Update Trivy Plugin and fix UI Source Type mapping

Signed-off-by: Frank Jogeleit <[email protected]>
kyverno · Jan 20, 2025 · 018a054 · 018a054
1 parent 54da9ba
commit 018a054
Show file tree

Hide file tree

Showing 4 changed files with 77 additions and 5 deletions.
diff --git a/charts/policy-reporter/configs/trivy-plugin.tmpl b/charts/policy-reporter/configs/trivy-plugin.tmpl
@@ -18,3 +18,6 @@ core:
   basicAuth:
     username: {{ .Values.basicAuth.username }}
     password: {{ .Values.basicAuth.password }}
+
+trivy:
+  dbDir: /db
diff --git a/charts/policy-reporter/configs/ui.tmpl b/charts/policy-reporter/configs/ui.tmpl
@@ -45,16 +45,32 @@ customBoards:
     {{- end -}}
 {{- end }}
 
+{{- $trivy := false -}}
+{{- range .Values.ui.sources }}
+    {{- if eq .name "Trivy Vulnerability" -}}
+      {{- $trivy = true -}}
+    {{- end -}}
+{{- end }}
+
 sources:
 {{- if not $kyverno }}
   - name: kyverno
-    chartType: result
+    type: result
     exceptions: false
     excludes:
       results:
       - warn
       - error
 {{- end }}
+{{- if and (not $trivy) .Values.plugin.trivy.enabled }}
+  - name: Trivy Vulnerability
+    type: severity
+    exceptions: false
+    excludes:
+      results:
+      - pass
+      - skip
+{{- end }}
 {{- with .Values.ui.sources }}
   {{- toYaml . | nindent 2 }}
 {{- end }}

diff --git a/charts/policy-reporter/templates/plugins/trivy/deployment.yaml b/charts/policy-reporter/templates/plugins/trivy/deployment.yaml
@@ -39,6 +39,23 @@ spec:
       securityContext:
         {{- toYaml .Values.plugin.trivy.podSecurityContext | nindent 8 }}
       {{- end }}
+      initContainers:
+        - name: trivy-db
+          image: "{{ .Values.plugin.trivy.cli.image.registry }}/{{ .Values.plugin.trivy.cli.image.repository }}:{{ .Values.plugin.trivy.cli.image.tag }}"
+          args:
+          - --cache-dir
+          - /
+          - image
+          - --download-db-only
+          securityContext:
+          {{- if .Values.plugin.trivy.securityContext }}
+            {{- toYaml .Values.plugin.trivy.securityContext | nindent 12 }}
+          {{- end }}
+          volumeMounts:
+          - name: db
+            mountPath: /db
+          - name: tmp
+            mountPath: /tmp
       containers:
         - name: policy-reporter-trivy-plugin
           {{- if .Values.plugin.trivy.securityContext }}
@@ -70,6 +87,8 @@ spec:
             mountPath: /app/config.yaml
             subPath: config.yaml
             readOnly: true
+          - name: db
+            mountPath: /db
           {{- with .Values.plugin.trivy.extraVolumes.volumeMounts }}
           {{ toYaml . | nindent 10 | trim }}
           {{- end }}
@@ -86,6 +105,18 @@ spec:
         secret:
           secretName: {{ include "trivy-plugin.fullname" . }}-config
           optional: true
+      - name: db
+        {{- with .Values.plugin.trivy.dbVolume }}
+          {{- toYaml . | nindent 8 }}
+        {{- else }}
+        emptyDir: {}
+        {{- end }}
+      - name: tmp
+        {{- with .Values.plugin.trivy.tmpVolume }}
+          {{- toYaml . | nindent 8 }}
+        {{- else }}
+        emptyDir: {}
+        {{- end }}
       {{- with .Values.plugin.trivy.extraVolumes.volumes }}
       {{ toYaml . | nindent 6 | trim }}
       {{- end }}

diff --git a/charts/policy-reporter/values.yaml b/charts/policy-reporter/values.yaml
@@ -946,7 +946,7 @@ ui:
   # -- kyverno specific UI confiurations
   # - name: kyverno
   # -- show results per category, other option: severity
-  #  chartType: result
+  #  type: result
   # -- enabled action button to generate PolicyExceptions from the UI
   #  exceptions: false
   # -- exclude results or (cluster)kinds per source
@@ -1155,7 +1155,7 @@ plugin:
       # -- (string) Image PullPolicy
       pullPolicy: IfNotPresent
       # -- (string) Image tag
-      tag: "0.4.0"
+      tag: "0.4.1"
 
     # -- Deployment replica count
     replicaCount: 1
@@ -1349,7 +1349,7 @@ plugin:
       volumes: []
 
   trivy:
-      # -- (bool) Enable Trivy Operator Plugin
+    # -- (bool) Enable Trivy Operator Plugin
     enabled: false
     image:
       # -- (string) Image registry
@@ -1360,7 +1360,29 @@ plugin:
       pullPolicy: IfNotPresent
         # -- (string) Image tag
         # Defaults to `Chart.AppVersion` if omitted
-      tag: "0.2.0"
+      tag: "0.3.1"
+
+    cli:
+      image:
+        # -- (string) Image registry
+        registry: ghcr.io
+          # -- (string) Image repository
+        repository: aquasecurity/trivy
+          # -- (string) Image PullPolicy
+        pullPolicy: IfNotPresent
+          # -- (string) Image tag
+          # Defaults to `Chart.AppVersion` if omitted
+        tag: "0.58.2"
+
+    # -- If set the volume for dbVolume is freely configurable below "- name: dbVolume". If no value is set an emptyDir is used.
+    dbVolume: {}
+    # emptyDir:
+    #   sizeLimit: 10Mi
+
+    # -- If set the volume for tmpVolume is freely configurable below "- name: tmpVolume". If no value is set an emptyDir is used.
+    tmpVolume: {}
+    # emptyDir:
+    #   sizeLimit: 10Mi
 
     # -- Deployment replica count
     replicaCount: 1