update zora chart

charts/zora/Chart.yaml

@@ -17,7 +17,7 @@ name: zora
 description: A multi-plugin solution that reports misconfigurations and vulnerabilities by scanning your cluster at scheduled times.
 icon: https://zora-docs.undistro.io/v0.7/assets/logo.svg
 type: application
-version: 0.8.4-rc1
-appVersion: "v0.8.4-rc1"
+version: 0.8.4-rc2
+appVersion: "v0.8.4-rc2"
 sources:
   - https://github.com/undistro/zora

charts/zora/README.md

@@ -114,8 +114,8 @@ The following table lists the configurable parameters of the Zora chart and thei
 | scan.plugins.trivy.ignoreDescriptions | bool | `false` | Specifies whether vulnerability descriptions should be ignored |
 | scan.plugins.trivy.resources | object | `{}` | [Resources](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers) to add to `trivy` container |
 | scan.plugins.trivy.podAnnotations | object | `{}` | Annotations added to the trivy pods |
-| scan.plugins.trivy.image.repository | string | `"ghcr.io/aquasecurity/trivy"` | trivy plugin image repository |
-| scan.plugins.trivy.image.tag | string | `"0.49.1"` | trivy plugin image tag |
+| scan.plugins.trivy.image.repository | string | `"ghcr.io/undistro/trivy"` | trivy plugin image repository |
+| scan.plugins.trivy.image.tag | string | `"0.49.1-3"` | trivy plugin image tag |
 | scan.plugins.trivy.env | list | `[]` | List of environment variables to set in trivy container. |
 | scan.plugins.trivy.envFrom | list | `[]` | List of sources to populate environment variables in trivy container. |
 | scan.plugins.trivy.timeout | string | `"10m"` | Trivy timeout |
@@ -124,7 +124,7 @@ The following table lists the configurable parameters of the Zora chart and thei
 | scan.plugins.popeye.resources | object | `{"limits":{"cpu":"500m","memory":"500Mi"},"requests":{"cpu":"250m","memory":"256Mi"}}` | [Resources](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers) to add to `popeye` container |
 | scan.plugins.popeye.podAnnotations | object | `{}` | Annotations added to the popeye pods |
 | scan.plugins.popeye.image.repository | string | `"ghcr.io/undistro/popeye"` | popeye plugin image repository |
-| scan.plugins.popeye.image.tag | string | `"v0.11.3"` | popeye plugin image tag |
+| scan.plugins.popeye.image.tag | string | `"0.21.1-4"` | popeye plugin image tag |
 | scan.plugins.popeye.env | list | `[]` | List of environment variables to set in popeye container. |
 | scan.plugins.popeye.envFrom | list | `[]` | List of sources to populate environment variables in popeye container. |
 | kubexnsImage.repository | string | `"ghcr.io/undistro/kubexns"` | kubexns image repository |

charts/zora/templates/NOTES.txt

@@ -15,3 +15,16 @@ Visit our documentation for in-depth information: https://zora-docs.undistro.io
 {{ if .Values.saas.workspaceID -}}
 Visit Zora Dashboard to explore your clusters and issues: {{ .Values.saas.server }}
 {{- end }}
+
+{{- $warnMisconfig := and .Values.scan.misconfiguration.schedule (include "zora.IsMisconfigScheduleMoreOftenThanHourly" .) }}
+{{- if eq $warnMisconfig "true" }}
+WARNING: The misconfiguration scan appears to be scheduled to run more frequently than hourly, you should be aware this
+         may lead to higher resource utilization and network traffic.
+{{- end }}
+
+{{- $warVuln := and .Values.scan.vulnerability.schedule (include "zora.IsVulnScheduleMoreOftenThanDaily" .) }}
+{{- if eq $warVuln "true" }}
+WARNING: The vulnerability scan appears to be scheduled to run more frequently than daily, potentially leading to
+         significant increases in networking costs and resource utilization. This is particularly relevant for
+         vulnerability scans, which involve downloading a vulnerability database and pulling images.
+{{ end }}

charts/zora/templates/_helpers.tpl

@@ -130,3 +130,22 @@ Truncate a name to a specific length
 {{- .name }}
 {{- end }}
 {{- end }}
+
+{{/* Returns true if the explicitly set misconfiguration schedule is more frequently than hourly */}}
+{{- define "zora.IsMisconfigScheduleMoreOftenThanHourly" -}}
+{{- $cron_fields := split " " .Values.scan.misconfiguration.schedule -}}
+{{- $minute := $cron_fields._0 -}}
+{{/* minute must be in range [0-59] */}}
+{{- not (mustRegexMatch "^(?:\\d|[0-5]\\d)$" $minute) -}}
+{{- end -}}
+
+{{/* Returns true if the explicitly set vulnerability schedule is more frequently than daily */}}
+{{- define "zora.IsVulnScheduleMoreOftenThanDaily" -}}
+{{- $cron_fields := split " " .Values.scan.vulnerability.schedule -}}
+{{- $minute := $cron_fields._0 -}}
+{{- $hour := $cron_fields._1 -}}
+{{/* minute and hour must be in range [0-59] */}}
+{{- $isMinuteBad := not (mustRegexMatch "^(?:\\d|[0-5]\\d)$" $minute) -}}
+{{- $isHourBad := not (mustRegexMatch "^(?:\\d|[0-5]\\d)$" $hour) -}}
+{{- or $isMinuteBad $isHourBad -}}
+{{- end -}}

charts/zora/templates/clusterscan/clusterscan.yaml

@@ -30,12 +30,17 @@ metadata:
   labels:
     zora.undistro.io/default: "true"
     {{- include "zora.labels" . | nindent 4 }}
-  name: {{ include "truncate.name" (dict "name" (printf "%s-misconfig" (include "zora.clusterName" .)) "len" 63 ) }}
-
+  {{- $misconfigScanName := include "truncate.name" (dict "name" (printf "%s-misconfig" (include "zora.clusterName" .)) "len" 63 ) }}
+  name: {{ $misconfigScanName }}
 spec:
   clusterRef:
     name: {{ include "zora.clusterName" . }}
+  {{- $currentMisconfigScan := and (.Capabilities.APIVersions.Has "zora.undistro.io/v1alpha1") (lookup "zora.undistro.io/v1alpha1" "ClusterScan" .Release.Namespace $misconfigScanName) }}
+  {{- if and $currentMisconfigScan (not .Values.scan.misconfiguration.schedule) }}
+  schedule: {{ $currentMisconfigScan.spec.schedule | quote }}
+  {{- else }}
   schedule: {{ include "zora.misconfigSchedule" . | quote }}
+  {{- end }}
   successfulScansHistoryLimit: {{ .Values.scan.misconfiguration.successfulScansHistoryLimit }}
   {{- if .Values.scan.misconfiguration.plugins }}
   plugins:
@@ -52,11 +57,17 @@ metadata:
   labels:
     zora.undistro.io/default: "true"
     {{- include "zora.labels" . | nindent 4 }}
-  name: {{ include "truncate.name" (dict "name" (printf "%s-vuln" (include "zora.clusterName" .)) "len" 63 ) }}
+  {{- $vulnScanName := include "truncate.name" (dict "name" (printf "%s-vuln" (include "zora.clusterName" .)) "len" 63 ) }}
+  name: {{ $vulnScanName }}
 spec:
   clusterRef:
     name: {{ include "zora.clusterName" . }}
+  {{- $currentVulnScan := and (.Capabilities.APIVersions.Has "zora.undistro.io/v1alpha1") (lookup "zora.undistro.io/v1alpha1" "ClusterScan" .Release.Namespace $vulnScanName) }}
+  {{- if and $currentVulnScan (not .Values.scan.vulnerability.schedule) }}
+  schedule: {{ $currentVulnScan.spec.schedule | quote }}
+  {{- else }}
   schedule: {{ include "zora.vulnSchedule" . | quote }}
+  {{- end }}
   successfulScansHistoryLimit: {{ .Values.scan.vulnerability.successfulScansHistoryLimit }}
   {{- if .Values.scan.vulnerability.plugins }}
   plugins:

charts/zora/values.yaml

@@ -207,9 +207,9 @@ scan:
       podAnnotations: {}
       image:
         # -- trivy plugin image repository
-        repository: ghcr.io/aquasecurity/trivy
+        repository: ghcr.io/undistro/trivy
         # -- trivy plugin image tag
-        tag: 0.49.1
+        tag: 0.49.1-3
       # -- List of environment variables to set in trivy container.
       env: []
       #  - name: AWS_REGION
@@ -254,7 +254,7 @@ scan:
         # -- popeye plugin image repository
         repository: ghcr.io/undistro/popeye
         # -- popeye plugin image tag
-        tag: v0.11.3
+        tag: 0.21.1-4
       # -- List of environment variables to set in popeye container.
       env: []
       # -- List of sources to populate environment variables in popeye container.