update zora chart

charts/zora/Chart.yaml

@@ -17,7 +17,7 @@ name: zora
 description: A multi-plugin solution that reports misconfigurations and vulnerabilities by scanning your cluster at scheduled times.
 icon: https://zora-docs.undistro.io/v0.7/assets/logo.svg
 type: application
-version: 0.8.1
-appVersion: "v0.8.1"
+version: 0.8.2-rc1
+appVersion: "v0.8.2-rc1"
 sources:
   - https://github.com/undistro/zora

charts/zora/README.md

@@ -1,6 +1,6 @@
 # Zora Helm Chart
 
-![Version: 0.8.1](https://img.shields.io/badge/Version-0.8.1-informational?style=flat-square&color=3CA9DD) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square&color=3CA9DD) ![AppVersion: v0.8.1](https://img.shields.io/badge/AppVersion-v0.8.1-informational?style=flat-square&color=3CA9DD)
+![Version: 0.8.2-rc1](https://img.shields.io/badge/Version-0.8.2--rc1-informational?style=flat-square&color=3CA9DD) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square&color=3CA9DD) ![AppVersion: v0.8.2-rc1](https://img.shields.io/badge/AppVersion-v0.8.2--rc1-informational?style=flat-square&color=3CA9DD)
 
 A multi-plugin solution that reports misconfigurations and vulnerabilities by scanning your cluster at scheduled times.
 
@@ -13,7 +13,7 @@ helm repo add undistro https://charts.undistro.io --force-update
 helm repo update undistro
 helm upgrade --install zora undistro/zora \
   -n zora-system \
-  --version 0.8.1 \
+  --version 0.8.2-rc1 \
   --create-namespace \
   --wait \
   --set clusterName="$(kubectl config current-context)"
@@ -108,17 +108,23 @@ The following table lists the configurable parameters of the Zora chart and thei
 | scan.plugins.marvin.podAnnotations | object | `{}` | Annotations added to the marvin pods |
 | scan.plugins.marvin.image.repository | string | `"ghcr.io/undistro/marvin"` | marvin plugin image repository |
 | scan.plugins.marvin.image.tag | string | `"v0.2.1"` | marvin plugin image tag |
+| scan.plugins.marvin.env | list | `[]` | List of environment variables to set in marvin container. |
+| scan.plugins.marvin.envFrom | list | `[]` | List of sources to populate environment variables in marvin container. |
 | scan.plugins.trivy.ignoreUnfixed | bool | `false` | Specifies whether only fixed vulnerabilities should be reported |
 | scan.plugins.trivy.ignoreDescriptions | bool | `false` | Specifies whether vulnerability descriptions should be ignored |
 | scan.plugins.trivy.resources | object | `{}` | [Resources](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers) to add to `trivy` container |
 | scan.plugins.trivy.podAnnotations | object | `{}` | Annotations added to the trivy pods |
 | scan.plugins.trivy.image.repository | string | `"ghcr.io/aquasecurity/trivy"` | trivy plugin image repository |
 | scan.plugins.trivy.image.tag | string | `"0.48.2"` | trivy plugin image tag |
+| scan.plugins.trivy.env | list | `[]` | List of environment variables to set in trivy container. |
+| scan.plugins.trivy.envFrom | list | `[]` | List of sources to populate environment variables in trivy container. |
 | scan.plugins.popeye.skipInternalResources | bool | `false` | Specifies whether the following resources should be skipped by `popeye` scans. 1. resources from `kube-system`, `kube-public` and `kube-node-lease` namespaces; 2. kubernetes system reserved RBAC (prefixed with `system:`); 3. `kube-root-ca.crt` configmaps; 4. `default` namespace; 5. `default` serviceaccounts; 6. Helm secrets (prefixed with `sh.helm.release`); 7. Zora components. See `popeye` configuration file that is used for this case: https://github.com/undistro/zora/blob/main/charts/zora/templates/plugins/popeye-config.yaml |
 | scan.plugins.popeye.resources | object | `{"limits":{"cpu":"500m","memory":"500Mi"},"requests":{"cpu":"250m","memory":"256Mi"}}` | [Resources](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers) to add to `popeye` container |
 | scan.plugins.popeye.podAnnotations | object | `{}` | Annotations added to the popeye pods |
 | scan.plugins.popeye.image.repository | string | `"ghcr.io/undistro/popeye"` | popeye plugin image repository |
 | scan.plugins.popeye.image.tag | string | `"v0.11.3"` | popeye plugin image tag |
+| scan.plugins.popeye.env | list | `[]` | List of environment variables to set in popeye container. |
+| scan.plugins.popeye.envFrom | list | `[]` | List of sources to populate environment variables in popeye container. |
 | kubexnsImage.repository | string | `"ghcr.io/undistro/kubexns"` | kubexns image repository |
 | kubexnsImage.tag | string | `"v0.1.2"` | kubexns image tag |
 | customChecksConfigMap | string | `"zora-custom-checks"` | Custom checks ConfigMap name |

charts/zora/templates/_helpers.tpl

@@ -84,7 +84,7 @@ Create the name of the service account to use in Operator
 {{- end }}
 
 {{- define "zora.clusterName" }}
-{{- regexReplaceAll "\\W+" (required "`clusterName` is required." .Values.clusterName) "-" }}
+{{- include "truncate.name" (dict "name" (regexReplaceAll "\\W+" (required "`clusterName` is required." .Values.clusterName) "-") "len" 63 ) }}
 {{- end }}
 
 {{- define "zora.hourlySchedule" }}
@@ -113,3 +113,20 @@ Create the name of the service account to use in Operator
 {{- define "zora.vulnSchedule" }}
 {{- default (include "zora.dailySchedule" .) .Values.scan.vulnerability.schedule }}
 {{- end }}
+
+{{/*
+Truncate a name to a specific length
+@param .name the name of the component
+@param .len the maximum length to return
+*/}}
+{{- define "truncate.name" }}
+{{- if gt (len .name) .len }}
+{{- $maxLen := int (sub .len 3) }}
+{{- $suffixLen := int (div $maxLen 2) }}
+{{- $prefixLen := int (sub $maxLen $suffixLen) }}
+{{- $suffixStart := int (sub (len .name) $suffixLen) }}
+{{- printf "%s---%s" (substr 0 $prefixLen .name) (substr $suffixStart (len .name) .name) }}
+{{- else }}
+{{- .name }}
+{{- end }}
+{{- end }}

charts/zora/templates/clusterscan/clusterscan.yaml

@@ -30,7 +30,8 @@ metadata:
   labels:
     zora.undistro.io/default: "true"
     {{- include "zora.labels" . | nindent 4 }}
-  name: {{ include "zora.clusterName" . }}-misconfig
+  name: {{ include "truncate.name" (dict "name" (printf "%s-misconfig" (include "zora.clusterName" .)) "len" 63 ) }}
+
 spec:
   clusterRef:
     name: {{ include "zora.clusterName" . }}
@@ -51,7 +52,7 @@ metadata:
   labels:
     zora.undistro.io/default: "true"
     {{- include "zora.labels" . | nindent 4 }}
-  name: {{ include "zora.clusterName" . }}-vuln
+  name: {{ include "truncate.name" (dict "name" (printf "%s-vuln" (include "zora.clusterName" .)) "len" 63 ) }}
 spec:
   clusterRef:
     name: {{ include "zora.clusterName" . }}

charts/zora/templates/plugins/marvin.yaml

@@ -30,6 +30,14 @@ spec:
     runAsNonRoot: true
     readOnlyRootFilesystem: true
     allowPrivilegeEscalation: false
+  {{- with .Values.scan.plugins.marvin.envFrom }}
+  envFrom:
+    {{- toYaml . | nindent 4}}
+  {{- end }}
+  {{- with .Values.scan.plugins.marvin.env }}
+  env:
+    {{- toYaml . | nindent 4}}
+  {{- end }}
   {{- if .Values.scan.plugins.marvin.podAnnotations }}
   annotations:
     {{- toYaml .Values.scan.plugins.marvin.podAnnotations | nindent 4 }}

charts/zora/templates/plugins/popeye.yaml

@@ -25,12 +25,21 @@ spec:
   resources:
     {{- toYaml .Values.scan.plugins.popeye.resources | nindent 4 }}
   {{- end }}
-{{- if .Values.scan.plugins.popeye.skipInternalResources }}
+  {{- if or .Values.scan.plugins.popeye.skipInternalResources .Values.scan.plugins.popeye.envFrom }}
   envFrom:
+  {{- end }}
+  {{- if or .Values.scan.plugins.popeye.skipInternalResources }}
     - configMapRef:
         name: popeye-config
         optional: true
-{{- end }}
+  {{- end }}
+    {{- with .Values.scan.plugins.popeye.envFrom }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+  {{- with .Values.scan.plugins.popeye.env }}
+  env:
+    {{- toYaml . | nindent 4}}
+  {{- end }}
   securityContext:
     runAsNonRoot: true
     allowPrivilegeEscalation: false

charts/zora/templates/plugins/trivy.yaml

@@ -28,9 +28,16 @@ spec:
   mountCustomChecksVolume: false
   securityContext:
     allowPrivilegeEscalation: false
+  {{- with .Values.scan.plugins.trivy.envFrom }}
+  envFrom:
+    {{- toYaml . | nindent 4}}
+  {{- end }}
   env:
     - name: TRIVY_IGNORE_VULN_DESCRIPTIONS
       value: {{ .Values.scan.plugins.trivy.ignoreDescriptions | quote }}
+    {{- with .Values.scan.plugins.trivy.env }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
     {{- if .Values.httpsProxy }}
     - name: HTTPS_PROXY
       value: {{ .Values.httpsProxy | quote }}

charts/zora/values.yaml

@@ -193,6 +193,10 @@ scan:
         repository: ghcr.io/undistro/marvin
         # -- marvin plugin image tag
         tag: v0.2.1
+      # -- List of environment variables to set in marvin container.
+      env: []
+      # -- List of sources to populate environment variables in marvin container.
+      envFrom: []
 
     trivy:
       # -- Specifies whether only fixed vulnerabilities should be reported
@@ -208,6 +212,20 @@ scan:
         repository: ghcr.io/aquasecurity/trivy
         # -- trivy plugin image tag
         tag: 0.48.2
+      # -- List of environment variables to set in trivy container.
+      env: []
+      #  - name: AWS_REGION
+      #    value: us-east-1
+      #  - name: TRIVY_PASSWORD
+      #    valueFrom:
+      #      secretKeyRef:
+      #        key: TRIVY_PASSWORD
+      #        name: trivy-password
+
+      # -- List of sources to populate environment variables in trivy container.
+      envFrom: []
+      #  - secretRef:
+      #      name: trivy-credentials
     popeye:
       # -- Specifies whether the following resources should be skipped by `popeye` scans.
       # 1. resources from `kube-system`, `kube-public` and `kube-node-lease` namespaces;
@@ -234,6 +252,10 @@ scan:
         repository: ghcr.io/undistro/popeye
         # -- popeye plugin image tag
         tag: v0.11.3
+      # -- List of environment variables to set in popeye container.
+      env: []
+      # -- List of sources to populate environment variables in popeye container.
+      envFrom: []
 
 kubexnsImage:
   # -- kubexns image repository