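{{- if .Values.trivy.enabled }}
{{- /*
StatefulSet for the Trivy scanner adapter. Rendered only when trivy.enabled is set.
$trivy is a shorthand for the persistence.persistentVolumeClaim.trivy values that the
volumes and volumeClaimTemplates sections below read.
*/}}
{{- $trivy := .Values.persistence.persistentVolumeClaim.trivy }}
apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: {{ template "harbor.trivy" . }}
  labels:
{{ include "harbor.labels" . | indent 4 }}
    component: trivy
spec:
  replicas: {{ .Values.trivy.replicas }}
  serviceName: {{ template "harbor.trivy" . }}
  selector:
    matchLabels:
{{ include "harbor.matchLabels" . | indent 6 }}
      component: trivy
  template:
    metadata:
      labels:
{{ include "harbor.labels" . | indent 8 }}
        component: trivy
{{- if .Values.trivy.podLabels }}
{{ toYaml .Values.trivy.podLabels | indent 8 }}
{{- end }}
      annotations:
        {{- /* Hashes of the rendered secret and TLS templates are part of the pod template,
               so a change to either rendered template changes the pod spec. */}}
        checksum/secret: {{ include (print $.Template.BasePath "/trivy/trivy-secret.yaml") . | sha256sum }}
{{- if and .Values.internalTLS.enabled (eq .Values.internalTLS.certSource "auto") }}
        checksum/tls: {{ include (print $.Template.BasePath "/internal/auto-tls.yaml") . | sha256sum }}
{{- else if and .Values.internalTLS.enabled (eq .Values.internalTLS.certSource "manual") }}
        checksum/tls: {{ include (print $.Template.BasePath "/trivy/trivy-tls.yaml") . | sha256sum }}
{{- end }}
{{- if .Values.trivy.podAnnotations }}
{{ toYaml .Values.trivy.podAnnotations | indent 8 }}
{{- end }}
    spec:
{{- with .Values.imagePullSecrets }}
      imagePullSecrets:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- if .Values.trivy.serviceAccountName }}
      serviceAccountName: {{ .Values.trivy.serviceAccountName }}
{{- end }}
      {{- /* Pod-level identity: every container runs as uid 10000 and volumes are group-owned by gid 10000. */}}
      securityContext:
        runAsUser: 10000
        fsGroup: 10000
      {{- /* Service-account token mounting is opt-in; it stays off unless the value is set to true. */}}
      automountServiceAccountToken: {{ .Values.trivy.automountServiceAccountToken | default false }}
      {{- with .Values.trivy.topologySpreadConstraints }}
      topologySpreadConstraints:
        {{- range . }}
      - {{ . | toYaml | indent 8 | trim }}
        labelSelector:
          matchLabels:
{{ include "harbor.matchLabels" $ | indent 12 }}
            component: trivy
        {{- end }}
      {{- end }}
      containers:
        - name: trivy
          image: {{ .Values.trivy.image.repository }}:{{ .Values.trivy.image.tag }}
          imagePullPolicy: {{ .Values.imagePullPolicy }}
          securityContext:
            privileged: false
            allowPrivilegeEscalation: false
            {{- /* The pod already runs as uid 10000; the fields below make that explicit and
                   complete the Pod Security Standards "restricted" profile for this container:
                   no Linux capabilities and the runtime's default seccomp profile. */}}
            runAsNonRoot: true
            seccompProfile:
              type: RuntimeDefault
            capabilities:
              drop:
                - ALL
          env:
            {{- /* Proxy variables are emitted only when "trivy" is listed in proxy.components. */}}
            {{- if has "trivy" .Values.proxy.components }}
            - name: HTTP_PROXY
              value: "{{ .Values.proxy.httpProxy }}"
            - name: HTTPS_PROXY
              value: "{{ .Values.proxy.httpsProxy }}"
            - name: NO_PROXY
              value: "{{ template "harbor.noProxy" . }}"
            {{- end }}
            - name: "SCANNER_LOG_LEVEL"
              value: {{ .Values.logLevel | quote }}
            - name: "SCANNER_TRIVY_CACHE_DIR"
              value: "/home/scanner/.cache/trivy"
            - name: "SCANNER_TRIVY_REPORTS_DIR"
              value: "/home/scanner/.cache/reports"
            - name: "SCANNER_TRIVY_DEBUG_MODE"
              value: {{ .Values.trivy.debugMode | quote }}
            - name: "SCANNER_TRIVY_VULN_TYPE"
              value: {{ .Values.trivy.vulnType | quote }}
            - name: "SCANNER_TRIVY_TIMEOUT"
              value: {{ .Values.trivy.timeout | quote }}
            {{- /* The GitHub token and the Redis URLs are read from the trivy Secret, never inlined. */}}
            - name: "SCANNER_TRIVY_GITHUB_TOKEN"
              valueFrom:
                secretKeyRef:
                  name: {{ template "harbor.trivy" . }}
                  key: gitHubToken
            - name: "SCANNER_TRIVY_SEVERITY"
              value: {{ .Values.trivy.severity | quote }}
            - name: "SCANNER_TRIVY_IGNORE_UNFIXED"
              value: {{ .Values.trivy.ignoreUnfixed | default false | quote }}
            - name: "SCANNER_TRIVY_SKIP_UPDATE"
              value: {{ .Values.trivy.skipUpdate | default false | quote }}
            - name: "SCANNER_TRIVY_OFFLINE_SCAN"
              value: {{ .Values.trivy.offlineScan | default false | quote }}
            - name: "SCANNER_TRIVY_SECURITY_CHECKS"
              value: {{ .Values.trivy.securityCheck | quote }}
            - name: "SCANNER_TRIVY_INSECURE"
              value: {{ .Values.trivy.insecure | default false | quote }}
            - name: SCANNER_API_SERVER_ADDR
              value: ":{{ template "harbor.trivy.containerPort" . }}"
            {{- /* Key and certificate paths match the trivy-internal-certs volumeMount below. */}}
            {{- if .Values.internalTLS.enabled }}
            - name: INTERNAL_TLS_ENABLED
              value: "true"
            - name: SCANNER_API_SERVER_TLS_KEY
              value: /etc/harbor/ssl/trivy/tls.key
            - name: SCANNER_API_SERVER_TLS_CERTIFICATE
              value: /etc/harbor/ssl/trivy/tls.crt
            {{- end }}
            - name: "SCANNER_REDIS_URL"
              valueFrom:
                secretKeyRef:
                  name: {{ template "harbor.trivy" . }}
                  key: redisURL
            - name: "SCANNER_STORE_REDIS_URL"
              valueFrom:
                secretKeyRef:
                  name: {{ template "harbor.trivy" . }}
                  key: redisURL
            - name: "SCANNER_JOB_QUEUE_REDIS_URL"
              valueFrom:
                secretKeyRef:
                  name: {{ template "harbor.trivy" . }}
                  key: redisURL
            {{- with .Values.trivy.extraEnvVars }}
            {{- toYaml . | nindent 12 }}
            {{- end }}
          ports:
            - name: api-server
              containerPort: {{ template "harbor.trivy.containerPort" . }}
          volumeMounts:
          - name: data
            mountPath: /home/scanner/.cache
            subPath: {{ .Values.persistence.persistentVolumeClaim.trivy.subPath }}
            readOnly: false
          {{- if .Values.internalTLS.enabled }}
          - name: trivy-internal-certs
            mountPath: /etc/harbor/ssl/trivy
          {{- end }}
          {{- if .Values.caBundleSecretName }}
{{ include "harbor.caBundleVolumeMount" . | indent 10 }}
          {{- end }}
          livenessProbe:
            httpGet:
              scheme: {{ include "harbor.component.scheme" . | upper }}
              path: /probe/healthy
              port: api-server
            initialDelaySeconds: 5
            periodSeconds: 10
            successThreshold: 1
            failureThreshold: 10
          readinessProbe:
            httpGet:
              scheme: {{ include "harbor.component.scheme" . | upper }}
              path: /probe/ready
              port: api-server
            initialDelaySeconds: 5
            periodSeconds: 10
            successThreshold: 1
            failureThreshold: 3
          resources:
{{ toYaml .Values.trivy.resources | indent 12 }}
      {{- /* The volumes key is written only when at least one of the entries below will be rendered. */}}
      {{- if or (or .Values.internalTLS.enabled .Values.caBundleSecretName) (or (not .Values.persistence.enabled) $trivy.existingClaim) }}
      volumes:
      {{- if .Values.internalTLS.enabled }}
      - name: trivy-internal-certs
        secret:
          secretName: {{ template "harbor.internalTLS.trivy.secretName" . }}
      {{- end }}
      {{- if .Values.caBundleSecretName }}
{{ include "harbor.caBundleVolume" . | indent 6 }}
      {{- end }}
      {{- if not .Values.persistence.enabled }}
      - name: "data"
        emptyDir: {}
      {{- else if $trivy.existingClaim }}
      - name: "data"
        persistentVolumeClaim:
          claimName: {{ $trivy.existingClaim }}
      {{- end }}
      {{- end }}
    {{- with .Values.trivy.nodeSelector }}
      nodeSelector:
{{ toYaml . | indent 8 }}
    {{- end }}
    {{- with .Values.trivy.affinity }}
      affinity:
{{ toYaml . | indent 8 }}
    {{- end }}
    {{- with .Values.trivy.tolerations }}
      tolerations:
{{ toYaml . | indent 8 }}
    {{- end }}
    {{- if .Values.trivy.priorityClassName }}
      priorityClassName: {{ .Values.trivy.priorityClassName }}
    {{- end }}
{{- /* A claim template is generated only when persistence is on and no existing claim was named. */}}
{{- if and .Values.persistence.enabled (not $trivy.existingClaim) }}
  volumeClaimTemplates:
  - metadata:
      name: data
      labels:
{{ include "harbor.labels" . | indent 8 }}
      annotations:
      {{- range $key, $value := $trivy.annotations }}
        {{ $key }}: {{ $value | quote }}
      {{- end }}
    spec:
      accessModes: [{{ $trivy.accessMode | quote }}]
      {{- /* A storageClass of "-" selects the empty class name; anything else is passed through. */}}
      {{- if $trivy.storageClass }}
      {{- if (eq "-" $trivy.storageClass) }}
      storageClassName: ""
      {{- else }}
      storageClassName: "{{ $trivy.storageClass }}"
      {{- end }}
      {{- end }}
      resources:
        requests:
          storage: {{ $trivy.size | quote }}
{{- end }}
{{- end }}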