Change from starboard to trivy-operator (#933)

CHANGELOG.md

@@ -15,6 +15,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 ### Changed
 
 - [#928](https://github.com/XenitAB/terraform-modules/pull/928) Enable Node TTL by default.
+- [#933](https://github.com/XenitAB/terraform-modules/pull/933) Change from starboard to trivy-operator.
 
 ## 2023.02.1
 

modules/aws/eks/README.md

@@ -26,8 +26,8 @@
 | <a name="module_external_dns"></a> [external\_dns](#module\_external\_dns) | ../irsa | n/a |
 | <a name="module_prometheus"></a> [prometheus](#module\_prometheus) | ../irsa | n/a |
 | <a name="module_promtail"></a> [promtail](#module\_promtail) | ../irsa | n/a |
-| <a name="module_starboard_ecr"></a> [starboard\_ecr](#module\_starboard\_ecr) | ../irsa | n/a |
 | <a name="module_trivy_ecr"></a> [trivy\_ecr](#module\_trivy\_ecr) | ../irsa | n/a |
+| <a name="module_trivy_operator_ecr"></a> [trivy\_operator\_ecr](#module\_trivy\_operator\_ecr) | ../irsa | n/a |
 | <a name="module_velero"></a> [velero](#module\_velero) | ../irsa | n/a |
 
 ## Resources
@@ -52,7 +52,7 @@
 | [aws_iam_policy_document.cert_manager](https://registry.terraform.io/providers/hashicorp/aws/4.31.0/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.cluster_autoscaler](https://registry.terraform.io/providers/hashicorp/aws/4.31.0/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.external_dns](https://registry.terraform.io/providers/hashicorp/aws/4.31.0/docs/data-sources/iam_policy_document) | data source |
-| [aws_iam_policy_document.starboard_ecr_read_only](https://registry.terraform.io/providers/hashicorp/aws/4.31.0/docs/data-sources/iam_policy_document) | data source |
+| [aws_iam_policy_document.trivy_ecr_read_only](https://registry.terraform.io/providers/hashicorp/aws/4.31.0/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.velero](https://registry.terraform.io/providers/hashicorp/aws/4.31.0/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.xenit_proxy_certificate](https://registry.terraform.io/providers/hashicorp/aws/4.31.0/docs/data-sources/iam_policy_document) | data source |
 | [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/4.31.0/docs/data-sources/region) | data source |
@@ -74,7 +74,7 @@
 | <a name="input_name"></a> [name](#input\_name) | Common name for the environment | `string` | n/a | yes |
 | <a name="input_name_prefix"></a> [name\_prefix](#input\_name\_prefix) | Prefix to add to unique names such as S3 buckets and IAM roles | `string` | `"xks"` | no |
 | <a name="input_node_group_role_arn"></a> [node\_group\_role\_arn](#input\_node\_group\_role\_arn) | IAM role to attach to EKS node groups | `string` | n/a | yes |
-| <a name="input_starboard_enabled"></a> [starboard\_enabled](#input\_starboard\_enabled) | Should starboard be enaled | `bool` | `false` | no |
+| <a name="input_trivy_enabled"></a> [trivy\_enabled](#input\_trivy\_enabled) | Should trivy be enaled | `bool` | `true` | no |
 | <a name="input_velero_config"></a> [velero\_config](#input\_velero\_config) | Configuration for Velero | <pre>object({<br>    s3_bucket_id  = string<br>    s3_bucket_arn = string<br>  })</pre> | n/a | yes |
 
 ## Outputs
@@ -87,5 +87,5 @@
 | <a name="output_kube_config"></a> [kube\_config](#output\_kube\_config) | Kube config for the created EKS cluster |
 | <a name="output_prometheus_config"></a> [prometheus\_config](#output\_prometheus\_config) | Configuration for Prometheus |
 | <a name="output_promtail_config"></a> [promtail\_config](#output\_promtail\_config) | Configuration for Promtail |
-| <a name="output_starboard_config"></a> [starboard\_config](#output\_starboard\_config) | Configuration for Starboard |
+| <a name="output_trivy_config"></a> [trivy\_config](#output\_trivy\_config) | Configuration for Trivy |
 | <a name="output_velero_config"></a> [velero\_config](#output\_velero\_config) | Configuration for Velero |

modules/aws/eks/iam.tf

@@ -210,7 +210,7 @@ module "promtail" {
   policy_json_create         = true
 }
 
-data "aws_iam_policy_document" "starboard_ecr_read_only" {
+data "aws_iam_policy_document" "trivy_ecr_read_only" {
   statement {
     effect = "Allow"
     actions = [
@@ -223,13 +223,13 @@ data "aws_iam_policy_document" "starboard_ecr_read_only" {
   }
 }
 
-module "starboard_ecr" {
+module "trivy_operator_ecr" {
   source = "../irsa"
 
   for_each = {
-    for s in ["starboard"] :
+    for s in ["trivy"] :
     s => s
-    if var.starboard_enabled
+    if var.trivy_enabled
   }
 
   name = "${var.name_prefix}-${data.aws_region.current.name}-${var.environment}-${var.name}${var.eks_name_suffix}-starboard-ecr"
@@ -239,9 +239,9 @@ module "starboard_ecr" {
       arn = aws_iam_openid_connect_provider.this.arn
     }
   ]
-  kubernetes_namespace       = "starboard-operator"
-  kubernetes_service_account = "starboard-operator"
-  policy_json                = data.aws_iam_policy_document.starboard_ecr_read_only.json
+  kubernetes_namespace       = "trivy"
+  kubernetes_service_account = "trivy-operator"
+  policy_json                = data.aws_iam_policy_document.trivy_ecr_read_only.json
   policy_json_create         = true
 }
 
@@ -251,7 +251,7 @@ module "trivy_ecr" {
   for_each = {
     for s in ["trivy"] :
     s => s
-    if var.starboard_enabled
+    if var.trivy_enabled
   }
 
   name = "${var.name_prefix}-${data.aws_region.current.name}-${var.environment}-${var.name}${var.eks_name_suffix}-trivy-ecr"
@@ -261,9 +261,9 @@ module "trivy_ecr" {
       arn = aws_iam_openid_connect_provider.this.arn
     }
   ]
-  kubernetes_namespace       = "starboard-operator"
+  kubernetes_namespace       = "trivy"
   kubernetes_service_account = "trivy"
-  policy_json                = data.aws_iam_policy_document.starboard_ecr_read_only.json
+  policy_json                = data.aws_iam_policy_document.trivy_ecr_read_only.json
   policy_json_create         = true
 }
 

modules/aws/eks/outputs.tf

@@ -57,10 +57,10 @@ output "promtail_config" {
   }
 }
 
-output "starboard_config" {
-  description = "Configuration for Starboard"
+output "trivy_config" {
+  description = "Configuration for Trivy"
   value = {
-    starboard_role_arn = module.starboard_ecr["starboard"].role_arn
-    trivy_role_arn     = module.trivy_ecr["trivy"].role_arn
+    trivy_operator_role_arn = module.trivy_operator_ecr["trivy"].role_arn
+    trivy_role_arn          = module.trivy_ecr["trivy"].role_arn
   }
 }

modules/aws/eks/variables.tf

@@ -98,9 +98,8 @@ variable "enabled_cluster_log_types" {
   default     = ["api", "audit", "authenticator", "controllerManager", "scheduler"]
 }
 
-variable "starboard_enabled" {
-  description = "Should starboard be enaled"
+variable "trivy_enabled" {
+  description = "Should trivy be enaled"
   type        = bool
-  default     = false
+  default     = true
 }
-

modules/kubernetes/README.md

@@ -25,7 +25,7 @@ This directory contains all the Kubernetes Terraform modules.
 - [`ingress-healthz`](ingress-healthz/README.md)
 - [`linkerd`](linkerd/README.md)
 - [`cluster-autoscaler`](cluster-autoscaler/README.md)
-- [`starboard`](starboard/README.md)
+- [`trivy`](trivy/README.md)
 - [`vpa`](vpa/README.md)
 - [`grafana-agent`](grafana-agent/README.md)
 - [`node-local-dns`](node-local-dns/README.md)

modules/kubernetes/aks-core/README.md

@@ -58,8 +58,8 @@ This module is used to create AKS clusters.
 | <a name="module_prometheus_crd"></a> [prometheus\_crd](#module\_prometheus\_crd) | ../../kubernetes/helm-crd | n/a |
 | <a name="module_promtail"></a> [promtail](#module\_promtail) | ../../kubernetes/promtail | n/a |
 | <a name="module_reloader"></a> [reloader](#module\_reloader) | ../../kubernetes/reloader | n/a |
-| <a name="module_starboard"></a> [starboard](#module\_starboard) | ../../kubernetes/starboard | n/a |
-| <a name="module_starboard_crd"></a> [starboard\_crd](#module\_starboard\_crd) | ../../kubernetes/helm-crd | n/a |
+| <a name="module_trivy"></a> [trivy](#module\_trivy) | ../../kubernetes/trivy | n/a |
+| <a name="module_trivy_crd"></a> [trivy\_crd](#module\_trivy\_crd) | ../../kubernetes/helm-crd | n/a |
 | <a name="module_velero"></a> [velero](#module\_velero) | ../../kubernetes/velero | n/a |
 | <a name="module_vpa"></a> [vpa](#module\_vpa) | ../../kubernetes/vpa | n/a |
 | <a name="module_vpa_crd"></a> [vpa\_crd](#module\_vpa\_crd) | ../../kubernetes/helm-crd | n/a |
@@ -75,8 +75,8 @@ This module is used to create AKS clusters.
 | [kubernetes_cluster_role.get_vpa](https://registry.terraform.io/providers/hashicorp/kubernetes/2.13.1/docs/resources/cluster_role) | resource |
 | [kubernetes_cluster_role.helm_release](https://registry.terraform.io/providers/hashicorp/kubernetes/2.13.1/docs/resources/cluster_role) | resource |
 | [kubernetes_cluster_role.list_namespaces](https://registry.terraform.io/providers/hashicorp/kubernetes/2.13.1/docs/resources/cluster_role) | resource |
-| [kubernetes_cluster_role.starboard_reports](https://registry.terraform.io/providers/hashicorp/kubernetes/2.13.1/docs/resources/cluster_role) | resource |
 | [kubernetes_cluster_role.top](https://registry.terraform.io/providers/hashicorp/kubernetes/2.13.1/docs/resources/cluster_role) | resource |
+| [kubernetes_cluster_role.trivy_reports](https://registry.terraform.io/providers/hashicorp/kubernetes/2.13.1/docs/resources/cluster_role) | resource |
 | [kubernetes_cluster_role_binding.cluster_admin](https://registry.terraform.io/providers/hashicorp/kubernetes/2.13.1/docs/resources/cluster_role_binding) | resource |
 | [kubernetes_cluster_role_binding.cluster_view](https://registry.terraform.io/providers/hashicorp/kubernetes/2.13.1/docs/resources/cluster_role_binding) | resource |
 | [kubernetes_cluster_role_binding.edit_list_ns](https://registry.terraform.io/providers/hashicorp/kubernetes/2.13.1/docs/resources/cluster_role_binding) | resource |
@@ -90,8 +90,8 @@ This module is used to create AKS clusters.
 | [kubernetes_role_binding.custom_resource_edit](https://registry.terraform.io/providers/hashicorp/kubernetes/2.13.1/docs/resources/role_binding) | resource |
 | [kubernetes_role_binding.edit](https://registry.terraform.io/providers/hashicorp/kubernetes/2.13.1/docs/resources/role_binding) | resource |
 | [kubernetes_role_binding.helm_release](https://registry.terraform.io/providers/hashicorp/kubernetes/2.13.1/docs/resources/role_binding) | resource |
-| [kubernetes_role_binding.starboard_reports](https://registry.terraform.io/providers/hashicorp/kubernetes/2.13.1/docs/resources/role_binding) | resource |
 | [kubernetes_role_binding.top](https://registry.terraform.io/providers/hashicorp/kubernetes/2.13.1/docs/resources/role_binding) | resource |
+| [kubernetes_role_binding.trivy_reports](https://registry.terraform.io/providers/hashicorp/kubernetes/2.13.1/docs/resources/role_binding) | resource |
 | [kubernetes_role_binding.view](https://registry.terraform.io/providers/hashicorp/kubernetes/2.13.1/docs/resources/role_binding) | resource |
 | [kubernetes_role_binding.vpa](https://registry.terraform.io/providers/hashicorp/kubernetes/2.13.1/docs/resources/role_binding) | resource |
 | [kubernetes_storage_class.zrs_premium](https://registry.terraform.io/providers/hashicorp/kubernetes/2.13.1/docs/resources/storage_class) | resource |
@@ -151,10 +151,10 @@ This module is used to create AKS clusters.
 | <a name="input_promtail_config"></a> [promtail\_config](#input\_promtail\_config) | Configuration for promtail | <pre>object({<br>    azure_key_vault_name = string<br>    identity = object({<br>      client_id   = string<br>      resource_id = string<br>      tenant_id   = string<br>    })<br>    loki_address        = string<br>    excluded_namespaces = list(string)<br>  })</pre> | <pre>{<br>  "azure_key_vault_name": "",<br>  "excluded_namespaces": [],<br>  "identity": {<br>    "client_id": "",<br>    "resource_id": "",<br>    "tenant_id": ""<br>  },<br>  "loki_address": ""<br>}</pre> | no |
 | <a name="input_promtail_enabled"></a> [promtail\_enabled](#input\_promtail\_enabled) | Should promtail be enabled | `bool` | `false` | no |
 | <a name="input_reloader_enabled"></a> [reloader\_enabled](#input\_reloader\_enabled) | Should Reloader be enabled | `bool` | `true` | no |
-| <a name="input_starboard_config"></a> [starboard\_config](#input\_starboard\_config) | Configuration for starboard | <pre>object({<br>    client_id   = string<br>    resource_id = string<br>  })</pre> | n/a | yes |
-| <a name="input_starboard_enabled"></a> [starboard\_enabled](#input\_starboard\_enabled) | Should Starboard be enabled | `bool` | `true` | no |
-| <a name="input_starboard_volume_claim_storage_class_name"></a> [starboard\_volume\_claim\_storage\_class\_name](#input\_starboard\_volume\_claim\_storage\_class\_name) | Configuration for starboard volume claim storage class name | `string` | `"managed-csi-zrs"` | no |
 | <a name="input_subscription_name"></a> [subscription\_name](#input\_subscription\_name) | The commonName for the subscription | `string` | n/a | yes |
+| <a name="input_trivy_config"></a> [trivy\_config](#input\_trivy\_config) | Configuration for trivy | <pre>object({<br>    client_id   = string<br>    resource_id = string<br>  })</pre> | n/a | yes |
+| <a name="input_trivy_enabled"></a> [trivy\_enabled](#input\_trivy\_enabled) | Should trivy be enabled | `bool` | `true` | no |
+| <a name="input_trivy_volume_claim_storage_class_name"></a> [trivy\_volume\_claim\_storage\_class\_name](#input\_trivy\_volume\_claim\_storage\_class\_name) | Configuration for trivy volume claim storage class name | `string` | `"managed-csi-zrs"` | no |
 | <a name="input_velero_config"></a> [velero\_config](#input\_velero\_config) | Velero configuration | <pre>object({<br>    azure_storage_account_name      = string<br>    azure_storage_account_container = string<br>    identity = object({<br>      client_id   = string<br>      resource_id = string<br>    })<br>  })</pre> | n/a | yes |
 | <a name="input_velero_enabled"></a> [velero\_enabled](#input\_velero\_enabled) | Should Velero be enabled | `bool` | `false` | no |
 | <a name="input_vpa_enabled"></a> [vpa\_enabled](#input\_vpa\_enabled) | Should VPA be enabled | `bool` | `true` | no |

modules/kubernetes/aks-core/k8s-cluster-role.tf

@@ -62,15 +62,15 @@ resource "kubernetes_cluster_role" "top" {
   }
 }
 
-resource "kubernetes_cluster_role" "starboard_reports" {
+resource "kubernetes_cluster_role" "trivy_reports" {
   for_each = {
-    for s in ["starboard"] :
+    for s in ["trivy"] :
     s => s
-    if var.starboard_enabled
+    if var.trivy_enabled
   }
 
   metadata {
-    name = "starboard-reports"
+    name = "trivy-reports"
     labels = {
       "xkf.xenit.io/kind" = "platform"
     }

modules/kubernetes/aks-core/k8s-role-binding.tf

@@ -117,15 +117,15 @@ resource "kubernetes_role_binding" "top" {
   }
 }
 
-resource "kubernetes_role_binding" "starboard_reports" {
+resource "kubernetes_role_binding" "trivy_reports" {
   for_each = {
     for ns in var.namespaces :
     ns.name => ns
-    if var.starboard_enabled
+    if var.trivy_enabled
   }
 
   metadata {
-    name      = "${each.value.name}-starboard-reports"
+    name      = "${each.value.name}-trivy-reports"
     namespace = kubernetes_namespace.tenant[each.key].metadata[0].name
 
     labels = {
@@ -136,7 +136,7 @@ resource "kubernetes_role_binding" "starboard_reports" {
   role_ref {
     api_group = "rbac.authorization.k8s.io"
     kind      = "ClusterRole"
-    name      = kubernetes_cluster_role.starboard_reports["starboard"].metadata[0].name
+    name      = kubernetes_cluster_role.trivy_reports["trivy"].metadata[0].name
   }
   subject {
     api_group = "rbac.authorization.k8s.io"

modules/kubernetes/aks-core/modules.tf

@@ -15,7 +15,7 @@ locals {
     "linkerd",
     "linkerd-cni",
     "reloader",
-    "starboard-operator",
+    "trivy",
     "tigera-operator",
     "velero",
     "grafana-agent",
@@ -522,7 +522,7 @@ module "prometheus" {
   csi_secrets_store_provider_azure_enabled = var.csi_secrets_store_provider_azure_enabled
   aad_pod_identity_enabled                 = var.aad_pod_identity_enabled
   azad_kube_proxy_enabled                  = var.azad_kube_proxy_enabled
-  starboard_enabled                        = var.starboard_enabled
+  trivy_enabled                            = var.trivy_enabled
   vpa_enabled                              = var.vpa_enabled
   node_local_dns_enabled                   = var.node_local_dns_enabled
   grafana_agent_enabled                    = var.grafana_agent_enabled
@@ -576,30 +576,30 @@ module "promtail" {
   }
 }
 
-# starboard
-module "starboard_crd" {
+# trivy
+module "trivy_crd" {
   source = "../../kubernetes/helm-crd"
 
   chart_repository = "https://aquasecurity.github.io/helm-charts/"
-  chart_name       = "starboard-operator"
-  chart_version    = "0.9.1"
+  chart_name       = "trivy-operator"
+  chart_version    = "0.11.0"
 }
 
-module "starboard" {
-  depends_on = [module.opa_gatekeeper, module.starboard_crd]
+module "trivy" {
+  depends_on = [module.opa_gatekeeper, module.trivy_crd]
 
   for_each = {
-    for s in ["starboard"] :
+    for s in ["trivy"] :
     s => s
-    if var.starboard_enabled
+    if var.trivy_enabled
   }
 
-  source = "../../kubernetes/starboard"
+  source = "../../kubernetes/trivy"
 
   cloud_provider                  = "azure"
-  client_id                       = var.starboard_config.client_id
-  resource_id                     = var.starboard_config.resource_id
-  volume_claim_storage_class_name = var.starboard_volume_claim_storage_class_name
+  client_id                       = var.trivy_config.client_id
+  resource_id                     = var.trivy_config.resource_id
+  volume_claim_storage_class_name = var.trivy_volume_claim_storage_class_name
 }
 
 # vpa

modules/kubernetes/aks-core/variables.tf

@@ -453,21 +453,21 @@ variable "linkerd_enabled" {
   default     = false
 }
 
-variable "starboard_enabled" {
-  description = "Should Starboard be enabled"
+variable "trivy_enabled" {
+  description = "Should trivy be enabled"
   type        = bool
   default     = true
 }
 
 
-variable "starboard_volume_claim_storage_class_name" {
-  description = "Configuration for starboard volume claim storage class name"
+variable "trivy_volume_claim_storage_class_name" {
+  description = "Configuration for trivy volume claim storage class name"
   type        = string
   default     = "managed-csi-zrs"
 }
 
-variable "starboard_config" {
-  description = "Configuration for starboard"
+variable "trivy_config" {
+  description = "Configuration for trivy"
   type = object({
     client_id   = string
     resource_id = string