add trivy

clusters/cl01tl/applications/libation/values.yaml

@@ -6,7 +6,7 @@ libation:
         suspend: false
         concurrencyPolicy: Forbid
         timeZone: US/Central
-        schedule: "0 * * * *"
+        schedule: "30 4 * * *"
         startingDeadlineSeconds: 90
         successfulJobsHistory: 3
         failedJobsHistory: 3

clusters/cl01tl/applications/roundcube/values.yaml

@@ -75,7 +75,7 @@ roundcube:
         suspend: false
         concurrencyPolicy: Forbid
         timeZone: US/Central
-        schedule: 0 4 * * *
+        schedule: 30 4 * * *
         startingDeadlineSeconds: 90
         successfulJobsHistory: 3
         failedJobsHistory: 3

clusters/cl01tl/monitoring/trivy/trivy/Chart.yaml

@@ -0,0 +1,22 @@
+apiVersion: v2
+name: trivy
+version: 1.0.0
+description: Trivy
+keywords:
+  - trivy
+  - vulnerability
+  - monitoring
+  - kubernetes
+home: https://wiki.alexlebens.dev/s/5cffa529-4c2e-4126-99eb-cc4aeb5a49b3
+sources:
+  - https://github.com/aquasecurity/trivy
+  - https://github.com/aquasecurity/trivy-operator
+  - https://github.com/aquasecurity/trivy-operator/tree/main/deploy/helm
+maintainers:
+  - name: alexlebens
+dependencies:
+  - name: trivy-operator
+    version: 0.28.1
+    repository: https://aquasecurity.github.io/helm-charts/
+icon: https://raw.githubusercontent.com/aquasecurity/trivy/main/docs/imgs/logo.png
+appVersion: v0.26.1

clusters/cl01tl/monitoring/trivy/trivy/values.yaml

@@ -0,0 +1,113 @@
+trivy-operator:
+  targetWorkloads: "pod,replicaset,replicationcontroller,statefulset,daemonset,cronjob,job"
+  operator:
+    replicas: 1
+    vulnerabilityScannerEnabled: true
+    sbomGenerationEnabled: false
+    clusterSbomCacheEnabled: false
+    configAuditScannerEnabled: false
+    rbacAssessmentScannerEnabled: false
+    infraAssessmentScannerEnabled: false
+    clusterComplianceEnabled: false
+  serviceMonitor:
+    enabled: true
+  trivy:
+    createConfig: true
+    image:
+      registry: mirror.gcr.io
+      repository: aquasec/trivy
+      tag: 0.62.1
+    storageClassEnabled: true
+    storageClassName: ceph-block
+    storageSize: "5Gi"
+    registry:
+      mirror:
+        "registry-1.docker.io": proxy-registry-1.docker.io
+        "quay.io": proxy-quay.io
+        "registry.k8s.io": proxy-registry.k8s
+        "gcr.io": proxy-gcr.io
+        "ghcr.io": proxy-ghcr.io
+        "hub.docker": proxy-hub.docker
+    severity: UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL
+    slow: true
+    resources:
+      requests:
+        cpu: 100m
+        memory: 128M
+    supportedConfigAuditKinds: "Workload,Service,Role,ClusterRole,NetworkPolicy,Ingress,LimitRange,ResourceQuota"
+    server:
+      resources:
+        requests:
+          cpu: 200m
+          memory: 512Mi
+      replicas: 1
+  compliance:
+    reportType: summary
+    cron: 0 5 * * *
+    specs:
+      - k8s-cis-1.23
+      - k8s-nsa-1.0
+      - k8s-pss-baseline-0.1
+      - k8s-pss-restricted-0.1
+  volumeMounts:
+    - mountPath: /tmp
+      name: cache-policies
+      readOnly: false
+  volumes:
+    - name: cache-policies
+      emptyDir: {}
+  resources:
+    requests:
+      cpu: 100m
+      memory: 128Mi
+  nodeCollector:
+    volumeMounts:
+      - name: var-lib-etcd
+        mountPath: /var/lib/etcd
+        readOnly: true
+      - name: var-lib-kubelet
+        mountPath: /var/lib/kubelet
+        readOnly: true
+      - name: var-lib-kube-scheduler
+        mountPath: /var/lib/kube-scheduler
+        readOnly: true
+      - name: var-lib-kube-controller-manager
+        mountPath: /var/lib/kube-controller-manager
+        readOnly: true
+      - name: etc-systemd
+        mountPath: /etc/systemd
+        readOnly: true
+      - name: lib-systemd
+        mountPath: /lib/systemd/
+        readOnly: true
+      - name: etc-kubernetes
+        mountPath: /etc/kubernetes
+        readOnly: true
+      - name: etc-cni-netd
+        mountPath: /etc/cni/net.d/
+        readOnly: true
+    volumes:
+      - name: var-lib-etcd
+        hostPath:
+          path: /var/lib/etcd
+      - name: var-lib-kubelet
+        hostPath:
+          path: /var/lib/kubelet
+      - name: var-lib-kube-scheduler
+        hostPath:
+          path: /var/lib/kube-scheduler
+      - name: var-lib-kube-controller-manager
+        hostPath:
+          path: /var/lib/kube-controller-manager
+      - name: etc-systemd
+        hostPath:
+          path: /etc/systemd
+      - name: lib-systemd
+        hostPath:
+          path: /lib/systemd
+      - name: etc-kubernetes
+        hostPath:
+          path: /etc/kubernetes
+      - name: etc-cni-netd
+        hostPath:
+          path: /etc/cni/net.d/

clusters/cl01tl/platform/gitea/values.yaml

@@ -151,80 +151,6 @@ gitea:
     enabled: false
   mariadb:
     enabled: false
-# renovate:
-#   global:
-#     fullnameOverride: gitea-renovate
-#   controllers:
-#     renovate:
-#       type: cronjob
-#       cronjob:
-#         suspend: false
-#         concurrencyPolicy: Forbid
-#         timeZone: US/Central
-#         schedule: "0 4 * * *"
-#         startingDeadlineSeconds: 90
-#         successfulJobsHistory: 3
-#         failedJobsHistory: 3
-#         backoffLimit: 3
-#         parallelism: 1
-#       containers:
-#         main:
-#           image:
-#             repository: renovate/renovate
-#             tag: 40
-#             pullPolicy: IfNotPresent
-#           env:
-#             - name: RENOVATE_PLATFORM
-#               value: gitea
-#             - name: RENOVATE_AUTODISCOVER
-#               value: 'true'
-#             - name: RENOVATE_ONBOARDING
-#               value: 'true'
-#             - name: RENOVATE_BASE_DIR
-#               value: /tmp/renovate
-#             - name: RENOVATE_PERSIST_REPO_DATA
-#               value: true
-#             - name: RENOVATE_REPOSITORY_CACHE
-#               value: true
-#             - name: RENOVATE_REDIS_URL
-#               value: redis://gitea-renovate-valkey-primary.gitea:6379
-#             - name: LOG_LEVEL
-#               value: info
-#           envFrom:
-#             - secretRef:
-#                 name: gitea-renovate-secret
-#           resources:
-#             requests:
-#               cpu: 100m
-#               memory: 128Mi
-#   persistence:
-#     base:
-#       storageClass: ceph-block
-#       accessMode: ReadWriteOnce
-#       size: 5Gi
-#       retain: true
-#       advancedMounts:
-#         renovate:
-#           main:
-#             - path: /tmp/renovate
-#               readOnly: false
-#     ssh:
-#       enabled: true
-#       type: secret
-#       name: gitea-renovate-ssh-secret
-#       advancedMounts:
-#         renovate:
-#           main:
-#             - path: /home/ubuntu/.ssh
-#               readOnly: true
-#               mountPropagation: None
-#     cache:
-#       type: emptyDir
-#       advancedMounts:
-#         renovate:
-#           main:
-#             - path: /tmp/renovate/cache
-#               readOnly: false
 backup:
   global:
     fullnameOverride: gitea-backup

clusters/cl01tl/services/kubernetes-cloudflare-ddns/values.yaml

@@ -6,7 +6,7 @@ kubernetes-cloudflare-ddns:
         suspend: false
         concurrencyPolicy: Forbid
         timeZone: US/Central
-        schedule: "0 0 * * *"
+        schedule: "30 4 * * *"
         startingDeadlineSeconds: 90
         successfulJobsHistory: 3
         failedJobsHistory: 3

clusters/cl01tl/services/talos/values.yaml

@@ -13,7 +13,7 @@ etcd-backup:
         suspend: false
         concurrencyPolicy: Forbid
         timeZone: US/Central
-        schedule: "0 0 * * *"
+        schedule: "0 2 * * *"
         startingDeadlineSeconds: 90
         successfulJobsHistory: 3
         failedJobsHistory: 3