From 6110cd9e1601b7d1513125f2ede798d8febf2a9e Mon Sep 17 00:00:00 2001
From: undistrobot
Date: Mon, 19 Feb 2024 17:17:23 +0000
Subject: [PATCH] update zora chart

---
 charts/zora/Chart.yaml | 4 ++--
 charts/zora/README.md | 10 +++++++--
 charts/zora/templates/_helpers.tpl | 19 +++++++++++++++-
 .../templates/clusterscan/clusterscan.yaml | 5 +++--
 charts/zora/templates/plugins/marvin.yaml | 8 +++++++
 charts/zora/templates/plugins/popeye.yaml | 13 +++++++++--
 charts/zora/templates/plugins/trivy.yaml | 7 ++++++
 charts/zora/values.yaml | 22 +++++++++++++++++++
 8 files changed, 79 insertions(+), 9 deletions(-)

diff --git a/charts/zora/Chart.yaml b/charts/zora/Chart.yaml
index 26f7eb8..6645cbd 100644
--- a/charts/zora/Chart.yaml
+++ b/charts/zora/Chart.yaml
@@ -17,7 +17,7 @@ name: zora
 description: A multi-plugin solution that reports misconfigurations and vulnerabilities by scanning your cluster at scheduled times.
 icon: https://zora-docs.undistro.io/v0.7/assets/logo.svg
 type: application
-version: 0.8.1
-appVersion: "v0.8.1"
+version: 0.8.2-rc1
+appVersion: "v0.8.2-rc1"
 sources:
 - https://github.com/undistro/zora
diff --git a/charts/zora/README.md b/charts/zora/README.md
index b1d0b72..0231a7f 100644
--- a/charts/zora/README.md
+++ b/charts/zora/README.md
@@ -1,6 +1,6 @@
 # Zora Helm Chart
-![Version: 0.8.1](https://img.shields.io/badge/Version-0.8.1-informational?style=flat-square&color=3CA9DD) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square&color=3CA9DD) ![AppVersion: v0.8.1](https://img.shields.io/badge/AppVersion-v0.8.1-informational?style=flat-square&color=3CA9DD)
+![Version: 0.8.2-rc1](https://img.shields.io/badge/Version-0.8.2--rc1-informational?style=flat-square&color=3CA9DD) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square&color=3CA9DD) ![AppVersion: v0.8.2-rc1](https://img.shields.io/badge/AppVersion-v0.8.2--rc1-informational?style=flat-square&color=3CA9DD)
 A multi-plugin solution that reports misconfigurations and vulnerabilities by scanning your cluster at scheduled times.
@@ -13,7 +13,7 @@ helm repo add undistro https://charts.undistro.io --force-update
 helm repo update undistro
 helm upgrade --install zora undistro/zora \
 -n zora-system \
- --version 0.8.1 \
+ --version 0.8.2-rc1 \
 --create-namespace \
 --wait \
 --set clusterName="$(kubectl config current-context)"
@@ -108,17 +108,23 @@ The following table lists the configurable parameters of the Zora chart and thei
 | scan.plugins.marvin.podAnnotations | object | `{}` | Annotations added to the marvin pods |
 | scan.plugins.marvin.image.repository | string | `"ghcr.io/undistro/marvin"` | marvin plugin image repository |
 | scan.plugins.marvin.image.tag | string | `"v0.2.1"` | marvin plugin image tag |
+| scan.plugins.marvin.env | list | `[]` | List of environment variables to set in marvin container. |
+| scan.plugins.marvin.envFrom | list | `[]` | List of sources to populate environment variables in marvin container. |
 | scan.plugins.trivy.ignoreUnfixed | bool | `false` | Specifies whether only fixed vulnerabilities should be reported |
 | scan.plugins.trivy.ignoreDescriptions | bool | `false` | Specifies whether vulnerability descriptions should be ignored |
 | scan.plugins.trivy.resources | object | `{}` | [Resources](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers) to add to `trivy` container |
 | scan.plugins.trivy.podAnnotations | object | `{}` | Annotations added to the trivy pods |
 | scan.plugins.trivy.image.repository | string | `"ghcr.io/aquasecurity/trivy"` | trivy plugin image repository |
 | scan.plugins.trivy.image.tag | string | `"0.48.2"` | trivy plugin image tag |
+| scan.plugins.trivy.env | list | `[]` | List of environment variables to set in trivy container. |
+| scan.plugins.trivy.envFrom | list | `[]` | List of sources to populate environment variables in trivy container. |
 | scan.plugins.popeye.skipInternalResources | bool | `false` | Specifies whether the following resources should be skipped by `popeye` scans. 1. resources from `kube-system`, `kube-public` and `kube-node-lease` namespaces; 2. kubernetes system reserved RBAC (prefixed with `system:`); 3. `kube-root-ca.crt` configmaps; 4. `default` namespace; 5. `default` serviceaccounts; 6. Helm secrets (prefixed with `sh.helm.release`); 7. Zora components.
See `popeye` configuration file that is used for this case: https://github.com/undistro/zora/blob/main/charts/zora/templates/plugins/popeye-config.yaml |
 | scan.plugins.popeye.resources | object | `{"limits":{"cpu":"500m","memory":"500Mi"},"requests":{"cpu":"250m","memory":"256Mi"}}` | [Resources](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers) to add to `popeye` container |
 | scan.plugins.popeye.podAnnotations | object | `{}` | Annotations added to the popeye pods |
 | scan.plugins.popeye.image.repository | string | `"ghcr.io/undistro/popeye"` | popeye plugin image repository |
 | scan.plugins.popeye.image.tag | string | `"v0.11.3"` | popeye plugin image tag |
+| scan.plugins.popeye.env | list | `[]` | List of environment variables to set in popeye container. |
+| scan.plugins.popeye.envFrom | list | `[]` | List of sources to populate environment variables in popeye container. |
 | kubexnsImage.repository | string | `"ghcr.io/undistro/kubexns"` | kubexns image repository |
 | kubexnsImage.tag | string | `"v0.1.2"` | kubexns image tag |
 | customChecksConfigMap | string | `"zora-custom-checks"` | Custom checks ConfigMap name |
diff --git a/charts/zora/templates/_helpers.tpl b/charts/zora/templates/_helpers.tpl
index 1900e6f..4eac105 100644
--- a/charts/zora/templates/_helpers.tpl
+++ b/charts/zora/templates/_helpers.tpl
@@ -84,7 +84,7 @@ Create the name of the service account to use in Operator
 {{- end }}
 {{- define "zora.clusterName" }}
-{{- regexReplaceAll "\\W+" (required "`clusterName` is required." .Values.clusterName) "-" }}
+{{- include "truncate.name" (dict "name" (regexReplaceAll "\\W+" (required "`clusterName` is required." .Values.clusterName) "-") "len" 63 ) }}
 {{- end }}
 {{- define "zora.hourlySchedule" }}
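Review bot: The new `zora.clusterName` line caps the sanitized name at a bare literal `63`, which is repeated in clusterscan.yaml, and nothing says why that bound applies to a CRD object whose name would ordinarily be allowed the 253-character subdomain form. Presumably the value is reused somewhere that is bound by the DNS-1123 label limit (a label value or a child pod/job name); that should be confirmed and recorded, e.g. a `{{/* 63 = DNS-1123 label limit; the cluster name is reused in label values / child resource names — keep in sync with clusterscan.yaml */}}` above the define, adjusted to the real consumer. The truncated name is also what clusterscan.yaml puts in `clusterRef.name`, so whichever template renders the Cluster object itself (not in this diff) must go through the same helper, otherwise long names would produce a dangling reference with no render-time error.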
@@ -113,3 +113,20 @@ Create the name of the service account to use in Operator
 {{- define "zora.vulnSchedule" }}
 {{- default (include "zora.dailySchedule" .) .Values.scan.vulnerability.schedule }}
 {{- end }}
+
+{{/*
+Truncate a name to a specific length
+@param .name the name of the component
+@param .len the maximum length to return
+*/}}
+{{- define "truncate.name" }}
+{{- if gt (len .name) .len }}
+{{- $maxLen := int (sub .len 3) }}
+{{- $suffixLen := int (div $maxLen 2) }}
+{{- $prefixLen := int (sub $maxLen $suffixLen) }}
+{{- $suffixStart := int (sub (len .name) $suffixLen) }}
+{{- printf "%s---%s" (substr 0 $prefixLen .name) (substr $suffixStart (len .name) .name) }}
+{{- else }}
+{{- .name }}
+{{- end }}
+{{- end }}
diff --git a/charts/zora/templates/clusterscan/clusterscan.yaml b/charts/zora/templates/clusterscan/clusterscan.yaml
index ec45a4c..c7764c9 100644
--- a/charts/zora/templates/clusterscan/clusterscan.yaml
+++ b/charts/zora/templates/clusterscan/clusterscan.yaml
@@ -30,7 +30,8 @@ metadata:
 labels:
 zora.undistro.io/default: "true"
 {{- include "zora.labels" . | nindent 4 }}
- name: {{ include "zora.clusterName" . }}-misconfig
+ name: {{ include "truncate.name" (dict "name" (printf "%s-misconfig" (include "zora.clusterName" .)) "len" 63 ) }}
+
 spec:
 clusterRef:
 name: {{ include "zora.clusterName" . }}
@@ -51,7 +52,7 @@ metadata:
 labels:
 zora.undistro.io/default: "true"
 {{- include "zora.labels" . | nindent 4 }}
- name: {{ include "zora.clusterName" . }}-vuln
+ name: {{ include "truncate.name" (dict "name" (printf "%s-vuln" (include "zora.clusterName" .)) "len" 63 ) }}
 spec:
 clusterRef:
 name: {{ include "zora.clusterName" . }}
diff --git a/charts/zora/templates/plugins/marvin.yaml b/charts/zora/templates/plugins/marvin.yaml
index 6993cbb..0394b13 100644
--- a/charts/zora/templates/plugins/marvin.yaml
+++ b/charts/zora/templates/plugins/marvin.yaml
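Review bot: `truncate.name` makes the result fit `.len` but not unique: with `len` 63 it keeps the first 30 and last 30 characters, so two cluster names that agree on those and differ only in the middle collapse to the same string, and the Cluster/ClusterScan objects of one cluster would silently collide with the other's. The usual Helm answer is to embed a deterministic digest of the full name instead of a bare separator, e.g. replace the printf line with `{{- printf "%s-%s" (substr 0 (int (sub .len 9)) .name) (sha256sum .name | trunc 8) }}` (8 hex chars plus the dash fit inside the same budget). Separately, `sub .len 3` goes negative for any `.len` below 3; callers pass 63 today, so either a guard or a line in the header comment stating the minimum supported length would do.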
@@ -30,6 +30,14 @@ spec:
 runAsNonRoot: true
 readOnlyRootFilesystem: true
 allowPrivilegeEscalation: false
+ {{- with .Values.scan.plugins.marvin.envFrom }}
+ envFrom:
+ {{- toYaml . | nindent 4}}
+ {{- end }}
+ {{- with .Values.scan.plugins.marvin.env }}
+ env:
+ {{- toYaml . | nindent 4}}
+ {{- end }}
 {{- if .Values.scan.plugins.marvin.podAnnotations }}
 annotations:
 {{- toYaml .Values.scan.plugins.marvin.podAnnotations | nindent 4 }}
diff --git a/charts/zora/templates/plugins/popeye.yaml b/charts/zora/templates/plugins/popeye.yaml
index dc01e61..4d9e35b 100644
--- a/charts/zora/templates/plugins/popeye.yaml
+++ b/charts/zora/templates/plugins/popeye.yaml
@@ -25,12 +25,21 @@ spec:
 resources:
 {{- toYaml .Values.scan.plugins.popeye.resources | nindent 4 }}
 {{- end }}
-{{- if .Values.scan.plugins.popeye.skipInternalResources }}
+ {{- if or .Values.scan.plugins.popeye.skipInternalResources .Values.scan.plugins.popeye.envFrom }}
 envFrom:
+ {{- end }}
+ {{- if or .Values.scan.plugins.popeye.skipInternalResources }}
 - configMapRef:
 name: popeye-config
 optional: true
-{{- end }}
+ {{- end }}
+ {{- with .Values.scan.plugins.popeye.envFrom }}
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+ {{- with .Values.scan.plugins.popeye.env }}
+ env:
+ {{- toYaml . | nindent 4}}
+ {{- end }}
 securityContext:
 runAsNonRoot: true
 allowPrivilegeEscalation: false
diff --git a/charts/zora/templates/plugins/trivy.yaml b/charts/zora/templates/plugins/trivy.yaml
index c11d84f..8b78474 100644
--- a/charts/zora/templates/plugins/trivy.yaml
+++ b/charts/zora/templates/plugins/trivy.yaml
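Review bot: The two new `toYaml` lines in the marvin block are written `nindent 4}}` while the existing `podAnnotations` line two lines below uses `nindent 4 }}`; the popeye and trivy hunks in this same commit mix both forms too. A consistent `{{- toYaml . | nindent 4 }}` keeps the templates greppable and matches the rest of the file.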
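Review bot: In the popeye hunk the user-supplied `.Values.scan.plugins.popeye.envFrom` sources are rendered after the `popeye-config` ConfigMap, and, assuming the Plugin's `envFrom`/`env` are passed through to the scan container, container semantics make a key present in several envFrom sources take the value of the last source and let explicit `env` entries win over all of them — so a user source or `env` entry can silently override the settings that implement `skipInternalResources`. That precedence is probably intended but should be stated where users set the values, e.g. `# -- ... Keys defined here override the ones from the popeye-config ConfigMap.` in values.yaml. The second condition, `{{- if or .Values.scan.plugins.popeye.skipInternalResources }}`, applies `or` to a single operand and reads like a leftover from an edit; `{{- if .Values.scan.plugins.popeye.skipInternalResources }}` says the same thing.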
@@ -28,9 +28,16 @@ spec:
 mountCustomChecksVolume: false
 securityContext:
 allowPrivilegeEscalation: false
+ {{- with .Values.scan.plugins.trivy.envFrom }}
+ envFrom:
+ {{- toYaml . | nindent 4}}
+ {{- end }}
 env:
 - name: TRIVY_IGNORE_VULN_DESCRIPTIONS
 value: {{ .Values.scan.plugins.trivy.ignoreDescriptions | quote }}
+ {{- with .Values.scan.plugins.trivy.env }}
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
 {{- if .Values.httpsProxy }}
 - name: HTTPS_PROXY
 value: {{ .Values.httpsProxy | quote }}
diff --git a/charts/zora/values.yaml b/charts/zora/values.yaml
index f10d21b..c2f40b9 100644
--- a/charts/zora/values.yaml
+++ b/charts/zora/values.yaml
@@ -193,6 +193,10 @@ scan:
 repository: ghcr.io/undistro/marvin
 # -- marvin plugin image tag
 tag: v0.2.1
+ # -- List of environment variables to set in marvin container.
+ env: []
+ # -- List of sources to populate environment variables in marvin container.
+ envFrom: []
 trivy:
 # -- Specifies whether only fixed vulnerabilities should be reported
@@ -208,6 +212,20 @@ scan:
 repository: ghcr.io/aquasecurity/trivy
 # -- trivy plugin image tag
 tag: 0.48.2
+ # -- List of environment variables to set in trivy container.
+ env: []
+ # - name: AWS_REGION
+ # value: us-east-1
+ # - name: TRIVY_PASSWORD
+ # valueFrom:
+ # secretKeyRef:
+ # key: TRIVY_PASSWORD
+ # name: trivy-password
+
+ # -- List of sources to populate environment variables in trivy container.
+ envFrom: []
+ # - secretRef:
+ # name: trivy-credentials
 popeye:
 # -- Specifies whether the following resources should be skipped by `popeye` scans.
 # 1. resources from `kube-system`, `kube-public` and `kube-node-lease` namespaces;
@@ -234,6 +252,10 @@ scan:
 repository: ghcr.io/undistro/popeye
 # -- popeye plugin image tag
 tag: v0.11.3
+ # -- List of environment variables to set in popeye container.
+ env: []
+ # -- List of sources to populate environment variables in popeye container.
+ envFrom: []
 kubexnsImage:
 # -- kubexns image repository
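Review bot: The user `env` list for trivy is spliced between the chart-managed `TRIVY_IGNORE_VULN_DESCRIPTIONS` entry and the `HTTPS_PROXY` entry, so a user variable with the same name overrides the first but — if duplicate names resolve last-wins as they do for a container's `env` list, which the API server does not reject — is itself overridden by the second; which chart value wins depends on which one the user happens to collide with. Moving the `{{- with .Values.scan.plugins.trivy.env }}` … `{{- end }}` block to the end of the `env:` list (past the httpsProxy `{{- end }}`, which lies outside this hunk) makes user entries consistently win, or placing it before the chart entries makes chart values consistently win; either choice should then be stated in the values.yaml comment for `scan.plugins.trivy.env`. The `env:` list continues beyond the end of the hunk.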
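Review bot: The commented example under `scan.plugins.trivy.env` correctly shows `TRIVY_PASSWORD` sourced through `valueFrom.secretKeyRef`, but the `AWS_REGION` example with a literal `value:` is the shape users will copy, and a literal `value:` holding a credential ends up in the rendered Plugin object and, with Helm's default Secret storage driver, in the release record as well. A one-line comment next to the examples would make the intent explicit: `# Put credentials in a Secret and reference them via valueFrom.secretKeyRef or envFrom.secretRef; literal values are stored in the rendered manifest and Helm release.` The same note applies to the new marvin and popeye `env`/`envFrom` keys, which currently carry only the generic helm-docs description.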