diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml
index 8d2271ef1..add86f334 100644
--- a/.github/workflows/build.yaml
+++ b/.github/workflows/build.yaml
@@ -100,181 +100,3 @@ jobs: uses: codecov/codecov-action@v5 with: files: ./coverage.txt - itest-trivy-operator: - name: Run integration tests - needs: - - operator-envtest - runs-on: ubuntu-latest - timeout-minutes: 15 - steps: - - name: Checkout code - uses: actions/checkout@v4 - - - name: Setup Go - uses: actions/setup-go@v5 - with: - go-version: ${{ env.GO_VERSION }} - - - name: Install tools - uses: aquaproj/aqua-installer@v3.1.1 - with: - aqua_version: v1.25.0 - - - name: Setup Kubernetes cluster (KIND) - uses: engineerd/setup-kind@v0.6.2 - with: - version: ${{ env.KIND_VERSION }} - image: ${{ env.KIND_IMAGE }} - - - name: Test connection to Kubernetes cluster - run: | - kubectl cluster-info - kubectl wait --for=condition=Ready nodes --all --timeout=300s - kubectl describe node - - - name: Run integration tests - run: | - kubectl create -k deploy/static - mage test:integration - env: - KUBECONFIG: /home/runner/.kube/config - OPERATOR_NAMESPACE: trivy-system - OPERATOR_TARGET_NAMESPACES: default - - - name: Upload code coverage - uses: codecov/codecov-action@v5 - with: - files: ./itest/trivy-operator/coverage.txt - - e2e-testing: - name: Run end to end testing - needs: - - itest-trivy-operator - runs-on: ubuntu-latest - env: - DOCKER_CLI_EXPERIMENTAL: enabled - steps: - - name: Set up QEMU - uses: docker/setup-qemu-action@v3 - - name: Set up Docker Buildx - id: buildx - uses: docker/setup-buildx-action@v3 - - name: Available platforms - run: echo ${{ steps.buildx.outputs.platforms }} - - name: Checkout code - uses: actions/checkout@v4 - - name: Setup Go - uses: actions/setup-go@v5 - with: - go-version: ${{ env.GO_VERSION }} - - name: Release snapshot - uses: goreleaser/goreleaser-action@v6 - with: - version: v2.4.8 - args: release -f=goreleaser-e2e.yaml --snapshot --skip=publish --clean - - name: Install kind and create cluster - run: > - curl -Lo ./kind https://kind.sigs.k8s.io/dl/${{ env.KIND_VERSION - }}/kind-linux-amd64 - - chmod +x ./kind - - sudo mv 
./kind /usr/local/bin/kind - - kind create cluster - - curl -LO https://dl.k8s.io/release/v1.26.0/bin/linux/amd64/kubectl - - sudo install -o root -g root -m 0755 kubectl /usr/local/bin/kubectl - - name: Test connection to Kubernetes cluster - run: | - kubectl cluster-info - kubectl wait --for=condition=Ready nodes --all --timeout=300s - kubectl describe node - - name: Load operator image to cluster - run: > - docker tag mirror.gcr.io/aquasec/trivy-operator:${{ github.sha }}-amd64 - mirror.gcr.io/aquasec/trivy-operator:e2e - - docker save -o trivy-operator.tar mirror.gcr.io/aquasec/trivy-operator:e2e - - kind load image-archive trivy-operator.tar - - name: Init E2E tests (Install kuttl & helm) - run: > - mkdir -p ./bin - - curl -L https://github.com/kudobuilder/kuttl/releases/download/v0.15.0/kubectl-kuttl_0.15.0_linux_x86_64 -o ./bin/kuttl; - - chmod +x ./bin/kuttl; - - curl -fsSL -o get_helm.sh https://raw.githubusercontent.com/helm/helm/main/scripts/get-helm-3 - - chmod 700 get_helm.sh - - ./get_helm.sh - - name: Image scan mode producing vulnerability,misconfig and exposedsecrets - reports tests - run: > - kubectl create namespace e2e-test - - ./bin/kuttl test --start-kind=false --namespace e2e-test --config tests/e2e/config/image-mode.yaml - - ./tests/resources-cleanup.sh > /dev/null 2>&1 - - name: Files System scan mode producing vulnerability,misconfig and exposedsecrets reports tests - run: | - kubectl create namespace e2e-test - - ./bin/kuttl test --start-kind=false --namespace e2e-test --config tests/e2e/config/fs-mode.yaml - - ./tests/resources-cleanup.sh > /dev/null 2>&1 - - name: Client/server mode producing vulnerability,misconfig and exposedsecrets - reports tests - run: > - kubectl create namespace e2e-test - - ./bin/kuttl test --start-kind=false --namespace e2e-test --config tests/e2e/config/client-server.yaml - - ./tests/resources-cleanup.sh > /dev/null 2>&1 - - name: Standalon mode with Sbom scanning - reports tests - run: > - kubectl create 
namespace e2e-test - - ./bin/kuttl test --start-kind=false --namespace e2e-test --config tests/e2e/config/sbom-standalone.yaml - - ./tests/resources-cleanup.sh > /dev/null 2>&1 - - name: Client/Server with Sbom scanning - reports tests - run: > - kubectl create namespace e2e-test - - ./bin/kuttl test --start-kind=false --namespace e2e-test --config tests/e2e/config/client-server-sbom.yaml - - ./tests/resources-cleanup.sh > /dev/null 2>&1 - - name: file system with Sbom scanning - reports tests - run: > - kubectl create namespace e2e-test - - ./bin/kuttl test --start-kind=false --namespace e2e-test --config tests/e2e/config/fs-sbom.yaml - - ./tests/resources-cleanup.sh > /dev/null 2>&1 - - name: Node scan producing cluster infraassessment report - run: > - kubectl create namespace e2e-test - - ./bin/kuttl test --start-kind=false --namespace e2e-test --config tests/e2e/config/node-collector.yaml - - ./tests/resources-cleanup.sh > /dev/null 2>&1 - - name: Cluster vulnerabilities report - run: > - ./bin/kuttl test --start-kind=false --config tests/e2e/config/cluster-scan.yaml - - - name: The job has failed - print the logs - if: ${{ failure() }} - run: > - kubectl logs -n trivy-system deployment/trivy-operator - - - name: Delete kind cluster - run: | - kind delete cluster diff --git a/.github/workflows/chart-testing.yaml b/.github/workflows/chart-testing.yaml index 2d63443de..e69de29bb 100644 --- a/.github/workflows/chart-testing.yaml +++ b/.github/workflows/chart-testing.yaml 
@@ -1,92 +0,0 @@ ---- -name: Helm -on: - push: - branches: - - main - paths: - - deploy/** - pull_request: - branches: - - main - paths: - - deploy/** -env: - KIND_VERSION: v0.17.0 - KIND_IMAGE: kindest/node:v1.21.1@sha256:69860bda5563ac81e3c0057d654b5253219618a22ec3a346306239bba8cfa1a6 - GO_VERSION: '1.23' -permissions: {} -concurrency: - group: ${{ github.workflow }}-${{ github.ref }} - cancel-in-progress: true -jobs: - chart-testing: - name: Run chart testing - runs-on: ubuntu-22.04 - env: - DOCKER_CLI_EXPERIMENTAL: enabled - steps: - - name: Set up QEMU - uses: docker/setup-qemu-action@v3 - - name: Set up Docker Buildx - id: buildx - uses: docker/setup-buildx-action@v3 - - name: Available platforms - run: echo ${{ steps.buildx.outputs.platforms }} - - name: Checkout code - uses: actions/checkout@v4 - - name: Setup Go - uses: actions/setup-go@v5 - with: - go-version: ${{ env.GO_VERSION }} - - name: Release snapshot - uses: goreleaser/goreleaser-action@v6 - with: - version: v2.4.8 - args: release -f=goreleaser-e2e.yaml --snapshot --skip=publish --clean - - - name: Install kind and create cluster - run: | - curl -Lo ./kind https://kind.sigs.k8s.io/dl/${{ env.KIND_VERSION }}/kind-linux-amd64 - chmod +x ./kind - sudo mv ./kind /usr/local/bin/kind - kind create cluster - curl -LO https://dl.k8s.io/release/v1.26.0/bin/linux/amd64/kubectl - sudo install -o root -g root -m 0755 kubectl /usr/local/bin/kubectl - - name: Test connection to Kubernetes cluster - run: | - kubectl cluster-info - kubectl wait --for=condition=Ready nodes --all --timeout=300s - kubectl describe node - - name: Install helm and yq - run: > - curl -fsSL -o get_helm.sh - https://raw.githubusercontent.com/helm/helm/main/scripts/get-helm-3 - - chmod 700 get_helm.sh - - name: update appVersion - uses: mikefarah/yq@master - with: - cmd: yq -i '.appVersion = "ct"' ./deploy/helm/Chart.yaml - - name: Load operator image to cluster - run: > - docker tag mirror.gcr.io/aquasec/trivy-operator:${{ github.sha 
}}-amd64 - mirror.gcr.io/aquasec/trivy-operator:ct - - docker save -o trivy-operator.tar mirror.gcr.io/aquasec/trivy-operator:ct - - kind load image-archive trivy-operator.tar - - name: Set up python - uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a2b - with: - python-version: 3.7 - - name: Setup chart-testing - id: lint - uses: helm/chart-testing-action@v2.7.0 - - name: Install yamllint - run: pip install yamllint - - name: Run chart-testing - run: ct lint-and-install --validate-maintainers=false --charts deploy/helm - - name: Delete kind cluster - run: | - kind delete cluster diff --git a/.github/workflows/private-registries.yaml b/.github/workflows/private-registries.yaml index f9c5507c8..e69de29bb 100644 --- a/.github/workflows/private-registries.yaml +++ b/.github/workflows/private-registries.yaml 
@@ -1,117 +0,0 @@ ---- -name: Private Registries E2E -on: - push: - branches: - - main - paths-ignore: - - .github/ISSUE_TEMPLATE/*.md - - "*.md" - - docs/** - - mkdocs.yml - - LICENSE - - NOTICE - pull_request_target: - branches: - - main - paths-ignore: - - .github/ISSUE_TEMPLATE/*.md - - "*.md" - - docs/** - - mkdocs.yml - - LICENSE - - NOTICE -env: - KIND_VERSION: v0.17.0 - KIND_IMAGE: kindest/node:v1.21.1@sha256:69860bda5563ac81e3c0057d654b5253219618a22ec3a346306239bba8cfa1a6 - GO_VERSION: '1.23' -permissions: {} -concurrency: - group: ${{ github.workflow }}-${{ github.ref }} - cancel-in-progress: true -jobs: - private-registry-testing: - name: private registry testing - runs-on: ubuntu-22.04 - env: - DOCKER_CLI_EXPERIMENTAL: enabled - steps: - - name: Set up QEMU - uses: docker/setup-qemu-action@v3 - - name: Set up Docker Buildx - id: buildx - uses: docker/setup-buildx-action@v3 - - name: Available platforms - run: echo ${{ steps.buildx.outputs.platforms }} - - name: Checkout code - uses: actions/checkout@v4 - - name: Setup Go - uses: actions/setup-go@v5 - with: - go-version: ${{ env.GO_VERSION }} - - name: Release snapshot - uses: goreleaser/goreleaser-action@v6 - with: - version: v2.4.8 - args: release -f=goreleaser-e2e.yaml --snapshot --skip=publish --clean - - name: Install kind and create cluster - run: > - curl -Lo ./kind https://kind.sigs.k8s.io/dl/${{ env.KIND_VERSION - }}/kind-linux-amd64 - - chmod +x ./kind - - sudo mv ./kind /usr/local/bin/kind - - kind create cluster - - curl -LO https://dl.k8s.io/release/v1.26.0/bin/linux/amd64/kubectl - - sudo install -o root -g root -m 0755 kubectl /usr/local/bin/kubectl - - name: Test connection to Kubernetes cluster - run: | - kubectl cluster-info - kubectl wait --for=condition=Ready nodes --all --timeout=300s - kubectl describe node - kubectl create namespace private - - kubectl create secret docker-registry artcred \ - --docker-server=https://index.docker.io/v1 \ - --docker-username=${{ 
secrets.DOCKERHUB_USER }} \ - --docker-password=${{ secrets.DOCKERHUB_TOKEN }} \ - --docker-email=private@gmail.com \ - -n private - - name: Load operator image to cluster - run: > - docker tag mirror.gcr.io/aquasec/trivy-operator:${{ github.sha }}-amd64 - mirror.gcr.io/aquasec/trivy-operator:e2e - - docker save -o trivy-operator.tar mirror.gcr.io/aquasec/trivy-operator:e2e - - kind load image-archive trivy-operator.tar - - name: Init E2E tests (Install kuttl & helm) - run: > - mkdir -p ./bin - - curl -L https://github.com/kudobuilder/kuttl/releases/download/v0.15.0/kubectl-kuttl_0.15.0_linux_x86_64 -o ./bin/kuttl; - - chmod +x ./bin/kuttl; - - curl -fsSL -o get_helm.sh https://raw.githubusercontent.com/helm/helm/main/scripts/get-helm-3 - - chmod 700 get_helm.sh - - ./get_helm.sh - - name: image private registries via pod image pull secret tests - run: > - ./bin/kuttl test --start-kind=false --config tests/e2e/config/image-private-registries.yaml - - ./tests/resources-cleanup-private.sh > /dev/null 2>&1 - - name: image private registries via service account image pull secret tests - run: > - ./bin/kuttl test --start-kind=false --config tests/e2e/config/image-private-registries-sa.yaml - - ./tests/resources-cleanup-private.sh > /dev/null 2>&1 - - name: Delete kind cluster - run: | - kind delete cluster diff --git a/.github/workflows/publish-docs.yaml b/.github/workflows/publish-docs.yaml index 56802db29..e69de29bb 100644 --- a/.github/workflows/publish-docs.yaml +++ b/.github/workflows/publish-docs.yaml 
@@ -1,59 +0,0 @@ ---- -# This is a manually triggered workflow to build and publish the MkDocs from the -# specified Git revision to GitHub pages on https://aquasecurity.github.io/trivy-operator. -name: Publish documentation - -on: - repository_dispatch: - types: [publish-docs] - workflow_dispatch: - inputs: - ref: - description: The branch, tag or SHA to deploy, e.g. v0.0.1 - required: true - -# Disable permissions granted to the GITHUB_TOKEN for all the available scopes. -permissions: {} - -jobs: - deploy: - name: Deploy documentation - runs-on: ubuntu-latest - permissions: - contents: write - steps: - - name: Checkout main - if: github.event.inputs.ref == '' - uses: actions/checkout@v4 - with: - fetch-depth: 0 - ref: ${{ github.event.client_payload.tag }} - persist-credentials: true - - name: Checkout main - if: github.event.inputs.ref != '' - uses: actions/checkout@v4 - with: - fetch-depth: 0 - ref: ${{ github.event.inputs.ref }} - persist-credentials: true - - uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a2b - with: - python-version: 3.x - - run: | - pip install git+https://${GH_TOKEN}@github.com/squidfunk/mkdocs-material-insiders.git - pip install mike - pip install mkdocs-macros-plugin - env: - # Note: It is not the same as ${{ secrets.GITHUB_TOKEN }} ! - GH_TOKEN: ${{ secrets.MKDOCS_AQUA_BOT }} - - run: | - git config user.name "aqua-bot" - git config user.email "aqua-bot@users.noreply.github.com" - - name: Checkout main input - if: github.event.inputs.ref != '' - run: | - mike deploy --push --update-aliases ${{ github.event.inputs.ref }} latest - - name: Checkout main release - if: github.event.inputs.ref == '' - run: | - mike deploy --push --update-aliases ${{ github.event.client_payload.tag }} latest diff --git a/.github/workflows/publish-helm-chart.yaml b/.github/workflows/publish-helm-chart.yaml index 6b1264e0b..e69de29bb 100644 --- a/.github/workflows/publish-helm-chart.yaml +++ b/.github/workflows/publish-helm-chart.yaml 
@@ -1,107 +0,0 @@ ---- -# This is a manually triggered workflow to package and upload the Helm chart from the -# main branch to Aqua Security repository at https://github.com/aquasecurity/helm-charts. -name: Publish Helm chart -on: - repository_dispatch: - types: [publish-chart] - paths: - - deploy/helm/Chart.yaml -env: - CR_PACKAGE_PATH: .cr-release-packages - HELM_REP: helm-charts - GH_OWNER: aquasecurity - CHART_DIR: deploy/helm - KIND_VERSION: v0.17.0 - KIND_IMAGE: kindest/node:v1.21.1@sha256:69860bda5563ac81e3c0057d654b5253219618a22ec3a346306239bba8cfa1a6 -jobs: - release: - # this job will only run if the PR has been merged - if: github.event.client_payload.action == 'chart-release' || github.event.client_payload.action == 'chart-and-app-release' - permissions: - contents: write # for peter-evans/repository-dispatch to create a repository dispatch event - packages: write # to push OCI chart package to GitHub Registry - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v4 - with: - fetch-depth: 0 - - name: Install Helm - uses: azure/setup-helm@fe7b79cd5ee1e45176fcad797de68ecaf3ca4814 # v4.2.0 - with: - version: v3.14.2 - - name: Set up python - uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a2b # v5.3.0 - with: - python-version: 3.7 - - name: Setup Chart Linting - id: lint - uses: helm/chart-testing-action@v2.7.0 - - name: Setup Kubernetes cluster (KIND) - uses: helm/kind-action@v1.12.0 # v1.5.0 - with: - version: ${{ env.KIND_VERSION }} - node_image: ${{ env.KIND_IMAGE }} - - name: Run chart-testing - run: ct lint-and-install --validate-maintainers=false --charts deploy/helm - - name: Install chart-releaser - run: | - wget https://github.com/helm/chart-releaser/releases/download/v1.3.0/chart-releaser_1.3.0_linux_amd64.tar.gz - echo "baed2315a9bb799efb71d512c5198a2a3b8dcd139d7f22f878777cffcd649a37 chart-releaser_1.3.0_linux_amd64.tar.gz" | sha256sum -c - - tar xzvf chart-releaser_1.3.0_linux_amd64.tar.gz cr - - name: Package helm 
chart - run: | - ./cr package ${{ env.CHART_DIR }} - - # Classic helm repository with GitHub pages - - name: Upload helm chart - # Failed with upload the same version: https://github.com/helm/chart-releaser/issues/101 - continue-on-error: true - run: | - ./cr upload -o ${{ env.GH_OWNER }} -r ${{ env.HELM_REP }} --token ${{ secrets.ORG_REPO_TOKEN }} - - name: Index helm chart - run: | - ./cr index -o ${{ env.GH_OWNER }} -r ${{ env.HELM_REP }} -c https://${{ env.GH_OWNER }}.github.io/${{ env.HELM_REP }}/ -i index.yaml - - name: Push index file - uses: dmnemec/copy_file_to_another_repo_action@c93037aa10fa8893de271f19978c980d0c1a9b37 # v1.1.1 - env: - API_TOKEN_GITHUB: ${{ secrets.ORG_REPO_TOKEN }} - with: - source_file: "index.yaml" - destination_repo: "${{ env.GH_OWNER }}/${{ env.HELM_REP }}" - destination_folder: "." - destination_branch: "gh-pages" - user_email: aqua-bot@users.noreply.github.com - user_name: "aqua-bot" - - # OCI registry as helm repository (helm 3.8+) - - name: Login to GHCR - uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0 - with: - registry: ghcr.io - username: ${{ github.actor }} - password: ${{ secrets.GITHUB_TOKEN }} - - - name: Push chart to GHCR - run: | - shopt -s nullglob - for pkg in ${{ env.CR_PACKAGE_PATH }}/*.tgz; do - if [ -z "${pkg:-}" ]; then - break - fi - helm push "${pkg}" oci://ghcr.io/${{ env.GH_OWNER }}/${{ env.HELM_REP }} - done - - - name: Get latest tag - id: latest_tag - run: | - latest_tag=$(git describe --tags --abbrev=0) - echo "::set-output name=tag::$latest_tag" - - - name: Repository Dispatch Publish docs - if: github.event.client_payload.action == 'chart-and-app-release' && !contains(steps.latest_tag.outputs.tag, 'rc') - uses: peter-evans/repository-dispatch@v3 - with: - token: ${{ secrets.GITHUB_TOKEN }} - event-type: publish-docs - client-payload: '{"action": "docs-release", "tag": "${{ steps.latest_tag.outputs.tag }}"}' 
diff --git a/.github/workflows/release-snapshot.yaml b/.github/workflows/release-snapshot.yaml index 29b3cb0f2..e69de29bb 100644 --- a/.github/workflows/release-snapshot.yaml +++ b/.github/workflows/release-snapshot.yaml @@ -1,63 +0,0 @@ ---- -# Release snapshot on CRON schedule (every night) or on demand. -name: Release snapshot - -on: - workflow_dispatch: {} - schedule: - - cron: "0 0 * * *" - -env: - GO_VERSION: '1.23' - -# Disable permissions granted to the GITHUB_TOKEN for all the available scopes. -permissions: {} - -jobs: - release-snapshot: - name: Release unversioned snapshot - runs-on: ubuntu-latest - env: - DOCKER_CLI_EXPERIMENTAL: "enabled" - permissions: - id-token: write - steps: - - name: Set up QEMU - uses: docker/setup-qemu-action@v3 - - name: Set up Docker Buildx - id: buildx - uses: docker/setup-buildx-action@v3 - - name: Available platforms - run: echo ${{ steps.buildx.outputs.platforms }} - - name: Checkout code - uses: actions/checkout@v4 - - name: Setup Go - uses: actions/setup-go@v5 - with: - go-version: ${{ env.GO_VERSION }} - - name: Install cosign - uses: sigstore/cosign-installer@v3.7.0 - - name: Release snapshot - uses: goreleaser/goreleaser-action@v6 - with: - version: v2.4.8 - args: release -f=goreleaser-e2e.yaml --snapshot --skip=publish --clean - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - COSIGN_EXPERIMENTAL: 1 - - name: Scan Trivy Operator image for vulnerabilities - uses: aquasecurity/trivy-action@master - with: - image-ref: 'mirror.gcr.io/aquasec/trivy-operator:${{ github.sha }}-amd64' - exit-code: '1' - ignore-unfixed: true - severity: 'CRITICAL,HIGH' - - name: Notify dedicated teams channel - uses: jdcargile/ms-teams-notification@v1.4 - if: failure() - with: - github-token: ${{ secrets.ORG_REPO_TOKEN }} - ms-teams-webhook-uri: ${{ secrets.MS_TEAMS_WEBHOOK_URI }} - notification-summary: vulnerabilities has been found in trivy-operator image - notification-color: 17a2b8 - timezone: America/Denver 
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml index c0b5f17d5..1c5c51304 100644 --- a/.github/workflows/release.yaml +++ b/.github/workflows/release.yaml @@ -32,41 +32,6 @@ jobs: aqua_version: v1.25.0 - name: Run unit tests run: mage test:unit - # itest-trivy-operator: - # name: Run integration tests / Trivy Operator - # needs: - # - tests - # runs-on: ubuntu-latest - # timeout-minutes: 15 - # steps: - # - name: Checkout code - # uses: actions/checkout@v4 - # - name: Setup Go - # uses: actions/setup-go@v5 - # with: - # go-version: ${{ env.GO_VERSION }} - # - name: Install tools - # uses: aquaproj/aqua-installer@v3.1.1 - # with: - # aqua_version: v1.25.0 - # - name: Setup Kubernetes cluster (KIND) - # uses: engineerd/setup-kind@v0.6.2 - # with: - # version: ${{ env.KIND_VERSION }} - # image: ${{ env.KIND_IMAGE }} - # - name: Test connection to Kubernetes cluster - # run: | - # kubectl cluster-info - # kubectl wait --for=condition=Ready nodes --all --timeout=300s - # kubectl describe node - # - name: Run integration tests - # run: | - # kubectl create -k deploy/static - # mage test:integration - # env: - # KUBECONFIG: /home/runner/.kube/config - # OPERATOR_NAMESPACE: trivy-system - # OPERATOR_TARGET_NAMESPACES: default release: name: Release needs: @@ -96,11 +61,12 @@ jobs: go-version: ${{ env.GO_VERSION }} - name: Install cosign uses: sigstore/cosign-installer@v3.7.0 - - name: Login to docker.io registry + - name: Login to ghcr registry uses: docker/login-action@v3.3.0 with: - username: ${{ secrets.DOCKERHUB_USER }} - password: ${{ secrets.DOCKERHUB_TOKEN }} + registry: ghcr.io + username: ${{ github.actor }} + password: ${{ secrets.GITHUB_TOKEN }} - name: Release uses: goreleaser/goreleaser-action@v6 with: 
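Review bot: The new `Login to ghcr registry` step authenticates with `secrets.GITHUB_TOKEN`, but nothing in this hunk grants the `release` job `packages: write`, and the sibling workflows deleted in this commit all start from `permissions: {}`; if release.yaml does the same, the image push that the following goreleaser step appears to perform (its `dockers` templates now target ghcr.io) will be refused by ghcr.io with an authorization error. The job's `permissions` block is outside the hunk, so verify it and add `packages: write` alongside whatever `contents` and `id-token` scopes the release already needs. Separately, `uses: docker/login-action@v3.3.0` pins the action by a mutable tag while the removed publish-helm-chart workflow pinned the same version as `uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0`; pinning by commit SHA here keeps the release job's supply chain at the standard the repository already used. The `release` job's step list begins before this hunk.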
@@ -109,10 +75,3 @@ jobs: env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} COSIGN_EXPERIMENTAL: 1 - - name: Repository Dispatch Publish Helm Chart - if: ${{ steps.latest_tag.outputs.tag == steps.chart_version.outputs.app_version }} - uses: peter-evans/repository-dispatch@v3 - with: - token: ${{ secrets.GITHUB_TOKEN }} - event-type: publish-chart - client-payload: '{"action": "chart-and-app-release"}' diff --git a/.github/workflows/title_checker-labeler.yaml b/.github/workflows/title_checker-labeler.yaml deleted file mode 100644 index 67df1d494..000000000 --- a/.github/workflows/title_checker-labeler.yaml +++ /dev/null @@ -1,37 +0,0 @@ -name: "Lint PR title and label" - -on: - pull_request_target: - types: - - opened - - edited - - synchronize - - reopened - -jobs: - pr-title-checker: - name: Validate PR title - runs-on: ubuntu-latest - steps: - - uses: amannn/action-semantic-pull-request@v5 - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - with: - types: | - feat - fix - docs - style - refactor - perf - test - build - ci - sec - chore - release - revert - - name: Label the PR - uses: gerrymanoim/pr-prefix-labeler@v3 - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/validate-chart-appVersion.yaml b/.github/workflows/validate-chart-appVersion.yaml deleted file mode 100644 index 6b0520026..000000000 --- a/.github/workflows/validate-chart-appVersion.yaml +++ /dev/null 
@@ -1,41 +0,0 @@ -name: Chart-Content -on: - pull_request_target: - types: - - closed - paths: - - deploy/helm/Chart.yaml - -jobs: - appVersion-validation: - if: github.event.pull_request.merged == true - runs-on: ubuntu-latest - permissions: - contents: write - pull-requests: write - - steps: - - name: Check out code - uses: actions/checkout@v4 - with: - fetch-depth: 0 - - - name: Get latest tag - id: latest_tag - run: | - latest_tag=$(git describe --tags --abbrev=0 | sed 's/v//') - echo "::set-output name=tag::$latest_tag" - - - name: Read Chart.yaml appVersion - id: chart_version - run: | - app_version=$(grep -E '^appVersion:' deploy/helm/Chart.yaml | awk '{print $2}') - echo "::set-output name=app_version::$app_version" - - - name: Repository Dispatch Publish Helm Chart - if: ${{ steps.latest_tag.outputs.tag == steps.chart_version.outputs.app_version }} - uses: peter-evans/repository-dispatch@v3 - with: - token: ${{ secrets.GITHUB_TOKEN }} - event-type: publish-chart - client-payload: '{"action": "chart-release"}' diff --git a/.goreleaser.yaml b/.goreleaser.yaml index 5cf36ee0c..11bf24b7c 100644 --- a/.goreleaser.yaml +++ b/.goreleaser.yaml @@ -68,7 +68,7 @@ changelog: order: 9999 dockers: - image_templates: - - "docker.io/martinwrona/trivy-operator:{{ .Version }}-amd64" + - "ghcr.io/digitecgalaxus/trivy-operator:{{ .Version }}-amd64" use: buildx goos: linux dockerfile: build/trivy-operator/Dockerfile 
@@ -81,12 +81,12 @@ dockers: - "--label=org.opencontainers.image.vendor=Aqua Security" - "--label=org.opencontainers.image.version={{ .Version }}" - "--label=org.opencontainers.image.created={{ .Date }}" - - "--label=org.opencontainers.image.source=https://github.com/aquasecurity/trivy-operator" + - "--label=org.opencontainers.image.source=https://github.com/digitecgalaxus/trivy-operator" - "--label=org.opencontainers.image.revision={{ .FullCommit }}" - "--label=org.opencontainers.image.documentation=https://aquasecurity.github.io/trivy-operator/v{{ .Version }}/" - "--platform=linux/amd64" - image_templates: - - "docker.io/martinwrona/trivy-operator:{{ .Version }}-ubi8-amd64" + - "ghcr.io/digitecgalaxus/trivy-operator:{{ .Version }}-ubi8-amd64" use: buildx goos: linux dockerfile: build/trivy-operator/Dockerfile.ubi8 @@ -99,12 +99,12 @@ dockers: - "--label=org.opencontainers.image.vendor=Aqua Security" - "--label=org.opencontainers.image.version={{ .Version }}" - "--label=org.opencontainers.image.created={{ .Date }}" - - "--label=org.opencontainers.image.source=https://github.com/aquasecurity/trivy-operator" + - "--label=org.opencontainers.image.source=https://github.com/digitecgalaxus/trivy-operator" - "--label=org.opencontainers.image.revision={{ .FullCommit }}" - "--label=org.opencontainers.image.documentation=https://aquasecurity.github.io/trivy-operator/v{{ .Version }}/" - "--platform=linux/amd64" - image_templates: - - "docker.io/martinwrona/trivy-operator:{{ .Version }}-arm64" + - "ghcr.io/digitecgalaxus/trivy-operator:{{ .Version }}-arm64" use: buildx goos: linux dockerfile: build/trivy-operator/Dockerfile 
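Review bot: Each `dockers` entry now sets `org.opencontainers.image.source` to the fork, but the adjacent `org.opencontainers.image.vendor=Aqua Security` and `org.opencontainers.image.documentation=https://aquasecurity.github.io/...` labels still identify the upstream project, so consumers inspecting the published ghcr.io image get mixed provenance. If keeping the upstream vendor and documentation labels is deliberate, a comment above the first `build_flag_templates` such as `# vendor/documentation labels intentionally left pointing at upstream aquasecurity` would make that explicit; otherwise update them together with `source`. The same pattern repeats in the hunks at `@@ -99`, `@@ -117`, `@@ -135`, `@@ -153`, `@@ -171`, `@@ -189` and `@@ -207`.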
@@ -117,12 +117,12 @@ dockers: - "--label=org.opencontainers.image.vendor=Aqua Security" - "--label=org.opencontainers.image.version={{ .Version }}" - "--label=org.opencontainers.image.created={{ .Date }}" - - "--label=org.opencontainers.image.source=https://github.com/aquasecurity/trivy-operator" + - "--label=org.opencontainers.image.source=https://github.com/digitecgalaxus/trivy-operator" - "--label=org.opencontainers.image.revision={{ .FullCommit }}" - "--label=org.opencontainers.image.documentation=https://aquasecurity.github.io/trivy-operator/v{{ .Version }}/" - "--platform=linux/arm64" - image_templates: - - "docker.io/martinwrona/trivy-operator:{{ .Version }}-ubi8-arm64" + - "ghcr.io/digitecgalaxus/trivy-operator:{{ .Version }}-ubi8-arm64" use: buildx goos: linux dockerfile: build/trivy-operator/Dockerfile.ubi8 @@ -135,12 +135,12 @@ dockers: - "--label=org.opencontainers.image.vendor=Aqua Security" - "--label=org.opencontainers.image.version={{ .Version }}" - "--label=org.opencontainers.image.created={{ .Date }}" - - "--label=org.opencontainers.image.source=https://github.com/aquasecurity/trivy-operator" + - "--label=org.opencontainers.image.source=https://github.com/digitecgalaxus/trivy-operator" - "--label=org.opencontainers.image.revision={{ .FullCommit }}" - "--label=org.opencontainers.image.documentation=https://aquasecurity.github.io/trivy-operator/v{{ .Version }}/" - "--platform=linux/arm64" - image_templates: - - "docker.io/martinwrona/trivy-operator:{{ .Version }}-s390x" + - "ghcr.io/digitecgalaxus/trivy-operator:{{ .Version }}-s390x" use: buildx goos: linux dockerfile: build/trivy-operator/Dockerfile 
@@ -153,12 +153,12 @@ dockers: - "--label=org.opencontainers.image.vendor=Aqua Security" - "--label=org.opencontainers.image.version={{ .Version }}" - "--label=org.opencontainers.image.created={{ .Date }}" - - "--label=org.opencontainers.image.source=https://github.com/aquasecurity/trivy-operator" + - "--label=org.opencontainers.image.source=https://github.com/digitecgalaxus/trivy-operator" - "--label=org.opencontainers.image.revision={{ .FullCommit }}" - "--label=org.opencontainers.image.documentation=https://aquasecurity.github.io/trivy-operator/v{{ .Version }}/" - "--platform=linux/s390x" - image_templates: - - "docker.io/martinwrona/trivy-operator:{{ .Version }}-ppc64le" + - "ghcr.io/digitecgalaxus/trivy-operator:{{ .Version }}-ppc64le" use: buildx goos: linux dockerfile: build/trivy-operator/Dockerfile @@ -171,12 +171,12 @@ dockers: - "--label=org.opencontainers.image.vendor=Aqua Security" - "--label=org.opencontainers.image.version={{ .Version }}" - "--label=org.opencontainers.image.created={{ .Date }}" - - "--label=org.opencontainers.image.source=https://github.com/aquasecurity/trivy-operator" + - "--label=org.opencontainers.image.source=https://github.com/digitecgalaxus/trivy-operator" - "--label=org.opencontainers.image.revision={{ .FullCommit }}" - "--label=org.opencontainers.image.documentation=https://aquasecurity.github.io/trivy-operator/v{{ .Version }}/" - "--platform=linux/ppc64le" - image_templates: - - "docker.io/martinwrona/trivy-operator:{{ .Version }}-ubi8-s390x" + - "ghcr.io/digitecgalaxus/trivy-operator:{{ .Version }}-ubi8-s390x" use: buildx goos: linux dockerfile: build/trivy-operator/Dockerfile.ubi8 
@@ -189,12 +189,12 @@ dockers: - "--label=org.opencontainers.image.vendor=Aqua Security" - "--label=org.opencontainers.image.version={{ .Version }}" - "--label=org.opencontainers.image.created={{ .Date }}" - - "--label=org.opencontainers.image.source=https://github.com/aquasecurity/trivy-operator" + - "--label=org.opencontainers.image.source=https://github.com/digitecgalaxus/trivy-operator" - "--label=org.opencontainers.image.revision={{ .FullCommit }}" - "--label=org.opencontainers.image.documentation=https://aquasecurity.github.io/trivy-operator/v{{ .Version }}/" - "--platform=linux/s390x" - image_templates: - - "docker.io/martinwrona/trivy-operator:{{ .Version }}-ubi8-ppc64le" + - "ghcr.io/digitecgalaxus/trivy-operator:{{ .Version }}-ubi8-ppc64le" use: buildx goos: linux dockerfile: build/trivy-operator/Dockerfile.ubi8 
@@ -207,23 +207,23 @@ dockers: - "--label=org.opencontainers.image.vendor=Aqua Security" - "--label=org.opencontainers.image.version={{ .Version }}" - "--label=org.opencontainers.image.created={{ .Date }}" - - "--label=org.opencontainers.image.source=https://github.com/aquasecurity/trivy-operator" + - "--label=org.opencontainers.image.source=https://github.com/digitecgalaxus/trivy-operator" - "--label=org.opencontainers.image.revision={{ .FullCommit }}" - "--label=org.opencontainers.image.documentation=https://aquasecurity.github.io/trivy-operator/v{{ .Version }}/" - "--platform=linux/ppc64le" docker_manifests: - - name_template: "martinwrona/trivy-operator:{{ .Version }}" + - name_template: "ghcr.io/digitecgalaxus/trivy-operator:{{ .Version }}" image_templates: - - "martinwrona/trivy-operator:{{ .Version }}-amd64" - - "martinwrona/trivy-operator:{{ .Version }}-arm64" - - "martinwrona/trivy-operator:{{ .Version }}-s390x" - - "martinwrona/trivy-operator:{{ .Version }}-ppc64le" - - name_template: "martinwrona/trivy-operator:{{ .Version }}-ubi8" + - "ghcr.io/digitecgalaxus/trivy-operator:{{ .Version }}-amd64" + - "ghcr.io/digitecgalaxus/trivy-operator:{{ .Version }}-arm64" + - "ghcr.io/digitecgalaxus/trivy-operator:{{ .Version }}-s390x" + - "ghcr.io/digitecgalaxus/trivy-operator:{{ .Version }}-ppc64le" + - name_template: "ghcr.io/digitecgalaxus/trivy-operator:{{ .Version }}-ubi8" image_templates: - - "martinwrona/trivy-operator:{{ .Version }}-ubi8-amd64" - - "martinwrona/trivy-operator:{{ .Version }}-ubi8-arm64" - - "martinwrona/trivy-operator:{{ .Version }}-ubi8-s390x" - - "martinwrona/trivy-operator:{{ .Version }}-ubi8-ppc64le" + - "ghcr.io/digitecgalaxus/trivy-operator:{{ .Version }}-ubi8-amd64" + - "ghcr.io/digitecgalaxus/trivy-operator:{{ .Version }}-ubi8-arm64" + - "ghcr.io/digitecgalaxus/trivy-operator:{{ .Version }}-ubi8-s390x" + - "ghcr.io/digitecgalaxus/trivy-operator:{{ .Version }}-ubi8-ppc64le" signs: - cmd: cosign 
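Review bot: The `source` label now points at the fork while `--label=org.opencontainers.image.vendor=Aqua Security` and the `documentation` URL (`https://aquasecurity.github.io/trivy-operator/v{{ .Version }}/`) in the same hunk still name upstream, so images published as `ghcr.io/digitecgalaxus/trivy-operator` carry provenance metadata attributing them to a vendor that did not build them, and the docs link for a fork version such as v0.0.1 resolves to an upstream page that never shipped it. Set the vendor label to the fork's organization and point `documentation` at the fork's own README so anyone inspecting the image labels sees who actually produced the artifact. The `signs:` block that begins at `- cmd: cosign` continues past the hunk; if it signs keylessly, the certificate identity is now the fork's workflow rather than upstream's, and consumers pinning `--certificate-identity` to upstream will fail verification, which is worth confirming and documenting alongside the fork notice.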
diff --git a/README.md b/README.md index 1b5ad179d..b0f2546fd 100644 --- a/README.md +++ b/README.md @@ -12,6 +12,21 @@ [![Artifact Hub](https://img.shields.io/endpoint?url=https://artifacthub.io/badge/repository/trivy-operator)](https://artifacthub.io/packages/helm/trivy-operator/trivy-operator) +# Reason for the Fork +We're running AKS with Azure CNI Powered by Cilium. +Without the fork we exhaust the cilium identity buffer because of the cardinality of trivy job/pod labels. +At the moment it's not possible to configure which labels should be used by cilium as it would be possible with a self managed CNI. [See cilium doc](https://docs.cilium.io/en/stable/operations/performance/scalability/identity-relevant-labels/) +We created an issue for AKS without the expectation to be solve it in the near feature. [See github issue](https://github.com/Azure/AKS/issues/4608) + +As a workaround we changed the label assignment to the by default ignored "annotation.*". +Additionaly Azure CNI Powered by Cilium does not exclude the controller-uid label so that we had to change the job<->pod default behavior using "manualSelector: true" in the job definition. + +### Release +``` +git tag -a v0.0.1 -m 'Release v0.0.1' +git push origin v0.0.1 +``` + # Introduction The Trivy Operator leverages [Trivy](https://github.com/aquasecurity/trivy) to continuously scan your Kubernetes cluster for security issues. The scans are summarised in security reports as Kubernetes [Custom Resource Definitions], which become accessible through the Kubernetes API. The Operator does this by watching Kubernetes for state changes and automatically triggering security scans in response. For example, a vulnerability scan is initiated when a new Pod is created. diff --git a/docs/docs/crds/clustervulnerability-report.md b/docs/docs/crds/clustervulnerability-report.md index 8ed403dd6..5169812a1 100644 --- a/docs/docs/crds/clustervulnerability-report.md +++ b/docs/docs/crds/clustervulnerability-report.md 
@@ -16,7 +16,7 @@ metadata: creationTimestamp: "2023-11-30T08:29:43Z" generation: 1 labels: - resource-spec-hash: 6b5887445b + annotation.resource-spec-hash: 6b5887445b annotation.trivy-operator.container.name: k8s-cluster annotation.trivy-operator.resource.kind: ClusterSbomReport annotation.trivy-operator.resource.name: 584b5cdcd5 diff --git a/docs/docs/crds/configaudit-report.md b/docs/docs/crds/configaudit-report.md index ad91c67a0..cc2a326d3 100644 --- a/docs/docs/crds/configaudit-report.md +++ b/docs/docs/crds/configaudit-report.md @@ -20,7 +20,7 @@ metadata: annotation.trivy-operator.resource.name: nginx-6d4cf56db6 annotation.trivy-operator.resource.namespace: default plugin-config-hash: 7f65d98b75 - resource-spec-hash: 7cb64cb677 + annotation.resource-spec-hash: 7cb64cb677 uid: d5cf8847-c96d-4534-beb9-514a34230302 ownerReferences: - apiVersion: apps/v1 diff --git a/docs/docs/crds/exposedsecret-report.md b/docs/docs/crds/exposedsecret-report.md index 8501c646e..5877d91ae 100644 --- a/docs/docs/crds/exposedsecret-report.md +++ b/docs/docs/crds/exposedsecret-report.md @@ -14,7 +14,7 @@ metadata: creationTimestamp: "2022-06-29T14:25:54Z" generation: 2 labels: - resource-spec-hash: 8495697ff5 + annotation.resource-spec-hash: 8495697ff5 annotation.trivy-operator.container.name: app annotation.trivy-operator.resource.kind: ReplicaSet annotation.trivy-operator.resource.name: app-67b77f5965 diff --git a/docs/docs/crds/infraassessment-report.md b/docs/docs/crds/infraassessment-report.md index 3edcae397..84473c31e 100644 --- a/docs/docs/crds/infraassessment-report.md +++ b/docs/docs/crds/infraassessment-report.md @@ -23,7 +23,7 @@ metadata: generation: 1 labels: plugin-config-hash: 659b7b9c46 - resource-spec-hash: 56fd79dd67 + annotation.resource-spec-hash: 56fd79dd67 annotation.trivy-operator.resource.kind: Pod annotation.trivy-operator.resource.name: kube-apiserver-minikube annotation.trivy-operator.resource.namespace: kube-system 
diff --git a/docs/docs/crds/rbacassessment-report.md b/docs/docs/crds/rbacassessment-report.md index b2c811a90..ec8328d44 100644 --- a/docs/docs/crds/rbacassessment-report.md +++ b/docs/docs/crds/rbacassessment-report.md @@ -18,7 +18,7 @@ metadata: generation: 1 labels: plugin-config-hash: 659b7b9c46 - resource-spec-hash: 59b6bf95c6 + annotation.resource-spec-hash: 59b6bf95c6 annotation.trivy-operator.resource.kind: Role annotation.trivy-operator.resource.name-hash: 868458b9d6 annotation.trivy-operator.resource.namespace: default diff --git a/docs/docs/crds/sbom-report.md b/docs/docs/crds/sbom-report.md index b27c07db0..79c1ee19d 100644 --- a/docs/docs/crds/sbom-report.md +++ b/docs/docs/crds/sbom-report.md @@ -16,7 +16,7 @@ metadata: creationTimestamp: "2023-07-10T09:37:21Z" generation: 1 labels: - resource-spec-hash: 796669cd5d + annotation.resource-spec-hash: 796669cd5d annotation.trivy-operator.container.name: kube-apiserver annotation.trivy-operator.resource.kind: Pod annotation.trivy-operator.resource.name: kube-apiserver-kind-control-plane diff --git a/docs/docs/design/ttl_scans.md b/docs/docs/design/ttl_scans.md index 060160635..6542d34c8 100644 --- a/docs/docs/design/ttl_scans.md +++ b/docs/docs/design/ttl_scans.md @@ -35,7 +35,7 @@ metadata: annotations: trivy-operator.aquasecurity.github.io/report-ttl: 24h labels: - resource-spec-hash: 86b58dcb99 + annotation.resource-spec-hash: 86b58dcb99 annotation.trivy-operator.container.name: manager annotation.trivy-operator.resource.kind: ReplicaSet annotation.trivy-operator.resource.name: source-controller-b5d5cfdf4 diff --git a/docs/getting-started/installation/troubleshooting.md b/docs/getting-started/installation/troubleshooting.md index 2628b072a..46d21175e 100644 --- a/docs/getting-started/installation/troubleshooting.md +++ b/docs/getting-started/installation/troubleshooting.md 
@@ -291,9 +291,8 @@ We get the output: ```sh app.kubernetes.io/managed-by: trivy-operator -controller-uid: 10aba790-6ee6-4802-81ed-ad77908ea10d -job-name: scan-vulnerabilityreport-6dfb8dc69f -resource-spec-hash: 764dd688f +annotation.controller-uid: 10aba790-6ee6-4802-81ed-ad77908ea10d +annotation.resource-spec-hash: 764dd688f annotation.trivy-operator.resource.kind: ReplicaSet annotation.trivy-operator.resource.name: trivy-operator-6b65576869 annotation.trivy-operator.resource.namespace: trivy-system diff --git a/docs/tutorials/writing-custom-configuration-audit-policies.md b/docs/tutorials/writing-custom-configuration-audit-policies.md index b4476de54..3ecd94e30 100644 --- a/docs/tutorials/writing-custom-configuration-audit-policies.md +++ b/docs/tutorials/writing-custom-configuration-audit-policies.md @@ -177,7 +177,7 @@ metadata: annotation.trivy-operator.resource.name: test annotation.trivy-operator.resource.namespace: default plugin-config-hash: df767ff5f - resource-spec-hash: 7c96769cf + annotation.resource-spec-hash: 7c96769cf name: configmap-test namespace: default ownerReferences: diff --git a/goreleaser-e2e.yaml b/goreleaser-e2e.yaml index 1b1f84698..a62c4e488 100644 --- a/goreleaser-e2e.yaml +++ b/goreleaser-e2e.yaml @@ -38,7 +38,7 @@ changelog: - ^release dockers: - image_templates: - - mirror.gcr.io/aquasec/trivy-operator:{{ .Version }}-amd64 + - ghcr.io/digitecgalaxus/trivy-operator:{{ .Version }}-amd64 use: buildx goos: linux dockerfile: build/trivy-operator/Dockerfile 
@@ -52,12 +52,12 @@ dockers: - --label=org.opencontainers.image.vendor=Aqua Security - --label=org.opencontainers.image.version={{ .Version }} - --label=org.opencontainers.image.created={{ .Date }} - - --label=org.opencontainers.image.source=https://github.com/aquasecurity/trivy-operator + - --label=org.opencontainers.image.source=https://github.com/digitecgalaxus/trivy-operator - --label=org.opencontainers.image.revision={{ .FullCommit }} - --label=org.opencontainers.image.documentation=https://aquasecurity.github.io/trivy-operator/v{{ .Version }}/ - --platform=linux/amd64 docker_manifests: - - name_template: mirror.gcr.io/aquasec/trivy-operator:{{ .Version }} + - name_template: ghcr.io/digitecgalaxus/trivy-operator:{{ .Version }} image_templates: - - mirror.gcr.io/aquasec/trivy-operator:{{ .Version }}-amd64 + - ghcr.io/digitecgalaxus/trivy-operator:{{ .Version }}-amd64 diff --git a/pkg/kube/logs.go b/pkg/kube/logs.go index d1b040c0a..e49ed116f 100644 --- a/pkg/kube/logs.go +++ b/pkg/kube/logs.go @@ -9,8 +9,9 @@ import ( batchv1 "k8s.io/api/batch/v1" corev1 "k8s.io/api/core/v1" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" - "github.com/aquasecurity/trivy-operator/pkg/trivyoperator" "k8s.io/client-go/kubernetes" + + "github.com/aquasecurity/trivy-operator/pkg/trivyoperator" ) var podControlledByJobNotFoundErr = errors.New("pod for job not found") diff --git a/pkg/kube/object_test.go b/pkg/kube/object_test.go index 98074b8bf..e4acc333b 100644 --- a/pkg/kube/object_test.go +++ b/pkg/kube/object_test.go 
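Review bot: The e2e `name_template` and `image_templates` now use exactly the same `ghcr.io/digitecgalaxus/trivy-operator:{{ .Version }}` names as the release configuration, whereas the previous `mirror.gcr.io/aquasec` target was a pull-through mirror that is not normally writable. Nothing in this hunk distinguishes an e2e/snapshot artifact from a release one, so a run of this config with publishing enabled would overwrite or race the signed release tag, and as far as the hunk shows these images go through no `signs:` step. Tagging the e2e stream distinctly, e.g. `- ghcr.io/digitecgalaxus/trivy-operator:{{ .Version }}-e2e-amd64` with a matching manifest `name_template: ghcr.io/digitecgalaxus/trivy-operator:{{ .Version }}-e2e`, or using a separate repository, keeps test builds from ever shadowing a release. Whether a `signs:` section exists further down this file is outside the hunk.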
@@ -1022,14 +1022,14 @@ func TestObjectResolver_ReportOwner(t *testing.T) { Name: "pi", UID: "ef340242-b677-485e-b506-2ac1dde48bca", Labels: map[string]string{ - "controller-uid": "ef340242-b677-485e-b506-2ac1dde48bca", - "job-name": "pi", + "annotation.controller-uid": "ef340242-b677-485e-b506-2ac1dde48bca", + "job-name": "pi", }, }, Spec: batchv1.JobSpec{ Selector: &metav1.LabelSelector{ MatchLabels: map[string]string{ - "controller-uid": "ef340242 - b677 - 485e-b506-2ac1dde48bca", + "annotation.controller-uid": "ef340242 - b677 - 485e-b506-2ac1dde48bca", }, }, }, @@ -1043,8 +1043,8 @@ func TestObjectResolver_ReportOwner(t *testing.T) { Namespace: corev1.NamespaceDefault, Name: "pi-wnbbm", Labels: map[string]string{ - "controller-uid": "ef340242-b677-485e-b506-2ac1dde48bca", - "job-name": "pi", + "annotation.controller-uid": "ef340242-b677-485e-b506-2ac1dde48bca", + "job-name": "pi", }, UID: "3921e0cd-1852-4c1d-ab0a-9721f3f28276", OwnerReferences: []metav1.OwnerReference{ diff --git a/pkg/vulnerabilityreport/builder.go b/pkg/vulnerabilityreport/builder.go index b90416f29..417a9e6a4 100644 --- a/pkg/vulnerabilityreport/builder.go +++ b/pkg/vulnerabilityreport/builder.go @@ -38,7 +38,7 @@ type ScanJobBuilder struct { podSecurityContext *corev1.PodSecurityContext containerSecurityContext *corev1.SecurityContext podPriorityClassName string - controllerUid string + controllerUid string skipInitContainers bool sbomClusterReports map[string]v1alpha1.SbomReportData customVolumesMount []corev1.VolumeMount @@ -193,7 +193,7 @@ func (s *ScanJobBuilder) Get() (*batchv1.Job, []*corev1.Secret, error) { jobLabels := map[string]string{ trivyoperator.LabelResourceSpecHash: podSpecHash, - trivyoperator.LabelControllerUid: s.controllerUid, + trivyoperator.LabelControllerUid: s.controllerUid, trivyoperator.LabelK8SAppManagedBy: trivyoperator.AppTrivyOperator, trivyoperator.LabelVulnerabilityReportScanner: s.pluginContext.GetName(), } 
@@ -213,8 +213,8 @@ func (s *ScanJobBuilder) Get() (*batchv1.Job, []*corev1.Secret, error) { BackoffLimit: ptr.To[int32](0), Completions: ptr.To[int32](1), ActiveDeadlineSeconds: utils.DurationSecondsPtr(s.timeout), - ManualSelector: ptr.To[bool](true), - Selector: &metav1.LabelSelector{ + ManualSelector: ptr.To[bool](true), + Selector: &metav1.LabelSelector{ MatchLabels: map[string]string{ trivyoperator.LabelControllerUid: s.controllerUid, }, diff --git a/pkg/vulnerabilityreport/builder_test.go b/pkg/vulnerabilityreport/builder_test.go index 5cc8efc94..a8baa1557 100644 --- a/pkg/vulnerabilityreport/builder_test.go +++ b/pkg/vulnerabilityreport/builder_test.go @@ -117,7 +117,7 @@ func TestScanJobBuilder(t *testing.T) { trivyoperator.LabelResourceName: "nginx-6799fc88d8", trivyoperator.LabelResourceNamespace: "prod-ns", trivyoperator.LabelResourceSpecHash: "78b69db6df", - trivyoperator.LabelControllerUid: "guid1", + trivyoperator.LabelControllerUid: "guid1", }, Annotations: map[string]string{ trivyoperator.AnnotationContainerImages: `{"nginx":"nginx:1.16"}`, @@ -127,8 +127,8 @@ func TestScanJobBuilder(t *testing.T) { BackoffLimit: ptr.To[int32](0), Completions: ptr.To[int32](1), ActiveDeadlineSeconds: ptr.To[int64](3), - ManualSelector: ptr.To[bool](true), - Selector: &metav1.LabelSelector{ + ManualSelector: ptr.To[bool](true), + Selector: &metav1.LabelSelector{ MatchLabels: map[string]string{ trivyoperator.LabelControllerUid: "guid1", }, @@ -142,7 +142,7 @@ func TestScanJobBuilder(t *testing.T) { trivyoperator.LabelResourceName: "nginx-6799fc88d8", trivyoperator.LabelResourceNamespace: "prod-ns", trivyoperator.LabelResourceSpecHash: "78b69db6df", - trivyoperator.LabelControllerUid: "guid1", + trivyoperator.LabelControllerUid: "guid1", }, }, Spec: corev1.PodSpec{}, 
@@ -200,7 +200,7 @@ func TestScanJobBuilder(t *testing.T) { trivyoperator.LabelResourceName: "nginx-6799fc88d8", trivyoperator.LabelResourceNamespace: "prod-ns", trivyoperator.LabelResourceSpecHash: "78b69db6df", - trivyoperator.LabelControllerUid: "guid1", + trivyoperator.LabelControllerUid: "guid1", }, Annotations: map[string]string{ "test-annotation": "test-value", @@ -211,8 +211,8 @@ func TestScanJobBuilder(t *testing.T) { BackoffLimit: ptr.To[int32](0), Completions: ptr.To[int32](1), ActiveDeadlineSeconds: ptr.To[int64](3), - ManualSelector: ptr.To[bool](true), - Selector: &metav1.LabelSelector{ + ManualSelector: ptr.To[bool](true), + Selector: &metav1.LabelSelector{ MatchLabels: map[string]string{ trivyoperator.LabelControllerUid: "guid1", }, @@ -226,7 +226,7 @@ func TestScanJobBuilder(t *testing.T) { trivyoperator.LabelResourceName: "nginx-6799fc88d8", trivyoperator.LabelResourceNamespace: "prod-ns", trivyoperator.LabelResourceSpecHash: "78b69db6df", - trivyoperator.LabelControllerUid: "guid1", + trivyoperator.LabelControllerUid: "guid1", }, Annotations: map[string]string{ "test-annotation": "test-value", @@ -289,7 +289,7 @@ func TestScanJobBuilder(t *testing.T) { trivyoperator.LabelResourceName: "nginx-6799fc88d8", trivyoperator.LabelResourceNamespace: "prod-ns", trivyoperator.LabelResourceSpecHash: "78b69db6df", - trivyoperator.LabelControllerUid: "guid1", + trivyoperator.LabelControllerUid: "guid1", }, Annotations: map[string]string{ trivyoperator.AnnotationContainerImages: `{"nginx":"nginx:1.16"}`, @@ -299,8 +299,8 @@ func TestScanJobBuilder(t *testing.T) { BackoffLimit: ptr.To[int32](0), Completions: ptr.To[int32](1), ActiveDeadlineSeconds: ptr.To[int64](3), - ManualSelector: ptr.To[bool](true), - Selector: &metav1.LabelSelector{ + ManualSelector: ptr.To[bool](true), + Selector: &metav1.LabelSelector{ MatchLabels: map[string]string{ trivyoperator.LabelControllerUid: "guid1", }, 
@@ -314,7 +314,7 @@ func TestScanJobBuilder(t *testing.T) { trivyoperator.LabelResourceName: "nginx-6799fc88d8", trivyoperator.LabelResourceNamespace: "prod-ns", trivyoperator.LabelResourceSpecHash: "78b69db6df", - trivyoperator.LabelControllerUid: "guid1", + trivyoperator.LabelControllerUid: "guid1", }, }, Spec: corev1.PodSpec{}, @@ -385,12 +385,13 @@ func TestScanJobBuilder(t *testing.T) { Name: "scan-vulnerabilityreport-64d65c457", Namespace: "trivy-operator-ns", Labels: map[string]string{ - "app.kubernetes.io/managed-by": "trivy-operator", - "resource-spec-hash": "5dc8867774", - "trivy-operator.resource.kind": "ReplicaSet", - "trivy-operator.resource.name": "nginx-6799fc88d8", - "trivy-operator.resource.namespace": "prod-ns", - "vulnerabilityReport.scanner": "test-plugin", + "app.kubernetes.io/managed-by": "trivy-operator", + "annotation.resource-spec-hash": "5dc8867774", + "annotation.trivy-operator.resource.kind": "ReplicaSet", + "annotation.trivy-operator.resource.name": "nginx-6799fc88d8", + "annotation.trivy-operator.resource.namespace": "prod-ns", + "annotation.controller-uid": "", + "vulnerabilityReport.scanner": "test-plugin", }, Annotations: map[string]string{ "trivy-operator.container-images": `{"test-container":"test-image","test-init-container":"test-init-image"}`, 
@@ -400,15 +401,22 @@ func TestScanJobBuilder(t *testing.T) { BackoffLimit: ptr.To[int32](0), Completions: ptr.To[int32](1), ActiveDeadlineSeconds: ptr.To[int64](3), + ManualSelector: ptr.To[bool](true), + Selector: &metav1.LabelSelector{ + MatchLabels: map[string]string{ + trivyoperator.LabelControllerUid: "", + }, + }, Template: corev1.PodTemplateSpec{ ObjectMeta: metav1.ObjectMeta{ Labels: map[string]string{ - "app.kubernetes.io/managed-by": "trivy-operator", - "resource-spec-hash": "5dc8867774", - "trivy-operator.resource.kind": "ReplicaSet", - "trivy-operator.resource.name": "nginx-6799fc88d8", - "trivy-operator.resource.namespace": "prod-ns", - "vulnerabilityReport.scanner": "test-plugin", + "vulnerabilityReport.scanner": "test-plugin", + "annotation.trivy-operator.resource.kind": "ReplicaSet", + "annotation.trivy-operator.resource.namespace": "prod-ns", + "annotation.trivy-operator.resource.name": "nginx-6799fc88d8", + "app.kubernetes.io/managed-by": "trivy-operator", + "annotation.resource-spec-hash": "5dc8867774", + "annotation.controller-uid": "", }, }, Spec: corev1.PodSpec{ diff --git a/pkg/vulnerabilityreport/controller/workload.go b/pkg/vulnerabilityreport/controller/workload.go index 6b80d4d03..a0e370607 100644 --- a/pkg/vulnerabilityreport/controller/workload.go +++ b/pkg/vulnerabilityreport/controller/workload.go @@ -7,6 +7,7 @@ import ( "time" "github.com/go-logr/logr" + "github.com/google/uuid" batchv1 "k8s.io/api/batch/v1" k8sapierror "k8s.io/apimachinery/pkg/api/errors" ctrl "sigs.k8s.io/controller-runtime" @@ -29,7 +30,6 @@ import ( "github.com/aquasecurity/trivy-operator/pkg/vulnerabilityreport" . "github.com/aquasecurity/trivy-operator/pkg/operator/predicate" - "github.com/google/uuid" ) const trivyServerUp = "trivy_server_up" diff --git a/tests/envtest/controller_test.go b/tests/envtest/controller_test.go index 904683327..0e631d65c 100644 --- a/tests/envtest/controller_test.go +++ b/tests/envtest/controller_test.go 
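Review bot: The expected Job in this hunk pins `Selector.MatchLabels[trivyoperator.LabelControllerUid] = ""` together with `ManualSelector: true`, i.e. the builder emits a manual selector on an empty label value whenever no controller UID was supplied. With manualSelector set the API server no longer injects its own unique `controller-uid`/`job-name` labels, so selector uniqueness rests entirely on the caller, and every scan Job built without `.ControllerUid(...)` would share the identical selector `annotation.controller-uid=""`, which Kubernetes documents as unsupported for Jobs. The `github.com/google/uuid` import moved in workload.go suggests the controller does supply one, but the builder should not depend on it: in `Get()` fall back to a generated value, e.g. `uid := s.controllerUid; if uid == "" { uid = uuid.New().String() }`, and use `uid` for the job label, the selector and the template label. This test case should then set an explicit UID (or assert the value is non-empty and equal in selector and template) instead of blessing `""`; the enclosing TestScanJobBuilder case starts before and ends after this hunk.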
@@ -56,10 +56,11 @@ var _ = Describe("Workload controller", func() { job.ResourceVersion = "" job.CreationTimestamp = metav1.Time{} job.ManagedFields = nil - job.Spec.Selector.MatchLabels["controller-uid"] = "" - job.Spec.Template.Labels["controller-uid"] = "" - job.Spec.Template.Labels["resource-spec-hash"] = "" - job.Labels["resource-spec-hash"] = "" + job.Spec.Selector.MatchLabels["annotation.controller-uid"] = "" + job.Spec.Template.Labels["annotation.controller-uid"] = "" + job.Spec.Template.Labels["annotation.resource-spec-hash"] = "" + job.Labels["annotation.resource-spec-hash"] = "" + job.Labels["annotation.controller-uid"] = "" for i := range job.Spec.Template.Spec.InitContainers { job.Spec.Template.Spec.InitContainers[i].Name = "" } @@ -100,7 +101,7 @@ var _ = Describe("Workload controller", func() { ca.OwnerReferences[0].UID = "" ca.Labels["plugin-config-hash"] = "" - ca.Labels["resource-spec-hash"] = "" + ca.Labels["annotation.resource-spec-hash"] = "" ca.Report.UpdateTimestamp = metav1.Time{} sort.Sort(ByCheckID(ca.Report.Checks)) return ca diff --git a/tests/envtest/testdata/fixture/config-audit-ttl-historical.yaml b/tests/envtest/testdata/fixture/config-audit-ttl-historical.yaml index b0936c5bd..f0b9d8a74 100644 --- a/tests/envtest/testdata/fixture/config-audit-ttl-historical.yaml +++ b/tests/envtest/testdata/fixture/config-audit-ttl-historical.yaml @@ -8,7 +8,7 @@ metadata: creationTimestamp: 2022-12-08T15:50:37Z generation: 1 labels: - resource-spec-hash: 65df6ff459 + annotation.resource-spec-hash: 65df6ff459 plugin-config-hash: 659b7b9c47 annotation.trivy-operator.container.name: coredns annotation.trivy-operator.resource.kind: ReplicaSet diff --git a/tests/envtest/testdata/fixture/config-audit-ttl.yaml b/tests/envtest/testdata/fixture/config-audit-ttl.yaml index 701fde552..a714c362b 100644 --- a/tests/envtest/testdata/fixture/config-audit-ttl.yaml +++ b/tests/envtest/testdata/fixture/config-audit-ttl.yaml 
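Review bot: The normalisation in this hunk blanks `annotation.controller-uid` on the selector, the template labels and the Job labels before comparing against the fixture, so the envtest never checks that the operator actually generated a UID or that the manual selector matches the pod template, which is the one invariant `manualSelector: true` makes the operator responsible for. Add the check before the blanking, e.g. `Expect(job.Spec.Selector.MatchLabels["annotation.controller-uid"]).NotTo(BeEmpty())` and `Expect(job.Spec.Template.Labels["annotation.controller-uid"]).To(Equal(job.Spec.Selector.MatchLabels["annotation.controller-uid"]))`, so a regression to an empty or mismatched selector is caught rather than erased. The enclosing Describe closure starts before and ends after this hunk.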
@@ -7,7 +7,7 @@ metadata: creationTimestamp: 2022-12-08T15:50:37Z generation: 1 labels: - resource-spec-hash: 65df6ff459 + annotation.resource-spec-hash: 65df6ff459 plugin-config-hash: 659b7b9c47 annotation.trivy-operator.container.name: coredns annotation.trivy-operator.resource.kind: ReplicaSet diff --git a/tests/envtest/testdata/fixture/cronjob-configauditreport-expected.yaml b/tests/envtest/testdata/fixture/cronjob-configauditreport-expected.yaml index 76cdf3f79..1e0b6d15e 100644 --- a/tests/envtest/testdata/fixture/cronjob-configauditreport-expected.yaml +++ b/tests/envtest/testdata/fixture/cronjob-configauditreport-expected.yaml @@ -5,7 +5,7 @@ metadata: generation: 1 labels: plugin-config-hash: - resource-spec-hash: + annotation.resource-spec-hash: annotation.trivy-operator.resource.kind: CronJob annotation.trivy-operator.resource.name: hello annotation.trivy-operator.resource.namespace: default diff --git a/tests/envtest/testdata/fixture/cronjob-expected-scan.yaml b/tests/envtest/testdata/fixture/cronjob-expected-scan.yaml index 48c3763c2..718a47b88 100644 --- a/tests/envtest/testdata/fixture/cronjob-expected-scan.yaml +++ b/tests/envtest/testdata/fixture/cronjob-expected-scan.yaml @@ -7,7 +7,8 @@ metadata: generation: 1 labels: app.kubernetes.io/managed-by: trivy-operator - resource-spec-hash: + annotation.resource-spec-hash: + annotation.controller-uid: annotation.trivy-operator.resource.kind: CronJob annotation.trivy-operator.resource.name: hello annotation.trivy-operator.resource.namespace: default 
@@ -18,17 +19,17 @@ spec: completionMode: NonIndexed completions: 1 parallelism: 1 + manualSelector: true selector: matchLabels: - controller-uid: + annotation.controller-uid: suspend: false template: metadata: labels: app.kubernetes.io/managed-by: trivy-operator - controller-uid: - job-name: scan-vulnerabilityreport-fcd85fd57 - resource-spec-hash: + annotation.controller-uid: + annotation.resource-spec-hash: annotation.trivy-operator.resource.kind: CronJob annotation.trivy-operator.resource.name: hello annotation.trivy-operator.resource.namespace: default diff --git a/tests/envtest/testdata/fixture/daemonset-configauditreport-expected.yaml b/tests/envtest/testdata/fixture/daemonset-configauditreport-expected.yaml index 5627eea46..be7b0d8be 100644 --- a/tests/envtest/testdata/fixture/daemonset-configauditreport-expected.yaml +++ b/tests/envtest/testdata/fixture/daemonset-configauditreport-expected.yaml @@ -5,7 +5,7 @@ metadata: generation: 1 labels: plugin-config-hash: - resource-spec-hash: + annotation.resource-spec-hash: annotation.trivy-operator.resource.kind: DaemonSet annotation.trivy-operator.resource.name: fluentd-elasticsearch annotation.trivy-operator.resource.namespace: default diff --git a/tests/envtest/testdata/fixture/daemonset-expected-scan.yaml b/tests/envtest/testdata/fixture/daemonset-expected-scan.yaml index ebab4ffe8..91312602d 100644 --- a/tests/envtest/testdata/fixture/daemonset-expected-scan.yaml +++ b/tests/envtest/testdata/fixture/daemonset-expected-scan.yaml @@ -7,7 +7,8 @@ metadata: generation: 1 labels: app.kubernetes.io/managed-by: trivy-operator - resource-spec-hash: + annotation.resource-spec-hash: + annotation.controller-uid: annotation.trivy-operator.resource.kind: DaemonSet annotation.trivy-operator.resource.name: fluentd-elasticsearch annotation.trivy-operator.resource.namespace: default 
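Review bot: The expected pod template here drops the `job-name` label and nothing replaces it; with `manualSelector: true` the API server no longer injects `job-name`/`controller-uid` into the template, so the only label-based link from a scan pod back to its Job is the `annotation.controller-uid` value (blank in this fixture) plus the ownerReference. Any selector-based lookup of a scan Job's pods, whether `kubectl get pods -l job-name=...` from the troubleshooting docs or an in-operator lookup such as the one in pkg/kube/logs.go that reports `pod for job not found`, will now silently match nothing unless it selects on `annotation.controller-uid` instead. object_test.go in this same commit still keeps `job-name: pi` on both its Job and Pod fixtures, which hints at a remaining consumer of that label. Worth confirming the lookup path and either switching it to `annotation.controller-uid: <uid>` or having the builder set `job-name` explicitly in the template, if that label is acceptable under the Cilium identity concern described in the README.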
@@ -18,17 +19,17 @@ spec: completionMode: NonIndexed completions: 1 parallelism: 1 + manualSelector: true selector: matchLabels: - controller-uid: + annotation.controller-uid: suspend: false template: metadata: labels: app.kubernetes.io/managed-by: trivy-operator - controller-uid: - job-name: scan-vulnerabilityreport-6556c475f8 - resource-spec-hash: + annotation.controller-uid: + annotation.resource-spec-hash: annotation.trivy-operator.resource.kind: DaemonSet annotation.trivy-operator.resource.name: fluentd-elasticsearch annotation.trivy-operator.resource.namespace: default diff --git a/tests/envtest/testdata/fixture/job-configauditreport-expected.yaml b/tests/envtest/testdata/fixture/job-configauditreport-expected.yaml index f0a9e250d..d804ebdde 100644 --- a/tests/envtest/testdata/fixture/job-configauditreport-expected.yaml +++ b/tests/envtest/testdata/fixture/job-configauditreport-expected.yaml @@ -5,7 +5,7 @@ metadata: generation: 1 labels: plugin-config-hash: - resource-spec-hash: + annotation.resource-spec-hash: annotation.trivy-operator.resource.kind: Job annotation.trivy-operator.resource.name: pi annotation.trivy-operator.resource.namespace: default diff --git a/tests/envtest/testdata/fixture/job-expected-scan.yaml b/tests/envtest/testdata/fixture/job-expected-scan.yaml index 286250e98..82ee061ce 100644 --- a/tests/envtest/testdata/fixture/job-expected-scan.yaml +++ b/tests/envtest/testdata/fixture/job-expected-scan.yaml @@ -7,7 +7,8 @@ metadata: generation: 1 labels: app.kubernetes.io/managed-by: trivy-operator - resource-spec-hash: + annotation.resource-spec-hash: + annotation.controller-uid: annotation.trivy-operator.resource.kind: Job annotation.trivy-operator.resource.name: pi annotation.trivy-operator.resource.namespace: default 
@@ -18,17 +19,17 @@ spec: completionMode: NonIndexed completions: 1 parallelism: 1 + manualSelector: true selector: matchLabels: - controller-uid: + annotation.controller-uid: suspend: false template: metadata: labels: app.kubernetes.io/managed-by: trivy-operator - controller-uid: - job-name: scan-vulnerabilityreport-5664bcd7b8 - resource-spec-hash: + annotation.controller-uid: + annotation.resource-spec-hash: annotation.trivy-operator.resource.kind: Job annotation.trivy-operator.resource.name: pi annotation.trivy-operator.resource.namespace: default diff --git a/tests/envtest/testdata/fixture/pod-configauditreport-expected.yaml b/tests/envtest/testdata/fixture/pod-configauditreport-expected.yaml index 77e57d585..91e930b90 100644 --- a/tests/envtest/testdata/fixture/pod-configauditreport-expected.yaml +++ b/tests/envtest/testdata/fixture/pod-configauditreport-expected.yaml @@ -5,7 +5,7 @@ metadata: generation: 1 labels: plugin-config-hash: - resource-spec-hash: + annotation.resource-spec-hash: annotation.trivy-operator.resource.kind: Pod annotation.trivy-operator.resource.name: my-pod annotation.trivy-operator.resource.namespace: default diff --git a/tests/envtest/testdata/fixture/pod-expected-scan.yaml b/tests/envtest/testdata/fixture/pod-expected-scan.yaml index 378dde27c..47b6fe9ad 100644 --- a/tests/envtest/testdata/fixture/pod-expected-scan.yaml +++ b/tests/envtest/testdata/fixture/pod-expected-scan.yaml @@ -7,7 +7,8 @@ metadata: generation: 1 labels: app.kubernetes.io/managed-by: trivy-operator - resource-spec-hash: + annotation.resource-spec-hash: + annotation.controller-uid: annotation.trivy-operator.resource.kind: Pod annotation.trivy-operator.resource.name: my-pod annotation.trivy-operator.resource.namespace: default 
@@ -18,17 +19,17 @@ spec: completionMode: NonIndexed completions: 1 parallelism: 1 + manualSelector: true selector: matchLabels: - controller-uid: + annotation.controller-uid: suspend: false template: metadata: labels: app.kubernetes.io/managed-by: trivy-operator - controller-uid: - job-name: scan-vulnerabilityreport-648f669b9c - resource-spec-hash: + annotation.controller-uid: + annotation.resource-spec-hash: annotation.trivy-operator.resource.kind: Pod annotation.trivy-operator.resource.name: my-pod annotation.trivy-operator.resource.namespace: default diff --git a/tests/envtest/testdata/fixture/replicaset-configauditreport-expected.yaml b/tests/envtest/testdata/fixture/replicaset-configauditreport-expected.yaml index e6d43ef24..fdcf4e76e 100644 --- a/tests/envtest/testdata/fixture/replicaset-configauditreport-expected.yaml +++ b/tests/envtest/testdata/fixture/replicaset-configauditreport-expected.yaml @@ -5,7 +5,7 @@ metadata: generation: 1 labels: plugin-config-hash: - resource-spec-hash: + annotation.resource-spec-hash: annotation.trivy-operator.resource.kind: ReplicaSet annotation.trivy-operator.resource.name: wordpress-84bbf6f4dd annotation.trivy-operator.resource.namespace: default diff --git a/tests/envtest/testdata/fixture/replicaset-expected-scan.yaml b/tests/envtest/testdata/fixture/replicaset-expected-scan.yaml index 2e3063711..7fb5c251d 100644 --- a/tests/envtest/testdata/fixture/replicaset-expected-scan.yaml +++ b/tests/envtest/testdata/fixture/replicaset-expected-scan.yaml @@ -7,7 +7,8 @@ metadata: generation: 1 labels: app.kubernetes.io/managed-by: trivy-operator - resource-spec-hash: + annotation.resource-spec-hash: + annotation.controller-uid: annotation.trivy-operator.resource.kind: ReplicaSet annotation.trivy-operator.resource.name: wordpress-84bbf6f4dd annotation.trivy-operator.resource.namespace: default 
@@ -18,17 +19,17 @@ spec: completionMode: NonIndexed completions: 1 parallelism: 1 + manualSelector: true selector: matchLabels: - controller-uid: + annotation.controller-uid: suspend: false template: metadata: labels: app.kubernetes.io/managed-by: trivy-operator - controller-uid: - job-name: scan-vulnerabilityreport-5668c4b796 - resource-spec-hash: + annotation.controller-uid: + annotation.resource-spec-hash: annotation.trivy-operator.resource.kind: ReplicaSet annotation.trivy-operator.resource.name: wordpress-84bbf6f4dd annotation.trivy-operator.resource.namespace: default diff --git a/tests/envtest/testdata/fixture/replicationcontroller-configauditreport-expected.yaml b/tests/envtest/testdata/fixture/replicationcontroller-configauditreport-expected.yaml index 277d02216..23bb37095 100644 --- a/tests/envtest/testdata/fixture/replicationcontroller-configauditreport-expected.yaml +++ b/tests/envtest/testdata/fixture/replicationcontroller-configauditreport-expected.yaml @@ -5,7 +5,7 @@ metadata: generation: 1 labels: plugin-config-hash: - resource-spec-hash: + annotation.resource-spec-hash: annotation.trivy-operator.resource.kind: ReplicationController annotation.trivy-operator.resource.name: nginx annotation.trivy-operator.resource.namespace: default diff --git a/tests/envtest/testdata/fixture/replicationcontroller-expected-scan.yaml b/tests/envtest/testdata/fixture/replicationcontroller-expected-scan.yaml index b79925e25..c7be4f075 100644 --- a/tests/envtest/testdata/fixture/replicationcontroller-expected-scan.yaml +++ b/tests/envtest/testdata/fixture/replicationcontroller-expected-scan.yaml @@ -7,7 +7,8 @@ metadata: generation: 1 labels: app.kubernetes.io/managed-by: trivy-operator - resource-spec-hash: + annotation.resource-spec-hash: + annotation.controller-uid: annotation.trivy-operator.resource.kind: ReplicationController annotation.trivy-operator.resource.name: nginx annotation.trivy-operator.resource.namespace: default 
@@ -18,17 +19,17 @@ spec:
   completionMode: NonIndexed
   completions: 1
   parallelism: 1
+  manualSelector: true
   selector:
     matchLabels:
-      controller-uid:
+      annotation.controller-uid:
   suspend: false
   template:
     metadata:
       labels:
         app.kubernetes.io/managed-by: trivy-operator
-        controller-uid:
-        job-name: scan-vulnerabilityreport-5dfc565d7b
-        resource-spec-hash:
+        annotation.controller-uid:
+        annotation.resource-spec-hash:
         annotation.trivy-operator.resource.kind: ReplicationController
         annotation.trivy-operator.resource.name: nginx
         annotation.trivy-operator.resource.namespace: default
diff --git a/tests/envtest/testdata/fixture/statefulset-expected-scan.yaml b/tests/envtest/testdata/fixture/statefulset-expected-scan.yaml
index 3e3a4438a..722301658 100644
--- a/tests/envtest/testdata/fixture/statefulset-expected-scan.yaml
+++ b/tests/envtest/testdata/fixture/statefulset-expected-scan.yaml
@@ -7,7 +7,8 @@ metadata:
   generation: 1
   labels:
     app.kubernetes.io/managed-by: trivy-operator
-    resource-spec-hash:
+    annotation.resource-spec-hash:
+    annotation.controller-uid:
     annotation.trivy-operator.resource.kind: StatefulSet
     annotation.trivy-operator.resource.name: web
     annotation.trivy-operator.resource.namespace: default
@@ -18,17 +19,17 @@ spec:
   completionMode: NonIndexed
   completions: 1
   parallelism: 1
+  manualSelector: true
   selector:
     matchLabels:
-      controller-uid:
+      annotation.controller-uid:
   suspend: false
   template:
     metadata:
       labels:
         app.kubernetes.io/managed-by: trivy-operator
-        controller-uid:
-        job-name: scan-vulnerabilityreport-85bdb4586d
-        resource-spec-hash:
+        annotation.controller-uid:
+        annotation.resource-spec-hash:
         annotation.trivy-operator.resource.kind: StatefulSet
         annotation.trivy-operator.resource.name: web
         annotation.trivy-operator.resource.namespace: default
diff --git a/tests/envtest/testdata/fixture/vulnerability-ttl.yaml b/tests/envtest/testdata/fixture/vulnerability-ttl.yaml
index c99eef54e..8b2d5045f 100644
--- a/tests/envtest/testdata/fixture/vulnerability-ttl.yaml
+++ b/tests/envtest/testdata/fixture/vulnerability-ttl.yaml
@@ -7,7 +7,7 @@ metadata:
   creationTimestamp: 2022-12-08T15:50:37Z
   generation: 1
   labels:
-    resource-spec-hash: 65df6ff459
+    annotation.resource-spec-hash: 65df6ff459
     plugin-config-hash: 659b7b9c47
     annotation.trivy-operator.container.name: coredns
     annotation.trivy-operator.resource.kind: ReplicaSet