From d23fa3a027e97a051dfd9cf1f4d2b5e7b86f7199 Mon Sep 17 00:00:00 2001
From: auricom <27022259+auricom@users.noreply.github.com>
Date: Thu, 29 Dec 2022 22:04:32 +0100
Subject: [PATCH] =?UTF-8?q?=E2=9C=A8=20trivy?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 kubernetes/apps/kustomization.yaml | 1 +
 .../apps/trivy-system/kustomization.yaml | 9 +++++
 kubernetes/apps/trivy-system/namespace.yaml | 7 ++++
 .../trivy-operator/app/helmrelease.yaml | 38 +++++++++++++++++++
 .../trivy-operator/app/kustomization.yaml | 7 ++++
 .../apps/trivy-system/trivy-operator/ks.yaml | 23 +++++++++++
 kubernetes/flux/repositories/helm/aqua.yaml | 10 +++++
 .../flux/repositories/helm/kustomization.yaml | 1 +
 8 files changed, 96 insertions(+)
 create mode 100644 kubernetes/apps/trivy-system/kustomization.yaml
 create mode 100644 kubernetes/apps/trivy-system/namespace.yaml
 create mode 100644 kubernetes/apps/trivy-system/trivy-operator/app/helmrelease.yaml
 create mode 100644 kubernetes/apps/trivy-system/trivy-operator/app/kustomization.yaml
 create mode 100644 kubernetes/apps/trivy-system/trivy-operator/ks.yaml
 create mode 100644 kubernetes/flux/repositories/helm/aqua.yaml
diff --git a/kubernetes/apps/kustomization.yaml b/kubernetes/apps/kustomization.yaml
index 8c2e35882..64de80994 100644
--- a/kubernetes/apps/kustomization.yaml
+++ b/kubernetes/apps/kustomization.yaml
@@ -11,4 +11,5 @@ resources:
 - ./monitoring
 - ./networking
 - ./rook-ceph
+ - ./trivy-system
 - ./volsync
diff --git a/kubernetes/apps/trivy-system/kustomization.yaml b/kubernetes/apps/trivy-system/kustomization.yaml
new file mode 100644
index 000000000..908f7ac08
--- /dev/null
+++ b/kubernetes/apps/trivy-system/kustomization.yaml
@@ -0,0 +1,9 @@
+---
+# yaml-language-server: $schema=https://json.schemastore.org/kustomization
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+ # Pre Flux-Kustomizations
+ - ./namespace.yaml
+ # Flux-Kustomizations
+ - ./trivy-operator/ks.yaml
diff --git a/kubernetes/apps/trivy-system/namespace.yaml b/kubernetes/apps/trivy-system/namespace.yaml
new file mode 100644
index 000000000..426abe254
--- /dev/null
+++ b/kubernetes/apps/trivy-system/namespace.yaml
@@ -0,0 +1,7 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: trivy-system
+ labels:
+ kustomize.toolkit.fluxcd.io/prune: disabled
diff --git a/kubernetes/apps/trivy-system/trivy-operator/app/helmrelease.yaml b/kubernetes/apps/trivy-system/trivy-operator/app/helmrelease.yaml
new file mode 100644
index 000000000..9d5d6a543
--- /dev/null
+++ b/kubernetes/apps/trivy-system/trivy-operator/app/helmrelease.yaml
@@ -0,0 +1,38 @@
+---
+# yaml-language-server: $schema=https://kubernetes-schemas.devbu.io/helmrelease_v2beta1.json
+apiVersion: helm.toolkit.fluxcd.io/v2beta1
+kind: HelmRelease
+metadata:
+ name: trivy-operator
+ namespace: trivy-system
+spec:
+ interval: 15m
+ chart:
+ spec:
+ chart: trivy-operator
+ version: 0.9.1
+ sourceRef:
+ kind: HelmRepository
+ name: aqua
+ namespace: flux-system
+ maxHistory: 3
+ install:
+ createNamespace: true
+ crds: CreateReplace
+ remediation:
+ retries: 3
+ upgrade:
+ crds: CreateReplace
+ remediation:
+ retries: 3
+ values:
+ excludeNamespaces: "{{ .Release.Namespace }}"
+ operator:
+ replicas: 3
+ scanJobsConcurrentLimit: 3
+ vulnerabilityScannerScanOnlyCurrentRevisions: true
+ configAuditScannerScanOnlyCurrentRevisions: true
+ trivy:
+ ignoreUnfixed: true
+ serviceMonitor:
+ enabled: true
diff --git a/kubernetes/apps/trivy-system/trivy-operator/app/kustomization.yaml b/kubernetes/apps/trivy-system/trivy-operator/app/kustomization.yaml
new file mode 100644
index 000000000..63d5cfc22
--- /dev/null
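Review bot: `trivy.ignoreUnfixed: true` in the values block of helmrelease.yaml suppresses every finding that has no vendor fix yet, so the VulnerabilityReports this operator produces will understate the cluster's real exposure; that is a legitimate triage choice but it should be stated next to the setting, e.g. `# ignoreUnfixed drops CVEs with no fix available — reports are a noise-reduced view, not a full exposure inventory`. `excludeNamespaces: "{{ .Release.Namespace }}"` is a Helm template expression inside Flux `values`, which Flux hands to the chart untouched, so the operator namespace is only excluded if chart 0.9.1 itself renders that value with `tpl` — worth confirming, otherwise the operator receives the literal string and scans its own namespace. Keeping the value quoted is correct either way, since a bare `{{` would be read by the YAML parser as a flow mapping.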
+++ b/kubernetes/apps/trivy-system/trivy-operator/app/kustomization.yaml
@@ -0,0 +1,7 @@
+---
+# yaml-language-server: $schema=https://json.schemastore.org/kustomization
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: trivy-system
+resources:
+ - ./helmrelease.yaml
diff --git a/kubernetes/apps/trivy-system/trivy-operator/ks.yaml b/kubernetes/apps/trivy-system/trivy-operator/ks.yaml
new file mode 100644
index 000000000..1fd9e269c
--- /dev/null
+++ b/kubernetes/apps/trivy-system/trivy-operator/ks.yaml
@@ -0,0 +1,23 @@
+---
+# yaml-language-server: $schema=https://kubernetes-schemas.devbu.io/kustomization_v1beta2.json
+apiVersion: kustomize.toolkit.fluxcd.io/v1beta2
+kind: Kustomization
+metadata:
+ name: cluster-apps-trivy-operator
+ namespace: flux-system
+ labels:
+ substitution.flux.home.arpa/enabled: "true"
+spec:
+ path: ./kubernetes/apps/trivy-system/trivy-operator/app
+ prune: true
+ sourceRef:
+ kind: GitRepository
+ name: home-ops-kubernetes
+ healthChecks:
+ - apiVersion: helm.toolkit.fluxcd.io/v2beta1
+ kind: HelmRelease
+ name: trivy-operator
+ namespace: trivy-system
+ interval: 30m
+ retryInterval: 1m
+ timeout: 3m
diff --git a/kubernetes/flux/repositories/helm/aqua.yaml b/kubernetes/flux/repositories/helm/aqua.yaml
new file mode 100644
index 000000000..ec96e18a9
--- /dev/null
+++ b/kubernetes/flux/repositories/helm/aqua.yaml
@@ -0,0 +1,10 @@
+---
+# yaml-language-server: $schema=https://kubernetes-schemas.devbu.io/helmrepository_v1beta2.json
+apiVersion: source.toolkit.fluxcd.io/v1beta2
+kind: HelmRepository
+metadata:
+ name: aqua
+ namespace: flux-system
+spec:
+ interval: 2h
+ url: https://aquasecurity.github.io/helm-charts/
diff --git a/kubernetes/flux/repositories/helm/kustomization.yaml b/kubernetes/flux/repositories/helm/kustomization.yaml
index d2922488c..9faf7ecdc 100644
--- a/kubernetes/flux/repositories/helm/kustomization.yaml
+++ b/kubernetes/flux/repositories/helm/kustomization.yaml
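Review bot: The Flux Kustomization in ks.yaml declares a `healthChecks` entry for the HelmRelease but no `spec.dependsOn`, while the HelmRelease it reconciles (same commit) enables `serviceMonitor.enabled: true`; if the ServiceMonitor CRD is owned by the `./monitoring` stack listed in kubernetes/apps/kustomization.yaml, the first reconcile can fail until that stack is up, and the health check then reports the operator as failed rather than merely pending. Making the ordering explicit is two lines under `spec`: `dependsOn:` / `  - name: <monitoring-flux-kustomization-name>` (placeholder — substitute the real Flux Kustomization name). Whether the monitoring stack actually installs that CRD is not visible on this page, so verify before adding the dependency.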
@@ -3,6 +3,7 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
+ - ./aqua.yaml
 - ./backube.yaml
 - ./bitnami.yaml
 - ./bjw-s.yaml