chore(trivy): Rename properties to configure resource requirements an…

…d limits (#649) Signed-off-by: Daniel Pacak <pacak.daniel@gmail.com>
aquasecurity · Aug 2, 2021 · c6e099e · c6e099e
1 parent 3613d41
commit c6e099e
Show file tree

Hide file tree

Showing 7 changed files with 105 additions and 104 deletions.
diff --git a/deploy/helm/templates/config.yaml b/deploy/helm/templates/config.yaml
@@ -36,24 +36,23 @@ data:
   trivy.serverURL: "{{ .Values.trivy.serverURL }}"
   {{- end }}
   {{- with .Values.trivy.resources }}
-    {{- with .request }}
+    {{- with .requests }}
       {{- if .cpu }}
-  trivy.resources.request.cpu: {{ .cpu }}
+  trivy.resources.requests.cpu: {{ .cpu }}
       {{- end }}
       {{- if hasKey . "memory" }}
-  trivy.resources.request.memory: {{ .memory }}
+  trivy.resources.requests.memory: {{ .memory }}
       {{- end }}
     {{- end }}
-    {{- with .limit }}
+    {{- with .limits }}
       {{- if .cpu }}
-  trivy.resources.limit.cpu: {{ .cpu }}
+  trivy.resources.limits.cpu: {{ .cpu }}
       {{- end }}
       {{- if .memory }}
-  trivy.resources.limit.memory: {{ .memory }}
+  trivy.resources.limits.memory: {{ .memory }}
       {{- end }}
     {{- end }}
   {{- end }}
-
 ---
 apiVersion: v1
 kind: Secret

diff --git a/deploy/helm/values.yaml b/deploy/helm/values.yaml
@@ -92,12 +92,12 @@ trivy:
   httpsProxy:
   noProxy:
   severity: UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL
-#k8s resource requests and limits
+  # resources resource requests and limits
   resources:
-    request:
+    requests:
       cpu: 100m
       memory: 100M
-    limit:
+    limits:
       cpu: 500m
       memory: 500M
 

diff --git a/deploy/static/05-starboard-operator.config.yaml b/deploy/static/05-starboard-operator.config.yaml
@@ -30,10 +30,10 @@ data:
   trivy.imageRef: docker.io/aquasec/trivy:0.16.0
   trivy.severity: UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL
   trivy.mode: Standalone
-  trivy.resources.request.cpu: 100m
-  trivy.resources.request.memory: 100M
-  trivy.resources.limit.cpu: 500m
-  trivy.resources.limit.memory: 500M
+  trivy.resources.requests.cpu: 100m
+  trivy.resources.requests.memory: 100M
+  trivy.resources.limits.cpu: 500m
+  trivy.resources.limits.memory: 500M
 ---
 apiVersion: v1
 kind: ConfigMap

diff --git a/docs/integrations/vulnerability-scanners/trivy.md b/docs/integrations/vulnerability-scanners/trivy.md
@@ -1,3 +1,5 @@
+# Trivy
+
 ## Standalone
 
 The default configuration settings enable Trivy `vulnerabilityReports.scanner` in [`Standalone`][trivy-standalone]
@@ -76,6 +78,34 @@ EOF
 
 ![](./../../images/design/trivy-clientserver.png)
 
+## Settings
+
+| CONFIGMAP KEY                      | DEFAULT                                                | DESCRIPTION |
+| ---------------------------------- | ------------------------------------------------------ | ----------- |
+| `trivy.imageRef`                   | `docker.io/aquasec/trivy:0.16.0`                       | Trivy image reference |
+| `trivy.mode`                       | `Standalone`                                           | Trivy client mode. Either `Standalone` or `ClientServer`. Depending on the active mode other settings might be applicable or required. |
+| `trivy.severity`                   | `UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL`                     | A comma separated list of severity levels reported by Trivy |
+| `trivy.ignoreUnfixed`              | N/A                                                    | Whether to show only fixed vulnerabilities in vulnerabilities reported by Trivy. Set to `"true"` to enable it. |
+| `trivy.skipFiles`                  | N/A                                                    | A comma separated list of file paths for Trivy to skip traversal. |
+| `trivy.skipDirs`                   | N/A                                                    | A comma separated list of directories for Trivy to skip traversal. |
+| `trivy.ignoreFile`                 | N/A                                                    | It specifies the `.trivyignore` file which contains a list of vulnerability IDs to be ignored from vulnerabilities reported by Trivy. |
+| `trivy.serverURL`                  | N/A                                                    | The endpoint URL of the Trivy server. Required in `ClientServer` mode. |
+| `trivy.serverTokenHeader`          | `Trivy-Token`                                          | The name of the HTTP header to send the authentication token to Trivy server. Only application in `ClientServer` mode when `trivy.serverToken` is specified. |
+| `trivy.insecureRegistry.<id>`      | N/A                                                    | The registry to which insecure connections are allowed. There can be multiple registries with different registry `<id>`. |
+| `trivy.httpProxy`                  | N/A                                                    | The HTTP proxy used by Trivy to download the vulnerabilities database from GitHub. |
+| `trivy.httpsProxy`                 | N/A                                                    | The HTTPS proxy used by Trivy to download the vulnerabilities database from GitHub. |
+| `trivy.noProxy`                    | N/A                                                    | A comma separated list of IPs and domain names that are not subject to proxy settings. |
+| `trivy.resources.requests.cpu`     | `100m`                                                 | The minimum amount of CPU required to run Trivy scanner pod. |
+| `trivy.resources.requests.memory`  | `100M`                                                 | The minimum amount of memory required to run Trivy scanner pod. |
+| `trivy.resources.limits.cpu`       | `500m`                                                 | The maximum amount of CPU allowed to run Trivy scanner pod. |
+| `trivy.resources.limits.memory`    | `500M`                                                 | The maximum amount of memory allowed to run Trivy scanner pod. |
+
+| SECRET KEY                  | DESCRIPTION |
+| --------------------------- | ----------- |
+| `trivy.githubToken`         | The GitHub access token used by Trivy to download the vulnerabilities database from GitHub. Only applicable in `Standalone` mode. |
+| `trivy.serverToken`         | The token to authenticate Trivy client with Trivy server. Only applicable in `ClientServer` mode. |
+| `trivy.serverCustomHeaders` | A comma-separated list of custom HTTP headers sent by Trivy client to Trivy server. Only applicable in `ClientServer` mode. |
+
 [trivy-standalone]: https://aquasecurity.github.io/trivy/latest/modes/standalone/
 [emptyDir-volume]: https://kubernetes.io/docs/concepts/storage/volumes/#emptydir
 [gh-rate-limiting]: https://docs.github.com/en/free-pro-team@latest/rest/overview/resources-in-the-rest-api#rate-limiting

diff --git a/docs/settings.md b/docs/settings.md
@@ -60,23 +60,6 @@ The following tables list available configuration settings with their default va
 | ---------------------------------- | ------------------------------------------------------ | ----------- |
 | `vulnerabilityReports.scanner`     | `Trivy`                                                | The name of the plugin that generates vulnerability reports. Either `Trivy` or `Aqua`. |
 | `configAuditReports.scanner`       | `Polaris`                                              | The name of the plugin that generates config audit reports. Either `Polaris` or `Conftest`. |
-| `trivy.httpProxy`                  | N/A                                                    | The HTTP proxy used by Trivy to download the vulnerabilities database from GitHub. |
-| `trivy.httpsProxy`                 | N/A                                                    | The HTTPS proxy used by Trivy to download the vulnerabilities database from GitHub. |
-| `trivy.noProxy`                    | N/A                                                    | A comma separated list of IPs and domain names that are not subject to proxy settings. |
-| `trivy.severity`                   | `UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL`                     | A comma separated list of severity levels reported by Trivy |
-| `trivy.imageRef`                   | `docker.io/aquasec/trivy:0.16.0`                       | Trivy image reference |
-| `trivy.mode`                       | `Standalone`                                           | Trivy client mode. Either `Standalone` or `ClientServer`. Depending on the active mode other settings might be applicable or required. |
-| `trivy.ignoreUnfixed`              | N/A                                                    | Whether to show only fixed vulnerabilities in vulnerabilities reported by Trivy. Set to `"true"` to enable it. |
-| `trivy.skipFiles`                  | N/A                                                    | A comma separated list of file paths for Trivy to skip traversal. |
-| `trivy.skipDirs`                   | N/A                                                    | A comma separated list of directories for Trivy to skip traversal. |
-| `trivy.ignoreFile`                 | N/A                                                    | It specifies the `.trivyignore` file which contains a list of vulnerability IDs to be ignored from vulnerabilities reported by Trivy. |
-| `trivy.serverURL`                  | N/A                                                    | The endpoint URL of the Trivy server. Required in `ClientServer` mode. |
-| `trivy.serverTokenHeader`          | `Trivy-Token`                                          | The name of the HTTP header to send the authentication token to Trivy server. Only application in `ClientServer` mode when `trivy.serverToken` is specified. |
-| `trivy.insecureRegistry.<id>`      | N/A                                                    | The registry to which insecure connections are allowed. There can be multiple registries with different registry `<id>`. |
-| `trivy.resources.request.cpu`      | `100m`                                                 | The minimum amount of CPU required to run Trivy scanner pod. |
-| `trivy.resources.request.memory`   | `100M`                                                 | The minimum amount of memory required to run Trivy scanner pod. |
-| `trivy.resources.limit.cpu`        | `500m`                                                 | The maximum amount of CPU allowed to run Trivy scanner pod. |
-| `trivy.resources.limit.memory`     | `500M`                                                 | The maximum amount of memory allowed to run Trivy scanner pod. |
 | `aqua.imageRef`                    | `docker.io/aquasec/scanner:5.3`                        | Aqua scanner image reference. The tag determines the version of the `scanner` binary executable and it must be compatible with version of Aqua console. |
 | `aqua.serverURL`                   | N/A                                                    | The endpoint URL of Aqua management console |
 | `kube-bench.imageRef`              | `docker.io/aquasec/kube-bench:0.6.3`                   | kube-bench image reference |
@@ -94,9 +77,6 @@ The following tables list available configuration settings with their default va
 
 | SECRET KEY                  | DESCRIPTION |
 | --------------------------- | ----------- |
-| `trivy.githubToken`         | The GitHub access token used by Trivy to download the vulnerabilities database from GitHub. Only applicable in `Standalone` mode. |
-| `trivy.serverToken`         | The token to authenticate Trivy client with Trivy server. Only applicable in `ClientServer` mode. |
-| `trivy.serverCustomHeaders` | A comma-separated list of custom HTTP headers sent by Trivy client to Trivy server. Only applicable in `ClientServer` mode. |
 | `aqua.username`             | Aqua management console username |
 | `aqua.password`             | Aqua management console password |
 

diff --git a/pkg/plugin/trivy/plugin.go b/pkg/plugin/trivy/plugin.go
@@ -43,10 +43,10 @@ const (
 	keyTrivyServerToken         = "trivy.serverToken"
 	keyTrivyServerCustomHeaders = "trivy.serverCustomHeaders"
 
-	keyTrivyResourcesRequestsCPU    = "trivy.resources.request.cpu"
-	keyTrivyResourcesRequestsMemory = "trivy.resources.request.memory"
-	keyTrivyResourcesLimitCPU       = "trivy.resources.limit.cpu"
-	keyTrivyResourcesLimitMemory    = "trivy.resources.limit.memory"
+	keyResourcesRequestsCPU    = "trivy.resources.requests.cpu"
+	keyResourcesRequestsMemory = "trivy.resources.requests.memory"
+	keyResourcesLimitsCPU      = "trivy.resources.limits.cpu"
+	keyResourcesLimitsMemory   = "trivy.resources.limits.memory"
 )
 
 // Mode describes mode in which Trivy client operates.
@@ -112,22 +112,22 @@ func (c Config) GetResourceRequirements() (corev1.ResourceRequirements, error) {
 		Limits:   corev1.ResourceList{},
 	}
 
-	err := c.setResourceLimit(keyTrivyResourcesRequestsCPU, &requirements.Requests, corev1.ResourceCPU)
+	err := c.setResourceLimit(keyResourcesRequestsCPU, &requirements.Requests, corev1.ResourceCPU)
 	if err != nil {
 		return requirements, err
 	}
 
-	err = c.setResourceLimit(keyTrivyResourcesRequestsMemory, &requirements.Requests, corev1.ResourceMemory)
+	err = c.setResourceLimit(keyResourcesRequestsMemory, &requirements.Requests, corev1.ResourceMemory)
 	if err != nil {
 		return requirements, err
 	}
 
-	err = c.setResourceLimit(keyTrivyResourcesLimitCPU, &requirements.Limits, corev1.ResourceCPU)
+	err = c.setResourceLimit(keyResourcesLimitsCPU, &requirements.Limits, corev1.ResourceCPU)
 	if err != nil {
 		return requirements, err
 	}
 
-	err = c.setResourceLimit(keyTrivyResourcesLimitMemory, &requirements.Limits, corev1.ResourceMemory)
+	err = c.setResourceLimit(keyResourcesLimitsMemory, &requirements.Limits, corev1.ResourceMemory)
 	if err != nil {
 		return requirements, err
 	}
@@ -175,10 +175,10 @@ func (p *plugin) Init(ctx starboard.PluginContext) error {
 			keyTrivySeverity: "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL",
 			keyTrivyMode:     string(Standalone),
 
-			keyTrivyResourcesRequestsCPU:    "100m",
-			keyTrivyResourcesRequestsMemory: "100M",
-			keyTrivyResourcesLimitCPU:       "500m",
-			keyTrivyResourcesLimitMemory:    "500M",
+			keyResourcesRequestsCPU:    "100m",
+			keyResourcesRequestsMemory: "100M",
+			keyResourcesLimitsCPU:      "500m",
+			keyResourcesLimitsMemory:   "500M",
 		},
 	})
 }