feat: enable trivy server with self-signed certificates
Signed-off-by: Engin Diri <engin.diri@mail.schwarz>
Engin Diri committed Mar 4, 2022
1 parent f4d9bea commit 50e0299
Showing 5 changed files with 220 additions and 11 deletions.
3 changes: 3 additions & 0 deletions deploy/helm/templates/config.yaml
Expand Up @@ -50,6 +50,9 @@ data:
{{- if .httpsProxy }}
trivy.httpsProxy: {{ .httpsProxy | quote }}
{{- end }}
{{- if .insecureServer }}
trivy.insecureServer: {{ .insecureServer | quote }}
{{- end }}
{{- if .noProxy }}
trivy.noProxy: {{ .noProxy | quote }}
{{- end }}
Expand Down
5 changes: 4 additions & 1 deletion deploy/helm/values.yaml
Expand Up @@ -92,7 +92,7 @@ trivy:
createConfig: true

# imageRef the Trivy image reference.
imageRef: docker.io/aquasec/trivy:0.23.0
imageRef: docker.io/aquasec/trivy:0.24.2

# mode is the Trivy client mode. Either Standalone or ClientServer. Depending
# on the active mode other settings might be applicable or required.
Expand Down Expand Up @@ -151,6 +151,9 @@ trivy:
#
# serverURL: "https://trivy.trivy:4975"

# insecureServer is the flag to enable insecure connection to the Trivy server.
#
# insecureServer: true
# serverToken is the token to authenticate Trivy client with Trivy server. Only
# applicable in ClientServer mode.
#
Expand Down
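Review bot: The new `insecureServer` comment says only that it enables an "insecure connection", which does not tell an operator what they are giving up; given the commit title and the `TRIVY_INSECURE` env var it maps to in plugin.go, this presumably skips TLS certificate verification for the client-to-server connection, which makes the scan job trustable by any host that can answer on `serverURL`. The comment should name that consequence and the intended scope, e.g. `# insecureServer skips TLS certificate verification when connecting to the Trivy server (TRIVY_INSECURE). Only applicable in ClientServer mode; intended for self-signed test servers — prefer trusting the server's CA instead.` Note also that the other keys in this file are separated by a blank line, and the new block runs straight into the `# serverToken` comment, so a blank line after `# insecureServer: true` would keep the convention.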
1 change: 1 addition & 0 deletions docs/integrations/vulnerability-scanners/trivy.md
Expand Up @@ -92,6 +92,7 @@ EOF
| `trivy.timeout` | `5m0s` | The duration to wait for scan completion |
| `trivy.serverURL` | N/A | The endpoint URL of the Trivy server. Required in `ClientServer` mode. |
| `trivy.serverTokenHeader` | `Trivy-Token` | The name of the HTTP header to send the authentication token to Trivy server. Only application in `ClientServer` mode when `trivy.serverToken` is specified. |
| `trivy.insecureServer` | N/A | The Flag to enable insecure connection to the Trivy server. |
| `trivy.insecureRegistry.<id>` | N/A | The registry to which insecure connections are allowed. There can be multiple registries with different registry `<id>`. |
| `trivy.nonSslRegistry.<id>` | N/A | A registry without SSL. There can be multiple registries with different registry `<id>`. |
| `trivy.registry.mirror.<registry>` | N/A | Mirror for the registry `<registry>`, e.g. `trivy.registry.mirror.index.docker.io: mirror.io` would use `mirror.io` to get images originated from `index.docker.io` |
Expand Down
13 changes: 13 additions & 0 deletions pkg/plugin/trivy/plugin.go
Expand Up @@ -46,6 +46,7 @@ const (

keyTrivyServerURL = "trivy.serverURL"
keyTrivyServerTokenHeader = "trivy.serverTokenHeader"
keyTrivyInsecureServer = "trivy.insecureServer"
keyTrivyServerToken = "trivy.serverToken"
keyTrivyServerCustomHeaders = "trivy.serverCustomHeaders"

Expand Down Expand Up @@ -120,6 +121,11 @@ func (c Config) GetServerURL() (string, error) {
return c.GetRequiredData(keyTrivyServerURL)
}

func (c Config) GetInsecureServer() bool {
_, ok := c.Data[keyTrivyInsecureServer]
return ok
}

func (c Config) IgnoreFileExists() bool {
_, ok := c.Data[keyTrivyIgnoreFile]
return ok
Expand Down Expand Up @@ -866,6 +872,13 @@ func (p *plugin) getPodSpecForClientServerMode(ctx starboard.PluginContext, conf
return corev1.PodSpec{}, nil, err
}

if config.GetInsecureServer() {
env = append(env, corev1.EnvVar{
Name: "TRIVY_INSECURE",
Value: "true",
})
}

if config.IgnoreFileExists() {
volumes = []corev1.Volume{
{
Expand Down
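Review bot: `GetInsecureServer` returns true whenever the `trivy.insecureServer` key exists, so a ConfigMap entry of `trivy.insecureServer: "false"` (or an empty string) still sets `TRIVY_INSECURE=true` on the scan job and silently disables certificate checking for the server connection. Since this flag relaxes a security control, the value should be parsed and only an explicit true should enable it; `IgnoreFileExists` uses the same presence check, but there a stray key has no security consequence. The env var is only added inside `getPodSpecForClientServerMode`, whose body starts and ends outside this hunk, and the file's import block is not visible here, so `strconv` may need adding. A doc comment stating what the flag does, e.g. `// GetInsecureServer reports whether trivy.insecureServer is explicitly set to a true value; it controls TRIVY_INSECURE on the scan job.`, would also help.
```go
// GetInsecureServer reports whether trivy.insecureServer is explicitly set to a
// true value. Presence alone is not enough: the flag relaxes TLS verification
// towards the Trivy server, so "false" or a malformed value must keep it off.
func (c Config) GetInsecureServer() bool {
	v, ok := c.Data[keyTrivyInsecureServer]
	if !ok {
		return false
	}
	insecure, err := strconv.ParseBool(strings.TrimSpace(v))
	return err == nil && insecure
}
```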
209 changes: 199 additions & 10 deletions pkg/plugin/trivy/plugin_test.go
Expand Up @@ -2042,16 +2042,205 @@ CVE-2019-1543`,
},
},
{
name: "ClientServer mode with insecure registry",
name: "ClientServer mode without insecure registry",
config: map[string]string{
"trivy.imageRef": "docker.io/aquasec/trivy:0.14.0",
"trivy.mode": string(trivy.ClientServer),
"trivy.serverURL": "http://trivy.trivy:4954",
"trivy.insecureRegistry.pocRegistry": "poc.myregistry.harbor.com.pl",
"trivy.resources.requests.cpu": "100m",
"trivy.resources.requests.memory": "100M",
"trivy.resources.limits.cpu": "500m",
"trivy.resources.limits.memory": "500M",
"trivy.imageRef": "docker.io/aquasec/trivy:0.14.0",
"trivy.mode": string(trivy.ClientServer),
"trivy.serverURL": "http://trivy.trivy:4954",
"trivy.resources.requests.cpu": "100m",
"trivy.resources.requests.memory": "100M",
"trivy.resources.limits.cpu": "500m",
"trivy.resources.limits.memory": "500M",
},
workloadSpec: &corev1.Pod{
TypeMeta: metav1.TypeMeta{
Kind: "Pod",
APIVersion: "v1",
},
ObjectMeta: metav1.ObjectMeta{
Name: "nginx",
Namespace: "prod-ns",
},
Spec: corev1.PodSpec{
Containers: []corev1.Container{
{
Name: "nginx",
Image: "nginx:1.16",
},
},
},
},
expectedJobSpec: corev1.PodSpec{
Affinity: starboard.LinuxNodeAffinity(),
RestartPolicy: corev1.RestartPolicyNever,
ServiceAccountName: "starboard-sa",
AutomountServiceAccountToken: pointer.BoolPtr(false),
Containers: []corev1.Container{
{
Name: "nginx",
Image: "docker.io/aquasec/trivy:0.14.0",
ImagePullPolicy: corev1.PullIfNotPresent,
TerminationMessagePolicy: corev1.TerminationMessageFallbackToLogsOnError,
Env: []corev1.EnvVar{
{
Name: "HTTP_PROXY",
ValueFrom: &corev1.EnvVarSource{
ConfigMapKeyRef: &corev1.ConfigMapKeySelector{
LocalObjectReference: corev1.LocalObjectReference{
Name: "starboard-trivy-config",
},
Key: "trivy.httpProxy",
Optional: pointer.BoolPtr(true),
},
},
},
{
Name: "HTTPS_PROXY",
ValueFrom: &corev1.EnvVarSource{
ConfigMapKeyRef: &corev1.ConfigMapKeySelector{
LocalObjectReference: corev1.LocalObjectReference{
Name: "starboard-trivy-config",
},
Key: "trivy.httpsProxy",
Optional: pointer.BoolPtr(true),
},
},
},
{
Name: "NO_PROXY",
ValueFrom: &corev1.EnvVarSource{
ConfigMapKeyRef: &corev1.ConfigMapKeySelector{
LocalObjectReference: corev1.LocalObjectReference{
Name: "starboard-trivy-config",
},
Key: "trivy.noProxy",
Optional: pointer.BoolPtr(true),
},
},
},
{
Name: "TRIVY_SEVERITY",
ValueFrom: &corev1.EnvVarSource{
ConfigMapKeyRef: &corev1.ConfigMapKeySelector{
LocalObjectReference: corev1.LocalObjectReference{
Name: "starboard-trivy-config",
},
Key: "trivy.severity",
Optional: pointer.BoolPtr(true),
},
},
},
{
Name: "TRIVY_IGNORE_UNFIXED",
ValueFrom: &corev1.EnvVarSource{
ConfigMapKeyRef: &corev1.ConfigMapKeySelector{
LocalObjectReference: corev1.LocalObjectReference{
Name: "starboard-trivy-config",
},
Key: "trivy.ignoreUnfixed",
Optional: pointer.BoolPtr(true),
},
},
},
timeoutEnv,
{
Name: "TRIVY_SKIP_FILES",
ValueFrom: &corev1.EnvVarSource{
ConfigMapKeyRef: &corev1.ConfigMapKeySelector{
LocalObjectReference: corev1.LocalObjectReference{
Name: "starboard-trivy-config",
},
Key: "trivy.skipFiles",
Optional: pointer.BoolPtr(true),
},
},
},
{
Name: "TRIVY_SKIP_DIRS",
ValueFrom: &corev1.EnvVarSource{
ConfigMapKeyRef: &corev1.ConfigMapKeySelector{
LocalObjectReference: corev1.LocalObjectReference{
Name: "starboard-trivy-config",
},
Key: "trivy.skipDirs",
Optional: pointer.BoolPtr(true),
},
},
},
{
Name: "TRIVY_TOKEN_HEADER",
ValueFrom: &corev1.EnvVarSource{
ConfigMapKeyRef: &corev1.ConfigMapKeySelector{
LocalObjectReference: corev1.LocalObjectReference{
Name: "starboard-trivy-config",
},
Key: "trivy.serverTokenHeader",
Optional: pointer.BoolPtr(true),
},
},
},
{
Name: "TRIVY_TOKEN",
ValueFrom: &corev1.EnvVarSource{
SecretKeyRef: &corev1.SecretKeySelector{
LocalObjectReference: corev1.LocalObjectReference{
Name: "starboard-trivy-config",
},
Key: "trivy.serverToken",
Optional: pointer.BoolPtr(true),
},
},
},
{
Name: "TRIVY_CUSTOM_HEADERS",
ValueFrom: &corev1.EnvVarSource{
SecretKeyRef: &corev1.SecretKeySelector{
LocalObjectReference: corev1.LocalObjectReference{
Name: "starboard-trivy-config",
},
Key: "trivy.serverCustomHeaders",
Optional: pointer.BoolPtr(true),
},
},
},
},
Command: []string{
"trivy",
},
Args: []string{
"--quiet",
"client",
"--format",
"json",
"--remote",
"http://trivy.trivy:4954",
"nginx:1.16",
},
Resources: corev1.ResourceRequirements{
Requests: corev1.ResourceList{
corev1.ResourceCPU: resource.MustParse("100m"),
corev1.ResourceMemory: resource.MustParse("100M"),
},
Limits: corev1.ResourceList{
corev1.ResourceCPU: resource.MustParse("500m"),
corev1.ResourceMemory: resource.MustParse("500M"),
},
},
},
},
},
},
{
name: "ClientServer mode with insecure server",
config: map[string]string{
"trivy.imageRef": "docker.io/aquasec/trivy:0.14.0",
"trivy.mode": string(trivy.ClientServer),
"trivy.serverURL": "https://trivy.trivy:4954",
"trivy.insecureServer": "true",
"trivy.resources.requests.cpu": "100m",
"trivy.resources.requests.memory": "100M",
"trivy.resources.limits.cpu": "500m",
"trivy.resources.limits.memory": "500M",
},
workloadSpec: &corev1.Pod{
TypeMeta: metav1.TypeMeta{
Expand Down Expand Up @@ -2218,7 +2407,7 @@ CVE-2019-1543`,
"--format",
"json",
"--remote",
"http://trivy.trivy:4954",
"https://trivy.trivy:4954",
"poc.myregistry.harbor.com.pl/nginx:1.16",
},
Resources: corev1.ResourceRequirements{
Expand Down
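Review bot: The new "ClientServer mode with insecure server" case only shows `trivy.insecureServer: "true"` as input and the expected `--remote https://trivy.trivy:4954` argument here; the part of the expectation that would assert the `TRIVY_INSECURE` env var lies outside this chunk, so it is unclear from the visible lines whether the env var is pinned. There is also no negative case: a config with `"trivy.insecureServer": "false"` should produce a job spec without `TRIVY_INSECURE`, and with the presence-only check in `GetInsecureServer` such a case would currently fail, which is exactly why it is worth adding. The renamed case at the top of the hunk ("without insecure registry") drops the `insecureRegistry` key and keeps the `http://` server URL, which matches its expected args, so that part reads consistently.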
