
chore(chart-deps): update trivy-operator to version 0.29.0 #2230

Closed
wants to merge 16 commits into from
4839af5
chore(chart-deps): update trivy-operator to version 0.29.0
svcAPLBot Jun 12, 2025
ef5220d
Merge remote-tracking branch 'origin/main' into ci-update-trivy-opera…
svcAPLBot Jun 12, 2025
6d78fa9
Merge remote-tracking branch 'origin/main' into ci-update-trivy-opera…
svcAPLBot Jun 12, 2025
5b1211c
Merge remote-tracking branch 'origin/main' into ci-update-trivy-opera…
svcAPLBot Jun 12, 2025
9a03783
Merge remote-tracking branch 'origin/main' into ci-update-trivy-opera…
svcAPLBot Jun 12, 2025
07abbe4
Merge remote-tracking branch 'origin/main' into ci-update-trivy-opera…
svcAPLBot Jun 13, 2025
7ad341d
Merge remote-tracking branch 'origin/main' into ci-update-trivy-opera…
svcAPLBot Jun 13, 2025
cc944c1
Merge remote-tracking branch 'origin/main' into ci-update-trivy-opera…
svcAPLBot Jun 16, 2025
ff7a5a4
Merge remote-tracking branch 'origin/main' into ci-update-trivy-opera…
svcAPLBot Jun 16, 2025
0675dd6
Merge remote-tracking branch 'origin/main' into ci-update-trivy-opera…
svcAPLBot Jun 17, 2025
b7c4e0f
Merge remote-tracking branch 'origin/main' into ci-update-trivy-opera…
svcAPLBot Jun 17, 2025
1d58f73
Merge remote-tracking branch 'origin/main' into ci-update-trivy-opera…
svcAPLBot Jun 18, 2025
fb7514f
Merge remote-tracking branch 'origin/main' into ci-update-trivy-opera…
svcAPLBot Jun 18, 2025
03b92d5
Merge remote-tracking branch 'origin/main' into ci-update-trivy-opera…
svcAPLBot Jun 18, 2025
f21caca
Merge remote-tracking branch 'origin/main' into ci-update-trivy-opera…
svcAPLBot Jun 19, 2025
5e53fab
Merge remote-tracking branch 'origin/main' into ci-update-trivy-opera…
svcAPLBot Jun 19, 2025
2 changes: 1 addition & 1 deletion chart/chart-index/Chart.yaml
Expand Up @@ -109,7 +109,7 @@ dependencies:
version: 15.7.25
repository: https://charts.bitnami.com/bitnami
- name: trivy-operator
version: 0.25.0
version: 0.29.0
repository: https://aquasecurity.github.io/helm-charts/
- name: velero
version: 5.4.1
35 changes: 8 additions & 27 deletions charts/trivy-operator/Chart.yaml
@@ -1,31 +1,12 @@
apiVersion: v2
name: trivy-operator
appVersion: 0.27.0
description: Keeps security report resources updated
type: application

# This is the chart version. This version number should be incremented each time you make changes
# to the chart and its templates, including the app version.
# Versions are expected to follow Semantic Versioning (https://semver.org/)
version: 0.25.0

# This is the version number of the application being deployed. This version number should be
# incremented each time you make changes to the application. Versions are not expected to
# follow Semantic Versioning. They should reflect the version the application is using.
appVersion: 0.23.0

# kubeVersion: A SemVer range of compatible Kubernetes versions (optional)

keywords:
- aquasecurity
- trivyoperator
- trivy
# home: https://github.com/aquasecurity/trivy-operator
- aquasecurity
- trivyoperator
- trivy
name: trivy-operator
sources:
- https://github.com/aquasecurity/trivy-operator
# maintainers: # (optional)
# - name: The maintainers name (required for each maintainer)
# email: The maintainers email (optional for each maintainer)
# url: A URL for the maintainer (optional for each maintainer)
# icon: A URL to an SVG or PNG image to be used as an icon (optional).
# annotations:
# example: A list of annotations keyed by name (optional).
- https://github.com/aquasecurity/trivy-operator
type: application
version: 0.29.0
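Review bot: the PR title says "trivy-operator 0.29.0", but 0.29.0 is the chart version; the operator itself moves from appVersion 0.23.0 to 0.27.0, and the Trivy scanner image moves separately in values (see the README hunk below). Please spell out both in the PR description so nobody expects an operator 0.29.0 image. Dropping the scaffold comments (`# kubeVersion`, `# maintainers`, `# annotations`) is fine; the resulting Chart.yaml is the upstream layout.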
12 changes: 9 additions & 3 deletions charts/trivy-operator/README.md
@@ -1,6 +1,6 @@
# trivy-operator

![Version: 0.25.0](https://img.shields.io/badge/Version-0.25.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 0.23.0](https://img.shields.io/badge/AppVersion-0.23.0-informational?style=flat-square)
![Version: 0.29.0](https://img.shields.io/badge/Version-0.29.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 0.27.0](https://img.shields.io/badge/AppVersion-0.27.0-informational?style=flat-square)

Keeps security report resources updated

Expand All @@ -13,14 +13,17 @@ Keeps security report resources updated
| Key | Type | Default | Description |
|-----|------|---------|-------------|
| affinity | object | `{}` | affinity set the operator affinity |
| alternateReportStorage | object | `{"enabled":false,"mountPath":"/mnt/data/trivy-operator","podSecurityContext":{"fsGroup":10000,"runAsUser":10000},"storage":"10Gi","volumeName":"trivy-operator-pvc"}` | alternateReportStorage is the flag to enable alternate storage for all trivy reports (crds) in the form json files inside of a persistent volume |
| automountServiceAccountToken | bool | `true` | automountServiceAccountToken the flag to enable automount for service account token |
| compliance.cron | string | `"0 */6 * * *"` | cron this flag control the cron interval for compliance report generation |
| compliance.failEntriesLimit | int | `10` | failEntriesLimit the flag to limit the number of fail entries per control check in the cluster compliance detail report this limit is for preventing the report from being too large per control checks |
| compliance.reportType | string | `"summary"` | reportType this flag control the type of report generated (summary or all) |
| compliance.specs | list | `["k8s-cis-1.23","k8s-nsa-1.0","k8s-pss-baseline-0.1","k8s-pss-restricted-0.1"]` | specs is a list of compliance specs to be used by the cluster compliance scanner - k8s-cis-1.23 - k8s-nsa-1.0 - k8s-pss-baseline-0.1 - k8s-pss-restricted-0.1 - eks-cis-1.4 - rke2-cis-1.24 |
| excludeNamespaces | string | `""` | excludeNamespaces is a comma separated list of namespaces (or glob patterns) to be excluded from scanning. Only applicable in the all namespaces install mode, i.e. when the targetNamespaces values is a blank string. |
| extraEnv | list | `[]` | extraEnv is a list of extra environment variables for the trivy-operator. |
| fullnameOverride | string | `""` | fullnameOverride override operator full name |
| global | object | `{"image":{"registry":""}}` | global values provide a centralized configuration for 'image.registry', reducing the potential for errors. If left blank, the chart will default to the individually set 'image.registry' values |
| hostAliases | list | `[]` | hostAliases for `deployment` (TrivyOperator) and `statefulset` (TrivyServer) |
| image.pullPolicy | string | `"IfNotPresent"` | pullPolicy set the operator pullPolicy |
| image.pullSecrets | list | `[]` | pullSecrets set the operator pullSecrets |
| image.registry | string | `"mirror.gcr.io"` | |
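Review bot: the `alternateReportStorage` default carries its own `podSecurityContext` (`runAsUser`/`fsGroup` 10000) and a `10Gi` PVC, and enabling it changes the operator pod's security context in deployment.yaml; the description should say that, since it is more than a storage toggle. `hostAliases` is rendered into both the operator deployment and the trivy-server statefulset and overrides DNS for those pods via `/etc/hosts`; a wrong entry silently redirects registry and DB lookups, so the description should mention that it applies to both workloads.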
Expand Down Expand Up @@ -127,13 +130,15 @@ Keeps security report resources updated
| trivy.additionalVulnerabilityReportFields | string | `""` | additionalVulnerabilityReportFields is a comma separated list of additional fields which can be added to the VulnerabilityReport. Supported parameters: Description, Links, CVSS, Target, Class, PackagePath and PackageType |
| trivy.clientServerSkipUpdate | bool | `false` | clientServerSkipUpdate is the flag to enable skip databases update for Trivy client. Only applicable in ClientServer mode. |
| trivy.command | string | `"image"` | command. One of `image`, `filesystem` or `rootfs` scanning, depending on the target type required for the scan. For 'filesystem' and `rootfs` scanning, ensure that the `trivyOperator.scanJobPodTemplateContainerSecurityContext` is configured to run as the root user (runAsUser = 0). |
| trivy.configFile | string | `nil` | configFile can be used to tell Trivy to use specific options available only in the config file (e.g. Mirror registries). |
| trivy.createConfig | bool | `true` | createConfig indicates whether to create config objects |
| trivy.dbRegistry | string | `"mirror.gcr.io"` | |
| trivy.dbRepository | string | `"aquasec/trivy-db"` | |
| trivy.dbRepositoryInsecure | string | `"false"` | The Flag to enable insecure connection for downloading trivy-db via proxy (air-gaped env) |
| trivy.dbRepositoryPassword | string | `nil` | The password for dbRepository authentication |
| trivy.dbRepositoryUsername | string | `nil` | The username for dbRepository authentication |
| trivy.debug | bool | `false` | debug One of `true` or `false`. Enables debug mode. |
| trivy.existingSecret | bool | `false` | existingSecret if a secret containing gitHubToken, serverToken or serverCustomHeaders has been created outside the chart (e.g external-secrets, sops, etc...). Keys must be at least one of the following: trivy.githubToken, trivy.serverToken, trivy.serverCustomHeaders Overrides trivy.gitHubToken, trivy.serverToken, trivy.serverCustomHeaders values. Note: The secret has to be named "trivy-operator-trivy-config". |
| trivy.externalRegoPoliciesEnabled | bool | `false` | The Flag to enable the usage of external rego policies config-map, this should be used when the user wants to use their own rego policies |
| trivy.filesystemScanCacheDir | string | `"/var/trivyoperator/trivy-db"` | filesystemScanCacheDir the flag to set custom path for trivy filesystem scan `cache-dir` parameter. Only applicable in filesystem scan mode. |
| trivy.githubToken | string | `nil` | githubToken is the GitHub access token used by Trivy to download the vulnerabilities database from GitHub. Only applicable in Standalone mode. |
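Review bot: `trivy.dbRepositoryUsername` and `trivy.dbRepositoryPassword` are documented as plain values; confirm the template renders them into a Secret rather than into the `trivy-operator-trivy-config` ConfigMap, since this diff only shows the ConfigMap side (templates/configmaps/trivy.yaml). Two style points in the same rows: `trivy.dbRepositoryInsecure` is typed `string` with default `"false"` where sibling flags are `bool`, and "air-gaped" should read "air-gapped".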
Expand All @@ -145,7 +150,7 @@ Keeps security report resources updated
| trivy.image.pullPolicy | string | `"IfNotPresent"` | pullPolicy is the imge pull policy used for trivy image , valid values are (Always, Never, IfNotPresent) |
| trivy.image.registry | string | `"mirror.gcr.io"` | registry of the Trivy image |
| trivy.image.repository | string | `"aquasec/trivy"` | repository of the Trivy image |
| trivy.image.tag | string | `"0.57.1"` | tag version of the Trivy image |
| trivy.image.tag | string | `"0.63.0"` | tag version of the Trivy image |
| trivy.imageScanCacheDir | string | `"/tmp/trivy/.cache"` | imageScanCacheDir the flag to set custom path for trivy image scan `cache-dir` parameter. Only applicable in image scan mode. |
| trivy.includeDevDeps | bool | `false` | includeDevDeps include development dependencies in the report (supported: npm, yarn) (default: false) note: this flag is only applicable when trivy.command is set to filesystem |
| trivy.insecureRegistries | object | `{}` | The registry to which insecure connections are allowed. There can be multiple registries with different keys. |
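Review bot: `trivy.image.tag` jumps from `0.57.1` to `0.63.0`, which is a larger step than the chart version suggests; please link the upstream Trivy release notes in the PR description so the scanner-behaviour changes (DB format, defaults) can be reviewed alongside the chart bump.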
Expand Down Expand Up @@ -195,7 +200,7 @@ Keeps security report resources updated
| trivyOperator.policiesConfig | string | `""` | policiesConfig Custom Rego Policies to be used by the config audit scanner See https://github.com/aquasecurity/trivy-operator/blob/main/docs/tutorials/writing-custom-configuration-audit-policies.md for more details. |
| trivyOperator.reportRecordFailedChecksOnly | bool | `true` | reportRecordFailedChecksOnly flag is to record only failed checks on misconfiguration reports (config-audit and rbac assessment) |
| trivyOperator.reportResourceLabels | string | `""` | reportResourceLabels comma-separated scanned resource labels which the user wants to include in the Prometheus metrics report. Example: `owner,app` |
| trivyOperator.scanJobAffinity | list | `[]` | scanJobAffinity affinity to be applied to the scanner pods and node-collector |
| trivyOperator.scanJobAffinity | object | `{}` | scanJobAffinity affinity to be applied to the scanner pods and node-collector |
| trivyOperator.scanJobAnnotations | string | `""` | scanJobAnnotations comma-separated representation of the annotations which the user wants the scanner jobs and pods to be annotated with. Example: `foo=bar,env=stage` will annotate the scanner jobs and pods with the annotations `foo: bar` and `env: stage` |
| trivyOperator.scanJobAutomountServiceAccountToken | bool | `false` | scanJobAutomountServiceAccountToken the flag to enable automount for service account token on scan job |
| trivyOperator.scanJobCompressLogs | bool | `true` | scanJobCompressLogs control whether scanjob output should be compressed or plain |
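Review bot: `trivyOperator.scanJobAffinity` changes type from `list` (default `[]`) to `object` (default `{}`); any existing values file that passes a list will now fail to render. This is a breaking change for consumers and should be flagged in the release notes with the new expected shape.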
Expand All @@ -207,6 +212,7 @@ Keeps security report resources updated
| trivyOperator.scanJobPodTemplateLabels | string | `""` | scanJobPodTemplateLabels comma-separated representation of the labels which the user wants the scanner pods to be labeled with. Example: `foo=bar,env=stage` will labeled the scanner pods with the labels `foo: bar` and `env: stage` |
| trivyOperator.scanJobPodTemplatePodSecurityContext | object | `{}` | scanJobPodTemplatePodSecurityContext podSecurityContext the user wants the scanner and node collector pods to be amended with. Example: RunAsUser: 10000 RunAsGroup: 10000 RunAsNonRoot: true |
| trivyOperator.scanJobTolerations | list | `[]` | scanJobTolerations tolerations to be applied to the scanner pods so that they can run on nodes with matching taints |
| trivyOperator.scanJobsInSameNamespace | bool | `false` | scanJobsInSameNamespace control whether to run vulnerability scan jobs in same namespace of workload |
| trivyOperator.skipInitContainers | bool | `false` | skipInitContainers when this flag is set to true, the initContainers will be skipped for the scanner and node collector pods |
| trivyOperator.skipResourceByLabels | string | `""` | skipResourceByLabels comma-separated labels keys which trivy-operator will skip scanning on resources with matching labels |
| trivyOperator.useGCRServiceAccount | bool | `true` | useGCRServiceAccount the flag to enable the usage of GCR service account for scanning images in GCR |
1 change: 1 addition & 0 deletions charts/trivy-operator/templates/configmaps/operator.yaml
Expand Up @@ -66,6 +66,7 @@ data:
{{- end }}
{{- if or .Values.operator.vulnerabilityScannerEnabled .Values.operator.exposedSecretScannerEnabled .Values.operator.scannerReportTTL }}
vulnerabilityReports.scanner: {{ .Values.trivyOperator.vulnerabilityReportsPlugin | quote }}
vulnerabilityReports.scanJobsInSameNamespace: {{ .Values.trivyOperator.scanJobsInSameNamespace | quote }}
{{- end }}
{{- if .Values.operator.configAuditScannerEnabled }}
configAuditReports.scanner: {{ .Values.trivyOperator.configAuditReportsPlugin | quote }}
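Review bot: `vulnerabilityReports.scanJobsInSameNamespace` places scanner pods in the workload's namespace. The README hunk above notes that `filesystem`/`rootfs` scanning requires the scan job pod to run as root (`runAsUser = 0`), so with this flag on those pods must pass each application namespace's Pod Security admission; that interaction is worth a sentence in the value's description.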
Expand Up @@ -5,6 +5,9 @@ metadata:
namespace: {{ include "trivy-operator.namespace" . }}
labels: {{- include "trivy-operator.labels" . | nindent 4 }}
data:
{{- if .Values.alternateReportStorage.enabled }}
trivy.reportDir: "{{ .Values.alternateReportStorage.mountPath }}"
{{- end }}
OPERATOR_LOG_DEV_MODE: {{ .Values.operator.logDevMode | quote }}
OPERATOR_SCAN_JOB_TTL: {{ .Values.operator.scanJobTTL | quote }}
OPERATOR_SCAN_JOB_TIMEOUT: {{ .Values.operator.scanJobTimeout | quote }}
1 change: 1 addition & 0 deletions charts/trivy-operator/templates/configmaps/trivy.yaml
Expand Up @@ -128,6 +128,7 @@ data:
TRIVY_DEBUG: {{ .Values.trivy.debug | quote }}
TRIVY_SKIP_DB_UPDATE: "false"
TRIVY_DB_REPOSITORY: "{{ .Values.trivy.dbRegistry }}/{{ .Values.trivy.dbRepository }}"
TRIVY_JAVA_DB_REPOSITORY: "{{ .Values.trivy.javaDbRegistry }}/{{ .Values.trivy.javaDbRepository }}"
TRIVY_INSECURE: "{{ .Values.operator.builtInServerRegistryInsecure }}"
{{- end }}
{{- end }}
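Review bot: the new `TRIVY_JAVA_DB_REPOSITORY` line reads `.Values.trivy.javaDbRegistry` and `.Values.trivy.javaDbRepository`, neither of which appears in the README value rows included in this diff; confirm both exist in values.yaml with defaults, otherwise the ConfigMap renders `TRIVY_JAVA_DB_REPOSITORY: "/"` and Java DB downloads fail at scan time.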
40 changes: 38 additions & 2 deletions charts/trivy-operator/templates/deployment.yaml
Expand Up @@ -6,7 +6,7 @@ metadata:
{{- with .Values.operator.annotations }}
annotations: {{- toYaml . | nindent 4 }}
{{- end }}
labels:
labels:
{{- include "trivy-operator.labels" . | nindent 4 }}
{{- with .Values.operator.labels }}
{{- toYaml . | nindent 4 }}
Expand All @@ -31,6 +31,10 @@ spec:
{{- toYaml . | nindent 8 }}
{{- end }}
spec:
{{- if .Values.hostAliases }}
hostAliases:
{{- toYaml .Values.hostAliases | nindent 8 }}
{{- end }}
serviceAccountName: {{ include "trivy-operator.serviceAccountName" . }}
automountServiceAccountToken: {{ .Values.automountServiceAccountToken }}
containers:
Expand All @@ -50,6 +54,15 @@ spec:
value: {{ tpl .Values.targetWorkloads . | quote }}
- name: OPERATOR_SERVICE_ACCOUNT
value: {{ include "trivy-operator.serviceAccountName" . | quote }}
{{- with .Values.extraEnv }}
{{- toYaml . | nindent 12 }}
{{- end }}
{{- if .Values.alternateReportStorage.enabled }}
- name: OPERATOR_ALTERNATE_REPORT_STORAGE_ENABLED
value: "true"
- name: OPERATOR_ALTERNATE_REPORT_STORAGE_DIR
value: {{ .Values.alternateReportStorage.mountPath | quote }}
{{- end }}
envFrom:
- configMapRef:
name: trivy-operator-config
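Review bot: `extraEnv` is spliced verbatim into the container `env` list, so a values file that passes tokens as literal `value:` entries puts them in the pod spec in clear text; the README row for `extraEnv` should point users at `valueFrom.secretKeyRef` for anything sensitive. `OPERATOR_ALTERNATE_REPORT_STORAGE_ENABLED: "true"` is only emitted when the feature is on, which matches the ConfigMap's `trivy.reportDir` handling above.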
Expand Down Expand Up @@ -91,15 +104,38 @@ spec:
{{- with .Values.volumeMounts }}
volumeMounts: {{- toYaml . | nindent 12 }}
{{- end }}
{{- if .Values.alternateReportStorage.enabled }}
{{- if not .Values.volumeMounts }}
volumeMounts:
{{- end }}
- name: {{ .Values.alternateReportStorage.volumeName }}
mountPath: {{ .Values.alternateReportStorage.mountPath }}
{{- end }}
{{- with .Values.image.pullSecrets }}
imagePullSecrets: {{- toYaml . | nindent 8 }}
{{- end }}
{{- if or (not (empty .Values.podSecurityContext)) .Values.alternateReportStorage.enabled }}
securityContext:
{{- with .Values.podSecurityContext }}
securityContext: {{- toYaml . | nindent 8 }}
{{ toYaml . | nindent 8 }}
{{- end }}
# ── but only add runAsUser/fsGroup if alternateReportStorage is on ─────────
{{- if .Values.alternateReportStorage.enabled }}
runAsUser: {{ .Values.alternateReportStorage.podSecurityContext.runAsUser }}
fsGroup: {{ .Values.alternateReportStorage.podSecurityContext.fsGroup }}
{{- end }}
{{- end }}
{{- with .Values.volumes }}
volumes: {{- toYaml . | nindent 8 }}
{{- end }}
{{- if .Values.alternateReportStorage.enabled }}
{{- if not .Values.volumes }}
volumes:
{{- end }}
- name: {{ .Values.alternateReportStorage.volumeName }}
persistentVolumeClaim:
claimName: {{ .Values.alternateReportStorage.volumeName }}
{{- end }}
{{- with .Values.nodeSelector }}
nodeSelector: {{- toYaml . | nindent 8 }}
{{- end }}
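Review bot: in the `securityContext` block, `runAsUser` and `fsGroup` from `alternateReportStorage.podSecurityContext` are emitted after `{{ toYaml . | nindent 8 }}` of `.Values.podSecurityContext`, so a values file that already sets either key yields duplicate mapping keys and the render either fails or silently keeps one value. Merge the two maps before serialising instead, for example `{{- toYaml (merge (deepCopy .Values.podSecurityContext) .Values.alternateReportStorage.podSecurityContext) | nindent 8 }}`, and drop the separate key lines. Two smaller points: `{{ toYaml . | nindent 8 }}` without the leading `-` leaves an extra indented blank line in the output, and the `# ── but only add runAsUser/fsGroup ... ─────────` line is rendered into the manifest as a YAML comment; a `{{/* ... */}}` template comment keeps it out of the deployed object.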
13 changes: 13 additions & 0 deletions charts/trivy-operator/templates/pvc.yaml
@@ -0,0 +1,13 @@
{{- if .Values.alternateReportStorage.enabled }}
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: {{ .Values.alternateReportStorage.volumeName }}
namespace: trivy-system
spec:
accessModes:
- ReadWriteOnce
resources:
requests:
storage: {{ .Values.alternateReportStorage.storage }}
{{- end }}
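Review bot: `namespace: trivy-system` is hard-coded while the other templates in this chart use `{{ include "trivy-operator.namespace" . }}` (see the ConfigMap hunk above); if the release is installed elsewhere the PVC lands in `trivy-system` and the deployment's `persistentVolumeClaim.claimName` never resolves, leaving the operator pod Pending. The PVC also lacks the `labels: {{- include "trivy-operator.labels" . | nindent 4 }}` block the other resources carry, which matters for anyone selecting chart resources by label.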
1 change: 1 addition & 0 deletions charts/trivy-operator/templates/rbac/role.yaml
Expand Up @@ -23,4 +23,5 @@ rules:
- create
- get
- delete
- update
{{- end }}
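Review bot: the added `update` verb lands in a rule whose `apiGroups`/`resources` are outside the visible context; confirm it is scoped to the single resource that now needs in-place updates rather than the rule's full resource set, and add a one-line comment naming the operator feature that requires it so later RBAC audits can tell intended from accidental privilege.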
2 changes: 1 addition & 1 deletion charts/trivy-operator/templates/specs/eks-cis-1.4.yaml
Expand Up @@ -6,7 +6,7 @@ metadata:
labels:
app.kubernetes.io/name: trivy-operator
app.kubernetes.io/instance: trivy-operator
app.kubernetes.io/version: 0.23.0
app.kubernetes.io/version: 0.27.0
app.kubernetes.io/managed-by: kubectl
spec:
cron: {{ .Values.compliance.cron | quote }}
2 changes: 1 addition & 1 deletion charts/trivy-operator/templates/specs/k8s-cis-1.23.yaml
Expand Up @@ -6,7 +6,7 @@ metadata:
labels:
app.kubernetes.io/name: trivy-operator
app.kubernetes.io/instance: trivy-operator
app.kubernetes.io/version: 0.23.0
app.kubernetes.io/version: 0.27.0
app.kubernetes.io/managed-by: kubectl
spec:
cron: {{ .Values.compliance.cron | quote }}
2 changes: 1 addition & 1 deletion charts/trivy-operator/templates/specs/k8s-nsa-1.0.yaml
Expand Up @@ -7,7 +7,7 @@ metadata:
labels:
app.kubernetes.io/name: trivy-operator
app.kubernetes.io/instance: trivy-operator
app.kubernetes.io/version: 0.23.0
app.kubernetes.io/version: 0.27.0
app.kubernetes.io/managed-by: kubectl
spec:
cron: {{ .Values.compliance.cron | quote}}
Expand Up @@ -7,7 +7,7 @@ metadata:
labels:
app.kubernetes.io/name: trivy-operator
app.kubernetes.io/instance: trivy-operator
app.kubernetes.io/version: 0.23.0
app.kubernetes.io/version: 0.27.0
app.kubernetes.io/managed-by: kubectl
spec:
cron: {{ .Values.compliance.cron | quote}}
Expand Up @@ -7,7 +7,7 @@ metadata:
labels:
app.kubernetes.io/name: trivy-operator
app.kubernetes.io/instance: trivy-operator
app.kubernetes.io/version: 0.23.0
app.kubernetes.io/version: 0.27.0
app.kubernetes.io/managed-by: kubectl
spec:
cron: {{ .Values.compliance.cron | quote}}
2 changes: 1 addition & 1 deletion charts/trivy-operator/templates/specs/rke2-cis-1.24.yaml
Expand Up @@ -7,7 +7,7 @@ metadata:
labels:
app.kubernetes.io/name: trivy-operator
app.kubernetes.io/instance: trivy-operator
app.kubernetes.io/version: 0.23.0
app.kubernetes.io/version: 0.27.0
app.kubernetes.io/managed-by: kubectl
spec:
cron: {{ .Values.compliance.cron | quote}}
Expand Up @@ -46,6 +46,10 @@ spec:
app.kubernetes.io/name: trivy-server
app.kubernetes.io/instance: trivy-server
spec:
{{- if .Values.hostAliases }}
hostAliases:
{{- toYaml .Values.hostAliases | nindent 8 }}
{{- end }}
{{- with .Values.trivy.priorityClassName }}
priorityClassName: {{ . }}
{{- end }}