` |
| `service.port` | Kubernetes service port | `4954` |
| `service.sessionAffinity` | Kubernetes service session affinity | `ClientIP` |
| `httpProxy` | The URL of the HTTP proxy server | |
| `httpsProxy` | The URL of the HTTPS proxy server | |
| `noProxy` | The URLs that the proxy settings do not apply to | |
| `nodeSelector` | Node labels for pod assignment | |
| `affinity` | Affinity settings for pod assignment | |
| `tolerations` | Tolerations for pod assignment | |
| `podAnnotations` | Annotations for pods created by statefulset | `{}` |
| `automountServiceAccountToken` | Opt out of the Statefulset Kubelet to automatically mount a ServiceAccount's API credentials | |

The above parameters map to the env variables defined in [trivy](https://github.com/aquasecurity/trivy#configuration).
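Review bot: the `automountServiceAccountToken` row leaves the Default column empty, but the statefulset template in this PR renders `{{ default false .Values.automountServiceAccountToken }}`, so the effective default is `false` and the table should say so; the description "Opt out of the Statefulset Kubelet to automatically mount a ServiceAccount's API credentials" also reads as a fragment, suggest "Whether the kubelet mounts the ServiceAccount API token into the Trivy pod (default `false`; leave it off unless Trivy needs the Kubernetes API)". Separately, `trivy.command` is documented here, yet the values.yaml hunk in this PR adds only `args`, so either add a `command` key to values.yaml or state in the description that the key is unset by default.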

8 changes: 5 additions & 3 deletions helm/trivy/templates/statefulset.yaml
Expand Up @@ -42,7 +42,7 @@ spec:
{{- end }}
spec:
serviceAccountName: {{ include "trivy.fullname" . }}
automountServiceAccountToken: false
automountServiceAccountToken: {{ default false .Values.automountServiceAccountToken }}
{{- if .Values.podSecurityContext }}
securityContext:
{{ toYaml .Values.podSecurityContext | indent 8 }}
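Review bot: replacing the hard-coded `automountServiceAccountToken: false` with `{{ default false .Values.automountServiceAccountToken }}` preserves the least-privilege default only because the new values.yaml key is declared as a bare `automountServiceAccountToken:` (null) and `default` treats null as empty; that works, but an explicit `automountServiceAccountToken: false` in values.yaml would make the secure default visible to chart users instead of relying on `default`'s empty-value semantics, and the values comment should say that enabling it hands the Trivy server pod a Kubernetes API credential.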
Expand Down Expand Up @@ -71,8 +71,10 @@ spec:
securityContext:
{{ toYaml .Values.securityContext | indent 12 }}
{{- end }}
args:
- server
{{- if .Values.trivy.command }}
command: {{ .Values.trivy.command | toJson }}
Contributor:

I didn't see trivy.command in the values.yaml file, am I missing anything?

{{- end }}
args: {{ .Values.trivy.args | toJson }}
{{- if .Values.trivy.registryCredentialsExistingSecret }}
env:
- name: TRIVY_USERNAME
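Review bot: `args: {{ .Values.trivy.args | toJson }}` is now unconditional, so a user who overrides `trivy.command` with an entrypoint that does not understand `server` still gets the values.yaml default `["server"]` appended and must override `trivy.args` as well; document that coupling next to the `command` key, or guard `args` with `{{- if .Values.trivy.args }}` the way `command` is guarded. Also `trivy.command` is read here but never declared in values.yaml in this PR (the values.yaml hunk adds only `args`), which is the gap the contributor comment above points out.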
5 changes: 5 additions & 0 deletions helm/trivy/values.yaml
Expand Up @@ -128,6 +128,9 @@ trivy:
existingSecret: ""
# extraEnvVars to be set on the container
extraEnvVars: {}
# args trivy container args
args:
- server

service:
# If specified, the name used for the Trivy service.
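Review bot: only `args` is added here while statefulset.yaml now reads `.Values.trivy.command`; add a `command:` entry (empty by default, e.g. `command: []`) with a comment so the override is discoverable from values.yaml. The comment `# args trivy container args` should also say that the list replaces rather than extends the default, since the template renders it verbatim with `toJson`, and that `server` is required for the stock image.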
Expand Down Expand Up @@ -161,3 +164,5 @@ httpProxy:
httpsProxy:
# noProxy the URLs that the proxy settings do not apply to
noProxy:
# automountServiceAccountToken the Kubelet to automatically mount a ServiceAccount's API credentials
automountServiceAccountToken:
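Review bot: the comment `# automountServiceAccountToken the Kubelet to automatically mount a ServiceAccount's API credentials` is a fragment and the key is left null; since statefulset.yaml applies `default false`, set it explicitly to `automountServiceAccountToken: false` and reword the comment to say that it controls whether the kubelet mounts the ServiceAccount token into the Trivy pod and should stay `false` unless Trivy needs the Kubernetes API.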