update zora chart

undistro · Apr 3, 2024 · ec26ceb · ec26ceb
1 parent 4265759
commit ec26ceb
Show file tree

Hide file tree

Showing 7 changed files with 115 additions and 4 deletions.
diff --git a/charts/zora/Chart.yaml b/charts/zora/Chart.yaml
@@ -17,7 +17,7 @@ name: zora
 description: A multi-plugin solution that reports misconfigurations and vulnerabilities by scanning your cluster at scheduled times.
 icon: https://zora-docs.undistro.io/v0.7/assets/logo.svg
 type: application
-version: 0.8.4-rc3
-appVersion: "v0.8.4-rc3"
+version: 0.8.4-rc4
+appVersion: "v0.8.4-rc4"
 sources:
  - https://github.com/undistro/zora
diff --git a/charts/zora/README.md b/charts/zora/README.md
@@ -1,6 +1,6 @@
 # Zora Helm Chart
 
-![Version: 0.8.4-rc3](https://img.shields.io/badge/Version-0.8.4--rc3-informational?style=flat-square&color=3CA9DD) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square&color=3CA9DD) ![AppVersion: v0.8.4-rc3](https://img.shields.io/badge/AppVersion-v0.8.4--rc3-informational?style=flat-square&color=3CA9DD)
+![Version: 0.8.4-rc4](https://img.shields.io/badge/Version-0.8.4--rc4-informational?style=flat-square&color=3CA9DD) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square&color=3CA9DD) ![AppVersion: v0.8.4-rc4](https://img.shields.io/badge/AppVersion-v0.8.4--rc4-informational?style=flat-square&color=3CA9DD)
 
 A multi-plugin solution that reports misconfigurations and vulnerabilities by scanning your cluster at scheduled times.
 
@@ -13,7 +13,7 @@ helm repo add undistro https://charts.undistro.io --force-update
 helm repo update undistro
 helm upgrade --install zora undistro/zora \
  -n zora-system \
- --version 0.8.4-rc3 \
+ --version 0.8.4-rc4 \
  --create-namespace \
  --wait \
  --set clusterName="$(kubectl config current-context)"
@@ -120,6 +120,11 @@ The following table lists the configurable parameters of the Zora chart and thei
 | scan.plugins.trivy.envFrom | list | `[]` | List of sources to populate environment variables in trivy container. |
 | scan.plugins.trivy.timeout | string | `"10m"` | Trivy timeout |
 | scan.plugins.trivy.insecure | bool | `false` | Allow insecure server connections for Trivy |
+| scan.plugins.trivy.persistence.enabled | bool | `true` | Specifies whether Trivy vulnerabilities database should be persisted between the scans, using PersistentVolumeClaim |
+| scan.plugins.trivy.persistence.accessMode | string | `"ReadWriteOnce"` | Persistence access mode |
+| scan.plugins.trivy.persistence.storageClass | string | `""` | Persistence storage class. Let it empty for default storage class |
+| scan.plugins.trivy.persistence.storageRequest | string | `"1Gi"` | Persistence storage size |
+| scan.plugins.trivy.persistence.downloadJavaDB | bool | `false` | Specifies whether Java vulnerability database should be downloaded on helm install/upgrade |
 | scan.plugins.popeye.skipInternalResources | bool | `false` | Specifies whether the following resources should be skipped by `popeye` scans. 1. resources from `kube-system`, `kube-public` and `kube-node-lease` namespaces; 2. kubernetes system reserved RBAC (prefixed with `system:`); 3. `kube-root-ca.crt` configmaps; 4. `default` namespace; 5. `default` serviceaccounts; 6. Helm secrets (prefixed with `sh.helm.release`); 7. Zora components. See `popeye` configuration file that is used for this case: https://github.com/undistro/zora/blob/main/charts/zora/templates/plugins/popeye-config.yaml |
 | scan.plugins.popeye.resources | object | `{"limits":{"cpu":"500m","memory":"500Mi"},"requests":{"cpu":"250m","memory":"256Mi"}}` | [Resources](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers) to add to `popeye` container |
 | scan.plugins.popeye.podAnnotations | object | `{}` | Annotations added to the popeye pods |

diff --git a/charts/zora/templates/operator/deployment.yaml b/charts/zora/templates/operator/deployment.yaml
@@ -81,6 +81,7 @@ spec:
  - --worker-image={{ printf "%s:%s" .Values.scan.worker.image.repository (.Values.scan.worker.image.tag | default .Chart.AppVersion) }}
  - --cronjob-clusterrolebinding-name=zora-plugins-rolebinding
  - --cronjob-serviceaccount-name=zora-plugins
+ - --trivy-db-pvc={{- if .Values.scan.plugins.trivy.persistence.enabled }}trivy-db{{- else }}""{{- end }}
 {{- if .Values.scan.plugins.annotations}}
  - --cronjob-serviceaccount-annotations={{ $first := true }}{{- range $key, $value := .Values.scan.plugins.annotations }}{{if not $first}},{{else}}{{$first = false}}{{end}}{{ $key }}={{$value}}{{- end }}
 {{- end }}

diff --git a/charts/zora/templates/plugins/trivy-job.yaml b/charts/zora/templates/plugins/trivy-job.yaml
@@ -0,0 +1,63 @@
+# Copyright 2024 Undistro Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+{{- if .Values.scan.plugins.trivy.persistence.enabled }}
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: trivy-download-db
+spec:
+ ttlSecondsAfterFinished: 0
+ template:
+ spec:
+ volumes:
+ - name: trivy-db
+ persistentVolumeClaim:
+ claimName: trivy-db
+ containers:
+ - name: trivy-download-db
+ image: "{{ .Values.scan.plugins.trivy.image.repository }}:{{ .Values.scan.plugins.trivy.image.tag }}"
+ imagePullPolicy: IfNotPresent
+ securityContext:
+ allowPrivilegeEscalation: false
+ privileged: false
+ volumeMounts:
+ - mountPath: /tmp/trivy-cache
+ name: trivy-db
+ command:
+ - /bin/sh
+ - -c
+ - |
+ time trivy image \
+ --debug \
+ --no-progress \
+ --cache-dir=/tmp/trivy-cache \
+ {{- if .Values.scan.plugins.trivy.insecure }}
+ --insecure \
+ {{- end }}
+ {{- if .Values.scan.plugins.trivy.persistence.downloadJavaDB }}
+ --download-java-db-only \
+ {{- end }}
+ --download-db-only
+ env:
+ - name: SSL_CERT_DIR
+ value: "/etc/ssl/:/run/secrets/kubernetes.io/serviceaccount/"
+ {{- if .Values.httpsProxy }}
+ - name: HTTPS_PROXY
+ value: {{ .Values.httpsProxy | quote }}
+ - name: NO_PROXY
+ value: {{ .Values.noProxy | quote }}
+ {{- end }}
+ restartPolicy: OnFailure
+{{- end }}
diff --git a/charts/zora/templates/plugins/trivy-pvc.yaml b/charts/zora/templates/plugins/trivy-pvc.yaml
@@ -0,0 +1,29 @@
+# Copyright 2024 Undistro Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+{{- if .Values.scan.plugins.trivy.persistence.enabled }}
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+ name: trivy-db
+spec:
+ {{- if .Values.scan.plugins.trivy.persistence.storageClass }}
+ storageClassName: {{ .Values.scan.plugins.trivy.persistence.storageClass | quote }}
+ {{- end }}
+ accessModes:
+ - {{ .Values.scan.plugins.trivy.persistence.accessMode }}
+ resources:
+ requests:
+ storage: {{ .Values.scan.plugins.trivy.persistence.storageRequest | quote }}
+{{- end }}
diff --git a/charts/zora/templates/plugins/trivy.yaml b/charts/zora/templates/plugins/trivy.yaml
@@ -28,6 +28,7 @@ spec:
  mountCustomChecksVolume: false
  securityContext:
  allowPrivilegeEscalation: false
+ privileged: false
  {{- with .Values.scan.plugins.trivy.envFrom }}
  envFrom:
  {{- toYaml . | nindent 4}}

diff --git a/charts/zora/values.yaml b/charts/zora/values.yaml
@@ -229,6 +229,18 @@ scan:
  # -- Allow insecure server connections for Trivy
  insecure: false
 
+ persistence:
+ # -- Specifies whether Trivy vulnerabilities database should be persisted between the scans, using PersistentVolumeClaim
+ enabled: true
+ # -- Persistence access mode
+ accessMode: ReadWriteOnce
+ # -- Persistence storage class. Let it empty for default storage class
+ storageClass: ""
+ # -- Persistence storage size
+ storageRequest: 1Gi
+ # -- Specifies whether Java vulnerability database should be downloaded on helm install/upgrade
+ downloadJavaDB: false
+
  popeye:
  # -- Specifies whether the following resources should be skipped by `popeye` scans.
  # 1. resources from `kube-system`, `kube-public` and `kube-node-lease` namespaces;