fix: helm param gcr service account auth #2108

Merged
merged 3 commits into from
Jun 26, 2024

chen-keinan
Collaborator

Description

helm param gcr service account auth

Related issues

Checklist

  • I've read the guidelines for contributing to this repository.
  • I've added tests that prove my fix is effective or that my feature works.
  • I've updated the documentation with the relevant information (if needed).

Signed-off-by: chenk <hen.keinan@gmail.com>
@github-actions github-actions bot added the bug label May 28, 2024
Signed-off-by: chenk <hen.keinan@gmail.com>
@chen-keinan
Collaborator Author

@tidusete do you know how to build the project from this PR and test it to make sure it works for you?

@tidusete
Contributor

@chen-keinan I have been trying to make it work but without luck.
I'm defining on the configmap:

  name: trivy-operator
  namespace: default
  data:
    scanJob.useGCRServiceAccount: testing

But I believe this condition trivyoperator.GetDefaultConfig().GetScanJobUseGCRServiceAccount() is always giving me true although I have defined on the trivy-operator configmap the following Key.
As soon as I forced this condition to false it worked:

  if CheckGcpCrOrPrivateRegistry(c.Image) &&
      trivyoperator.GetDefaultConfig().GetScanJobUseGCRServiceAccount() && false {

So basically the problem relies on the function trivyoperator.GetDefaultConfig().GetScanJobUseGCRServiceAccount()

From which helm version should I work on that point? Should I forward everything to the last helm version and put on top of that the container image that I'm building with your changes?

@chen-keinan
Collaborator Author

@tidusete if you want to run from helm do the following.
steps:

  • building trivy-operator binary

      cd ~/<your workspace>/trivy-operator/cmd/trivy-operator
      GOOS=linux GOARCH=amd64 go build -o trivy-operator   # or GOARCH=arm64

  • building operator image: <docker hub user>/trivy-operator:<tag>

      mv trivy-operator ~/<your workspace>/trivy-operator/build/trivy-operator/trivy-operator
      cd ~/<your workspace>/trivy-operator/build/trivy-operator
      docker build -t <docker hub user>/trivy-operator:<tag> .

  • publishing operator image: <docker hub user>/trivy-operator:<tag>

      docker push <docker hub user>/trivy-operator:<tag>

update the deployment image with the one you just built and published

@chen-keinan
Collaborator Author

@tidusete any update?

@tidusete
Contributor

I will try to do it today

@tidusete
Contributor

Hey @chen-keinan I have been following all that you said but I have no luck.

  1. building trivy-operator binary
  2. building operator image: /trivy-operator
  3. publishing operator image: /trivy-operator
  4. Modifying the configmap:

       kind: ConfigMap
       name: trivy-operator
       data:
         scanJob.useGCRServiceAccount: 'false'

  5. Modifying the deployment of the operator and adding there my custom image...

I have the feeling that this var scanJob.useGCRServiceAccount: 'False' is not being set on the trivy operator. Is it possible? As I said before, the only way to make it work was forcing to be always false the condition:
https://github.com/aquasecurity/trivy-operator/pull/2108/files#diff-53a92550719283e3e24a05f5be379432b7015f20730b85c8803b9c0855556909R213

  if CheckGcpCrOrPrivateRegistry(c.Image) &&
      trivyoperator.GetDefaultConfig().GetScanJobUseGCRServiceAccount() && false {
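
A strict way to read a boolean key such as scanJob.useGCRServiceAccount from ConfigMap data, so that an unparsable value is reported instead of silently becoming a default. This is an added example, not trivy-operator's code and not part of this thread; `ReadBool`, `BoolSetting` and the default of `true` are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Key taken from the ConfigMap shown in the thread.
const keyUseGCRServiceAccount = "scanJob.useGCRServiceAccount"

// BoolSetting is a hypothetical result type recording where the value came from.
type BoolSetting struct {
	Value  bool
	Source string // "configmap" or "default"
}

// ReadBool is a hypothetical strict getter over ConfigMap data (map[string]string).
// A missing key yields the default; a present but unparsable value returns an
// error alongside the default, so the caller can log or reject it.
func ReadBool(data map[string]string, key string, def bool) (BoolSetting, error) {
	raw, ok := data[key]
	if !ok {
		return BoolSetting{Value: def, Source: "default"}, nil
	}
	v, err := strconv.ParseBool(strings.TrimSpace(raw))
	if err != nil {
		return BoolSetting{Value: def, Source: "default"},
			fmt.Errorf("%s: %q is not a boolean", key, raw)
	}
	return BoolSetting{Value: v, Source: "configmap"}, nil
}

func main() {
	// Constructed inputs mirroring the values tried in the thread.
	for _, data := range []map[string]string{
		{keyUseGCRServiceAccount: "testing"},
		{keyUseGCRServiceAccount: "false"},
		{keyUseGCRServiceAccount: "False"},
		{}, // key absent
	} {
		s, err := ReadBool(data, keyUseGCRServiceAccount, true)
		fmt.Printf("data=%v value=%v source=%s err=%v\n", data, s.Value, s.Source, err)
	}
}
```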

@chen-keinan
Collaborator Author

chen-keinan commented Jun 23, 2024

@tidusete thanks for the update, I have found the issue and added a fix to this PR, can you try the above steps again after updating the branch with the latest commit?

Signed-off-by: chenk <hen.keinan@gmail.com>
@chen-keinan
Collaborator Author

@tidusete let me know if now it works for you and I'll merge it

@tidusete
Contributor

Will try to do it today as well

@tidusete
Contributor

Works like a charm!

@chen-keinan
Collaborator Author

> Works like a charm!

Thanks for the update, I'll merge it now.

@chen-keinan chen-keinan marked this pull request as ready for review June 26, 2024 13:13
@chen-keinan chen-keinan merged commit 5d266cf into aquasecurity:main Jun 26, 2024
9 checks passed
@34fathombelow

I see a new helm chart was published, but I believe this would require a newer appVersion to use this fix. Correct?

@chen-keinan
Collaborator Author

@34fathombelow the fix on the PR has not yet been released, only merged, will be out with trivy-operator v0.22.0 hopefully later on this week

Successfully merging this pull request may close these issues.

Google Container Registry / Google Artifact Registry ImagePullSecret connection problem