update zora chart

charts/zora/Chart.yaml

@@ -17,7 +17,7 @@ name: zora
 description: A multi-plugin solution that reports misconfigurations and vulnerabilities by scanning your cluster at scheduled times.
 icon: https://zora-docs.undistro.io/v0.7/assets/logo.svg
 type: application
-version: 0.8.0
-appVersion: "v0.8.0"
+version: 0.8.1-rc1
+appVersion: "v0.8.1-rc1"
 sources:
   - https://github.com/undistro/zora

charts/zora/README.md

@@ -1,6 +1,6 @@
 # Zora Helm Chart
 
-![Version: 0.8.0](https://img.shields.io/badge/Version-0.8.0-informational?style=flat-square&color=3CA9DD) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square&color=3CA9DD) ![AppVersion: v0.8.0](https://img.shields.io/badge/AppVersion-v0.8.0-informational?style=flat-square&color=3CA9DD)
+![Version: 0.8.1-rc1](https://img.shields.io/badge/Version-0.8.1--rc1-informational?style=flat-square&color=3CA9DD) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square&color=3CA9DD) ![AppVersion: v0.8.1-rc1](https://img.shields.io/badge/AppVersion-v0.8.1--rc1-informational?style=flat-square&color=3CA9DD)
 
 A multi-plugin solution that reports misconfigurations and vulnerabilities by scanning your cluster at scheduled times.
 
@@ -13,7 +13,7 @@ helm repo add undistro https://charts.undistro.io --force-update
 helm repo update undistro
 helm upgrade --install zora undistro/zora \
   -n zora-system \
-  --version 0.8.0 \
+  --version 0.8.1-rc1 \
   --create-namespace \
   --wait \
   --set clusterName="$(kubectl config current-context)"
@@ -103,21 +103,27 @@ The following table lists the configurable parameters of the Zora chart and thei
 | scan.vulnerability.plugins | list | `["trivy"]` | Vulnerability scanners plugins |
 | scan.worker.image.repository | string | `"ghcr.io/undistro/zora/worker"` | worker image repository |
 | scan.worker.image.tag | string | `""` | Overrides the image tag whose default is the chart appVersion |
+| scan.plugins.annotations | object | `{}` | Annotations added to the plugin service account |
 | scan.plugins.marvin.resources | object | `{"limits":{"cpu":"500m","memory":"500Mi"},"requests":{"cpu":"250m","memory":"256Mi"}}` | [Resources](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers) to add to `marvin` container |
+| scan.plugins.marvin.podAnnotations | object | `{}` | Annotations added to the marvin pods |
 | scan.plugins.marvin.image.repository | string | `"ghcr.io/undistro/marvin"` | marvin plugin image repository |
 | scan.plugins.marvin.image.tag | string | `"v0.2.1"` | marvin plugin image tag |
 | scan.plugins.trivy.ignoreUnfixed | bool | `false` | Specifies whether only fixed vulnerabilities should be reported |
 | scan.plugins.trivy.ignoreDescriptions | bool | `false` | Specifies whether vulnerability descriptions should be ignored |
 | scan.plugins.trivy.resources | object | `{}` | [Resources](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers) to add to `trivy` container |
+| scan.plugins.trivy.podAnnotations | object | `{}` | Annotations added to the trivy pods |
 | scan.plugins.trivy.image.repository | string | `"ghcr.io/aquasecurity/trivy"` | trivy plugin image repository |
 | scan.plugins.trivy.image.tag | string | `"0.48.2"` | trivy plugin image tag |
 | scan.plugins.popeye.skipInternalResources | bool | `false` | Specifies whether the following resources should be skipped by `popeye` scans. 1. resources from `kube-system`, `kube-public` and `kube-node-lease` namespaces; 2. kubernetes system reserved RBAC (prefixed with `system:`); 3. `kube-root-ca.crt` configmaps; 4. `default` namespace; 5. `default` serviceaccounts; 6. Helm secrets (prefixed with `sh.helm.release`); 7. Zora components. See `popeye` configuration file that is used for this case: https://github.com/undistro/zora/blob/main/charts/zora/templates/plugins/popeye-config.yaml |
 | scan.plugins.popeye.resources | object | `{"limits":{"cpu":"500m","memory":"500Mi"},"requests":{"cpu":"250m","memory":"256Mi"}}` | [Resources](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers) to add to `popeye` container |
+| scan.plugins.popeye.podAnnotations | object | `{}` | Annotations added to the popeye pods |
 | scan.plugins.popeye.image.repository | string | `"ghcr.io/undistro/popeye"` | popeye plugin image repository |
-| scan.plugins.popeye.image.tag | string | `"pr252"` | popeye plugin image tag |
+| scan.plugins.popeye.image.tag | string | `"v0.11.3"` | popeye plugin image tag |
 | kubexnsImage.repository | string | `"ghcr.io/undistro/kubexns"` | kubexns image repository |
 | kubexnsImage.tag | string | `"v0.1.2"` | kubexns image tag |
 | customChecksConfigMap | string | `"zora-custom-checks"` | Custom checks ConfigMap name |
+| httpsProxy | string | `""` | HTTPS proxy URL |
+| noProxy | string | `"kubernetes.default.svc.*,127.0.0.1,localhost"` | Comma-separated list of URL patterns to be excluded from going through the proxy |
 
 Specify each parameter using the `--set key=value[,key=value]` argument to `helm install`. For example,
 

charts/zora/crds/zora.undistro.io_plugins.yaml

@@ -58,6 +58,12 @@ spec:
           spec:
             description: PluginSpec defines the desired state of Plugin
             properties:
+              annotations:
+                additionalProperties:
+                  type: string
+                description: Annotations to set in plugin and worker containers. Cannot
+                  be updated.
+                type: object
               args:
                 description: 'Arguments to the entrypoint. The docker image''s CMD
                   is used if this is not provided. Variable references $(VAR_NAME)

charts/zora/templates/operator/deployment.yaml

@@ -59,6 +59,13 @@ spec:
           securityContext:
             {{- toYaml .Values.operator.rbacProxy.securityContext | nindent 12 }}
         - name: manager
+          {{- if .Values.httpsProxy }}
+          env:
+            - name: HTTPS_PROXY
+              value: {{ .Values.httpsProxy | quote }}
+            - name: NO_PROXY
+              value: {{ .Values.noProxy | quote }}
+          {{- end }}
           command:
             - /manager
           args:
@@ -74,6 +81,9 @@ spec:
             - --worker-image={{ printf "%s:%s" .Values.scan.worker.image.repository (.Values.scan.worker.image.tag | default .Chart.AppVersion) }}
             - --cronjob-clusterrolebinding-name=zora-plugins-rolebinding
             - --cronjob-serviceaccount-name=zora-plugins
+{{- if .Values.scan.plugins.annotations}}
+            - --cronjob-serviceaccount-annotations={{ $first := true }}{{- range $key, $value := .Values.scan.plugins.annotations }}{{if not $first}},{{else}}{{$first = false}}{{end}}{{ $key }}={{$value}}{{- end }}
+{{- end }}
             - --saas-workspace-id={{ .Values.saas.workspaceID }}
             - --saas-server={{ .Values.saas.server }}
             - --version={{ .Chart.Version }}

charts/zora/templates/plugins/marvin.yaml

@@ -30,6 +30,10 @@ spec:
     runAsNonRoot: true
     readOnlyRootFilesystem: true
     allowPrivilegeEscalation: false
+  {{- if .Values.scan.plugins.marvin.podAnnotations }}
+  annotations:
+    {{- toYaml .Values.scan.plugins.marvin.podAnnotations | nindent 4 }}
+  {{- end }}
   command:
     - /bin/sh
     - -c

charts/zora/templates/plugins/popeye.yaml

@@ -34,6 +34,10 @@ spec:
   securityContext:
     runAsNonRoot: true
     allowPrivilegeEscalation: false
+  {{- if .Values.scan.plugins.popeye.podAnnotations }}
+  annotations:
+    {{- toYaml .Values.scan.plugins.popeye.podAnnotations | nindent 4 }}
+  {{- end }}
   command:
     - /bin/sh
     - -c

charts/zora/templates/plugins/trivy.yaml

@@ -31,6 +31,16 @@ spec:
   env:
     - name: TRIVY_IGNORE_VULN_DESCRIPTIONS
       value: {{ .Values.scan.plugins.trivy.ignoreDescriptions | quote }}
+    {{- if .Values.httpsProxy }}
+    - name: HTTPS_PROXY
+      value: {{ .Values.httpsProxy | quote }}
+    - name: NO_PROXY
+      value: {{ .Values.noProxy | quote }}
+    {{- end }}
+  {{- if .Values.scan.plugins.trivy.podAnnotations }}
+  annotations:
+    {{- toYaml .Values.scan.plugins.trivy.podAnnotations | nindent 4 }}
+  {{- end }}
   command:
     - /bin/sh
     - -c

charts/zora/values.yaml

@@ -175,6 +175,8 @@ scan:
       # -- Overrides the image tag whose default is the chart appVersion
       tag: ""
   plugins:
+    # -- Annotations added to the plugin service account
+    annotations: {}
     marvin:
       # -- [Resources](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers) to add to `marvin` container
       resources:
@@ -184,6 +186,8 @@ scan:
         limits:
           cpu: 500m
           memory: 500Mi
+      # -- Annotations added to the marvin pods
+      podAnnotations: {}
       image:
         # -- marvin plugin image repository
         repository: ghcr.io/undistro/marvin
@@ -197,6 +201,8 @@ scan:
       ignoreDescriptions: false
       # -- [Resources](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers) to add to `trivy` container
       resources: {}
+      # -- Annotations added to the trivy pods
+      podAnnotations: {}
       image:
         # -- trivy plugin image repository
         repository: ghcr.io/aquasecurity/trivy
@@ -221,11 +227,13 @@ scan:
         limits:
           cpu: 500m
           memory: 500Mi
+      # -- Annotations added to the popeye pods
+      podAnnotations: {}
       image:
         # -- popeye plugin image repository
         repository: ghcr.io/undistro/popeye
         # -- popeye plugin image tag
-        tag: pr252
+        tag: v0.11.3
 
 kubexnsImage:
   # -- kubexns image repository
@@ -235,3 +243,8 @@ kubexnsImage:
 
 # -- Custom checks ConfigMap name
 customChecksConfigMap: zora-custom-checks
+
+# -- HTTPS proxy URL
+httpsProxy: ""
+# -- Comma-separated list of URL patterns to be excluded from going through the proxy
+noProxy: kubernetes.default.svc.*,127.0.0.1,localhost