feat(helm): Add HTTPS_PROXY and NO_PROXY settings for Trivy (#443)
Resolves: #442
bgoareguer committed Mar 23, 2021
1 parent b9e778c commit c836618
Showing 5 changed files with 176 additions and 3 deletions.
4 changes: 2 additions & 2 deletions deploy/helm/templates/configmap.yaml
Expand Up @@ -12,9 +12,9 @@ data:
{{- if eq .Values.trivy.mode "ClientServer" }}
trivy.serverURL: "{{ .Values.trivy.serverURL }}"
{{- end }}
{{- if eq .Values.trivy.mode "Standalone" }}
trivy.httpProxy: "{{ .Values.trivy.httpProxy }}"
{{- end }}
trivy.httpsProxy: "{{ .Values.trivy.httpsProxy }}"
trivy.noProxy: "{{ .Values.trivy.noProxy }}"
trivy.severity: "{{ .Values.trivy.severity }}"
{{- end }}
{{- if .Values.kubeBench.enabled }}
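Review bot: The three proxy keys are rendered unconditionally, so an unset value produces `trivy.httpProxy: ""` (and likewise for `trivy.httpsProxy` / `trivy.noProxy`) in the ConfigMap, which means every scan pod gets HTTP_PROXY, HTTPS_PROXY and NO_PROXY set to empty strings and the `Optional: true` on the ConfigMapKeyRef in plugin.go never takes effect through this chart. Go's proxy resolution appears to treat an empty variable as unset, so Trivy itself should be unaffected, but the empty variables are misleading when inspecting the pod and may not be ignored by other tooling in the image. Emitting each key only when a value is supplied keeps the ConfigMap honest: `{{- with .Values.trivy.httpsProxy }}`, `trivy.httpsProxy: "{{ . }}"`, `{{- end }}`, with the same pattern for `httpProxy` and `noProxy`. The `data:` block this hunk edits continues outside the hunk.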
2 changes: 2 additions & 0 deletions deploy/helm/values.yaml
Expand Up @@ -58,6 +58,8 @@ trivy:
mode: Standalone
serverURL:
httpProxy:
httpsProxy:
noProxy:
severity: UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL

kubeBench:
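Review bot: The new `httpsProxy:` and `noProxy:` keys carry no comment in values.yaml describing their expected format or the operational caveat that matters most: with HTTPS_PROXY set, a `ClientServer` deployment will route the client's requests to `serverURL` through the proxy unless that host is listed in `noProxy`. Suggested comments above the keys: `# Proxy URL for Trivy's outbound HTTPS traffic (vulnerability DB download, registries)` on `httpsProxy`, and `# Comma-separated hosts/CIDRs that bypass the proxy; in ClientServer mode include the Trivy server host` on `noProxy`. The `trivy:` mapping continues outside the hunk.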
4 changes: 3 additions & 1 deletion docs/settings.md
Expand Up @@ -59,7 +59,9 @@ The following tables list available configuration settings with their default va
| CONFIGMAP KEY | DEFAULT | DESCRIPTION |
| ------------------------------ | ------------------------------------------------------ | ----------- |
| `vulnerabilityReports.scanner` | `Trivy` | The name of the scanner that generates vulnerability reports. Either `Trivy` or `Aqua`. |
| `trivy.httpProxy` | N/A | The HTTP proxy used by Trivy to download the vulnerabilities database from GitHub. Only applicable in `Standalone` mode. |
| `trivy.httpProxy` | N/A | The HTTP proxy used by Trivy to download the vulnerabilities database from GitHub. |
| `trivy.httpsProxy` | N/A | The HTTPS proxy used by Trivy to download the vulnerabilities database from GitHub. |
| `trivy.noProxy` | N/A | A comma separated list of IPs and domain names that are not subject to proxy settings. |
| `trivy.severity` | `UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL` | A comma separated list of severity levels reported by Trivy |
| `trivy.imageRef` | `docker.io/aquasec/trivy:0.16.0` | Trivy image reference |
| `trivy.mode` | `Standalone` | Trivy client mode. Either `Standalone` or `ClientServer`. Depending on the active mode other settings might be applicable or required. |
84 changes: 84 additions & 0 deletions pkg/plugin/trivy/plugin.go
Expand Up @@ -134,6 +134,30 @@ func (s *scanner) getPodSpecForStandaloneMode(spec corev1.PodSpec, credentials m
},
},
},
{
Name: "HTTPS_PROXY",
ValueFrom: &corev1.EnvVarSource{
ConfigMapKeyRef: &corev1.ConfigMapKeySelector{
LocalObjectReference: corev1.LocalObjectReference{
Name: starboard.ConfigMapName,
},
Key: "trivy.httpsProxy",
Optional: pointer.BoolPtr(true),
},
},
},
{
Name: "NO_PROXY",
ValueFrom: &corev1.EnvVarSource{
ConfigMapKeyRef: &corev1.ConfigMapKeySelector{
LocalObjectReference: corev1.LocalObjectReference{
Name: starboard.ConfigMapName,
},
Key: "trivy.noProxy",
Optional: pointer.BoolPtr(true),
},
},
},
{
Name: "GITHUB_TOKEN",
ValueFrom: &corev1.EnvVarSource{
Expand Down Expand Up @@ -194,6 +218,30 @@ func (s *scanner) getPodSpecForStandaloneMode(spec corev1.PodSpec, credentials m
},
},
},
{
Name: "HTTPS_PROXY",
ValueFrom: &corev1.EnvVarSource{
ConfigMapKeyRef: &corev1.ConfigMapKeySelector{
LocalObjectReference: corev1.LocalObjectReference{
Name: starboard.ConfigMapName,
},
Key: "trivy.httpsProxy",
Optional: pointer.BoolPtr(true),
},
},
},
{
Name: "NO_PROXY",
ValueFrom: &corev1.EnvVarSource{
ConfigMapKeyRef: &corev1.ConfigMapKeySelector{
LocalObjectReference: corev1.LocalObjectReference{
Name: starboard.ConfigMapName,
},
Key: "trivy.noProxy",
Optional: pointer.BoolPtr(true),
},
},
},
}

if _, ok := credentials[c.Name]; ok && secret != nil {
Expand Down Expand Up @@ -317,6 +365,42 @@ func (s *scanner) getPodSpecForClientServerMode(spec corev1.PodSpec, credentials
for _, container := range spec.Containers {

env := []corev1.EnvVar{
{
Name: "HTTP_PROXY",
ValueFrom: &corev1.EnvVarSource{
ConfigMapKeyRef: &corev1.ConfigMapKeySelector{
LocalObjectReference: corev1.LocalObjectReference{
Name: starboard.ConfigMapName,
},
Key: "trivy.httpProxy",
Optional: pointer.BoolPtr(true),
},
},
},
{
Name: "HTTPS_PROXY",
ValueFrom: &corev1.EnvVarSource{
ConfigMapKeyRef: &corev1.ConfigMapKeySelector{
LocalObjectReference: corev1.LocalObjectReference{
Name: starboard.ConfigMapName,
},
Key: "trivy.httpsProxy",
Optional: pointer.BoolPtr(true),
},
},
},
{
Name: "NO_PROXY",
ValueFrom: &corev1.EnvVarSource{
ConfigMapKeyRef: &corev1.ConfigMapKeySelector{
LocalObjectReference: corev1.LocalObjectReference{
Name: starboard.ConfigMapName,
},
Key: "trivy.noProxy",
Optional: pointer.BoolPtr(true),
},
},
},
{
Name: "TRIVY_SEVERITY",
ValueFrom: &corev1.EnvVarSource{
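Review bot: In the getPodSpecForClientServerMode hunk the HTTP_PROXY/HTTPS_PROXY variables now also govern the client container's connection to `trivy.serverURL`, so an in-cluster server URL that is not covered by `trivy.noProxy` will be sent through the (possibly external) proxy; this is worth a comment next to the env list and a mention in the settings docs, since nothing in the code adds the server host to NO_PROXY automatically. Separately, the identical 13-line ConfigMapKeyRef literal is now repeated nine times across the three hunks, which is what makes an oversight like the above easy to miss; a small helper that builds one EnvVar from a ConfigMap key, plus one that returns the proxy triple, reduces each call site to a single append and keeps Standalone and ClientServer in lockstep. Both enclosing functions start and end outside the hunks, so the existing env slice literals would be changed to `append(proxyEnvVars(), ...)` or have the triple spliced in where the literals currently sit.

```go
// configMapEnvVar returns an EnvVar populated from key in the Starboard
// ConfigMap. The key is optional so that an unset proxy setting leaves the
// variable absent rather than failing pod creation.
func configMapEnvVar(name, key string) corev1.EnvVar {
	return corev1.EnvVar{
		Name: name,
		ValueFrom: &corev1.EnvVarSource{
			ConfigMapKeyRef: &corev1.ConfigMapKeySelector{
				LocalObjectReference: corev1.LocalObjectReference{Name: starboard.ConfigMapName},
				Key:                  key,
				Optional:             pointer.BoolPtr(true),
			},
		},
	}
}

// proxyEnvVars returns the HTTP_PROXY/HTTPS_PROXY/NO_PROXY triple shared by
// every Trivy container. In ClientServer mode trivy.noProxy must include the
// trivy.serverURL host if the client's traffic to the server should not go
// through the proxy.
func proxyEnvVars() []corev1.EnvVar {
	return []corev1.EnvVar{
		configMapEnvVar("HTTP_PROXY", "trivy.httpProxy"),
		configMapEnvVar("HTTPS_PROXY", "trivy.httpsProxy"),
		configMapEnvVar("NO_PROXY", "trivy.noProxy"),
	}
}
```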
85 changes: 85 additions & 0 deletions pkg/plugin/trivy/plugin_test.go
Expand Up @@ -71,6 +71,31 @@ func TestScanner_GetScanJobSpec(t *testing.T) {
},
},
},
{
Name: "HTTPS_PROXY",
ValueFrom: &corev1.EnvVarSource{
ConfigMapKeyRef: &corev1.ConfigMapKeySelector{
LocalObjectReference: corev1.LocalObjectReference{
Name: starboard.ConfigMapName,
},
Key: "trivy.httpsProxy",
Optional: pointer.BoolPtr(true),
},
},
},
{
Name: "NO_PROXY",
ValueFrom: &corev1.EnvVarSource{
ConfigMapKeyRef: &corev1.ConfigMapKeySelector{
LocalObjectReference: corev1.LocalObjectReference{
Name: starboard.ConfigMapName,
},
Key: "trivy.noProxy",
Optional: pointer.BoolPtr(true),
},
},
},

{
Name: "GITHUB_TOKEN",
ValueFrom: &corev1.EnvVarSource{
Expand Down Expand Up @@ -140,6 +165,30 @@ func TestScanner_GetScanJobSpec(t *testing.T) {
},
},
},
{
Name: "HTTPS_PROXY",
ValueFrom: &corev1.EnvVarSource{
ConfigMapKeyRef: &corev1.ConfigMapKeySelector{
LocalObjectReference: corev1.LocalObjectReference{
Name: starboard.ConfigMapName,
},
Key: "trivy.httpsProxy",
Optional: pointer.BoolPtr(true),
},
},
},
{
Name: "NO_PROXY",
ValueFrom: &corev1.EnvVarSource{
ConfigMapKeyRef: &corev1.ConfigMapKeySelector{
LocalObjectReference: corev1.LocalObjectReference{
Name: starboard.ConfigMapName,
},
Key: "trivy.noProxy",
Optional: pointer.BoolPtr(true),
},
},
},
},
Command: []string{
"trivy",
Expand Down Expand Up @@ -212,6 +261,42 @@ func TestScanner_GetScanJobSpec(t *testing.T) {
ImagePullPolicy: corev1.PullIfNotPresent,
TerminationMessagePolicy: corev1.TerminationMessageFallbackToLogsOnError,
Env: []corev1.EnvVar{
{
Name: "HTTP_PROXY",
ValueFrom: &corev1.EnvVarSource{
ConfigMapKeyRef: &corev1.ConfigMapKeySelector{
LocalObjectReference: corev1.LocalObjectReference{
Name: starboard.ConfigMapName,
},
Key: "trivy.httpProxy",
Optional: pointer.BoolPtr(true),
},
},
},
{
Name: "HTTPS_PROXY",
ValueFrom: &corev1.EnvVarSource{
ConfigMapKeyRef: &corev1.ConfigMapKeySelector{
LocalObjectReference: corev1.LocalObjectReference{
Name: starboard.ConfigMapName,
},
Key: "trivy.httpsProxy",
Optional: pointer.BoolPtr(true),
},
},
},
{
Name: "NO_PROXY",
ValueFrom: &corev1.EnvVarSource{
ConfigMapKeyRef: &corev1.ConfigMapKeySelector{
LocalObjectReference: corev1.LocalObjectReference{
Name: starboard.ConfigMapName,
},
Key: "trivy.noProxy",
Optional: pointer.BoolPtr(true),
},
},
},
{
Name: "TRIVY_SEVERITY",
ValueFrom: &corev1.EnvVarSource{
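Review bot: The expected fixtures repeat the same three ConfigMapKeyRef literals in each of the three hunks, and the first hunk leaves a stray blank line between the NO_PROXY element and the GITHUB_TOKEN element that gofmt will not remove. Building the expected proxy entries once in the test (for example a package-level `expectedProxyEnv` slice or a small helper mirroring the production code) and dropping the blank line would keep the three cases in step when the env list changes again. TestScanner_GetScanJobSpec starts and ends outside the hunks.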
