clusters/cl01tl/helm/trivy/Chart.lock

@@ -0,0 +1,6 @@
+dependencies:
+- name: trivy-operator
+  repository: https://aquasecurity.github.io/helm-charts/
+  version: 0.32.1
+digest: sha256:7e25850fc3115f52e6c65151c76668929eee6713228e935862d9f156397c2ede
+generated: "2026-03-15T17:21:41.373519-05:00"

clusters/cl01tl/helm/trivy/Chart.yaml

@@ -0,0 +1,23 @@
+apiVersion: v2
+name: trivy
+version: 1.0.0
+description: Trivy
+keywords:
+  - trivy
+  - vulnerability
+  - monitoring
+  - kubernetes
+home: https://wiki.alexlebens.dev/s/
+sources:
+  - https://github.com/aquasecurity/trivy
+  - https://github.com/aquasecurity/trivy-operator
+  - https://github.com/aquasecurity/trivy-operator/tree/main/deploy/helm
+maintainers:
+  - name: alexlebens
+dependencies:
+  - name: trivy-operator
+    version: 0.32.1
+    repository: https://aquasecurity.github.io/helm-charts/
+icon: https://raw.githubusercontent.com/aquasecurity/trivy/main/docs/imgs/logo.png
+# renovate: github=aquasecurity/trivy
+appVersion: 0.32.1

clusters/cl01tl/helm/trivy/templates/namespace.yaml

@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: trivy
+  labels:
+    app.kubernetes.io/name: trivy
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+    pod-security.kubernetes.io/audit: privileged
+    pod-security.kubernetes.io/enforce: privileged
+    pod-security.kubernetes.io/warn: privileged

clusters/cl01tl/helm/trivy/values.yaml

@@ -0,0 +1,47 @@
+trivy-operator:
+  targetWorkloads: "pod,replicaset,replicationcontroller,statefulset,daemonset,cronjob,job"
+  operator:
+    replicas: 1
+    vulnerabilityScannerEnabled: true
+    sbomGenerationEnabled: true
+    clusterSbomCacheEnabled: true
+    configAuditScannerEnabled: true
+    rbacAssessmentScannerEnabled: true
+    infraAssessmentScannerEnabled: true
+    clusterComplianceEnabled: false
+    vulnerabilityScannerScanOnlyCurrentRevisions: true
+    accessGlobalSecretsAndServiceAccount: true
+    metricsFindingsEnabled: true
+    exposedSecretScannerEnabled: true
+  serviceMonitor:
+    enabled: true
+  trivy:
+    createConfig: true
+    image:
+      registry: mirror.gcr.io
+      repository: aquasec/trivy
+      tag: 0.69.3
+    storageClassEnabled: true
+    storageClassName: ceph-block
+    storageSize: "10Gi"
+    registry:
+      mirror:
+        "registry-1.docker.io": proxy-registry-1.docker.io
+        "quay.io": proxy-quay.io
+        "registry.k8s.io": proxy-registry.k8s
+        "gcr.io": proxy-gcr.io
+        "ghcr.io": proxy-ghcr.io
+        "hub.docker": proxy-hub.docker
+    severity: UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL
+    slow: true
+    resources:
+      requests:
+        cpu: 100m
+        memory: 128M
+    supportedConfigAuditKinds: "Workload,Service,Role,ClusterRole,NetworkPolicy,Ingress,LimitRange,ResourceQuota"
+    server:
+      resources:
+        requests:
+          cpu: 200m
+          memory: 512Mi
+      replicas: 1