From 58f4a8a29b6ff6144e437feb6782893c43d2f9db Mon Sep 17 00:00:00 2001
From: Alex Lebens
Date: Wed, 4 Jun 2025 21:37:59 -0500
Subject: [PATCH] add trivy
---
 .../cl01tl/applications/libation/values.yaml | 2 +-
 .../cl01tl/applications/roundcube/values.yaml | 2 +-
 .../cl01tl/monitoring/trivy/trivy/Chart.yaml | 22 ++++
 .../cl01tl/monitoring/trivy/trivy/values.yaml | 113 ++++++++++++++++++
 clusters/cl01tl/platform/gitea/values.yaml | 74 ------------
 .../kubernetes-cloudflare-ddns/values.yaml | 2 +-
 clusters/cl01tl/services/talos/values.yaml | 2 +-
 7 files changed, 139 insertions(+), 78 deletions(-)
 create mode 100644 clusters/cl01tl/monitoring/trivy/trivy/Chart.yaml
 create mode 100644 clusters/cl01tl/monitoring/trivy/trivy/values.yaml
diff --git a/clusters/cl01tl/applications/libation/values.yaml b/clusters/cl01tl/applications/libation/values.yaml
index c64f18690..936257f75 100644
--- a/clusters/cl01tl/applications/libation/values.yaml
+++ b/clusters/cl01tl/applications/libation/values.yaml
@@ -6,7 +6,7 @@ libation:
 suspend: false
 concurrencyPolicy: Forbid
 timeZone: US/Central
- schedule: "0 * * * *"
+ schedule: "30 4 * * *"
 startingDeadlineSeconds: 90
 successfulJobsHistory: 3
 failedJobsHistory: 3
diff --git a/clusters/cl01tl/applications/roundcube/values.yaml b/clusters/cl01tl/applications/roundcube/values.yaml
index 415116ccc..50cf7a831 100644
--- a/clusters/cl01tl/applications/roundcube/values.yaml
+++ b/clusters/cl01tl/applications/roundcube/values.yaml
@@ -75,7 +75,7 @@ roundcube:
 suspend: false
 concurrencyPolicy: Forbid
 timeZone: US/Central
- schedule: 0 4 * * *
+ schedule: 30 4 * * *
 startingDeadlineSeconds: 90
 successfulJobsHistory: 3
 failedJobsHistory: 3
diff --git a/clusters/cl01tl/monitoring/trivy/trivy/Chart.yaml b/clusters/cl01tl/monitoring/trivy/trivy/Chart.yaml
new file mode 100644
index 000000000..c191346c2
--- /dev/null
+++ b/clusters/cl01tl/monitoring/trivy/trivy/Chart.yaml
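Review bot: The new `schedule: "30 4 * * *"` for libation lands on the same minute as roundcube and kubernetes-cloudflare-ddns, both also moved to 04:30 US/Central in this commit, so three CronJobs now start simultaneously. If the intent was to stagger the nightly batch, as the etcd-backup move to `"0 2 * * *"` suggests, consider offsetting them by a few minutes, e.g. `schedule: "35 4 * * *"` here; if running them together is deliberate, ignore this. Note that `concurrencyPolicy: Forbid` only prevents overlap of runs of the same job, not contention between the three.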
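Review bot: The changed line `+ schedule: 30 4 * * *` in the roundcube hunk leaves the cron expression as a plain scalar, while the same key is quoted in the libation, kubernetes-cloudflare-ddns and talos values files touched by this commit. A plain scalar parses as the intended string today, but a five-field expression that starts with `*` would be read as a YAML alias, and quoting keeps the files consistent and safe against that edit: `schedule: "30 4 * * *"`.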
@@ -0,0 +1,22 @@
+apiVersion: v2
+name: trivy
+version: 1.0.0
+description: Trivy
+keywords:
+ - trivy
+ - vulnerability
+ - monitoring
+ - kubernetes
+home: https://wiki.alexlebens.dev/s/5cffa529-4c2e-4126-99eb-cc4aeb5a49b3
+sources:
+ - https://github.com/aquasecurity/trivy
+ - https://github.com/aquasecurity/trivy-operator
+ - https://github.com/aquasecurity/trivy-operator/tree/main/deploy/helm
+maintainers:
+ - name: alexlebens
+dependencies:
+ - name: trivy-operator
+ version: 0.28.1
+ repository: https://aquasecurity.github.io/helm-charts/
+icon: https://raw.githubusercontent.com/aquasecurity/trivy/main/docs/imgs/logo.png
+appVersion: v0.26.1
diff --git a/clusters/cl01tl/monitoring/trivy/trivy/values.yaml b/clusters/cl01tl/monitoring/trivy/trivy/values.yaml
new file mode 100644
index 000000000..a30fcfb82
--- /dev/null
+++ b/clusters/cl01tl/monitoring/trivy/trivy/values.yaml
@@ -0,0 +1,113 @@
+trivy-operator:
+ targetWorkloads: "pod,replicaset,replicationcontroller,statefulset,daemonset,cronjob,job"
+ operator:
+ replicas: 1
+ vulnerabilityScannerEnabled: true
+ sbomGenerationEnabled: false
+ clusterSbomCacheEnabled: false
+ configAuditScannerEnabled: false
+ rbacAssessmentScannerEnabled: false
+ infraAssessmentScannerEnabled: false
+ clusterComplianceEnabled: false
+ serviceMonitor:
+ enabled: true
+ trivy:
+ createConfig: true
+ image:
+ registry: mirror.gcr.io
+ repository: aquasec/trivy
+ tag: 0.62.1
+ storageClassEnabled: true
+ storageClassName: ceph-block
+ storageSize: "5Gi"
+ registry:
+ mirror:
+ "registry-1.docker.io": proxy-registry-1.docker.io
+ "quay.io": proxy-quay.io
+ "registry.k8s.io": proxy-registry.k8s
+ "gcr.io": proxy-gcr.io
+ "ghcr.io": proxy-ghcr.io
+ "hub.docker": proxy-hub.docker
+ severity: UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL
+ slow: true
+ resources:
+ requests:
+ cpu: 100m
+ memory: 128M
+ supportedConfigAuditKinds: "Workload,Service,Role,ClusterRole,NetworkPolicy,Ingress,LimitRange,ResourceQuota"
+ server:
+ resources:
+ requests:
+ cpu: 200m
+ memory: 512Mi
+ replicas: 1
+ compliance:
+ reportType: summary
+ cron: 0 5 * * *
+ specs:
+ - k8s-cis-1.23
+ - k8s-nsa-1.0
+ - k8s-pss-baseline-0.1
+ - k8s-pss-restricted-0.1
+ volumeMounts:
+ - mountPath: /tmp
+ name: cache-policies
+ readOnly: false
+ volumes:
+ - name: cache-policies
+ emptyDir: {}
+ resources:
+ requests:
+ cpu: 100m
+ memory: 128Mi
+ nodeCollector:
+ volumeMounts:
+ - name: var-lib-etcd
+ mountPath: /var/lib/etcd
+ readOnly: true
+ - name: var-lib-kubelet
+ mountPath: /var/lib/kubelet
+ readOnly: true
+ - name: var-lib-kube-scheduler
+ mountPath: /var/lib/kube-scheduler
+ readOnly: true
+ - name: var-lib-kube-controller-manager
+ mountPath: /var/lib/kube-controller-manager
+ readOnly: true
+ - name: etc-systemd
+ mountPath: /etc/systemd
+ readOnly: true
+ - name: lib-systemd
+ mountPath: /lib/systemd/
+ readOnly: true
+ - name: etc-kubernetes
+ mountPath: /etc/kubernetes
+ readOnly: true
+ - name: etc-cni-netd
+ mountPath: /etc/cni/net.d/
+ readOnly: true
+ volumes:
+ - name: var-lib-etcd
+ hostPath:
+ path: /var/lib/etcd
+ - name: var-lib-kubelet
+ hostPath:
+ path: /var/lib/kubelet
+ - name: var-lib-kube-scheduler
+ hostPath:
+ path: /var/lib/kube-scheduler
+ - name: var-lib-kube-controller-manager
+ hostPath:
+ path: /var/lib/kube-controller-manager
+ - name: etc-systemd
+ hostPath:
+ path: /etc/systemd
+ - name: lib-systemd
+ hostPath:
+ path: /lib/systemd
+ - name: etc-kubernetes
+ hostPath:
+ path: /etc/kubernetes
+ - name: etc-cni-netd
+ hostPath:
+ path: /etc/cni/net.d/
diff --git a/clusters/cl01tl/platform/gitea/values.yaml b/clusters/cl01tl/platform/gitea/values.yaml
index a927a7269..e23eaf64c 100644
--- a/clusters/cl01tl/platform/gitea/values.yaml
+++ b/clusters/cl01tl/platform/gitea/values.yaml
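Review bot: The `nodeCollector` volumes mount `/var/lib/etcd`, `/etc/kubernetes` and the other control-plane host paths into the collector pod, yet `infraAssessmentScannerEnabled: false` and `clusterComplianceEnabled: false` disable the scanners that, as far as I can tell from the operator's documentation, are the only consumers of the node collector, so this block and the `compliance` cron/specs look like dead configuration. Either enable the infra-assessment scanner so the read-only mounts serve a purpose, or drop the `nodeCollector` and `compliance` sections until they do, so a later reader does not assume host-path access to the etcd data directory is required by this deployment. Separately, `"registry.k8s.io": proxy-registry.k8s` breaks the `proxy-<host>` naming that every other mirror entry follows and may be a typo for `proxy-registry.k8s.io`, and `memory: 128M` under the trivy `resources.requests` uses a decimal unit where the rest of the file uses `Mi`. The `cron: 0 5 * * *` expression would also be safer quoted, as the `schedule` keys in the other values files in this commit are.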
@@ -151,80 +151,6 @@ gitea:
 enabled: false
 mariadb:
 enabled: false
-# renovate:
-# global:
-# fullnameOverride: gitea-renovate
-# controllers:
-# renovate:
-# type: cronjob
-# cronjob:
-# suspend: false
-# concurrencyPolicy: Forbid
-# timeZone: US/Central
-# schedule: "0 4 * * *"
-# startingDeadlineSeconds: 90
-# successfulJobsHistory: 3
-# failedJobsHistory: 3
-# backoffLimit: 3
-# parallelism: 1
-# containers:
-# main:
-# image:
-# repository: renovate/renovate
-# tag: 40
-# pullPolicy: IfNotPresent
-# env:
-# - name: RENOVATE_PLATFORM
-# value: gitea
-# - name: RENOVATE_AUTODISCOVER
-# value: 'true'
-# - name: RENOVATE_ONBOARDING
-# value: 'true'
-# - name: RENOVATE_BASE_DIR
-# value: /tmp/renovate
-# - name: RENOVATE_PERSIST_REPO_DATA
-# value: true
-# - name: RENOVATE_REPOSITORY_CACHE
-# value: true
-# - name: RENOVATE_REDIS_URL
-# value: redis://gitea-renovate-valkey-primary.gitea:6379
-# - name: LOG_LEVEL
-# value: info
-# envFrom:
-# - secretRef:
-# name: gitea-renovate-secret
-# resources:
-# requests:
-# cpu: 100m
-# memory: 128Mi
-# persistence:
-# base:
-# storageClass: ceph-block
-# accessMode: ReadWriteOnce
-# size: 5Gi
-# retain: true
-# advancedMounts:
-# renovate:
-# main:
-# - path: /tmp/renovate
-# readOnly: false
-# ssh:
-# enabled: true
-# type: secret
-# name: gitea-renovate-ssh-secret
-# advancedMounts:
-# renovate:
-# main:
-# - path: /home/ubuntu/.ssh
-# readOnly: true
-# mountPropagation: None
-# cache:
-# type: emptyDir
-# advancedMounts:
-# renovate:
-# main:
-# - path: /tmp/renovate/cache
-# readOnly: false
 backup:
 global:
 fullnameOverride: gitea-backup
diff --git a/clusters/cl01tl/services/kubernetes-cloudflare-ddns/values.yaml b/clusters/cl01tl/services/kubernetes-cloudflare-ddns/values.yaml
index 9486411c8..f7a64f73d 100644
--- a/clusters/cl01tl/services/kubernetes-cloudflare-ddns/values.yaml
+++ b/clusters/cl01tl/services/kubernetes-cloudflare-ddns/values.yaml
@@ -6,7 +6,7 @@ kubernetes-cloudflare-ddns:
 suspend: false
 concurrencyPolicy: Forbid
 timeZone: US/Central
- schedule: "0 0 * * *"
+ schedule: "30 4 * * *"
 startingDeadlineSeconds: 90
 successfulJobsHistory: 3
 failedJobsHistory: 3
diff --git a/clusters/cl01tl/services/talos/values.yaml b/clusters/cl01tl/services/talos/values.yaml
index ffff409b3..673a8535e 100644
--- a/clusters/cl01tl/services/talos/values.yaml
+++ b/clusters/cl01tl/services/talos/values.yaml
@@ -13,7 +13,7 @@ etcd-backup:
 suspend: false
 concurrencyPolicy: Forbid
 timeZone: US/Central
- schedule: "0 0 * * *"
+ schedule: "0 2 * * *"
 startingDeadlineSeconds: 90
 successfulJobsHistory: 3
 failedJobsHistory: 3