aquasecurity
Helm Chart - Allow custom volumes for built-in trivy server
While there are options to define custom volumes via the Helm chart for the operator and the scan jobs, there is no option to define custom volumes and volumeMounts for the built-in trivy server.
Use case example: Running the operator and built-in server behind a proxy that does SSL interception, it is necessary to trust the proxy certificate to allow the trivy built-in server to update its database. In this scenario, if the certificate is not trusted, the trivy server enters a CrashLoopBackOff state:
I have tried using the trivy.sslCertDir however that creates a hostPath volume which is not as flexible as other types of volume mounts, i.e.: ConfigMaps or Secrets. For instance, the host may not have the right certificates, which is my case. Ideally, the trusted signer certificates would be provided to the built-in trivy server via a ConfigMap or Secret mounted as a volume, i.e.:
volumes:
- name: trusted-certs
secret:
defaultMode: 420
secretName: trusted-certs
[...]
volumeMounts:
- name: trusted-certs
mountPath: /etc/ssl/certs/
The above snippet is in fact what it is possible to configure for the operator, but unfortunately not for the trivy built-in server.
Also to have this in the Trivy Operator would be nice for the policiesBundle
https://github.com/aquasecurity/trivy-operator/issues/1675 this is also probably related
This issue is stale because it has been labeled with inactivity.
![github-actions[bot] avatar](https://avatars.githubusercontent.com/in/15368?v=4 "Published by a pub.dev verified publisher"){kind=small}
Haven't seen a solution for this anywhere. Any chance someone has solved this?
Haven't seen a solution for this anywhere. Any chance someone has solved this?
trivy server is a separated Statefulset: https://github.com/aquasecurity/trivy-operator/tree/main/deploy/helm/templates/trivy-server
you can customize it yourself
