Custom Policies Bundle insecure

[rickymulder]

{"level":"error","ts":"2024-05-24T22:59:55Z","msg":"Reconciler error","controller":"job","controllerGroup":"batch","controllerKind":"Job","Job":{"name":"scan-vulnerabilityreport-7b8cdcb8cb","namespace":"NS"},"namespace":"NS","name":"scan-vulnerabilityreport-7b8cdcb8cb","reconcileID":"7a235024-1ae6-4df5-8504-87753c7d0da6","error":"unexpected end of JSON input","stacktrace":"sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).reconcileHandler\n\t/home/runner/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.18.2/pkg/internal/controller/controller.go:324\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).processNextWorkItem\n\t/home/runner/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.18.2/pkg/internal/controller/controller.go:261\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Start.func2.2\n\t/home/runner/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.18.2/pkg/internal/controller/controller.go:222"}
{"level":"error","ts":"2024-05-24T23:00:00Z","logger":"policyLoader.Get misconfig bundle policies","msg":"failed to load policies","error":"failed to download policies: failed to download built-in policies: download error: OCI repository error: 1 error occurred:\n\t* Get \"https://myregistry:5050/v2/\": tls: failed to verify certificate: x509: certificate signed by unknown authority\n\n","stacktrace":"github.com/aquasecurity/trivy-operator/pkg/policy.(*policyLoader).GetPolicies\n\t/home/runner/work/trivy-operator/trivy-operator/pkg/policy/loader.go:61\ngithub.com/aquasecurity/trivy-operator/pkg/policy.(*Policies).loadPolicies\n\t/home/runner/work/trivy-operator/trivy-operator/pkg/policy/policy.go:144\ngithub.com/aquasecurity/trivy-operator/pkg/policy.(*Policies).Hash\n\t/home/runner/work/trivy-operator/trivy-operator/pkg/policy/policy.go:114\ngithub.com/aquasecurity/trivy-operator/pkg/configauditreport/controller.(*ResourceController).SetupWithManager.(*ResourceController).reconcileResource.func1\n\t/home/runner/work/trivy-operator/trivy-operator/pkg/configauditreport/controller/resource.go:208\nsigs.k8s.io/controller-runtime/pkg/reconcile.Func.Reconcile\n\t/home/runner/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.18.2/pkg/reconcile/reconcile.go:113\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Reconcile\n\t/home/runner/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.18.2/pkg/internal/controller/controller.go:114\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).reconcileHandler\n\t/home/runner/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.18.2/pkg/internal/controller/controller.go:311\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).processNextWorkItem\n\t/home/runner/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.18.2/pkg/internal/controller/controller.go:261\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Start.func2.2\n\t/home/runner/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.18.2/pkg/internal/controller/controller.go:222"}

Helm Config:

policiesBundle:
  registry: myregistry:5050/aquasecurity
  repository: trivy-checks
  existingSecret: true # External secrets

oras copy:

$ oras cp ghcr.io/aquasecurity/trivy-checks:0 myregistry:5050/aquasecurity/trivy-checks:0 --to-oci-layout
Copying fb7d260c2ad2 bundle.tar.gz
Copied  fb7d260c2ad2 bundle.tar.gz
Copied [registry] ghcr.io/aquasecurity/trivy-checks:0 => [oci-layout] myregistry:5050/aquasecurity/trivy-checks:0
Digest: sha256:6d0771effa53c6cf8130861fc3ac28f5515c35a028edb4bb1e67261b9218c80e

Can we support insecure the same as we do for the dbRepository?
https://github.com/aquasecurity/trivy-operator/blob/main/deploy/helm/values.yaml#L536

Or better yet, allow us to provide custom CA Bundles for verification?

[Maayanchik]

any substitute to that in the meantime? cannot seem to make it work via helmchart in any way :\

[chen-keinan]

@rickymulder sure, sound reasonable
@Maayanchik a workaround will be to use embedded policies instead of downloading

[Maayanchik]

@chen-keinan Thank you! I tried, but am still facing some issues.
I get an error "stat externalPolicies: file does not exist"
I'm assuming i'm supposed to manually add the policies somehow but cannot figure out how and where exactly?

[chen-keinan]

@chen-keinan Thank you! I tried, but am still facing some issues. I get an error "stat externalPolicies: file does not exist" I'm assuming i'm supposed to manually add the policies somehow but cannot figure out how and where exactly?

Thanks for update checking

Are you running latest trivy-operator ?

[Maayanchik]

@chen-keinan believe so, 0.22.1, but I'll check again if there's a newer version.
Update: seems there is a 0.22.4, will try using it and update :)

[chen-keinan]

@chen-keinan believe so, 0.22.1, but I'll check again if there's a newer version. Update: seems there is a 0.22.4, will try using it and update :)

Note: the latest version is trivy-opeartor helm chart v0.23.1 please use it.

[Maayanchik]

@chen-keinan Hi! took me a little while as i am working in an air-gapped environment, but i managed to deploy it using trivy-operator helm chart v0.23.1 and it seems to be working so far!
thank you so much for your help, but i must ask, how does enabling "useEmbeddedRegoPolicies" affect trivy? does it not use the policies, or does it still use them as long as i mention the correct vars for my environment under "policiesBundle"?

[chen-keinan]

@chen-keinan Hi! took me a little while as i am working in an air-gapped environment, but i managed to deploy it using trivy-operator helm chart v0.23.1! thank you so much for your help, but i must ask, how does enabling "useEmbeddedRegoPolicies" affect trivy? does it not use the policies, or does it still use them as long as i mention the correct vars for my environment under "policiesBundle"?

it do use the policies but its not updated on a daily basis its depend on go lib dependency which updated on demand in oppose to trivy-check package which is updated on daily basis so if a new policy is added you should get it within the next day

[rickymulder]

I'm offended this was just closed. It's literally so easy. I even wrote the code to apply the option for insecure. I'll push a related MR later today

[chen-keinan]

I'm offended this was just closed. It's literally so easy. I even wrote the code to apply the option for insecure. I'll push a related MR later today

@rickymulder I wasn't aware you were working on it. If you had mentioned that you wanted to handle it, I wouldn't have implemented it. I thought it was urgent enough to get it done.

The issue was closed as I merged PR #2100, which fixes it. If you want to pick up another issue, feel free to do so. I can provide advice if needed.

[rickymulder]

Oh wow I didn't even see the MR! Ha, whoops.

[AndreasDavour]

@Maayanchik I'm working on an air-gapped installation myself and have some issues. Is there a way to get in touch and compare notes? I'm not a github expert so I'm not sure how to do it, and just hoped pinging you here might work.