From cab1a42c8bc63b1d2ec7ecdb08899724d9c56ec9 Mon Sep 17 00:00:00 2001 
From: Edvin N Date: Tue, 14 Feb 2023 14:19:00 +0100 Subject: [PATCH] Change from starboard to trivy-operator (#933) --- CHANGELOG.md | 1 + modules/aws/eks/README.md | 8 ++-- modules/aws/eks/iam.tf | 20 ++++----- modules/aws/eks/outputs.tf | 8 ++-- modules/aws/eks/variables.tf | 7 ++- modules/kubernetes/README.md | 2 +- modules/kubernetes/aks-core/README.md | 14 +++--- .../kubernetes/aks-core/k8s-cluster-role.tf | 8 ++-- .../kubernetes/aks-core/k8s-role-binding.tf | 8 ++-- modules/kubernetes/aks-core/modules.tf | 28 ++++++------ modules/kubernetes/aks-core/variables.tf | 12 ++--- modules/kubernetes/eks-core/README.md | 12 ++--- .../kubernetes/eks-core/k8s-cluster-role.tf | 8 ++-- .../kubernetes/eks-core/k8s-role-binding.tf | 8 ++-- modules/kubernetes/eks-core/modules.tf | 24 +++++----- modules/kubernetes/eks-core/variables.tf | 12 ++--- .../falco/templates/falco-values.yaml.tpl | 2 +- modules/kubernetes/prometheus/README.md | 2 +- .../prometheus-extras/templates/monitors.yaml | 6 +-- .../charts/prometheus-extras/values.yaml | 2 +- modules/kubernetes/prometheus/main.tf | 2 +- .../templates/values-extras.yaml.tpl | 2 +- modules/kubernetes/prometheus/variables.tf | 4 +- .../kubernetes/{starboard => trivy}/README.md | 18 ++++---- .../charts/trivy-extras/.helmignore | 0 .../charts/trivy-extras/Chart.yaml | 0 .../trivy-extras/templates/_helpers.tpl | 0 .../templates/azure-identity.yaml | 0 .../charts/trivy-extras/values.yaml | 0 .../kubernetes/{starboard => trivy}/main.tf | 44 +++++++++---------- .../{starboard => trivy}/outputs.tf | 0 .../templates/starboard-exporter-values.yaml | 0 .../templates/trivy-operator-values.yaml.tpl} | 19 ++++---- .../templates/trivy-values.yaml.tpl | 0 .../{starboard => trivy}/variables.tf | 6 +-- validation/kubernetes/aks-core/main.tf | 4 +- validation/kubernetes/eks-core/main.tf | 8 ++-- .../kubernetes/{starboard => trivy}/main.tf | 4 +- 38 files changed, 152 insertions(+), 151 deletions(-) rename modules/kubernetes/{starboard => 
trivy}/README.md (72%) rename modules/kubernetes/{starboard => trivy}/charts/trivy-extras/.helmignore (100%) rename modules/kubernetes/{starboard => trivy}/charts/trivy-extras/Chart.yaml (100%) rename modules/kubernetes/{starboard => trivy}/charts/trivy-extras/templates/_helpers.tpl (100%) rename modules/kubernetes/{starboard => trivy}/charts/trivy-extras/templates/azure-identity.yaml (100%) rename modules/kubernetes/{starboard => trivy}/charts/trivy-extras/values.yaml (100%) rename modules/kubernetes/{starboard => trivy}/main.tf (64%) rename modules/kubernetes/{starboard => trivy}/outputs.tf (100%) rename modules/kubernetes/{starboard => trivy}/templates/starboard-exporter-values.yaml (100%) rename modules/kubernetes/{starboard/templates/starboard-values.yaml.tpl => trivy/templates/trivy-operator-values.yaml.tpl} (68%) rename modules/kubernetes/{starboard => trivy}/templates/trivy-values.yaml.tpl (100%) rename modules/kubernetes/{starboard => trivy}/variables.tf (79%) rename validation/kubernetes/{starboard => trivy}/main.tf (68%) diff --git a/CHANGELOG.md b/CHANGELOG.md index afc4ee580..ca312517c 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -15,6 +15,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), ### Changed - [#928](https://github.com/XenitAB/terraform-modules/pull/928) Enable Node TTL by default. +- [#933](https://github.com/XenitAB/terraform-modules/pull/933) Change from starboard to trivy-operator. ## 2023.02.1 diff --git a/modules/aws/eks/README.md b/modules/aws/eks/README.md index ee553d11e..85e85d73c 100644 --- a/modules/aws/eks/README.md +++ b/modules/aws/eks/README.md 
@@ -26,8 +26,8 @@ | [external\_dns](#module\_external\_dns) | ../irsa | n/a | | [prometheus](#module\_prometheus) | ../irsa | n/a | | [promtail](#module\_promtail) | ../irsa | n/a | -| [starboard\_ecr](#module\_starboard\_ecr) | ../irsa | n/a | | [trivy\_ecr](#module\_trivy\_ecr) | ../irsa | n/a | +| [trivy\_operator\_ecr](#module\_trivy\_operator\_ecr) | ../irsa | n/a | | [velero](#module\_velero) | ../irsa | n/a | ## Resources @@ -52,7 +52,7 @@ | [aws_iam_policy_document.cert_manager](https://registry.terraform.io/providers/hashicorp/aws/4.31.0/docs/data-sources/iam_policy_document) | data source | | [aws_iam_policy_document.cluster_autoscaler](https://registry.terraform.io/providers/hashicorp/aws/4.31.0/docs/data-sources/iam_policy_document) | data source | | [aws_iam_policy_document.external_dns](https://registry.terraform.io/providers/hashicorp/aws/4.31.0/docs/data-sources/iam_policy_document) | data source | -| [aws_iam_policy_document.starboard_ecr_read_only](https://registry.terraform.io/providers/hashicorp/aws/4.31.0/docs/data-sources/iam_policy_document) | data source | +| [aws_iam_policy_document.trivy_ecr_read_only](https://registry.terraform.io/providers/hashicorp/aws/4.31.0/docs/data-sources/iam_policy_document) | data source | | [aws_iam_policy_document.velero](https://registry.terraform.io/providers/hashicorp/aws/4.31.0/docs/data-sources/iam_policy_document) | data source | | [aws_iam_policy_document.xenit_proxy_certificate](https://registry.terraform.io/providers/hashicorp/aws/4.31.0/docs/data-sources/iam_policy_document) | data source | | [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/4.31.0/docs/data-sources/region) | data source | 
@@ -74,7 +74,7 @@ | [name](#input\_name) | Common name for the environment | `string` | n/a | yes | | [name\_prefix](#input\_name\_prefix) | Prefix to add to unique names such as S3 buckets and IAM roles | `string` | `"xks"` | no | | [node\_group\_role\_arn](#input\_node\_group\_role\_arn) | IAM role to attach to EKS node groups | `string` | n/a | yes | -| [starboard\_enabled](#input\_starboard\_enabled) | Should starboard be enaled | `bool` | `false` | no | +| [trivy\_enabled](#input\_trivy\_enabled) | Should trivy be enaled | `bool` | `true` | no | | [velero\_config](#input\_velero\_config) | Configuration for Velero |
object({
s3_bucket_id = string
s3_bucket_arn = string
})
| n/a | yes | ## Outputs @@ -87,5 +87,5 @@ | [kube\_config](#output\_kube\_config) | Kube config for the created EKS cluster | | [prometheus\_config](#output\_prometheus\_config) | Configuration for Prometheus | | [promtail\_config](#output\_promtail\_config) | Configuration for Promtail | -| [starboard\_config](#output\_starboard\_config) | Configuration for Starboard | +| [trivy\_config](#output\_trivy\_config) | Configuration for Trivy | | [velero\_config](#output\_velero\_config) | Configuration for Velero | diff --git a/modules/aws/eks/iam.tf b/modules/aws/eks/iam.tf index b99879af6..c14b629f2 100644 --- a/modules/aws/eks/iam.tf +++ b/modules/aws/eks/iam.tf @@ -210,7 +210,7 @@ module "promtail" { policy_json_create = true } -data "aws_iam_policy_document" "starboard_ecr_read_only" { +data "aws_iam_policy_document" "trivy_ecr_read_only" { statement { effect = "Allow" actions = [ @@ -223,13 +223,13 @@ data "aws_iam_policy_document" "starboard_ecr_read_only" { } } -module "starboard_ecr" { +module "trivy_operator_ecr" { source = "../irsa" for_each = { - for s in ["starboard"] : + for s in ["trivy"] : s => s - if var.starboard_enabled + if var.trivy_enabled } name = "${var.name_prefix}-${data.aws_region.current.name}-${var.environment}-${var.name}${var.eks_name_suffix}-starboard-ecr" @@ -239,9 +239,9 @@ module "starboard_ecr" { arn = aws_iam_openid_connect_provider.this.arn } ] - kubernetes_namespace = "starboard-operator" - kubernetes_service_account = "starboard-operator" - policy_json = data.aws_iam_policy_document.starboard_ecr_read_only.json + kubernetes_namespace = "trivy" + kubernetes_service_account = "trivy-operator" + policy_json = data.aws_iam_policy_document.trivy_ecr_read_only.json policy_json_create = true } 
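Review bot: The role created by `module "trivy_operator_ecr"` is still named by the unchanged context line `name = "...${var.eks_name_suffix}-starboard-ecr"`, so the IAM role that the `trivy/trivy-operator` service account now assumes keeps a starboard name while the module, namespace and service account around it were renamed. Since both the module address and the for_each key change (`starboard_ecr["starboard"]` to `trivy_operator_ecr["trivy"]`) and I see no `moved` block in this patch, Terraform will destroy and recreate the role anyway, so renaming it now is free: `name = "${var.name_prefix}-${data.aws_region.current.name}-${var.environment}-${var.name}${var.eks_name_suffix}-trivy-operator-ecr"`. Scoping the trust policy to `kubernetes_namespace = "trivy"` / `kubernetes_service_account = "trivy-operator"` is the right least-privilege shape; just confirm that the operator's Helm values (not in this chunk) create the service account with exactly that name, otherwise the pods get no role at all.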
@@ -251,7 +251,7 @@ module "trivy_ecr" { for_each = { for s in ["trivy"] : s => s - if var.starboard_enabled + if var.trivy_enabled } name = "${var.name_prefix}-${data.aws_region.current.name}-${var.environment}-${var.name}${var.eks_name_suffix}-trivy-ecr" @@ -261,9 +261,9 @@ module "trivy_ecr" { arn = aws_iam_openid_connect_provider.this.arn } ] - kubernetes_namespace = "starboard-operator" + kubernetes_namespace = "trivy" kubernetes_service_account = "trivy" - policy_json = data.aws_iam_policy_document.starboard_ecr_read_only.json + policy_json = data.aws_iam_policy_document.trivy_ecr_read_only.json policy_json_create = true } diff --git a/modules/aws/eks/outputs.tf b/modules/aws/eks/outputs.tf index 28bd27ef7..9a67117b2 100644 --- a/modules/aws/eks/outputs.tf +++ b/modules/aws/eks/outputs.tf @@ -57,10 +57,10 @@ output "promtail_config" { } } -output "starboard_config" { - description = "Configuration for Starboard" +output "trivy_config" { + description = "Configuration for Trivy" value = { - starboard_role_arn = module.starboard_ecr["starboard"].role_arn - trivy_role_arn = module.trivy_ecr["trivy"].role_arn + trivy_operator_role_arn = module.trivy_operator_ecr["trivy"].role_arn + trivy_role_arn = module.trivy_ecr["trivy"].role_arn } } diff --git a/modules/aws/eks/variables.tf b/modules/aws/eks/variables.tf index 4c06c7b82..8e91a0d68 100644 --- a/modules/aws/eks/variables.tf +++ b/modules/aws/eks/variables.tf @@ -98,9 +98,8 @@ variable "enabled_cluster_log_types" { default = ["api", "audit", "authenticator", "controllerManager", "scheduler"] } -variable "starboard_enabled" { - description = "Should starboard be enaled" +variable "trivy_enabled" { + description = "Should trivy be enaled" type = bool - default = false + default = true } - diff --git a/modules/kubernetes/README.md b/modules/kubernetes/README.md index e6f295dce..422a896b5 100644 --- a/modules/kubernetes/README.md +++ b/modules/kubernetes/README.md 
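Review bot: `output "trivy_config"` indexes `module.trivy_operator_ecr["trivy"]` and `module.trivy_ecr["trivy"]` unconditionally, while both modules exist only `if var.trivy_enabled`, so a caller that sets `trivy_enabled = false` should get an invalid-index error at plan time instead of a cleanly disabled feature. The same problem existed with `starboard_ecr["starboard"]`, and flipping the default to `true` in variables.tf hides it rather than fixing it. Guard the lookups: `trivy_operator_role_arn = try(module.trivy_operator_ecr["trivy"].role_arn, null)` and `trivy_role_arn = try(module.trivy_ecr["trivy"].role_arn, null)`.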
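Review bot: `default = false` becomes `default = true` for `trivy_enabled` in this hunk, a behaviour change that neither the commit title ("Change from starboard to trivy-operator") nor the changelog line mentions: every consumer of `modules/aws/eks` that never set `starboard_enabled` will now create the two IRSA roles and the ECR read-only policy on its next apply, while `modules/kubernetes/eks-core` keeps its own `trivy_enabled` default at `false`, so those roles get created with nothing assuming them. Either keep `default = false` or state the new default in the changelog entry and align the two modules' defaults. The description also carries over the typo `enaled`; suggested: `description = "Should the trivy-operator and trivy IRSA roles be created"`.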
@@ -25,7 +25,7 @@ This directory contains all the Kubernetes Terraform modules. - [`ingress-healthz`](ingress-healthz/README.md) - [`linkerd`](linkerd/README.md) - [`cluster-autoscaler`](cluster-autoscaler/README.md) -- [`starboard`](starboard/README.md) +- [`trivy`](trivy/README.md) - [`vpa`](vpa/README.md) - [`grafana-agent`](grafana-agent/README.md) - [`node-local-dns`](node-local-dns/README.md) diff --git a/modules/kubernetes/aks-core/README.md b/modules/kubernetes/aks-core/README.md index ed2ff1a9f..b359c897c 100644 --- a/modules/kubernetes/aks-core/README.md +++ b/modules/kubernetes/aks-core/README.md @@ -58,8 +58,8 @@ This module is used to create AKS clusters. | [prometheus\_crd](#module\_prometheus\_crd) | ../../kubernetes/helm-crd | n/a | | [promtail](#module\_promtail) | ../../kubernetes/promtail | n/a | | [reloader](#module\_reloader) | ../../kubernetes/reloader | n/a | -| [starboard](#module\_starboard) | ../../kubernetes/starboard | n/a | -| [starboard\_crd](#module\_starboard\_crd) | ../../kubernetes/helm-crd | n/a | +| [trivy](#module\_trivy) | ../../kubernetes/trivy | n/a | +| [trivy\_crd](#module\_trivy\_crd) | ../../kubernetes/helm-crd | n/a | | [velero](#module\_velero) | ../../kubernetes/velero | n/a | | [vpa](#module\_vpa) | ../../kubernetes/vpa | n/a | | [vpa\_crd](#module\_vpa\_crd) | ../../kubernetes/helm-crd | n/a | 
@@ -75,8 +75,8 @@ This module is used to create AKS clusters. | [kubernetes_cluster_role.get_vpa](https://registry.terraform.io/providers/hashicorp/kubernetes/2.13.1/docs/resources/cluster_role) | resource | | [kubernetes_cluster_role.helm_release](https://registry.terraform.io/providers/hashicorp/kubernetes/2.13.1/docs/resources/cluster_role) | resource | | [kubernetes_cluster_role.list_namespaces](https://registry.terraform.io/providers/hashicorp/kubernetes/2.13.1/docs/resources/cluster_role) | resource | -| [kubernetes_cluster_role.starboard_reports](https://registry.terraform.io/providers/hashicorp/kubernetes/2.13.1/docs/resources/cluster_role) | resource | | [kubernetes_cluster_role.top](https://registry.terraform.io/providers/hashicorp/kubernetes/2.13.1/docs/resources/cluster_role) | resource | +| [kubernetes_cluster_role.trivy_reports](https://registry.terraform.io/providers/hashicorp/kubernetes/2.13.1/docs/resources/cluster_role) | resource | | [kubernetes_cluster_role_binding.cluster_admin](https://registry.terraform.io/providers/hashicorp/kubernetes/2.13.1/docs/resources/cluster_role_binding) | resource | | [kubernetes_cluster_role_binding.cluster_view](https://registry.terraform.io/providers/hashicorp/kubernetes/2.13.1/docs/resources/cluster_role_binding) | resource | | [kubernetes_cluster_role_binding.edit_list_ns](https://registry.terraform.io/providers/hashicorp/kubernetes/2.13.1/docs/resources/cluster_role_binding) | resource | 
@@ -90,8 +90,8 @@ This module is used to create AKS clusters. | [kubernetes_role_binding.custom_resource_edit](https://registry.terraform.io/providers/hashicorp/kubernetes/2.13.1/docs/resources/role_binding) | resource | | [kubernetes_role_binding.edit](https://registry.terraform.io/providers/hashicorp/kubernetes/2.13.1/docs/resources/role_binding) | resource | | [kubernetes_role_binding.helm_release](https://registry.terraform.io/providers/hashicorp/kubernetes/2.13.1/docs/resources/role_binding) | resource | -| [kubernetes_role_binding.starboard_reports](https://registry.terraform.io/providers/hashicorp/kubernetes/2.13.1/docs/resources/role_binding) | resource | | [kubernetes_role_binding.top](https://registry.terraform.io/providers/hashicorp/kubernetes/2.13.1/docs/resources/role_binding) | resource | +| [kubernetes_role_binding.trivy_reports](https://registry.terraform.io/providers/hashicorp/kubernetes/2.13.1/docs/resources/role_binding) | resource | | [kubernetes_role_binding.view](https://registry.terraform.io/providers/hashicorp/kubernetes/2.13.1/docs/resources/role_binding) | resource | | [kubernetes_role_binding.vpa](https://registry.terraform.io/providers/hashicorp/kubernetes/2.13.1/docs/resources/role_binding) | resource | | [kubernetes_storage_class.zrs_premium](https://registry.terraform.io/providers/hashicorp/kubernetes/2.13.1/docs/resources/storage_class) | resource | @@ -151,10 +151,10 @@ This module is used to create AKS clusters. | [promtail\_config](#input\_promtail\_config) | Configuration for promtail |
object({
azure_key_vault_name = string
identity = object({
client_id = string
resource_id = string
tenant_id = string
})
loki_address = string
excluded_namespaces = list(string)
})
|
{
"azure_key_vault_name": "",
"excluded_namespaces": [],
"identity": {
"client_id": "",
"resource_id": "",
"tenant_id": ""
},
"loki_address": ""
}
| no | | [promtail\_enabled](#input\_promtail\_enabled) | Should promtail be enabled | `bool` | `false` | no | | [reloader\_enabled](#input\_reloader\_enabled) | Should Reloader be enabled | `bool` | `true` | no | -| [starboard\_config](#input\_starboard\_config) | Configuration for starboard |
object({
client_id = string
resource_id = string
})
| n/a | yes | -| [starboard\_enabled](#input\_starboard\_enabled) | Should Starboard be enabled | `bool` | `true` | no | -| [starboard\_volume\_claim\_storage\_class\_name](#input\_starboard\_volume\_claim\_storage\_class\_name) | Configuration for starboard volume claim storage class name | `string` | `"managed-csi-zrs"` | no | | [subscription\_name](#input\_subscription\_name) | The commonName for the subscription | `string` | n/a | yes | +| [trivy\_config](#input\_trivy\_config) | Configuration for trivy |
object({
client_id = string
resource_id = string
})
| n/a | yes | +| [trivy\_enabled](#input\_trivy\_enabled) | Should trivy be enabled | `bool` | `true` | no | +| [trivy\_volume\_claim\_storage\_class\_name](#input\_trivy\_volume\_claim\_storage\_class\_name) | Configuration for trivy volume claim storage class name | `string` | `"managed-csi-zrs"` | no | | [velero\_config](#input\_velero\_config) | Velero configuration |
object({
azure_storage_account_name = string
azure_storage_account_container = string
identity = object({
client_id = string
resource_id = string
})
})
| n/a | yes | | [velero\_enabled](#input\_velero\_enabled) | Should Velero be enabled | `bool` | `false` | no | | [vpa\_enabled](#input\_vpa\_enabled) | Should VPA be enabled | `bool` | `true` | no | diff --git a/modules/kubernetes/aks-core/k8s-cluster-role.tf b/modules/kubernetes/aks-core/k8s-cluster-role.tf index a3220154a..535fa297d 100644 --- a/modules/kubernetes/aks-core/k8s-cluster-role.tf +++ b/modules/kubernetes/aks-core/k8s-cluster-role.tf @@ -62,15 +62,15 @@ resource "kubernetes_cluster_role" "top" { } } -resource "kubernetes_cluster_role" "starboard_reports" { +resource "kubernetes_cluster_role" "trivy_reports" { for_each = { - for s in ["starboard"] : + for s in ["trivy"] : s => s - if var.starboard_enabled + if var.trivy_enabled } metadata { - name = "starboard-reports" + name = "trivy-reports" labels = { "xkf.xenit.io/kind" = "platform" } diff --git a/modules/kubernetes/aks-core/k8s-role-binding.tf b/modules/kubernetes/aks-core/k8s-role-binding.tf index 1c2407ff4..3cd604159 100644 --- a/modules/kubernetes/aks-core/k8s-role-binding.tf +++ b/modules/kubernetes/aks-core/k8s-role-binding.tf @@ -117,15 +117,15 @@ resource "kubernetes_role_binding" "top" { } } -resource "kubernetes_role_binding" "starboard_reports" { +resource "kubernetes_role_binding" "trivy_reports" { for_each = { for ns in var.namespaces : ns.name => ns - if var.starboard_enabled + if var.trivy_enabled } metadata { - name = "${each.value.name}-starboard-reports" + name = "${each.value.name}-trivy-reports" namespace = kubernetes_namespace.tenant[each.key].metadata[0].name labels = { @@ -136,7 +136,7 @@ resource "kubernetes_role_binding" "starboard_reports" { role_ref { api_group = "rbac.authorization.k8s.io" kind = "ClusterRole" - name = kubernetes_cluster_role.starboard_reports["starboard"].metadata[0].name + name = kubernetes_cluster_role.trivy_reports["trivy"].metadata[0].name } subject { api_group = "rbac.authorization.k8s.io" 
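Review bot: Only the resource address, the for_each key and condition, and `name = "trivy-reports"` change in `kubernetes_cluster_role.trivy_reports` (the diffstat's 4 additions / 4 deletions for this file are all visible here), so the `rules` block, which starts past the end of this hunk, still grants whatever report kinds it listed for starboard. trivy-operator writes more report CRDs in the same `aquasecurity.github.io` group than starboard did (exposedsecretreports, rbacassessmentreports and infraassessmentreports, if I remember the 0.11 chart correctly), and tenants bound to this ClusterRole through `kubernetes_role_binding.trivy_reports` will not be able to read those unless the rules are extended. Check the rules against the CRDs installed by `module "trivy_crd"` before merging.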
diff --git a/modules/kubernetes/aks-core/modules.tf b/modules/kubernetes/aks-core/modules.tf index eb9eaf741..6794d106e 100644 --- a/modules/kubernetes/aks-core/modules.tf +++ b/modules/kubernetes/aks-core/modules.tf @@ -15,7 +15,7 @@ locals { "linkerd", "linkerd-cni", "reloader", - "starboard-operator", + "trivy", "tigera-operator", "velero", "grafana-agent", @@ -522,7 +522,7 @@ module "prometheus" { csi_secrets_store_provider_azure_enabled = var.csi_secrets_store_provider_azure_enabled aad_pod_identity_enabled = var.aad_pod_identity_enabled azad_kube_proxy_enabled = var.azad_kube_proxy_enabled - starboard_enabled = var.starboard_enabled + trivy_enabled = var.trivy_enabled vpa_enabled = var.vpa_enabled node_local_dns_enabled = var.node_local_dns_enabled grafana_agent_enabled = var.grafana_agent_enabled @@ -576,30 +576,30 @@ module "promtail" { } } -# starboard -module "starboard_crd" { +# trivy +module "trivy_crd" { source = "../../kubernetes/helm-crd" chart_repository = "https://aquasecurity.github.io/helm-charts/" - chart_name = "starboard-operator" - chart_version = "0.9.1" + chart_name = "trivy-operator" + chart_version = "0.11.0" } -module "starboard" { - depends_on = [module.opa_gatekeeper, module.starboard_crd] +module "trivy" { + depends_on = [module.opa_gatekeeper, module.trivy_crd] for_each = { - for s in ["starboard"] : + for s in ["trivy"] : s => s - if var.starboard_enabled + if var.trivy_enabled } - source = "../../kubernetes/starboard" + source = "../../kubernetes/trivy" cloud_provider = "azure" - client_id = var.starboard_config.client_id - resource_id = var.starboard_config.resource_id - volume_claim_storage_class_name = var.starboard_volume_claim_storage_class_name + client_id = var.trivy_config.client_id + resource_id = var.trivy_config.resource_id + volume_claim_storage_class_name = var.trivy_volume_claim_storage_class_name } # vpa 
diff --git a/modules/kubernetes/aks-core/variables.tf b/modules/kubernetes/aks-core/variables.tf index e067c0aeb..442975046 100644 --- a/modules/kubernetes/aks-core/variables.tf +++ b/modules/kubernetes/aks-core/variables.tf @@ -453,21 +453,21 @@ variable "linkerd_enabled" { default = false } -variable "starboard_enabled" { - description = "Should Starboard be enabled" +variable "trivy_enabled" { + description = "Should trivy be enabled" type = bool default = true } -variable "starboard_volume_claim_storage_class_name" { - description = "Configuration for starboard volume claim storage class name" +variable "trivy_volume_claim_storage_class_name" { + description = "Configuration for trivy volume claim storage class name" type = string default = "managed-csi-zrs" } -variable "starboard_config" { - description = "Configuration for starboard" +variable "trivy_config" { + description = "Configuration for trivy" type = object({ client_id = string resource_id = string diff --git a/modules/kubernetes/eks-core/README.md b/modules/kubernetes/eks-core/README.md index ae70f5f3a..966a9b3ce 100644 --- a/modules/kubernetes/eks-core/README.md +++ b/modules/kubernetes/eks-core/README.md @@ -51,8 +51,8 @@ This module is used to configure EKS clusters. | [prometheus\_crd](#module\_prometheus\_crd) | ../../kubernetes/helm-crd | n/a | | [promtail](#module\_promtail) | ../../kubernetes/promtail | n/a | | [reloader](#module\_reloader) | ../../kubernetes/reloader | n/a | -| [starboard](#module\_starboard) | ../../kubernetes/starboard | n/a | -| [starboard\_crd](#module\_starboard\_crd) | ../../kubernetes/helm-crd | n/a | +| [trivy](#module\_trivy) | ../../kubernetes/trivy | n/a | +| [trivy\_crd](#module\_trivy\_crd) | ../../kubernetes/helm-crd | n/a | | [velero](#module\_velero) | ../../kubernetes/velero | n/a | | [vpa](#module\_vpa) | ../../kubernetes/vpa | n/a | | [vpa\_crd](#module\_vpa\_crd) | ../../kubernetes/helm-crd | n/a | 
@@ -67,8 +67,8 @@ This module is used to configure EKS clusters. | [kubernetes_cluster_role.get_vpa](https://registry.terraform.io/providers/hashicorp/kubernetes/2.13.1/docs/resources/cluster_role) | resource | | [kubernetes_cluster_role.helm_release](https://registry.terraform.io/providers/hashicorp/kubernetes/2.13.1/docs/resources/cluster_role) | resource | | [kubernetes_cluster_role.list_namespaces](https://registry.terraform.io/providers/hashicorp/kubernetes/2.13.1/docs/resources/cluster_role) | resource | -| [kubernetes_cluster_role.starboard_reports](https://registry.terraform.io/providers/hashicorp/kubernetes/2.13.1/docs/resources/cluster_role) | resource | | [kubernetes_cluster_role.top](https://registry.terraform.io/providers/hashicorp/kubernetes/2.13.1/docs/resources/cluster_role) | resource | +| [kubernetes_cluster_role.trivy_reports](https://registry.terraform.io/providers/hashicorp/kubernetes/2.13.1/docs/resources/cluster_role) | resource | | [kubernetes_cluster_role_binding.cluster_admin](https://registry.terraform.io/providers/hashicorp/kubernetes/2.13.1/docs/resources/cluster_role_binding) | resource | | [kubernetes_cluster_role_binding.cluster_view](https://registry.terraform.io/providers/hashicorp/kubernetes/2.13.1/docs/resources/cluster_role_binding) | resource | | [kubernetes_cluster_role_binding.edit_list_ns](https://registry.terraform.io/providers/hashicorp/kubernetes/2.13.1/docs/resources/cluster_role_binding) | resource | 
@@ -82,8 +82,8 @@ This module is used to configure EKS clusters. | [kubernetes_role_binding.custom_resource_edit](https://registry.terraform.io/providers/hashicorp/kubernetes/2.13.1/docs/resources/role_binding) | resource | | [kubernetes_role_binding.edit](https://registry.terraform.io/providers/hashicorp/kubernetes/2.13.1/docs/resources/role_binding) | resource | | [kubernetes_role_binding.helm_release](https://registry.terraform.io/providers/hashicorp/kubernetes/2.13.1/docs/resources/role_binding) | resource | -| [kubernetes_role_binding.starboard_reports](https://registry.terraform.io/providers/hashicorp/kubernetes/2.13.1/docs/resources/role_binding) | resource | | [kubernetes_role_binding.top](https://registry.terraform.io/providers/hashicorp/kubernetes/2.13.1/docs/resources/role_binding) | resource | +| [kubernetes_role_binding.trivy_reports](https://registry.terraform.io/providers/hashicorp/kubernetes/2.13.1/docs/resources/role_binding) | resource | | [kubernetes_role_binding.view](https://registry.terraform.io/providers/hashicorp/kubernetes/2.13.1/docs/resources/role_binding) | resource | | [kubernetes_role_binding.vpa](https://registry.terraform.io/providers/hashicorp/kubernetes/2.13.1/docs/resources/role_binding) | resource | | [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/4.31.0/docs/data-sources/region) | data source | @@ -131,9 +131,9 @@ This module is used to configure EKS clusters. | [promtail\_config](#input\_promtail\_config) | Configuration for promtail |
object({
role_arn = string
loki_address = string
excluded_namespaces = list(string)
})
|
{
"excluded_namespaces": [],
"loki_address": "",
"role_arn": ""
}
| no | | [promtail\_enabled](#input\_promtail\_enabled) | Should promtail be enabled | `bool` | `false` | no | | [reloader\_enabled](#input\_reloader\_enabled) | Should Reloader be enabled | `bool` | `true` | no | -| [starboard\_config](#input\_starboard\_config) | Configuration for starboard & trivy |
object({
starboard_role_arn = string
trivy_role_arn = string
})
| n/a | yes | -| [starboard\_enabled](#input\_starboard\_enabled) | Should Starboard be enabled | `bool` | `false` | no | | [subscription\_name](#input\_subscription\_name) | The commonName for the subscription | `string` | n/a | yes | +| [trivy\_config](#input\_trivy\_config) | Configuration for trivy-operator & trivy |
object({
trivy_operator_role_arn = string
trivy_role_arn = string
})
| n/a | yes | +| [trivy\_enabled](#input\_trivy\_enabled) | Should trivy be enabled | `bool` | `false` | no | | [velero\_config](#input\_velero\_config) | Velero configuration |
object({
role_arn = string
s3_bucket_id = string
})
| n/a | yes | | [velero\_enabled](#input\_velero\_enabled) | Should Velero be enabled | `bool` | `false` | no | | [vpa\_enabled](#input\_vpa\_enabled) | Should VPA be enabled | `bool` | `true` | no | diff --git a/modules/kubernetes/eks-core/k8s-cluster-role.tf b/modules/kubernetes/eks-core/k8s-cluster-role.tf index 15d55c989..76230268e 100644 --- a/modules/kubernetes/eks-core/k8s-cluster-role.tf +++ b/modules/kubernetes/eks-core/k8s-cluster-role.tf @@ -62,15 +62,15 @@ resource "kubernetes_cluster_role" "top" { } } -resource "kubernetes_cluster_role" "starboard_reports" { +resource "kubernetes_cluster_role" "trivy_reports" { for_each = { - for s in ["starboard"] : + for s in ["trivy"] : s => s - if var.starboard_enabled + if var.trivy_enabled } metadata { - name = "starboard-reports" + name = "trivy-reports" labels = { "xkf.xenit.io/kind" = "platform" } diff --git a/modules/kubernetes/eks-core/k8s-role-binding.tf b/modules/kubernetes/eks-core/k8s-role-binding.tf index 1c2407ff4..3cd604159 100644 --- a/modules/kubernetes/eks-core/k8s-role-binding.tf +++ b/modules/kubernetes/eks-core/k8s-role-binding.tf @@ -117,15 +117,15 @@ resource "kubernetes_role_binding" "top" { } } -resource "kubernetes_role_binding" "starboard_reports" { +resource "kubernetes_role_binding" "trivy_reports" { for_each = { for ns in var.namespaces : ns.name => ns - if var.starboard_enabled + if var.trivy_enabled } metadata { - name = "${each.value.name}-starboard-reports" + name = "${each.value.name}-trivy-reports" namespace = kubernetes_namespace.tenant[each.key].metadata[0].name labels = { @@ -136,7 +136,7 @@ resource "kubernetes_role_binding" "starboard_reports" { role_ref { api_group = "rbac.authorization.k8s.io" kind = "ClusterRole" - name = kubernetes_cluster_role.starboard_reports["starboard"].metadata[0].name + name = kubernetes_cluster_role.trivy_reports["trivy"].metadata[0].name } subject { api_group = "rbac.authorization.k8s.io" 
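Review bot: The `rules` block of `kubernetes_cluster_role.trivy_reports` in eks-core is not touched by this patch (the file's 4 additions / 4 deletions are all the rename lines visible in this hunk, and the rules start past its end), so the ClusterRole still exposes only the report kinds that were granted for starboard. If trivy-operator 0.11 adds report CRDs beyond vulnerabilityreports and configauditreports, as I believe it does with exposedsecretreports and the assessment reports, tenants bound via `kubernetes_role_binding.trivy_reports` will be blind to them. Compare the rules with the CRDs that `module "trivy_crd"` installs and extend them in the same change.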
diff --git a/modules/kubernetes/eks-core/modules.tf b/modules/kubernetes/eks-core/modules.tf index 4e23d0918..58f209525 100644 --- a/modules/kubernetes/eks-core/modules.tf +++ b/modules/kubernetes/eks-core/modules.tf @@ -377,35 +377,35 @@ module "prometheus" { flux_enabled = var.fluxcd_v2_enabled csi_secrets_store_provider_aws_enabled = var.csi_secrets_store_provider_aws_enabled azad_kube_proxy_enabled = var.azad_kube_proxy_enabled - starboard_enabled = var.starboard_enabled + trivy_enabled = var.trivy_enabled vpa_enabled = var.vpa_enabled node_local_dns_enabled = var.node_local_dns_enabled promtail_enabled = var.promtail_enabled } -# starboard -module "starboard_crd" { +# trivy +module "trivy_crd" { source = "../../kubernetes/helm-crd" chart_repository = "https://aquasecurity.github.io/helm-charts/" - chart_name = "starboard-operator" - chart_version = "0.9.1" + chart_name = "trivy-operator" + chart_version = "0.11.0" } -module "starboard" { - depends_on = [module.opa_gatekeeper, module.starboard_crd] +module "trivy" { + depends_on = [module.opa_gatekeeper, module.trivy_crd] for_each = { - for s in ["starboard"] : + for s in ["trivy"] : s => s - if var.starboard_enabled + if var.trivy_enabled } - source = "../../kubernetes/starboard" + source = "../../kubernetes/trivy" cloud_provider = "aws" - starboard_role_arn = var.starboard_config.starboard_role_arn - trivy_role_arn = var.starboard_config.trivy_role_arn + trivy_operator_role_arn = var.trivy_config.trivy_operator_role_arn + trivy_role_arn = var.trivy_config.trivy_role_arn volume_claim_storage_class_name = "gp2" } diff --git a/modules/kubernetes/eks-core/variables.tf b/modules/kubernetes/eks-core/variables.tf index f339dc3db..68ace7730 100644 --- a/modules/kubernetes/eks-core/variables.tf +++ b/modules/kubernetes/eks-core/variables.tf 
@@ -354,17 +354,17 @@ variable "datadog_config" { } } -variable "starboard_enabled" { - description = "Should Starboard be enabled" +variable "trivy_enabled" { + description = "Should trivy be enabled" type = bool default = false } -variable "starboard_config" { - description = "Configuration for starboard & trivy" +variable "trivy_config" { + description = "Configuration for trivy-operator & trivy" type = object({ - starboard_role_arn = string - trivy_role_arn = string + trivy_operator_role_arn = string + trivy_role_arn = string }) } diff --git a/modules/kubernetes/falco/templates/falco-values.yaml.tpl b/modules/kubernetes/falco/templates/falco-values.yaml.tpl index 26e7cd2b7..3baafe6fe 100644 --- a/modules/kubernetes/falco/templates/falco-values.yaml.tpl +++ b/modules/kubernetes/falco/templates/falco-values.yaml.tpl @@ -68,7 +68,7 @@ customRules: (container.image.repository = "k8s.gcr.io/autoscaling/vpa-recommender") or (container.image.repository = "docker.io/bitnami/external-dns") or (container.image.repository = "docker.io/giantswarm/starboard-exporter") or - (container.image.repository = "docker.io/aquasec/starboard-operator") or + (container.image.repository = "docker.io/aquasec/trivy-operator") or (container.image.repository = "k8s.gcr.io/autoscaling/cluster-autoscaler") # Applications which spawn a docker or kubectl client diff --git a/modules/kubernetes/prometheus/README.md b/modules/kubernetes/prometheus/README.md index fe11d2a35..2c83e9e64 100644 --- a/modules/kubernetes/prometheus/README.md +++ b/modules/kubernetes/prometheus/README.md 
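Review bot: The exception added in this hunk matches `container.image.repository = "docker.io/aquasec/trivy-operator"`, but the trivy-operator Helm chart (pinned at 0.11.0 elsewhere in this patch) pulls its operator image from GitHub's registry as `ghcr.io/aquasecurity/trivy-operator`, if I remember its default values correctly; if that is what the module's values template resolves to, this entry never matches, the rule fires on every operator pod, and a docker.io image nobody runs is silently allowlisted. Verify the image the `trivy` module actually deploys (its values template is not in this chunk) and use that exact repository string. The enclosing rule or macro whose condition this list belongs to starts outside the hunk.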
@@ -57,8 +57,8 @@ No modules. | [remote\_write\_authenticated](#input\_remote\_write\_authenticated) | Adds TLS authentication to remote write configuration if true | `bool` | `true` | no | | [remote\_write\_url](#input\_remote\_write\_url) | The URL where to send prometheus remote\_write data | `string` | n/a | yes | | [resource\_selector](#input\_resource\_selector) | Monitoring type labels to look for in Prometheus resources | `list(string)` |
[
"platform"
]
| no | -| [starboard\_enabled](#input\_starboard\_enabled) | Should starboard be enabled | `bool` | `false` | no | | [tenant\_id](#input\_tenant\_id) | The tenant id label to apply to all metrics in remote write | `string` | `""` | no | +| [trivy\_enabled](#input\_trivy\_enabled) | Should trivy be enabled | `bool` | `false` | no | | [volume\_claim\_size](#input\_volume\_claim\_size) | Size of prometheus disk | `string` | `"10Gi"` | no | | [volume\_claim\_storage\_class\_name](#input\_volume\_claim\_storage\_class\_name) | StorageClass name that your pvc will use | `string` | `"default"` | no | | [vpa\_enabled](#input\_vpa\_enabled) | Should vpa be enabled | `bool` | `false` | no | diff --git a/modules/kubernetes/prometheus/charts/prometheus-extras/templates/monitors.yaml b/modules/kubernetes/prometheus/charts/prometheus-extras/templates/monitors.yaml index 36b4cdddd..67f045b69 100644 --- a/modules/kubernetes/prometheus/charts/prometheus-extras/templates/monitors.yaml +++ b/modules/kubernetes/prometheus/charts/prometheus-extras/templates/monitors.yaml @@ -362,7 +362,7 @@ spec: - path: /metrics port: metrics {{- end }} -{{- if .Values.enabledMonitors.starboard }} +{{- if .Values.enabledMonitors.trivy }} --- apiVersion: monitoring.coreos.com/v1 kind: ServiceMonitor @@ -370,7 +370,7 @@ metadata: labels: xkf.xenit.io/monitoring: platform name: starboard-exporter - namespace: starboard-operator + namespace: trivy spec: endpoints: - interval: 1m @@ -378,7 +378,7 @@ spec: port: metrics namespaceSelector: matchNames: - - starboard-operator + - trivy selector: matchLabels: app.kubernetes.io/instance: starboard-exporter diff --git a/modules/kubernetes/prometheus/charts/prometheus-extras/values.yaml b/modules/kubernetes/prometheus/charts/prometheus-extras/values.yaml index 056efb5be..3de7af884 100644 --- a/modules/kubernetes/prometheus/charts/prometheus-extras/values.yaml +++ b/modules/kubernetes/prometheus/charts/prometheus-extras/values.yaml 
@@ -64,7 +64,7 @@ enabledMonitors:
 csiSecretsStorProviderAzure: false
 csiSecretsStorProviderAws: false
 azadKubeProxy: false
- starboard: false
+ trivy: false
 grafanaAgent: false
 nodeLocalDNS: false
 promtail: false
diff --git a/modules/kubernetes/prometheus/main.tf b/modules/kubernetes/prometheus/main.tf
index c902755f3..51b46f04d 100644
--- a/modules/kubernetes/prometheus/main.tf
+++ b/modules/kubernetes/prometheus/main.tf
@@ -101,7 +101,7 @@ resource "helm_release" "prometheus_extras" {
 csi_secrets_store_provider_azure_enabled = var.csi_secrets_store_provider_azure_enabled
 csi_secrets_store_provider_aws_enabled = var.csi_secrets_store_provider_aws_enabled
 azad_kube_proxy_enabled = var.azad_kube_proxy_enabled
- starboard_enabled = var.starboard_enabled
+ trivy_enabled = var.trivy_enabled
 grafana_agent_enabled = var.grafana_agent_enabled
 node_local_dns_enabled = var.node_local_dns_enabled
 promtail_enabled = var.promtail_enabled
diff --git a/modules/kubernetes/prometheus/templates/values-extras.yaml.tpl b/modules/kubernetes/prometheus/templates/values-extras.yaml.tpl
index a7dab46ae..aeafef3ea 100644
--- a/modules/kubernetes/prometheus/templates/values-extras.yaml.tpl
+++ b/modules/kubernetes/prometheus/templates/values-extras.yaml.tpl
@@ -45,7 +45,7 @@ enabledMonitors:
 csiSecretsStorProviderAzure: ${csi_secrets_store_provider_azure_enabled}
 csiSecretsStorProviderAws: ${csi_secrets_store_provider_aws_enabled}
 azadKubeProxy: ${azad_kube_proxy_enabled}
- starboard: ${starboard_enabled}
+ trivy: ${trivy_enabled}
 grafanaAgent: ${grafana_agent_enabled}
 nodeLocalDNS: ${node_local_dns_enabled}
 promtail: ${promtail_enabled}
diff --git a/modules/kubernetes/prometheus/variables.tf b/modules/kubernetes/prometheus/variables.tf
index 4de36c2d3..4db789578 100644
--- a/modules/kubernetes/prometheus/variables.tf
+++ b/modules/kubernetes/prometheus/variables.tf
@@ -145,8 +145,8 @@ variable "grafana_agent_enabled" {
 default = false
 }
-variable "starboard_enabled" {
- description = "Should starboard be enabled"
+variable "trivy_enabled" {
+ description = "Should trivy be enabled"
 type = bool
 default = false
 }
diff --git a/modules/kubernetes/starboard/README.md b/modules/kubernetes/trivy/README.md
similarity index 72%
rename from modules/kubernetes/starboard/README.md
rename to modules/kubernetes/trivy/README.md
index ed6477d86..e8a7bde74 100644
--- a/modules/kubernetes/starboard/README.md
+++ b/modules/kubernetes/trivy/README.md
@@ -1,14 +1,14 @@
-# Starboard
+# Trivy
-Adds [`Starboard`](https://github.com/aquasecurity/starboard) and
+Adds [`Trivy-operator`](https://github.com/aquasecurity/trivy-operator) and
 [`Trivy`](https://github.com/aquasecurity/trivy) to a Kubernetes clusters.
-The modules consists of two components, trivy and starboard where
+The modules consists of two components, trivy and trivy-operator where
 Trivy is used as a server to store aqua security image vulnerability database.
-Staboard is used to trigger image and config scans on newly created replicasets and
+Trivy-operator is used to trigger image and config scans on newly created replicasets and
 generates a CR with a report that both admins and developers can use to improve there setup.
 [`starboard-exporter`](https://github.com/giantswarm/starboard-exporter) is used to gather
-trivy metrics from starboard CRD:s.
+trivy metrics from trivy-operator CRD:s.
 ## Requirements
@@ -33,20 +33,20 @@ No modules.
 | Name | Type |
 |------|------|
-| [helm_release.starboard](https://registry.terraform.io/providers/hashicorp/helm/2.6.0/docs/resources/release) | resource |
 | [helm_release.starboard_exporter](https://registry.terraform.io/providers/hashicorp/helm/2.6.0/docs/resources/release) | resource |
 | [helm_release.trivy](https://registry.terraform.io/providers/hashicorp/helm/2.6.0/docs/resources/release) | resource |
 | [helm_release.trivy_extras](https://registry.terraform.io/providers/hashicorp/helm/2.6.0/docs/resources/release) | resource |
-| [kubernetes_namespace.starboard](https://registry.terraform.io/providers/hashicorp/kubernetes/2.13.1/docs/resources/namespace) | resource |
+| [helm_release.trivy_operator](https://registry.terraform.io/providers/hashicorp/helm/2.6.0/docs/resources/release) | resource |
+| [kubernetes_namespace.trivy](https://registry.terraform.io/providers/hashicorp/kubernetes/2.13.1/docs/resources/namespace) | resource |
 ## Inputs
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
 | [client\_id](#input\_client\_id) | Azure specific, the client\_id for aadpodidentity with access to ACR | `string` | `""` | no |
-| [cloud\_provider](#input\_cloud\_provider) | Cloud provider used for starboard | `string` | n/a | yes |
+| [cloud\_provider](#input\_cloud\_provider) | Cloud provider used for trivy | `string` | n/a | yes |
 | [resource\_id](#input\_resource\_id) | Azure specific, the resource\_id for aadpodidentity to the resource | `string` | `""` | no |
-| [starboard\_role\_arn](#input\_starboard\_role\_arn) | starboard role arn used to download ECR images, this only applies to AWS | `string` | `""` | no |
+| [trivy\_operator\_role\_arn](#input\_trivy\_operator\_role\_arn) | trivy-operaetor role arn used to download ECR images, this only applies to AWS | `string` | `""` | no |
 | [trivy\_role\_arn](#input\_trivy\_role\_arn) | trivy role arn used to download ECR images,
this only applies to AWS | `string` | `""` | no |
 | [volume\_claim\_storage\_class\_name](#input\_volume\_claim\_storage\_class\_name) | StorageClass name that your pvc will use | `string` | `"default"` | no |
diff --git a/modules/kubernetes/starboard/charts/trivy-extras/.helmignore b/modules/kubernetes/trivy/charts/trivy-extras/.helmignore
similarity index 100%
rename from modules/kubernetes/starboard/charts/trivy-extras/.helmignore
rename to modules/kubernetes/trivy/charts/trivy-extras/.helmignore
diff --git a/modules/kubernetes/starboard/charts/trivy-extras/Chart.yaml b/modules/kubernetes/trivy/charts/trivy-extras/Chart.yaml
similarity index 100%
rename from modules/kubernetes/starboard/charts/trivy-extras/Chart.yaml
rename to modules/kubernetes/trivy/charts/trivy-extras/Chart.yaml
diff --git a/modules/kubernetes/starboard/charts/trivy-extras/templates/_helpers.tpl b/modules/kubernetes/trivy/charts/trivy-extras/templates/_helpers.tpl
similarity index 100%
rename from modules/kubernetes/starboard/charts/trivy-extras/templates/_helpers.tpl
rename to modules/kubernetes/trivy/charts/trivy-extras/templates/_helpers.tpl
diff --git a/modules/kubernetes/starboard/charts/trivy-extras/templates/azure-identity.yaml b/modules/kubernetes/trivy/charts/trivy-extras/templates/azure-identity.yaml
similarity index 100%
rename from modules/kubernetes/starboard/charts/trivy-extras/templates/azure-identity.yaml
rename to modules/kubernetes/trivy/charts/trivy-extras/templates/azure-identity.yaml
diff --git a/modules/kubernetes/starboard/charts/trivy-extras/values.yaml b/modules/kubernetes/trivy/charts/trivy-extras/values.yaml
similarity index 100%
rename from modules/kubernetes/starboard/charts/trivy-extras/values.yaml
rename to modules/kubernetes/trivy/charts/trivy-extras/values.yaml
diff --git a/modules/kubernetes/starboard/main.tf b/modules/kubernetes/trivy/main.tf
similarity index 64%
rename from modules/kubernetes/starboard/main.tf
rename to modules/kubernetes/trivy/main.tf
index d30bde69c..53810da18 100644
--- a/modules/kubernetes/starboard/main.tf
+++ b/modules/kubernetes/trivy/main.tf
@@ -1,15 +1,15 @@
 /**
- * # Starboard
+ * # Trivy
 *
- * Adds [`Starboard`](https://github.com/aquasecurity/starboard) and
+ * Adds [`Trivy-operator`](https://github.com/aquasecurity/trivy-operator) and
 * [`Trivy`](https://github.com/aquasecurity/trivy) to a Kubernetes clusters.
- * The modules consists of two components, trivy and starboard where
+ * The modules consists of two components, trivy and trivy-operator where
 * Trivy is used as a server to store aqua security image vulnerability database.
- * Staboard is used to trigger image and config scans on newly created replicasets and
+ * Trivy-operator is used to trigger image and config scans on newly created replicasets and
 * generates a CR with a report that both admins and developers can use to improve there setup.
 *
 * [`starboard-exporter`](https://github.com/giantswarm/starboard-exporter) is used to gather
- * trivy metrics from starboard CRD:s.
+ * trivy metrics from trivy-operator CRD:s.
 */
 terraform {
@@ -27,37 +27,37 @@ terraform {
 }
 }
-resource "kubernetes_namespace" "starboard" {
+resource "kubernetes_namespace" "trivy" {
 metadata {
 labels = {
- name = "starboard-operator"
+ name = "trivy"
 "xkf.xenit.io/kind" = "platform"
 }
- name = "starboard-operator"
+ name = "trivy"
 }
 }
-resource "helm_release" "starboard" {
+resource "helm_release" "trivy_operator" {
 repository = "https://aquasecurity.github.io/helm-charts/"
- chart = "starboard-operator"
- name = "starboard-operator"
- namespace = kubernetes_namespace.starboard.metadata[0].name
- version = "0.9.1"
+ chart = "trivy-operator"
+ name = "trivy-operator"
+ namespace = kubernetes_namespace.trivy.metadata[0].name
+ version = "0.11.1-rc"
 max_history = 3
 skip_crds = true
- values = [templatefile("${path.module}/templates/starboard-values.yaml.tpl", {
- provider = var.cloud_provider
- starboard_role_arn = var.starboard_role_arn
+ values = [templatefile("${path.module}/templates/trivy-operator-values.yaml.tpl", {
+ provider = var.cloud_provider
+ trivy_operator_role_arn = var.trivy_operator_role_arn
 })]
 }
 resource "helm_release" "starboard_exporter" {
- depends_on = [helm_release.starboard]
+ depends_on = [helm_release.trivy]
 repository = "https://giantswarm.github.io/giantswarm-catalog/"
 chart = "starboard-exporter"
 name = "starboard-exporter"
- version = "0.1.4"
- namespace = kubernetes_namespace.starboard.metadata[0].name
+ version = "0.7.1"
+ namespace = kubernetes_namespace.trivy.metadata[0].name
 max_history = 3
 values = [file("${path.module}/templates/starboard-exporter-values.yaml")]
 }
@@ -66,8 +66,8 @@ resource "helm_release" "trivy" {
 repository = "https://aquasecurity.github.io/helm-charts/"
 chart = "trivy"
 name = "trivy"
- namespace = kubernetes_namespace.starboard.metadata[0].name
- version = "0.4.12"
+ namespace = kubernetes_namespace.trivy.metadata[0].name
+ version = "0.5.0"
 max_history = 3
 values = [templatefile("${path.module}/templates/trivy-values.yaml.tpl", {
 provider = var.cloud_provider
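Review bot: `depends_on = [helm_release.trivy]` on `helm_release.starboard_exporter` now points at the Trivy server release, whereas the line it replaces pointed at the operator release, which this same hunk renames to `helm_release.trivy_operator`; the module header says the exporter gathers metrics from the operator's report CRDs, so the ordering dependency should most likely be `depends_on = [helm_release.trivy_operator]`. `version = "0.11.1-rc"` pins a release candidate of the component that performs the cluster's vulnerability and config scanning, and the reason for not taking a stable release should be recorded next to it, e.g. `# pinned to an -rc: <reason>; move to the next stable release`. `skip_crds = true` is carried over unchanged even though the chart switched from starboard-operator to trivy-operator, so wherever the operator CRDs are applied outside this module (not visible here), confirm that set now matches the trivy-operator chart, because CRDs the release itself does not install have to come from there.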
@@ -85,7 +85,7 @@ resource "helm_release" "trivy_extras" {
 chart = "${path.module}/charts/trivy-extras"
 name = "trivy-extras"
- namespace = kubernetes_namespace.starboard.metadata[0].name
+ namespace = kubernetes_namespace.trivy.metadata[0].name
 max_history = 3
 set {
diff --git a/modules/kubernetes/starboard/outputs.tf b/modules/kubernetes/trivy/outputs.tf
similarity index 100%
rename from modules/kubernetes/starboard/outputs.tf
rename to modules/kubernetes/trivy/outputs.tf
diff --git a/modules/kubernetes/starboard/templates/starboard-exporter-values.yaml b/modules/kubernetes/trivy/templates/starboard-exporter-values.yaml
similarity index 100%
rename from modules/kubernetes/starboard/templates/starboard-exporter-values.yaml
rename to modules/kubernetes/trivy/templates/starboard-exporter-values.yaml
diff --git a/modules/kubernetes/starboard/templates/starboard-values.yaml.tpl b/modules/kubernetes/trivy/templates/trivy-operator-values.yaml.tpl
similarity index 68%
rename from modules/kubernetes/starboard/templates/starboard-values.yaml.tpl
rename to modules/kubernetes/trivy/templates/trivy-operator-values.yaml.tpl
index ff12200c3..1ebd01675 100644
--- a/modules/kubernetes/starboard/templates/starboard-values.yaml.tpl
+++ b/modules/kubernetes/trivy/templates/trivy-operator-values.yaml.tpl
@@ -1,4 +1,4 @@
-# targetNamespace defines where you want starboard-operator to operate. By
+# targetNamespace defines where you want trivy-operator to operate. By
 # default it will only operate in the namespace its installed in, but you can
 # specify another namespace, or a comma separated list of namespaces, or set it
 # to a blank string to let it operate in all namespaces.
@@ -10,27 +10,28 @@ trivy:
 mode: ClientServer
 severity: MEDIUM,HIGH,CRITICAL
 ignoreUnfixed: true
- serverURL: "http://trivy.starboard-operator.svc.cluster.local:4954"
- imageRef: docker.io/aquasec/trivy:0.24.3
+ serverURL: "http://trivy.trivy.svc.cluster.local:4954"
 operator:
 # configAuditScannerEnabled the flag to enable configuration audit scanner
 configAuditScannerEnabled: false
- # kubernetesBenchmarkEnabled the flag to enable CIS Kubernetes Benchmark scanner
- kubernetesBenchmarkEnabled: false
 # vulnerabilityScannerScanOnlyCurrentRevisions the flag to only create vulnerability scans on the current revision of a deployment.
 vulnerabilityScannerScanOnlyCurrentRevisions: true
- # vulnerabilityScannerReportTTL the flag to set how long a vulnerability report should exist. "" means that the vulnerabilityScannerReportTTL feature is disabled
- vulnerabilityScannerReportTTL: "25h"
+ # rbacAssessmentScannerEnabled the flag to enable rbac assessment scanner
+ rbacAssessmentScannerEnabled: false
+ # infraAssessmentScannerEnabled the flag to enable infra assessment scanner
+ infraAssessmentScannerEnabled: false
+ # scannerReportTTL the flag to set how long a report should exist. "" means that the ScannerReportTTL feature is disabled
+ ScannerReportTTL: "25h"
 %{~ if provider == "aws" ~}
 serviceAccount:
 annotations:
- eks.amazonaws.com/role-arn: ${starboard_role_arn}
+ eks.amazonaws.com/role-arn: ${trivy_operator_role_arn}
 %{~ endif ~}
 %{~ if provider == "azure" ~}
-starboard:
+trivyOperator:
 # scanJobPodTemplateLabels comma-separated representation of the labels which the user wants the scanner pods to be
 # labeled with. Example: `foo=bar,env=stage` will labeled the scanner pods with the labels `foo: bar` and `env: stage`
 scanJobPodTemplateLabels: "aadpodidbinding=trivy"
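Review bot: The new `ScannerReportTTL: "25h"` key is spelled with a capital S while the comment directly above it names the setting `scannerReportTTL`; Helm values keys are case-sensitive, so if the chart reads the lower-case key as the comment suggests, this value is silently ignored and reports keep the chart's default TTL rather than the 25h the module intends. Change the key to `scannerReportTTL: "25h"` and use the same spelling for the second mention inside the comment. Removing `imageRef: docker.io/aquasec/trivy:0.24.3` without a replacement means the scanner image is no longer pinned by this module and follows whatever the operator chart at the pinned version defaults to; if that is intentional, a one-line comment such as `# scanner image: chart default for the pinned operator version` would stop the next reader from treating it as an omission.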
diff --git a/modules/kubernetes/starboard/templates/trivy-values.yaml.tpl b/modules/kubernetes/trivy/templates/trivy-values.yaml.tpl
similarity index 100%
rename from modules/kubernetes/starboard/templates/trivy-values.yaml.tpl
rename to modules/kubernetes/trivy/templates/trivy-values.yaml.tpl
diff --git a/modules/kubernetes/starboard/variables.tf b/modules/kubernetes/trivy/variables.tf
similarity index 79%
rename from modules/kubernetes/starboard/variables.tf
rename to modules/kubernetes/trivy/variables.tf
index bd629fbf2..7a66b90e7 100644
--- a/modules/kubernetes/starboard/variables.tf
+++ b/modules/kubernetes/trivy/variables.tf
@@ -1,10 +1,10 @@
 variable "cloud_provider" {
- description = "Cloud provider used for starboard"
+ description = "Cloud provider used for trivy"
 type = string
 }
-variable "starboard_role_arn" {
- description = "starboard role arn used to download ECR images, this only applies to AWS"
+variable "trivy_operator_role_arn" {
+ description = "trivy-operaetor role arn used to download ECR images, this only applies to AWS"
 type = string
 default = ""
 }
diff --git a/validation/kubernetes/aks-core/main.tf b/validation/kubernetes/aks-core/main.tf
index a2dbb2994..73e3c98c6 100644
--- a/validation/kubernetes/aks-core/main.tf
+++ b/validation/kubernetes/aks-core/main.tf
@@ -80,8 +80,8 @@ module "aks_core" {
 resource_id = "bar"
 }
- starboard_enabled = true
- starboard_config = {
+ trivy_enabled = true
+ trivy_config = {
 client_id = "foo"
 resource_id = "bar"
 }
diff --git a/validation/kubernetes/eks-core/main.tf b/validation/kubernetes/eks-core/main.tf
index 090340ebc..2fb48aec5 100644
--- a/validation/kubernetes/eks-core/main.tf
+++ b/validation/kubernetes/eks-core/main.tf
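Review bot: The new description string for `trivy_operator_role_arn` in variables.tf contains the typo `trivy-operaetor`, which the README in this commit reproduces verbatim in its inputs table; change it to `description = "trivy-operator role arn used to download ECR images, this only applies to AWS"` and regenerate the README so the two stay in sync. Since this value ends up in the operator service account's `eks.amazonaws.com/role-arn` annotation, the description could also say that the ARN is assumed through IRSA and should grant only the ECR read permissions the scanner needs, which helps whoever provisions the role keep it least-privilege.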
@@ -84,11 +84,11 @@ module "eks_core" {
 extra_headers = {}
 }
- starboard_enabled = true
+ trivy_enabled = true
- starboard_config = {
- starboard_role_arn = "arn1234"
- trivy_role_arn = "arn1234"
+ trivy_config = {
+ trivy_operator_role_arn = "arn1234"
+ trivy_role_arn = "arn1234"
 }
 prometheus_enabled = true
diff --git a/validation/kubernetes/starboard/main.tf b/validation/kubernetes/trivy/main.tf
similarity index 68%
rename from validation/kubernetes/starboard/main.tf
rename to validation/kubernetes/trivy/main.tf
index 16d19c04d..a9d0b1328 100644
--- a/validation/kubernetes/starboard/main.tf
+++ b/validation/kubernetes/trivy/main.tf
@@ -4,8 +4,8 @@ provider "kubernetes" {}
 provider "helm" {}
-module "starboard" {
- source = "../../../modules/kubernetes/starboard"
+module "trivy" {
+ source = "../../../modules/kubernetes/trivy"
 providers = {
 kubernetes = kubernetes