add trivy

clusters/cl01tl/monitoring/trivy/trivy/Chart.yaml

@@ -0,0 +1,22 @@
+apiVersion: v2
+name: trivy
+version: 1.0.0
+description: Trivy
+keywords:
+  - trivy
+  - vulnerability
+  - monitoring
+  - kubernetes
+home: https://wiki.alexlebens.dev/s/5cffa529-4c2e-4126-99eb-cc4aeb5a49b3
+sources:
+  - https://github.com/aquasecurity/trivy
+  - https://github.com/aquasecurity/trivy-operator
+  - https://github.com/aquasecurity/trivy-operator/tree/main/deploy/helm
+maintainers:
+  - name: alexlebens
+dependencies:
+  - name: trivy-operator
+    version: 0.28.1
+    repository: https://aquasecurity.github.io/helm-charts/
+icon: https://raw.githubusercontent.com/aquasecurity/trivy/main/docs/imgs/logo.png
+appVersion: v0.26.1

clusters/cl01tl/monitoring/trivy/trivy/values.yaml

@@ -0,0 +1,113 @@
+trivy-operator:
+  targetWorkloads: "pod,replicaset,replicationcontroller,statefulset,daemonset,cronjob,job"
+  operator:
+    replicas: 1
+    vulnerabilityScannerEnabled: true
+    sbomGenerationEnabled: false
+    clusterSbomCacheEnabled: false
+    configAuditScannerEnabled: false
+    rbacAssessmentScannerEnabled: false
+    infraAssessmentScannerEnabled: false
+    clusterComplianceEnabled: false
+  serviceMonitor:
+    enabled: true
+  trivy:
+    createConfig: true
+    image:
+      registry: mirror.gcr.io
+      repository: aquasec/trivy
+      tag: 0.62.1
+    storageClassEnabled: true
+    storageClassName: ceph-block
+    storageSize: "5Gi"
+    registry:
+      mirror:
+        "registry-1.docker.io": proxy-registry-1.docker.io
+        "quay.io": proxy-quay.io
+        "registry.k8s.io": proxy-registry.k8s
+        "gcr.io": proxy-gcr.io
+        "ghcr.io": proxy-ghcr.io
+        "hub.docker": proxy-hub.docker
+    severity: UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL
+    slow: true
+    resources:
+      requests:
+        cpu: 100m
+        memory: 128M
+    supportedConfigAuditKinds: "Workload,Service,Role,ClusterRole,NetworkPolicy,Ingress,LimitRange,ResourceQuota"
+    server:
+      resources:
+        requests:
+          cpu: 200m
+          memory: 512Mi
+      replicas: 1
+  compliance:
+    reportType: summary
+    cron: 0 5 * * *
+    specs:
+      - k8s-cis-1.23
+      - k8s-nsa-1.0
+      - k8s-pss-baseline-0.1
+      - k8s-pss-restricted-0.1
+  volumeMounts:
+    - mountPath: /tmp
+      name: cache-policies
+      readOnly: false
+  volumes:
+    - name: cache-policies
+      emptyDir: {}
+  resources:
+    requests:
+      cpu: 100m
+      memory: 128Mi
+  nodeCollector:
+    volumeMounts:
+      - name: var-lib-etcd
+        mountPath: /var/lib/etcd
+        readOnly: true
+      - name: var-lib-kubelet
+        mountPath: /var/lib/kubelet
+        readOnly: true
+      - name: var-lib-kube-scheduler
+        mountPath: /var/lib/kube-scheduler
+        readOnly: true
+      - name: var-lib-kube-controller-manager
+        mountPath: /var/lib/kube-controller-manager
+        readOnly: true
+      - name: etc-systemd
+        mountPath: /etc/systemd
+        readOnly: true
+      - name: lib-systemd
+        mountPath: /lib/systemd/
+        readOnly: true
+      - name: etc-kubernetes
+        mountPath: /etc/kubernetes
+        readOnly: true
+      - name: etc-cni-netd
+        mountPath: /etc/cni/net.d/
+        readOnly: true
+    volumes:
+      - name: var-lib-etcd
+        hostPath:
+          path: /var/lib/etcd
+      - name: var-lib-kubelet
+        hostPath:
+          path: /var/lib/kubelet
+      - name: var-lib-kube-scheduler
+        hostPath:
+          path: /var/lib/kube-scheduler
+      - name: var-lib-kube-controller-manager
+        hostPath:
+          path: /var/lib/kube-controller-manager
+      - name: etc-systemd
+        hostPath:
+          path: /etc/systemd
+      - name: lib-systemd
+        hostPath:
+          path: /lib/systemd
+      - name: etc-kubernetes
+        hostPath:
+          path: /etc/kubernetes
+      - name: etc-cni-netd
+        hostPath:
+          path: /etc/cni/net.d/