update zora chart

undistro · Jun 6, 2024 · 481c5e8 · 481c5e8
1 parent 06b2e80
commit 481c5e8
Show file tree

Hide file tree

Showing 5 changed files with 11 additions and 5 deletions.
diff --git a/charts/zora/Chart.yaml b/charts/zora/Chart.yaml
@@ -17,7 +17,7 @@ name: zora
 description: A multi-plugin solution that reports misconfigurations and vulnerabilities by scanning your cluster at scheduled times.
 icon: https://zora-docs.undistro.io/v0.7/assets/logo.svg
 type: application
-version: 0.9.1
-appVersion: "v0.9.1"
+version: 0.9.2
+appVersion: "v0.9.2"
 sources:
  - https://github.com/undistro/zora
diff --git a/charts/zora/README.md b/charts/zora/README.md
@@ -1,6 +1,6 @@
 # Zora Helm Chart
 
-![Version: 0.9.1](https://img.shields.io/badge/Version-0.9.1-informational?style=flat-square&color=3CA9DD) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square&color=3CA9DD) ![AppVersion: v0.9.1](https://img.shields.io/badge/AppVersion-v0.9.1-informational?style=flat-square&color=3CA9DD)
+![Version: 0.9.2](https://img.shields.io/badge/Version-0.9.2-informational?style=flat-square&color=3CA9DD) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square&color=3CA9DD) ![AppVersion: v0.9.2](https://img.shields.io/badge/AppVersion-v0.9.2-informational?style=flat-square&color=3CA9DD)
 
 A multi-plugin solution that reports misconfigurations and vulnerabilities by scanning your cluster at scheduled times.
 
@@ -13,7 +13,7 @@ helm repo add undistro https://charts.undistro.io --force-update
 helm repo update undistro
 helm upgrade --install zora undistro/zora \
  -n zora-system \
- --version 0.9.1 \
+ --version 0.9.2 \
  --create-namespace \
  --wait \
  --set clusterName="$(kubectl config current-context)"
@@ -124,6 +124,7 @@ The following table lists the configurable parameters of the Zora chart and thei
 | scan.plugins.trivy.timeout | string | `"10m"` | Trivy timeout |
 | scan.plugins.trivy.insecure | bool | `false` | Allow insecure server connections for Trivy |
 | scan.plugins.trivy.persistence.enabled | bool | `true` | Specifies whether Trivy vulnerabilities database should be persisted between the scans, using PersistentVolumeClaim |
+| scan.plugins.trivy.persistence.fsGroup | int | `0` | Specifies the fsGroup to use when mounting the persistent volume |
 | scan.plugins.trivy.persistence.accessMode | string | `"ReadWriteOnce"` | [Persistence access mode](https://kubernetes.io/docs/concepts/storage/persistent-volumes/#access-modes) |
 | scan.plugins.trivy.persistence.storageClass | string | `""` | [Persistence storage class](https://kubernetes.io/docs/concepts/storage/storage-classes/). Set to empty for default storage class |
 | scan.plugins.trivy.persistence.storageRequest | string | `"1Gi"` | Persistence storage size |

diff --git a/charts/zora/templates/operator/deployment.yaml b/charts/zora/templates/operator/deployment.yaml
@@ -104,6 +104,7 @@ spec:
  - --cronjob-clusterrolebinding-name=zora-plugins-rolebinding
  - --cronjob-serviceaccount-name=zora-plugins
  - --trivy-db-pvc={{- if .Values.scan.plugins.trivy.persistence.enabled }}trivy-db-cache{{- end }}
+ - --trivy-db-fsgroup={{ .Values.scan.plugins.trivy.persistence.fsGroup }}
 {{- if .Values.scan.plugins.annotations}}
  - --cronjob-serviceaccount-annotations={{ $first := true }}{{- range $key, $value := .Values.scan.plugins.annotations }}{{if not $first}},{{else}}{{$first = false}}{{end}}{{ $key }}={{$value}}{{- end }}
 {{- end }}

diff --git a/charts/zora/templates/plugins/trivy-job.yaml b/charts/zora/templates/plugins/trivy-job.yaml
@@ -21,6 +21,8 @@ spec:
  ttlSecondsAfterFinished: 0
  template:
  spec:
+ securityContext:
+ fsGroup: 0
  volumes:
  - name: trivy-db
  persistentVolumeClaim:
@@ -52,7 +54,7 @@ spec:
  --download-java-db-only \
  {{- end }}
  --download-db-only \
- && chgrp -R 0 /tmp/trivy-cache/* && chmod -R g+rwX /tmp/trivy-cache/*
+ && chgrp -R {{ .Values.scan.plugins.trivy.persistence.fsGroup }} /tmp/trivy-cache/* && chmod -R g+rwX /tmp/trivy-cache/*
  env:
  - name: SSL_CERT_DIR
  value: "/etc/ssl/:/run/secrets/kubernetes.io/serviceaccount/"

diff --git a/charts/zora/values.yaml b/charts/zora/values.yaml
@@ -238,6 +238,8 @@ scan:
  persistence:
  # -- Specifies whether Trivy vulnerabilities database should be persisted between the scans, using PersistentVolumeClaim
  enabled: true
+ # -- Specifies the fsGroup to use when mounting the persistent volume
+ fsGroup: 0
  # -- [Persistence access mode](https://kubernetes.io/docs/concepts/storage/persistent-volumes/#access-modes)
  accessMode: ReadWriteOnce
  # -- [Persistence storage class](https://kubernetes.io/docs/concepts/storage/storage-classes/). Set to empty for default storage class