Commit
feat: add options to Helm chart to load Trivy config from custom configmap or secret (#2174)

* fix: add value to Helm Chart to load Trivy configuration from custom secret

* style: fix indentation

* feat: add trivy.valuesFromConfigMap

* docs: add new values to configuration.md

* docs: generate docs
kimdre authored Jul 8, 2024
1 parent 41ff2ce commit 693908e
Showing 4 changed files with 19 additions and 1 deletion.
2 changes: 2 additions & 0 deletions deploy/helm/README.md
@@ -185,6 +185,8 @@ Keeps security report resources updated
| trivy.timeout | string | `"5m0s"` | timeout is the duration to wait for scan completion. |
| trivy.useBuiltinRegoPolicies | string | `"true"` | The Flag to enable the usage of builtin rego policies by default, these policies are downloaded by default from ghcr.io/aquasecurity/trivy-checks |
| trivy.useEmbeddedRegoPolicies | string | `"false"` | To enable the usage of embedded rego policies, set the flag useEmbeddedRegoPolicies. This should serve as a fallback for air-gapped environments. When useEmbeddedRegoPolicies is set to true, useBuiltinRegoPolicies should be set to false. |
| trivy.valuesFromConfigMap | string | `""` | vaulesFromConfigMap name of a ConfigMap to apply TRIVY_* environment variables. Will override Helm values. |
| trivy.valuesFromSecret | string | `""` | valuesFromSecret name of a Secret to apply TRIVY_* environment variables. Will override Helm AND ConfigMap values. |
| trivy.vulnType | string | `nil` | vulnType can be used to tell Trivy to filter vulnerabilities by a pkg-type (library, os) |
| trivyOperator.additionalReportLabels | string | `""` | additionalReportLabels comma-separated representation of the labels which the user wants the scanner pods to be labeled with. Example: `foo=bar,env=stage` will labeled the reports with the labels `foo: bar` and `env: stage` |
| trivyOperator.configAuditReportsPlugin | string | `"Trivy"` | configAuditReportsPlugin the name of the plugin that generates config audit reports. |
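Review bot: the description of the new `trivy.valuesFromConfigMap` row carries the typo `vaulesFromConfigMap`; since this README is generated from the `values.yaml` comments (the commit's own "docs: generate docs" step), the fix belongs in the `values.yaml` comment followed by a regenerate. "Will override Helm values" is also slightly misleading: the ConfigMap overrides the `TRIVY_*` environment variables rendered into `trivy-operator-trivy-config`, not the Helm values themselves, so something like "Overrides matching TRIVY_* variables from trivy-operator-trivy-config" would be more precise.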
8 changes: 8 additions & 0 deletions deploy/helm/templates/trivy-server/statefulset.yaml
@@ -87,6 +87,14 @@ spec:
name: trivy-operator-trivy-config
- secretRef:
name: trivy-operator-trivy-config
{{- if .Values.trivy.valuesFromConfigMap }}
- configMapRef:
name: {{ .Values.trivy.valuesFromConfigMap }}
{{- end }}
{{- if .Values.trivy.valuesFromSecret }}
- secretRef:
name: {{ .Values.trivy.valuesFromSecret }}
{{- end }}
ports:
- name: trivy-http
containerPort: 4954
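Review bot: the documented precedence (Secret overrides Helm AND ConfigMap values) depends entirely on the order of the `envFrom` entries, because Kubernetes takes the value from the last source when a key appears in several of them; the new `configMapRef` and `secretRef` are correctly placed after the chart's own `trivy-operator-trivy-config` references, but nothing in the template says so, and a future reorder would silently invert the behaviour. Suggest a comment such as `# order matters: later envFrom sources take precedence` above the first `{{- if }}`. Note also that only the trivy-server StatefulSet is wired here; any other pod that reads `trivy-operator-trivy-config` will not see the custom overrides.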
6 changes: 6 additions & 0 deletions deploy/helm/values.yaml
@@ -595,6 +595,12 @@ trivy:
# -- the number of replicas of the trivy-server
replicas: 1

# -- vaulesFromConfigMap name of a ConfigMap to apply TRIVY_* environment variables. Will override Helm values.
valuesFromConfigMap: ""

# -- valuesFromSecret name of a Secret to apply TRIVY_* environment variables. Will override Helm AND ConfigMap values.
valuesFromSecret: ""

compliance:
# -- failEntriesLimit the flag to limit the number of fail entries per control check in the cluster compliance detail report
# this limit is for preventing the report from being too large per control checks
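Review bot: the comment on `valuesFromConfigMap` reads `vaulesFromConfigMap`; helm-docs copies these comments verbatim into the README, so correct it here. It would also help operators to state in both comments that the referenced ConfigMap or Secret must exist in the release namespace before the trivy-server pod starts, since an `envFrom` reference to a missing object (without `optional: true`) prevents the container from being created.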
4 changes: 3 additions & 1 deletion docs/getting-started/installation/configuration.md
@@ -54,12 +54,14 @@ The values of the `OPERATOR_NAMESPACE` and `OPERATOR_TARGET_NAMESPACES` determin

## Configuration from custom ConfigMap and/or Secret

When deployed with the Helm Chart, the environment variables for the Operator Configuration are applied from the `trivy-operator-config` ConfigMap. It is possible to provide a custom ConfigMap and/or Secret to override these values.
When deployed with the Helm Chart, the environment variables for the Operator and Trivy Configuration are applied from the `trivy-operator-config` and `trivy-operator-trivy-config` ConfigMaps. It is possible to provide a custom ConfigMap and/or Secret to override these values.
This is especially useful or even required, when configuration cannot be set through the Helm values, for example when some of the data is retrieved from external sources like Vault or other secret management systems in Cloud Provider environments.
To apply values from a custom ConfigMap and/or Secret, the according Helm values need to be set:

- `operator.valuesFromConfigMap`: The name of the ConfigMap to apply the values from. Will override the values `trivy-operator-config` ConfigMap.
- `operator.valuesFromSecret`: The name of the Secret to apply the values from. Will override values from the `trivy-operator-config` AND `operator.valuesFromConfigMap` (if defined) ConfigMap.
- `trivy.valuesFromConfigMap`: The name of the ConfigMap to apply the values from. Will override the values `trivy-operator-trivy-config` ConfigMap.
- `trivy.valuesFromSecret`: The name of the Secret to apply the values from. Will override values from the `trivy-operator-trivy-config` AND `trivy.valuesFromConfigMap` (if defined) ConfigMap.

## Example - configure namespaces to scan

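Review bot: the two new bullets (and the two existing `operator.*` bullets they mirror) drop a preposition: "Will override the values `trivy-operator-trivy-config` ConfigMap" should read "Will override the values from the `trivy-operator-trivy-config` ConfigMap", and "Will override values from the ... AND `trivy.valuesFromConfigMap` (if defined) ConfigMap" is easier to read as "Will override values from both the `trivy-operator-trivy-config` ConfigMap and, if defined, the `trivy.valuesFromConfigMap` ConfigMap". The stray comma in "especially useful or even required, when configuration cannot be set" should go. Since the override works per key, it is worth saying explicitly that only the `TRIVY_*` keys present in the custom ConfigMap or Secret are replaced and all other keys keep the Helm-rendered values.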

0 comments on commit 693908e