From baea4c282dbd25a7a63ed7175c9f1f195e037d66 Mon Sep 17 00:00:00 2001
From: OlleLarsson
Date: Wed, 19 Feb 2025 10:56:18 +0100
Subject: [PATCH] apps: helm/trivy-operator 0.26.0

The helm chart defaults to trivy-operator version v0.24.0
---
 .../aquasecurity/trivy-operator/Chart.yaml | 4 +--
 .../aquasecurity/trivy-operator/README.md | 5 +--
 .../templates/configmaps/trivy.yaml | 1 +
 .../trivy-operator/templates/deployment.yaml | 5 ++-
 .../templates/specs/eks-cis-1.4.yaml | 2 +-
 .../templates/specs/k8s-cis-1.23.yaml | 2 +-
 .../templates/specs/k8s-nsa-1.0.yaml | 2 +-
 .../templates/specs/k8s-pss-baseline-0.1.yaml | 2 +-
 .../specs/k8s-pss-restricted-0.1.yaml | 2 +-
 .../templates/specs/rke2-cis-1.24.yaml | 2 +-
 .../aquasecurity/trivy-operator/values.yaml | 33 ++++++++++---------
 helmfile.d/upstream/index.yaml | 2 +-
 .../values/falco/falco-common.yaml.gotmpl | 4 +--
 13 files changed, 37 insertions(+), 29 deletions(-)

diff --git a/helmfile.d/upstream/aquasecurity/trivy-operator/Chart.yaml b/helmfile.d/upstream/aquasecurity/trivy-operator/Chart.yaml
index d3da7e0f5..997cbf8c1 100644
--- a/helmfile.d/upstream/aquasecurity/trivy-operator/Chart.yaml
+++ b/helmfile.d/upstream/aquasecurity/trivy-operator/Chart.yaml
@@ -1,5 +1,5 @@
 apiVersion: v2
-appVersion: 0.23.0
+appVersion: 0.24.0
 description: Keeps security report resources updated
 keywords:
 - aquasecurity
@@ -9,4 +9,4 @@ name: trivy-operator
 sources:
 - https://github.com/aquasecurity/trivy-operator
 type: application
-version: 0.25.0
+version: 0.26.0
diff --git a/helmfile.d/upstream/aquasecurity/trivy-operator/README.md b/helmfile.d/upstream/aquasecurity/trivy-operator/README.md
index c94bbcf6c..d37870f5d 100644
--- a/helmfile.d/upstream/aquasecurity/trivy-operator/README.md
+++ b/helmfile.d/upstream/aquasecurity/trivy-operator/README.md
@@ -1,6 +1,6 @@ # trivy-operator -![Version: 0.25.0](https://img.shields.io/badge/Version-0.25.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 0.23.0](https://img.shields.io/badge/AppVersion-0.23.0-informational?style=flat-square) +![Version: 0.26.0](https://img.shields.io/badge/Version-0.26.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 0.24.0](https://img.shields.io/badge/AppVersion-0.24.0-informational?style=flat-square) Keeps security report resources updated @@ -19,6 +19,7 @@ Keeps security report resources updated | compliance.reportType | string | `"summary"` | reportType this flag control the type of report generated (summary or all) | | compliance.specs | list | `["k8s-cis-1.23","k8s-nsa-1.0","k8s-pss-baseline-0.1","k8s-pss-restricted-0.1"]` | specs is a list of compliance specs to be used by the cluster compliance scanner - k8s-cis-1.23 - k8s-nsa-1.0 - k8s-pss-baseline-0.1 - k8s-pss-restricted-0.1 - eks-cis-1.4 - rke2-cis-1.24 | | excludeNamespaces | string | `""` | excludeNamespaces is a comma separated list of namespaces (or glob patterns) to be excluded from scanning. Only applicable in the all namespaces install mode, i.e. when the targetNamespaces values is a blank string. | +| extraEnv | list | `[]` | extraEnv is a list of extra environment variables for the trivy-operator. | | fullnameOverride | string | `""` | fullnameOverride override operator full name | | global | object | `{"image":{"registry":""}}` | global values provide a centralized configuration for 'image.registry', reducing the potential for errors. If left blank, the chart will default to the individually set 'image.registry' values | | image.pullPolicy | string | `"IfNotPresent"` | pullPolicy set the operator pullPolicy | 
@@ -145,7 +146,7 @@ Keeps security report resources updated | trivy.image.pullPolicy | string | `"IfNotPresent"` | pullPolicy is the imge pull policy used for trivy image , valid values are (Always, Never, IfNotPresent) | | trivy.image.registry | string | `"mirror.gcr.io"` | registry of the Trivy image | | trivy.image.repository | string | `"aquasec/trivy"` | repository of the Trivy image | -| trivy.image.tag | string | `"0.57.1"` | tag version of the Trivy image | +| trivy.image.tag | string | `"0.59.1"` | tag version of the Trivy image | | trivy.imageScanCacheDir | string | `"/tmp/trivy/.cache"` | imageScanCacheDir the flag to set custom path for trivy image scan `cache-dir` parameter. Only applicable in image scan mode. | | trivy.includeDevDeps | bool | `false` | includeDevDeps include development dependencies in the report (supported: npm, yarn) (default: false) note: this flag is only applicable when trivy.command is set to filesystem | | trivy.insecureRegistries | object | `{}` | The registry to which insecure connections are allowed. There can be multiple registries with different keys. | diff --git a/helmfile.d/upstream/aquasecurity/trivy-operator/templates/configmaps/trivy.yaml b/helmfile.d/upstream/aquasecurity/trivy-operator/templates/configmaps/trivy.yaml index 3af9786e3..498eee3f5 100644 --- a/helmfile.d/upstream/aquasecurity/trivy-operator/templates/configmaps/trivy.yaml +++ b/helmfile.d/upstream/aquasecurity/trivy-operator/templates/configmaps/trivy.yaml @@ -128,6 +128,7 @@ data: TRIVY_DEBUG: {{ .Values.trivy.debug | quote }} TRIVY_SKIP_DB_UPDATE: "false" TRIVY_DB_REPOSITORY: "{{ .Values.trivy.dbRegistry }}/{{ .Values.trivy.dbRepository }}" + TRIVY_JAVA_DB_REPOSITORY: "{{ .Values.trivy.javaDbRegistry }}/{{ .Values.trivy.javaDbRepository }}" TRIVY_INSECURE: "{{ .Values.operator.builtInServerRegistryInsecure }}" {{- end }} {{- end }} 
diff --git a/helmfile.d/upstream/aquasecurity/trivy-operator/templates/deployment.yaml b/helmfile.d/upstream/aquasecurity/trivy-operator/templates/deployment.yaml index 509bf1345..0a17e4ba0 100644 --- a/helmfile.d/upstream/aquasecurity/trivy-operator/templates/deployment.yaml +++ b/helmfile.d/upstream/aquasecurity/trivy-operator/templates/deployment.yaml @@ -6,7 +6,7 @@ metadata: {{- with .Values.operator.annotations }} annotations: {{- toYaml . | nindent 4 }} {{- end }} - labels: + labels: {{- include "trivy-operator.labels" . | nindent 4 }} {{- with .Values.operator.labels }} {{- toYaml . | nindent 4 }} @@ -50,6 +50,9 @@ spec: value: {{ tpl .Values.targetWorkloads . | quote }} - name: OPERATOR_SERVICE_ACCOUNT value: {{ include "trivy-operator.serviceAccountName" . | quote }} + {{- with .Values.extraEnv }} + {{- toYaml . | nindent 12 }} + {{- end }} envFrom: - configMapRef: name: trivy-operator-config diff --git a/helmfile.d/upstream/aquasecurity/trivy-operator/templates/specs/eks-cis-1.4.yaml b/helmfile.d/upstream/aquasecurity/trivy-operator/templates/specs/eks-cis-1.4.yaml index 7da6d3fdb..dd58f7634 100644 --- a/helmfile.d/upstream/aquasecurity/trivy-operator/templates/specs/eks-cis-1.4.yaml +++ b/helmfile.d/upstream/aquasecurity/trivy-operator/templates/specs/eks-cis-1.4.yaml @@ -6,7 +6,7 @@ metadata: labels: app.kubernetes.io/name: trivy-operator app.kubernetes.io/instance: trivy-operator - app.kubernetes.io/version: 0.23.0 + app.kubernetes.io/version: 0.24.0 app.kubernetes.io/managed-by: kubectl spec: cron: {{ .Values.compliance.cron | quote }} diff --git a/helmfile.d/upstream/aquasecurity/trivy-operator/templates/specs/k8s-cis-1.23.yaml b/helmfile.d/upstream/aquasecurity/trivy-operator/templates/specs/k8s-cis-1.23.yaml index a3c68b638..1959905e3 100644 --- a/helmfile.d/upstream/aquasecurity/trivy-operator/templates/specs/k8s-cis-1.23.yaml +++ b/helmfile.d/upstream/aquasecurity/trivy-operator/templates/specs/k8s-cis-1.23.yaml 
@@ -6,7 +6,7 @@ metadata: labels: app.kubernetes.io/name: trivy-operator app.kubernetes.io/instance: trivy-operator - app.kubernetes.io/version: 0.23.0 + app.kubernetes.io/version: 0.24.0 app.kubernetes.io/managed-by: kubectl spec: cron: {{ .Values.compliance.cron | quote }} diff --git a/helmfile.d/upstream/aquasecurity/trivy-operator/templates/specs/k8s-nsa-1.0.yaml b/helmfile.d/upstream/aquasecurity/trivy-operator/templates/specs/k8s-nsa-1.0.yaml index 9798749f7..5006222e7 100644 --- a/helmfile.d/upstream/aquasecurity/trivy-operator/templates/specs/k8s-nsa-1.0.yaml +++ b/helmfile.d/upstream/aquasecurity/trivy-operator/templates/specs/k8s-nsa-1.0.yaml @@ -7,7 +7,7 @@ metadata: labels: app.kubernetes.io/name: trivy-operator app.kubernetes.io/instance: trivy-operator - app.kubernetes.io/version: 0.23.0 + app.kubernetes.io/version: 0.24.0 app.kubernetes.io/managed-by: kubectl spec: cron: {{ .Values.compliance.cron | quote}} diff --git a/helmfile.d/upstream/aquasecurity/trivy-operator/templates/specs/k8s-pss-baseline-0.1.yaml b/helmfile.d/upstream/aquasecurity/trivy-operator/templates/specs/k8s-pss-baseline-0.1.yaml index 36624e481..9dd3231d9 100644 --- a/helmfile.d/upstream/aquasecurity/trivy-operator/templates/specs/k8s-pss-baseline-0.1.yaml +++ b/helmfile.d/upstream/aquasecurity/trivy-operator/templates/specs/k8s-pss-baseline-0.1.yaml @@ -7,7 +7,7 @@ metadata: labels: app.kubernetes.io/name: trivy-operator app.kubernetes.io/instance: trivy-operator - app.kubernetes.io/version: 0.23.0 + app.kubernetes.io/version: 0.24.0 app.kubernetes.io/managed-by: kubectl spec: cron: {{ .Values.compliance.cron | quote}} diff --git a/helmfile.d/upstream/aquasecurity/trivy-operator/templates/specs/k8s-pss-restricted-0.1.yaml b/helmfile.d/upstream/aquasecurity/trivy-operator/templates/specs/k8s-pss-restricted-0.1.yaml index 3f263ea9d..7cf92e29b 100644 --- a/helmfile.d/upstream/aquasecurity/trivy-operator/templates/specs/k8s-pss-restricted-0.1.yaml 
+++ b/helmfile.d/upstream/aquasecurity/trivy-operator/templates/specs/k8s-pss-restricted-0.1.yaml @@ -7,7 +7,7 @@ metadata: labels: app.kubernetes.io/name: trivy-operator app.kubernetes.io/instance: trivy-operator - app.kubernetes.io/version: 0.23.0 + app.kubernetes.io/version: 0.24.0 app.kubernetes.io/managed-by: kubectl spec: cron: {{ .Values.compliance.cron | quote}} diff --git a/helmfile.d/upstream/aquasecurity/trivy-operator/templates/specs/rke2-cis-1.24.yaml b/helmfile.d/upstream/aquasecurity/trivy-operator/templates/specs/rke2-cis-1.24.yaml index 0ad2a959a..bdce62a7c 100644 --- a/helmfile.d/upstream/aquasecurity/trivy-operator/templates/specs/rke2-cis-1.24.yaml +++ b/helmfile.d/upstream/aquasecurity/trivy-operator/templates/specs/rke2-cis-1.24.yaml @@ -7,7 +7,7 @@ metadata: labels: app.kubernetes.io/name: trivy-operator app.kubernetes.io/instance: trivy-operator - app.kubernetes.io/version: 0.23.0 + app.kubernetes.io/version: 0.24.0 app.kubernetes.io/managed-by: kubectl spec: cron: {{ .Values.compliance.cron | quote}} diff --git a/helmfile.d/upstream/aquasecurity/trivy-operator/values.yaml b/helmfile.d/upstream/aquasecurity/trivy-operator/values.yaml index af34eef59..23d76ff79 100644 --- a/helmfile.d/upstream/aquasecurity/trivy-operator/values.yaml +++ b/helmfile.d/upstream/aquasecurity/trivy-operator/values.yaml @@ -20,6 +20,9 @@ targetNamespaces: "" # mode, i.e. when the targetNamespaces values is a blank string. excludeNamespaces: "" +# -- extraEnv is a list of extra environment variables for the trivy-operator. +extraEnv: [] + # -- targetWorkloads is a comma seperated list of Kubernetes workload resources # to be included in the vulnerability and config-audit scans # if left blank, all workload resources will be scanned 
@@ -340,7 +343,7 @@ trivy: # -- repository of the Trivy image repository: aquasec/trivy # -- tag version of the Trivy image - tag: 0.57.1 + tag: 0.59.1 # -- imagePullSecret is the secret name to be used when pulling trivy image from private registries example : reg-secret # It is the user responsibility to create the secret for the private registry in `trivy-operator` namespace imagePullSecret: ~ @@ -636,7 +639,7 @@ serviceAccount: podAnnotations: {} podSecurityContext: {} - # fsGroup: 2000 +# fsGroup: 2000 # -- securityContext security context securityContext: @@ -659,16 +662,17 @@ volumes: emptyDir: {} resources: {} - # -- We usually recommend not to specify default resources and to leave this as a conscious - # choice for the user. This also increases chances charts run on environments with little - # resources, such as Minikube. If you do want to specify resources, uncomment the following - # lines, adjust them as necessary, and remove the curly braces after 'resources:'. - # limits: - # cpu: 100m - # memory: 128Mi - # requests: - # cpu: 100m - # memory: 128Mi +# -- We usually recommend not to specify default resources and to leave this as a conscious +# choice for the user. This also increases chances charts run on environments with little +# resources, such as Minikube. If you do want to specify resources, uncomment the following +# lines, adjust them as necessary, and remove the curly braces after 'resources:'. +# limits: +# cpu: 100m +# memory: 128Mi +# requests: +# cpu: 100m +# memory: 128Mi + # -- nodeSelector set the operator nodeSelector nodeSelector: {} @@ -681,7 +685,7 @@ affinity: {} # -- priorityClassName set the operator priorityClassName priorityClassName: "" - # -- automountServiceAccountToken the flag to enable automount for service account token +# -- automountServiceAccountToken the flag to enable automount for service account token automountServiceAccountToken: true policiesBundle: 
@@ -691,7 +695,7 @@ policiesBundle: repository: aquasec/trivy-checks # -- tag version of the policies bundle tag: 1 - # -- registryUser is the user for the registry + # -- registryUser is the user for the registry registryUser: ~ # -- registryPassword is the password for the registry registryPassword: ~ @@ -703,7 +707,6 @@ policiesBundle: # -- insecure is the flag to enable insecure connection to the policy bundle registry insecure: false - nodeCollector: # -- useNodeSelector determine if to use nodeSelector (by auto detecting node name) with node-collector scan job useNodeSelector: true diff --git a/helmfile.d/upstream/index.yaml b/helmfile.d/upstream/index.yaml index e91c27720..dcaa6d353 100644 --- a/helmfile.d/upstream/index.yaml +++ b/helmfile.d/upstream/index.yaml @@ -36,7 +36,7 @@ repositories: nvidia: https://helm.ngc.nvidia.com/nvidia charts: - aquasecurity/trivy-operator: 0.25.0 + aquasecurity/trivy-operator: 0.26.0 bitnami/fluentd: 7.1.1 bitnami/thanos: 15.0.5 diff --git a/helmfile.d/values/falco/falco-common.yaml.gotmpl b/helmfile.d/values/falco/falco-common.yaml.gotmpl index ef78484b1..370fa7c14 100644 --- a/helmfile.d/values/falco/falco-common.yaml.gotmpl +++ b/helmfile.d/values/falco/falco-common.yaml.gotmpl @@ -161,8 +161,8 @@ customRules: - gcr.io/tekton-releases/github.com/tektoncd/pipeline/cmd/controller - gcr.io/tekton-releases/github.com/tektoncd/pipeline/cmd/resolvers - gcr.io/tekton-releases/github.com/tektoncd/pipeline/cmd/webhook - - mirror.ghcr.io/aquasecurity/node-collector - - mirror.ghcr.io/aquasecurity/trivy-operator + - mirror.gcr.io/aquasec/node-collector + - mirror.gcr.io/aquasec/trivy-operator - ghcr.io/dexidp/dex - ghcr.io/elastisys/argocd-managed-namespaces-manager - ghcr.io/elastisys/calico-accountant
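Review bot: The two replaced entries in falco-common.yaml.gotmpl hard-code the registry and repository the operator and node-collector images are now expected to run from (`mirror.gcr.io/aquasec/...`), but nothing in this file ties them to the chart values that actually select those images (`image.registry`/`image.repository` and the node-collector equivalents in the trivy-operator values), so the next registry change on either side silently desynchronises this exception from the running scan jobs. The list appears to be an image allowlist consumed by a custom rule, so a mismatch either makes the rule fire on legitimate trivy-operator workloads or, if the list is later widened to compensate, leaves a broader suppression than intended. I would add a comment above these two entries, e.g. `# Must match the operator and node-collector image registry/repository configured for trivy-operator in this repo (upstream chart defaults unless overridden in helmfile values)`, and confirm that no environment-specific values point these images at a private mirror that is not in this list. The `customRules` block these entries belong to starts before the hunk.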