File _service:obs_scm:templates.obscpio of Package trivy-runner
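{{/* ---- file: templates/helm-chart/templates/NOTES.txt ---- */}}
{{- $root := . -}}
=== Trivy Runner Deployment ===
{{- if $root.Values.ingress.enabled }}
TLS Endpoints:
{{- range $entry := $root.Values.ingress.tls }}
{{- range $entry.hosts }}
  - https://{{ . }}
{{- end }}
{{- end }}
{{- /* fix: ingress.yaml names the Ingress "trivy-runner.name"; looking it up under
       "trivy-runner.fullname" ("<name>-<namespace>") never matched, so the endpoint
       list below was always empty. */ -}}
{{- $ingressStatus := (lookup "networking.k8s.io/v1" "Ingress" $root.Release.Namespace (include "trivy-runner.name" $root)).status -}}
{{- with $ingressStatus }}
Ingress Load Balancer endpoints:
{{- range .loadBalancer.ingress }}
  - {{ .hostname }}
{{- end }}
{{- end }}
{{- end }}

{{/* ---- file: templates/helm-chart/templates/_helpers.tpl ---- */}}
{{/*
Create chart name and version as used by the chart label.
*/}}
{{- define "trivy-runner.chart" -}}
{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
{{- end -}}

{{/*
Expand the name of the chart (nameOverride wins over Chart.Name).
*/}}
{{- define "trivy-runner.name" -}}
{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
{{- end }}

{{/*
Create a default fully qualified app name: fullnameOverride verbatim if set,
otherwise "<name>-<release namespace>". We truncate at 63 chars because some
Kubernetes name fields are limited to this (by the DNS naming spec).
*/}}
{{- define "trivy-runner.fullname" -}}
{{- if .Values.fullnameOverride }}
{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
{{- else }}
{{- $name := default .Chart.Name .Values.nameOverride }}
{{- printf "%s-%s" $name .Release.Namespace | trunc 63 | trimSuffix "-" }}
{{- end }}
{{- end }}

{{/*
Namespace: values.namespace.name when the chart is asked to create one,
otherwise the release namespace.
*/}}
{{- define "trivy-runner.namespace" -}}
{{- if (and .Values.namespace.create .Values.namespace.name) }}
{{- .Values.namespace.name | trunc 63 | trimSuffix "-" }}
{{- else }}
{{- .Release.Namespace }}
{{- end }}
{{- end }}

{{/*
Service account name: values.serviceAccount.name when the chart creates the
account, otherwise "<name>-sa". NOTE(review): the fallback is not "default",
so with serviceAccount.create=false an account named "<name>-sa" must already
exist in the namespace for the pod to be admitted.
*/}}
{{- define "trivy-runner.serviceAccountName" -}}
{{- if (and .Values.serviceAccount.create .Values.serviceAccount.name) }}
{{- .Values.serviceAccount.name | trunc 63 | trimSuffix "-" }}
{{- else }}
{{- printf "%s-%s" (include "trivy-runner.name" .) "sa" | trunc 63 }}
{{- end }}
{{- end }}

{{/*
Labels - Trivy (full label set: chart, selector labels, version, managed-by).
*/}}
{{- define "trivy-runner.labels" -}}
helm.sh/chart: {{ include "trivy-runner.chart" . }}
{{ include "trivy-runner.selectorLabels" . }}
{{- if .Chart.AppVersion }}
app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
{{- end }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
{{- end -}}

{{/*
Selector labels - trivy (must stay stable across upgrades: used in matchLabels).
*/}}
{{- define "trivy-runner.selectorLabels" -}}
app.kubernetes.io/name: {{ include "trivy-runner.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
{{- end }}

{{/*
Common environment variables among trivy containers: redis runs as a sidecar
in the same pod, so it is reached over localhost.
*/}}
{{- define "trivy-runner.redisEnv" -}}
- name: REDIS_HOST
  value: localhost
- name: REDIS_PORT
  value: "6379"
{{- end -}}

{{/*
Pushworker variables. The values are passed through `quote` so that a URL
containing quotes or backslashes cannot break the rendered YAML.
*/}}
{{- define "trivy-runner.pushworkerEnv" -}}
- name: WEBHOOK_URL
  value: {{ .Values.pushworker.webhookUrl | quote }}
{{- end -}}

{{/*
Scanworker variables. NOTE(review): PUSH_TO_CATALOG is also emitted by
"trivy-runner.trivyEnv" (with value "1") when pushworker.enabled is set, so the
scanworker container can end up with the variable listed twice; confirm which
one the worker is meant to honour.
*/}}
{{- define "trivy-runner.scanworkerEnv" -}}
{{- if .Values.scanworker.pushToCatalog }}
- name: PUSH_TO_CATALOG
  value: "true"
{{- end }}
{{- if .Values.scanworker.scanParallelism }}
- name: SCAN_PARALLELISM
  value: {{ .Values.scanworker.scanParallelism | quote }}
{{- end }}
{{- if .Values.scanworker.scanTimeout }}
- name: SCAN_TIMEOUT
  value: {{ .Values.scanworker.scanTimeout | quote }}
{{- end }}
{{- end -}}

{{/*
Environment shared by the trivy worker containers. Registry credentials and the
Sentry DSN come from the "secrets" Secret rendered by secret.yaml.
NOTE(review): deployment.yaml includes this block in every container, including
redis and redisexporter, which hands the registry password to processes that
presumably do not need it; consider a narrower env block for those two.
*/}}
{{- define "trivy-runner.trivyEnv" -}}
- name: TRIVY_ENV
  value: {{ .Values.environment | quote }}
- name: SENTRY_DSN
  valueFrom:
    secretKeyRef:
      name: secrets
      key: sentry-dsn
- name: REGISTRY_USERNAME
  valueFrom:
    secretKeyRef:
      name: secrets
      key: registry-user
- name: REGISTRY_PASSWORD
  valueFrom:
    secretKeyRef:
      name: secrets
      key: registry-password
- name: IMAGES_APP_DIR
  value: /pool/images
- name: REPORTS_APP_DIR
  value: /pool/reports
{{- if .Values.pushworker.enabled }}
- name: PUSH_TO_CATALOG
  value: "1"
{{- end }}
{{- end -}}

{{/*
Expand fully qualified image name: registry/repository[:tag][@sha256:<digest>].
Expects a map with .registry and .repository, optionally .tag and .sha (the bare
hex digest, without the "sha256:" prefix).
fix: the digest suffix previously rendered "@sha256" followed by .tag, so .sha
was never applied and the reference was malformed; pinning by digest is what
makes the pulled image immutable despite imagePullPolicy: Always.
*/}}
{{- define "trivy-runner.fullImageName" -}}
{{ .registry }}/{{ .repository }}
{{- if .tag }}:{{ .tag }}{{- end }}
{{- if .sha }}@sha256:{{ .sha }}{{- end }}
{{- end }}

{{/* ---- file: templates/helm-chart/templates/deployment.yaml ---- */}}
---
apiVersion: apps/v1
kind: Deployment
metadata:
  namespace: {{ include "trivy-runner.namespace" . }}
  name: {{ include "trivy-runner.name" . }}
  labels:
    {{- include "trivy-runner.selectorLabels" . | nindent 4 }}
spec:
  replicas: {{ .Values.replicas }}
  # Recreate rather than RollingUpdate — presumably so two pod generations never
  # work on the shared pool volume at the same time; confirm before changing.
  strategy:
    type: Recreate
  selector:
    matchLabels:
      {{- include "trivy-runner.selectorLabels" . | nindent 6 }}
  template:
    metadata:
      labels:
        {{- include "trivy-runner.selectorLabels" . | nindent 8 }}
    spec:
      # fix: serviceAccountName is a PodSpec field. It used to sit directly under
      # Deployment.spec, where it is an unknown field, so the pod silently ran
      # under the namespace's default service account.
      serviceAccountName: {{ include "trivy-runner.serviceAccountName" . }}
      securityContext:
        fsGroup: 1000
        runAsUser: 1000
        runAsGroup: 1000
        # Refuse to start any container whose effective uid resolves to 0, even if
        # the uid fields above are overridden per container (redis below uses 101).
        runAsNonRoot: true
      volumes:
        - name: trivy-pool
          {{- if .Values.pvc.enabled }}
          # NOTE(review): this is a generic *ephemeral* claim (deleted with the pod).
          # pvc.yaml creates a standalone PersistentVolumeClaim from the same values,
          # but nothing in this pod mounts it; confirm which of the two is intended.
          ephemeral:
            volumeClaimTemplate:
              spec:
                accessModes:
                  {{- toYaml .Values.pvc.accessModes | nindent 18 }}
                volumeMode: Filesystem
                storageClassName: {{ .Values.pvc.storageClass }}
                resources:
                  requests:
                    {{- with .Values.pvc.capacity | default "1Gi" }}
                    storage: {{ . }}
                    {{- end }}
          {{- else }}
          emptyDir: {}
          {{- end }}
        - name: redis-storage
          emptyDir: {}
      {{- with .Values.podSpec.affinity }}
      affinity:
        {{- tpl (. | toYaml) $ | nindent 8 }}
      {{- end }}
      {{- with .Values.podSpec.tolerations }}
      tolerations:
        {{- . | toYaml | nindent 8 }}
      {{- end }}
      {{- with .Values.podSpec.dnsConfig }}
      dnsConfig:
        {{- . | toYaml | nindent 8 }}
      {{- end }}
      {{- with .Values.podSpec.dnsPolicy }}
      dnsPolicy: {{ . }}
      {{- end }}
      # fix: `ports` of getsizeworker/pullworker and the redis volumeMounts and
      # securityContext were nested inside `{{ "{{- with .Values.<container>.resources }}" }}`,
      # so leaving `resources` unset in values also dropped them (the PodMonitor
      # scrapes http-sizeworker/http-pullworker, and redis lost its /data mount
      # and its uid 101). Only `resources` itself is conditional now, matching
      # the pushworker/scanworker/webapi containers.
      containers:
        - name: getsizeworker
          image: {{ include "trivy-runner.fullImageName" .Values.image }}
          imagePullPolicy: Always
          command:
            - getsizeworker
          env:
            {{- include "trivy-runner.trivyEnv" . | nindent 12 }}
            {{- include "trivy-runner.redisEnv" . | nindent 12 }}
          ports:
            - containerPort: 8084
              # it should be called http-getsizeworker
              # but we can't, because of 15 chars limitation
              name: http-sizeworker
          volumeMounts:
            - name: trivy-pool
              mountPath: /pool/
          {{- with .Values.getsizeworker.resources }}
          resources:
            {{- toYaml . | nindent 12 }}
          {{- end }}
        - name: pullworker
          image: {{ include "trivy-runner.fullImageName" .Values.image }}
          imagePullPolicy: Always
          command:
            - pullworker
          env:
            {{- include "trivy-runner.trivyEnv" . | nindent 12 }}
            {{- include "trivy-runner.redisEnv" . | nindent 12 }}
          ports:
            - containerPort: 8082
              name: http-pullworker
          volumeMounts:
            - name: trivy-pool
              mountPath: /pool/
          {{- with .Values.pullworker.resources }}
          resources:
            {{- toYaml . | nindent 12 }}
          {{- end }}
        {{- if .Values.pushworker.enabled }}
        - name: pushworker
          image: {{ include "trivy-runner.fullImageName" .Values.image }}
          imagePullPolicy: Always
          command:
            - pushworker
          env:
            {{- include "trivy-runner.redisEnv" . | nindent 12 }}
            {{- include "trivy-runner.trivyEnv" . | nindent 12 }}
            {{- include "trivy-runner.pushworkerEnv" . | nindent 12 }}
          ports:
            - containerPort: 8083
              name: http-pushworker
          volumeMounts:
            - name: trivy-pool
              mountPath: /pool/
          {{- with .Values.pushworker.resources }}
          resources:
            {{- toYaml . | nindent 12 }}
          {{- end }}
        {{- end }}
        - name: scanworker
          image: {{ include "trivy-runner.fullImageName" .Values.image }}
          imagePullPolicy: Always
          command:
            - scanworker
          env:
            {{- include "trivy-runner.redisEnv" . | nindent 12 }}
            {{- include "trivy-runner.trivyEnv" . | nindent 12 }}
            {{- include "trivy-runner.scanworkerEnv" . | nindent 12 }}
          ports:
            - containerPort: 8081
              name: http-scanworker
          volumeMounts:
            - name: trivy-pool
              mountPath: /pool/
          {{- with .Values.scanworker.resources }}
          resources:
            {{- toYaml . | nindent 12 }}
          {{- end }}
        - name: webapi
          image: {{ include "trivy-runner.fullImageName" .Values.image }}
          imagePullPolicy: Always
          command:
            - webapi
          env:
            {{- include "trivy-runner.redisEnv" . | nindent 12 }}
            {{- include "trivy-runner.trivyEnv" . | nindent 12 }}
          ports:
            - containerPort: 8080
              name: http-webapi
          volumeMounts:
            - name: trivy-pool
              mountPath: /pool/
          {{- with .Values.webapi.resources }}
          resources:
            {{- toYaml . | nindent 12 }}
          {{- end }}
        - name: redisexporter
          image: {{ include "trivy-runner.fullImageName" .Values.image }}
          imagePullPolicy: Always
          command:
            - redisexporter
          env:
            {{- include "trivy-runner.redisEnv" . | nindent 12 }}
            {{- include "trivy-runner.trivyEnv" . | nindent 12 }}
            - name: REDIS_QUEUES
              value: topull toscan getsize topush
          ports:
            - containerPort: 8086
              name: tcp-redisexp # tcp-redisexporter
          {{- with .Values.redisexporter.resources }}
          resources:
            {{- toYaml . | nindent 12 }}
          {{- end }}
        - name: redis
          image: {{ include "trivy-runner.fullImageName" .Values.redis.image }}
          imagePullPolicy: Always
          command:
            - redis-server
          workingDir: /data
          env:
            {{- include "trivy-runner.redisEnv" . | nindent 12 }}
            {{- include "trivy-runner.trivyEnv" . | nindent 12 }}
          volumeMounts:
            - name: redis-storage
              mountPath: /data
          securityContext:
            runAsUser: 101 # redis user
            runAsGroup: 101
          {{- with .Values.redis.resources }}
          resources:
            {{- toYaml . | nindent 12 }}
          {{- end }}

{{/* ---- file: templates/helm-chart/templates/ingress.yaml ---- */}}
{{- if .Values.ingress.enabled -}}
---
{{- $name := include "trivy-runner.name" . }}
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  namespace: {{ include "trivy-runner.namespace" . }}
  name: {{ $name }}
  annotations:
    {{- toYaml .Values.ingress.annotations | nindent 4 }}
spec:
  {{- if .Values.ingress.tls }}
  tls:
    {{- toYaml .Values.ingress.tls | nindent 4 }}
  {{- end }}
  rules:
    {{- range .Values.ingress.hosts }}
    - host: {{ . }}
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                # service.yaml publishes the webapi under the same name/port name.
                name: {{ $name }}
                port:
                  name: http-webapi
    {{- end }}
{{- end }}

{{/* ---- file: templates/helm-chart/templates/pod-monitor-trivy.yml ---- */}}
{{- if .Values.metrics.enabled -}}
---
apiVersion: monitoring.coreos.com/v1
kind: PodMonitor
metadata:
  namespace: {{ include "trivy-runner.namespace" . }}
  name: {{ include "trivy-runner.name" . }}
  labels:
    {{- include "trivy-runner.selectorLabels" . | nindent 4 }}
    release: kube-prometheus-stack # this is required by IT's prometheus-operator
spec:
  jobLabel: {{ include "trivy-runner.fullname" . }}
  namespaceSelector:
    matchNames:
      - {{ .Release.Namespace }}
  # One endpoint per container port declared in deployment.yaml.
  podMetricsEndpoints:
    - interval: 30s
      path: /metrics # TODO: change this when trivy gets a dedicated port for metrics.
      port: http-webapi
      scrapeTimeout: 10s
    - interval: 30s
      path: /metrics
      port: http-scanworker
    - interval: 30s
      path: /metrics
      port: http-pullworker
    {{- if .Values.pushworker.enabled }}
    # The pushworker container (and its port) only exists when it is enabled.
    - interval: 30s
      path: /metrics
      port: http-pushworker
    {{- end }}
    - interval: 30s
      path: /metrics
      port: http-sizeworker
    - interval: 30s
      path: /metrics
      port: tcp-redisexp
  selector:
    matchLabels:
      {{- include "trivy-runner.selectorLabels" . | nindent 6 }}
{{- end }}

{{/* ---- file: templates/helm-chart/templates/pvc.yaml ---- */}}
{{/* NOTE(review): deployment.yaml does not reference this claim (it uses an
     ephemeral volumeClaimTemplate with the same settings); confirm it is still needed. */}}
{{- if .Values.pvc.enabled -}}
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: {{ include "trivy-runner.name" . }}
  namespace: {{ include "trivy-runner.namespace" . }}
spec:
  accessModes:
    {{- toYaml .Values.pvc.accessModes | nindent 4 }}
  volumeMode: Filesystem
  storageClassName: {{ .Values.pvc.storageClass }}
  resources:
    requests:
      {{- with .Values.pvc.capacity | default "1Gi" }}
      storage: {{ . }}
      {{- end }}
{{- end }}

{{/* ---- file: templates/helm-chart/templates/secret.yaml ---- */}}
{{/*
Secret consumed by "trivy-runner.trivyEnv" via secretKeyRef. Rendered as a
pre-install/pre-upgrade hook and kept on uninstall (resource-policy: keep).
fix: values are passed through `quote` — the previous "{{ "{{ ... }}" }}" form broke
the YAML (or changed the stored value) for passwords containing quotes or backslashes.
*/}}
---
apiVersion: v1
kind: Secret
metadata:
  namespace: {{ include "trivy-runner.namespace" . }}
  name: secrets
  labels:
    {{- include "trivy-runner.labels" . | nindent 4 }}
  annotations:
    helm.sh/hook: pre-install,pre-upgrade
    helm.sh/resource-policy: keep
    helm.sh/hook-weight: "10"
type: Opaque
stringData:
  # == RUNTIME SERVICES ==
  # - REGISTRY USER
  registry-user: {{ .Values.secrets.registryUser | quote }}
  # - REGISTRY PASSWORD
  registry-password: {{ .Values.secrets.registryPassword | quote }}
  # - SENTRY FOR TRIVY
  sentry-dsn: {{ .Values.secrets.sentryDsn | quote }}

{{/* ---- file: templates/helm-chart/templates/service-account.yaml ---- */}}
{{/* NOTE(review): nothing in the chart shows the workers calling the Kubernetes API;
     if that holds, `automountServiceAccountToken: false` here would keep the token
     out of every container. Confirm with the worker code before adding it. */}}
{{- if .Values.serviceAccount.create -}}
---
apiVersion: v1
kind: ServiceAccount
metadata:
  namespace: {{ include "trivy-runner.namespace" . }}
  name: {{ include "trivy-runner.serviceAccountName" . }}
  labels:
    {{- include "trivy-runner.labels" . | nindent 4 }}
{{- end -}}

{{/* ---- file: templates/helm-chart/templates/service.yaml ---- */}}
{{- if .Values.service.enabled -}}
---
apiVersion: v1
kind: Service
metadata:
  namespace: {{ include "trivy-runner.namespace" . }}
  name: {{ include "trivy-runner.name" . }}
  labels:
    {{- include "trivy-runner.labels" . | nindent 4 }}
spec:
  type: {{ .Values.service.type }}
  ports:
    # Only the webapi is exposed; the worker ports are scraped in-cluster via the PodMonitor.
    - name: http-webapi
      port: {{ .Values.service.port }}
      targetPort: http-webapi
      protocol: TCP
  selector:
    {{- include "trivy-runner.selectorLabels" . | nindent 6 }}
{{- end }}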